Enterprise Risk Matrix v1 02


  • 8/6/2019 Enterprise Risk Matrix v1 02

    1/26

    Change Management Risk Matrix

    Enterprise Computing Services

    Europe

    Change Management Risk Matrix

    Unilever Enterprise Computing Services

    Europe

    Document Information

    Author Mark Phypers

    Owner Nick Brace

    Status / Version 1.02

    Reference Ref No

    Category -

    Technology Change process

    Date Published 20th September 2010

    Review Due 20th November 2010

    Document History

    Version Description

    1.0

    1.01 See issue log for list of amendments in this revision

    1.02 See issue log for list of amendments in this revision

    Review Record

    Version Reviewer Role

    Approval Record

    Version Approver Role

    Fixed issue with cross tower involvement reducing rather than increasing risk. Wording changed to "Tick those that DO NOT apply"

    Increased the business risk of making changes to SC1/2 services %Prod/DR environments

    Added ITMW answer in outage section

    Locked ready for distribution

    Author Date

    Mark Phypers 9/16/2010

    Mark Phypers 9/24/2010

    Mark Phypers 10/25/2010

    Date

    Date

    Prepared by mark.phypers 06/06/2011

    Change Management Risk Matrix Change ID

    Unilever Enterprise Computing Services Business Risk

    Europe Technical Risk

    Description

    A. Process

    A1 What is the proposed lead time?

    Normal Normal agreed lead-time or greater

    Rapid Change is requested to be implemented sooner than the standard lead time

    B: Business Impacts

    B1 What are the business implications of postponing this change

    None No impact - the change has no IT or Business driver and no requirements for a set implementation date

    Medium Some impact, e.g. postponement or failure of the change could cause delay to a mila project.

    Significant Significant impact, e.g. an Incident, problem or known error will remain unresolved.

    B2 Does the change introduce new/enhanced/amended functionality to users of the service?

    NO The change has no functional impact on end users

    YES The change will introduce new or enhanced/amended service functionality

    B3 Is there a planned outage to service?

    No No, the service is planned to remain available throughout the duration of the Chang

    Out of Hours Yes, the Service will be unavailable and/or degraded for a period but this is during a Maintenance Window or outside of agreed service hours.

    Degraded Possible degraded service or intermittent loss of service throughout duration of the

    Outage Yes, the Service will be unavailable for a period

    None This is purely an administrative change and there is an absolute zero potential impalive IT system as a result of making this change (e.g. CMDB updates, and other papetype changes)

    B4 If this is a change to a Prod/DR Service, what are the most serious potential impacts upon the business, as a result of the planned changes, in the event of an unplanned outcome?

    Non-Prod This is a change to Non-Prod - (E.g. Dev/QA/Sandbox). Risk of direct impact upbusiness services is negligible.

    Resilience / Capacity Failure could, at worst, only result in a loss of system resilience and/or capacity.a change to a single CI within a high availability architecture)

    Systems Management Failure could at worst only impair the IT organisations ability to manage this or osystems - not impact directly upon any Business systems themselves.

    Service Continuity Failure could, at worst, only impair the ability to recover service in event of a fursystems (For example a change to back up routines, locations, schedules or a cwithin the DR environment).

    Business Process An unexpected outcome could result in a detrimental impact upon a business prresulting in financial impact to the company through impaired or lost ability to peprocess until service is restored.

    C: Environments Impacted

    C1 Type of environment(s) the change impacts? (Tick highest impact one only)

    Dev / POC / Sandbox Development, Proof of Concept and/or Sandbox systems

    QA/Reg Quality Assurance and/or regression systems

    Prod/DR Production and Disaster Recovery systems

    C2 What is the highest SC level Service comprising this change? (Tick highest impact one only)

    NONE There is no change to a service as defined in the CMDB

    SC4/5 Service Criticality 4 or 5

    SC3 Service Criticality 3

    SC2 Service Criticality 2

    SC1 Service Criticality 1

    C3 Is this a change to an operational service or system?

    NO The change has no effect on an operational service. Hover for guidance notes

    Project The service is not yet operational but is in regular use as part of an inflight project.

    Enabling Yes the change is to an operational business service during normal service hours bsystem is a backoffice system such as monitoring tools, system management tools,systems, etc so the change could not directly impact business processes if it were tofailure

    Business Yes the change is to an operational business service

    C4 Are there further impacts outside the service or host e.g. scheduling/batch

    No No further implications

    Manageable Some disruption which can be managed in advance e.g. holding schedules or rescheduling FTP times

    Yes YES further disruptive impact e.g. delay to batch processing or potential loss of FTP data. Please ensure your implementation plan includes tasks to handle this.

    D: Cross Tower Impacts

    D1 Will this change impact the Service Desk?

    No No impact on call volumes or change in support levels / models / agreements

    Yes May cause increased call volumes or involves changes to support levels, help file

    D2 Will this change impact upon other towers or 3rd parties ability to supply their services? (tick all that ARE NOT impacted - leave blank if it does impact them)

    Client Does not impact upon Client Services ability to provide contracted services

    Network Does not impact upon Network Services ability to provide contracted services

    Enterprise Does not impact upon Enterprise Hostings ability to provide contracted services

    Application Does not impact upon Application Services ability to provide contracted services

    3rd party Does not impact upon a 3rd parties ability to provide contracted services

    E: Testing

    E1 Has the change been tested successfully?

    NA This is not a physical change - communication / documentation purposes only

    Test This change has been raised in order to carry out testing on a non production envprior to implementation on production systems.

    Yes Successful testing has been completed for the change in matched QA environmechange has been completed successfully on a previous occasion

    Partial Successful testing has been completed, however there are known differences beQA and Production environments; there is a potential for unforeseen issues to ari

    No No testing has been done or testing is not possible. e.g. Emergency fix

    E2 Testing output - any known issues from testing?

    None No issues found from testing

    Minor Minor known issues to be released into production, with potential to cause small incident

    Major Change includes a significant known error being released into production; potential to casignificant incidents but the risk has been accepted by the business

    E3 Is post implementation testing planned?

    Full Full post implementation testing is planned immediately after change is implem

    Business Confidence testing planned by Business contacts (Not necessarily straight afteimplemented e.g. On-site testing)

    None No post implementation testing has been planned

    F: Backout

    F1 What is the backout complexity?

    Simple Easily implemented by change implementor in isolation

    Complex Complex back out plan requiring staggered activities from a number of teams

    Unknown No backout assessment has been made or backout is not possible

    F2 Has the Backout plan been tested?

    Yes This change has been both implemented and backed out on a matched QA en

    Standard This is a standard backout plan used many times in the past for similar change been specifically tested with regard to this piece of work.

    No Backout plan has not been or cannot be tested.

    G: Resource

    G1 Resource complexity

    1 The change can be implemented, tested & backed out by the change implemeisolation.

    2 The change requires more than one internal implementing team available duriwindow. Any issues can be resolved between these parties

    3 The change requires both internal and 3rd parties or cross tower teams availachange window. Any issues can be resolved between these parties

    4 The change will require outside assistance (Internal or third party) if it errors

    Issue Log

    Issue ID Raised by Q#

    1 Paul White All

    2 Paul White

    3 B1

    4 B4

    5 Eddie Cohen

    6 C3

    7 Admin All

    8 Paul White B3

    9 Josh Ruding all

    10 Ade Badru c3

    11 Steve Judge E1

    12 Misc

    C1, C2

    Simon Goddard / Eddie Cohen

    Simon Goddard / Eddie Cohen

    Paul White / Eddie Cohen / Simon Goddard

    Description

    Issue regarding ticking multiple "Type of environments impacted".

    Issue regarding the wording of the "impact on service if change fails" answer.

    Proposed addition of guidance notes.

    Numbered the questions to make issue tracking and revision history straightforward to administrate.

    No option for changes raised to carry out testing

    Testing reveals very difficult to get an ITMW change to come out as a major. This is because the matrix assesses risk not size and if action has been taken to mitigate the risk then the change will not achieve Major categorisation.

    Issue regarding the "Business implications of Postponement" question adding too much risk or whether relevant at all.

    Issue regarding the "Operational Service" answer needing clarification as to meaning and not reducing risk score enough.

    Suggested structuring this slightly differently:

    - No planned outage
    - Planned degradation (agreed with business or ITMW)
    - Planned outage (agreed with business or ITMW)
    - Planned outage or degradation (not agreed)

    Suggested adding in calculations to show the change category and lead time as well as the business & technical risk

    Changes to back up regimes normally happen during normal hours of the service but not during the hours of the backup - which happens OOH - there's no increased risk to the service by making these changes in normal hours but the risk matrix will say that there is.

    Status Version Resolved In

    1.01

    1.01

    1.01

    1.01

    Updated 1.01

    1.02

    24-9-10: will be added in a future release.

    1.02

    12/10: Added low risk answer 1.02

    24-9-10: Under discussion whether to add a question relating to number of CIs impacted in order to push the risk higher for "Large" releases. Or to handle this via guidance notes

    Updated - clarification added to instruct to tick one answer only

    Updated - Scoring changed to only add noticeable risk to the unresolved issue answer.

    Updated - wording clarified on answer 1

    24-9-10: will be added in a future release.

    12-10-10: a couple of guidance notes added as comments on the risk sheet

    Partial 1.02

    Trial solution added - guidance note added on answer 1 and scoring of answer 1 weighted to much lower risk

    24-9-10: Needs discussion

    12-10-10: Solution added - needs testing

    29-09-10: Logged issue

    12-10-10: Solution added to questions B4 & C3
