OMNITRACKER Risk Management application Benelux Breakfast Seminar

26.02.2014 © OMNINET Risk Management Breakfast Seminar

OMNITRACKER Breakfast Seminar

Risk Management

Application Template


Presentors


Breakfast Session

Breakfast Seminar Concept

Blend between Presentation/demo and Breakfast

Please feel free to keep enjoying the breakfast during the presentation/demo


Breakfast Session: Agenda

Agenda:

Powerpoint Presentation / Live Demo: 90 min.

General Risk Management principles (Part 1 – John Bun)

Break (10 mins)

Risk Management Template Features (Part 2 – Ruud Dolmans)

Live Demo


Breakfast Session: Organisation

Presentation / Demo

Live Demo is supported by a powerpoint presentation

The items in the powerpoint will be explained more in detail via a Live Demo


General Risk Management principles

John Bun IT Service Management / Strategy / Managing consultant at CTG


What is a Risk?


Risk Management

Agenda:

General Risk Management principles

What is a Risk?

What is Risk Management?

Risk types and examples

Risk Strategies & Risk Phases

Risk Management Principles

Risk Management Frameworks

Summary


Definition of a Risk


What is a risk?

Impact:

Datacenter

outage

Risk syntax: Risk of <loss or damage to asset> due to <event> caused by <cause>

Risk example: Loss of datacenter due to power outage caused by poor UPS maintenance

Event:

Power Outage

Control:

UPS Vulnerability:

poor

maintenance


What is Risk Management?

to againsttoProcess Protect Threatsagainst


1. Complete IT provisioning

2. Infrastructure (datacenter, networks, etc)

3. Project

4. Change Request

5. Organization

6. Information

7. IT Process

8. …

Risk Management Sources

Risk Assessment Scope:


Risk Management: Events & Categories


IT Risk Categories


Risk Phases

Identification

Assessment

Analysis & Mitigation

Monitoring


Step 1: Risk Identification

Identification

Assessment


Monitoring



Identification

Assessment


Monitoring

Power Supply & UPS systems

Extreme weather

conditions

Cyber Attack Human Errors

HVAC IT Equipment failures



Identification

Assessment


Monitoring



Lack of timeLack of

capability

Hardware not in time

Subcontractor will

underperform

Customer resources not

in time

Delayed Decision Making


Step 1: Risk Identification - TIPS

Use the structure as a basis for risk identification

Be thorough….but not absurd

Develop a list which is as complete as possible

Assign risk identification tasks to different people

Do not analyse the risks in this phase


Risk Phases

Identification

Assessment


Monitoring


Identification

Assessment

Mitigation

Monitoring

Phases

Prioritize based on frequency

and impact

(Quantiy and Qualify)event

High

probability

Large impact

Low

Risk

Moderate

Risk

High

Risk

Step 2: Risk Assessment / Risk rating


Step 2: Risk Assessment – Risk Map

Cyber Attack(Ddos)

Human Errors HVAC

Power Supply & UPS

Systems

Extreme weather

conditions

IT Equipment Failures

Low Medium High

Low

Med

ium

Hig

h

Pro

bab

ility

/ Fr

eq

ue

ncy

Impact


Step 2: Risk Assessment - TIPS

Rank analyzed risks (highest to lowest)Define Impact & Frequency

Use quantitative ranking where possible, otherwise use qualitative ranking

Prioritize risks as a team

Do not plan mitigation strategies at this time


Risk Phases

Identification

Assessment


Monitoring


Identification

Assessment


Monitoring

Ways to handle risks

Step 3: Risk Analysis & Mitigation


Step 3: Risk Analysis (Examples)

Mitigation

Avoid Reduce Transfer Accept

Power & UPS systems

Test & maintainUPS System components

(Test & maintainUPS System

components)

Cyber Attack (ddos)

Ddos detectionservice & multiple

telco providers

HVAC

HVAC ServiceProvider

Maintenance activities

Human ErrorsTraining & Foureyes principle

IT EquipmentFailures

LifecycleManagement

Extreme weatherconditions

Accept


Step 3: Risk Mitigation - TIPS

Work down prioritized risk listing

Create various Risk Action Plan alternatives

Evaluate as many alternatives as possible

Incorporate milestones into risk management/project plan (schedule measures)


Risk Phases

Identification

Assessment


Monitoring


Step 4: Risk Monitoring


Step 4: Monitoring - Action Plans & Measures


Link to frameworks and certifications


Final thoughts

Analyzing and calculating risks is an everydayaspect of life

Weave risk management practices in the daily projector service management practices

Create awareness among the staff of the importanceof risk management

Make risk management a part of the corporate culture

Create risk matrices to analyze risks from different perspectives (legal, financial, etc…)


What should you definitely remember?


The mystery?

The mystery behind:

1. on time &

2. on budget &

3. meeting customer expectation (quality)

Well executed “Risk Management”


Time for a break!


Risk Management Template features &

Live Demo

Ruud DolmansPresales Consultant at OMNINET


OMNITRACKER Layered Structure


OMNITRACKER: Layered Architecture


Risk Management Center at a glance


OMNITRACKER Risk Management Center at a glance

Solution to cover the entire process from

Fast & easy recording of risks,

Assessing them,

Analysing them

Determining the strategy to mitigate

up to planning and controlling measures to be taken

(monitoring)


OMNITRACKER Risk Management Center at a glance

High level features:

Easy to use risk management

Structured, controled and centralized management of Risks

Risks are workflow-based administrated and monitored in

OMNITRACKER

Systematic approach for more efficiency, professionalism & cost

reduction

Integration with other OMNITRACKER processes

Possibility to use it through the entire organization

Based on best-practices


Risk Management Center general features


Efficient Risk Management with OMNITRACKER Risk Management

General OMNITRACKER Risk Management features

Risk catalogue

• Categorization in category Tree

• Freely definable

• Adaptable

Risk

• Risk definition

• Risk Rating & Prioritization

• Categorization

• Lifecycle

Action Plans

• Strategy

• Bundle of measures

Measures

• Actions to monitor risk



Generic information model, easy adaptable and extensible

Workflow based

Transparency about the current state/respectively the progress for

all stakeholders

Rule-based notifications and mails after state transition, new risks,

etc.

Periodic- or event-driven reporting

The display of risks in a risk map provides the management to

focus on the highest risks

Standard search & filter functions

Integrated standard OMNITRACKER functionality


Abstraction Levels

Risk catalogue

Risk

Action Plan

Measure


OMNITRACKER Risk Management

Risk catalogue:

Categorization of risks

Risks:

Describe the unexpected deviation from targets or

consequences of requirements which are not fulfilled

Risk lifecycle

Action plans:

Define the strategy of the risk handling (Avoid, reduce,

transfer or accept)

Bundle of measures/actions which belong logically

together

Several measures to be taken for implementation of the

strategy

Measures:

Define specific actions and measure points, which are

determined to apply the risk strategy

contain a “time plan”, i.e. unique or repeatedly

procedure of measures, which are monitored


Risk Catalogue

Risk catalogue

Risk

Action Plan

Measure


Risk Catalogue

Example of tree structure of risk catalogue

Risk catalogue:

Categorization

Modelled as category

tree:

Extensible

Adaptable

The risk catalogue is

administrated by the

risk manager

Can be used e.g. for

reporting purposes


Risk

Risk catalogue

Risk

Action Plan

Measure


Risk

Risk Lifecycle / Workflow States

Risk Responsible

Risk definition & information

Risk Rating & Prioritization

Categorization


OMNITRACKER Risk Management: Workflow of a Risk

Creation

Identifcation

Assessment

Analysis

Closed

Monitoring

Creation: Recording of a potential risk

Identification: Risk manager evaluate the risk qualitative and identify

problem fields as well as the responsible for processing the

risk

Assessment: Risk responsible carries out a high-level risk assessment

(impact, probability)

Quantitative assessment (financial impacts)

Analysis: Risk responsible analysis reasons and identifies the

potential loss and evaluates the worst case scenario of an

risk

Contingency plans, action plans, measures

Monitoring: Carry out measures

Audits

Continuous monitoring of carrying out measures by the risk

responsible

Closed: Risk does not exist anymore


Action Plans

Risk catalogue

Risk

Action Plan

Measure


Action Plans

Can e.g. focus on one specific risk aspect (root cause)

Define action plan

Choose strategy


Action Plans: Strategy

Risk strategy:

Avoid

Reduce

Transfer

Accept

This is standard best-practice

in Risk Management!


Action Plans

Strategy is defined

Contains one or more measures

Bundle of measures/actions which belong logically together

Several measures to be taken for implementation of the strategy


Measures

Risk category

Risk

Action Plan

Measure


Measures

Measure form

Actions to be carried out by measure

responsible

Assign a responsible for the measure

Can be scheduled

We can define start date & end date

Interval to carry out the measure regularly


User Roles


OMNITRACKER Risk Management User Roles

The following user roles are out-of-the-box integrated in the OMNITRACKER Risk

Management Center process template. Based on these roles, permissions are defined:

Risk Manager:

General responsibility over Risk Management process

Group members are responsible for the risk identification

Responsible for accepting or rejecting a recorded, potential risk

Accepted risks are delegated to a specific member of the user group “Risk

Responsible”

Risk Responsible:

Responsible for a risk, to assess and to analyse the risk as well as to define suitable

(counter-)measures

Monitoring that the defined measures are taken and implemented

Can be selected as responsible for specific measures

Risk Management Users:

All persons that are allowed to record risks and have access to Risk Management

process

After a risk is recorded, it is sent to the user group “Risk Manager”



Summary

Risk catalogue

• Categorization in category Tree

• Freely definable

• Adaptable

Risk

• Risk definition

• Risk Rating & Prioritization

• Categorization

• Lifecycle

Action Plans

• Strategy

• Bundle of measures

Measures

• Actions to monitor risk


Live Demo


Demo Case

Creating a Risk


Live Demo Case: Datacenter Outage

Datacenter Outage

Datacenter Outage of two hours cost 900.000USD. This is about 684.000 € or about 5700€ per

minute. Numbers are based on a study in the US in December 2013 conducted at 67 datacenters,

calculating the costs of datacenter outages for organizations with revenue models that depend on the

datacenter ability to deliver IT & networking services to those companies.

Statistical root causes of system failures:

UPS battery failure (55 cases)

UPS capacity exceeded (46 percent)

UPS equipment failure (27 percent)

Accidental / human error (48 percent)

Heat related/CRAC failure (29 percent)

Cyber attack (34 percent)

IT equipment failure (33 percent)

Water incursion (32 percent)

Weather related (30 percent)

PDU/circuit breaker failure (26 percent)

Source: Study in december 2013 by the Ponemon Institute, in collaboration with Emerson Network Power


Datacenter Outage cost (in Euro)

4000

5700

0

1000

2000

3000

4000

5000

6000

Cost per minute

Datacenter Outage cost per minute (in Euro)

2010 2013

• About 40% raise of cost in comparison to 2010

• 52% of respondents believe all or most of the unplanned

outages could have been prevented.

Source: Study in december 2013 by the Ponemon Institute, in collaboration with Emerson Network Power

240000

342000

0

50000

100000

150000

200000

250000

300000

350000

400000

Cost per hour

Datacenter Outage cost per hour (in Euro)

2010 2013


Live Demo Case: Datacenter Outage

Demo steps:

Overview of general structure in Risk Management Center

Process Template

Creation of the Risk

Identification and assessment on a high level

Analysis and definition of action plans & measures

Monitoring state

State closed


Risk Workflow: Creation

Steps:

Every member of group “Risk Management User” can create risks

Specify title and description

Optional: Adding of attachments to describe the risk and to display

possible scenarios of impacts

By sending the risk it is transferred to the users of group “Risk

Manager” for identification

Creation Identification Assessment Analysis Monitoring Closure


Risk Workflow: Identification

Steps:

Members of the group “Risk Manager” receive an email to identify

the risk

Qualitative high-level assessment of the risk

Specify a risk category

Identify dependencies to existing risks or other business objects (e.g.

contracts, change requests)

Assign the responsibility to one risk responsible



Risk Workflow: Assessment

Steps:

The risk responsible receives an email to assess the risk

The assessment take place in regard to:

1. Impact

2. Probability (likelihood of occurrence)

Financial impacts

Specify risk root cause (risk driver and reasons for the risk)



Risk Workflow: Analysis

Steps:

Impact analysis by risk responsible

Identify main reasons

Definition of worst case scenario

Specify one or more action plans & measures

Specify an Emergency Plan:

Describing actions, which have to be carried out in in case of an

emergency

Description of the remaining risk



Risk Workflow: Monitoring & Closure

Steps:

Risk responsible continuously monitors that the defined measures

are taken

Carries out audits



Risk Workflow: Monitoring & Closure

Closure:

If a risk does not exist anymore, it will be closed by the risk

responsible

After closure, the risk responsible, risk manager and the responsible

of the measures receive an email notification

Risk and action plan will be automatically closed

The measures are closed manually by the responsible after a final

verification



Reporting


OMNITRACKER Risk Management: Reporting

Several Pre-defined reports

Easy and flexible adaption of existing reports

Creation

on demand

time-triggered

Event-triggered

Risk- and Measure- State:

Grouping functionality

Filtering and sorting by state, risk-level, etc

Risk MapIndividual Risk Assessment

(Risk Report)


OMNITRACKER Risk Management: Reporting

Risk Map

Individual Risk Assessment

(Risk Report)


Integration with other OMNITRACKER

Application Templates


OMNITRACKER Integration

Integration with all OMNITRACKER processes:

Examples:

Integration with ITSM Center Application Template:

Risks can be added to all ITIL processes (e.g. Change Management)

A new tab will be created for this

Integration with Project Management Center Application Template:

Risks can be added to all projects

A new tab will be created for this

Possible integration with Activity Management:

Integration for e.g. Scheduled Activities and Time registration


Conclusion


Easy to use

Same User Interface as the other process in OMNITRACKER

Create new Risks and manage & monitor them

Intuitive workflow-based solution

Generic information model, easy adaptable and extensible

Integration with other OMNITRACKER processes

Based on best-practices in the market

Allows organizations to increase efficiency & maturity level

Conclusion


Questions ?

Thanks for your attention!


OMNINET GmbH

D-90542 Eckental

[email protected] – http://www.omninet.de

OMNINET Austria GmbH

A-1030 Wien

[email protected] – http://www.omninet.at

OMNINET Technologies NV/SA

B-3018 Leuven

[email protected] – http://www.omninet.be

OMNINET Nederland

NL-2517 Den Haag

[email protected] – http://www.omninet.nl

OMNINET Russia

RUS-Moscow 121099

[email protected] – http://www.omninet.ru

OMNINET GmbH (Schweiz)

CH-3072 Ostermundigen

[email protected] – http://www.omninet.ch

OMNINET USA

US-New York, NY 10011

[email protected] – http://www.omninet.biz

OMNINET Software Solutions

OMNITRACKER Risk Management application Benelux Breakfast Seminar

Software

Transcript of OMNITRACKER Risk Management application Benelux Breakfast Seminar