OMNITRACKER Risk Management application Benelux Breakfast Seminar
26.02.2014 © OMNINET Risk Management Breakfast Seminar
OMNITRACKER Breakfast Seminar
Risk Management
Application Template
Presenters
Breakfast Session
Breakfast Seminar Concept
Blend between Presentation/demo and Breakfast
Please feel free to keep enjoying the breakfast during the presentation/demo
Breakfast Session: Agenda
Agenda:
Powerpoint Presentation / Live Demo: 90 min.
General Risk Management principles (Part 1 – John Bun)
Break (10 mins)
Risk Management Template Features (Part 2 – Ruud Dolmans)
Live Demo
Breakfast Session: Organisation
Presentation / Demo
Live Demo is supported by a powerpoint presentation
The items in the powerpoint will be explained in more detail via a Live Demo
General Risk Management principles
John Bun
IT Service Management / Strategy / Managing consultant at CTG
What is a Risk?
Risk Management
Agenda:
General Risk Management principles
What is a Risk?
What is Risk Management?
Risk types and examples
Risk Strategies & Risk Phases
Risk Management Principles
Risk Management Frameworks
Summary
Definition of a Risk
What is a risk?
Risk syntax: Risk of <loss or damage to asset> due to <event> caused by <cause>
Risk example: Loss of datacenter due to power outage caused by poor UPS maintenance
Impact: Datacenter outage
Event: Power Outage
Control: UPS
Vulnerability: poor maintenance
What is Risk Management?
Process to Protect against Threats
Risk Management Sources
Risk Assessment Scope:
1. Complete IT provisioning
2. Infrastructure (datacenter, networks, etc)
3. Project
4. Change Request
5. Organization
6. Information
7. IT Process
8. …
Risk Management: Events & Categories
IT Risk Categories
Risk Phases
Identification
Assessment
Analysis & Mitigation
Monitoring
Step 1: Risk Identification
Identification
Assessment
Analysis & Mitigation
Monitoring
Power Supply & UPS systems
Extreme weather conditions
Cyber Attack
Human Errors
HVAC
IT Equipment failures
Step 1: Risk Identification
Lack of time
Lack of capability
Hardware not in time
Subcontractor will underperform
Customer resources not in time
Delayed Decision Making
Step 1: Risk Identification - TIPS
Use the structure as a basis for risk identification
Be thorough….but not absurd
Develop a list which is as complete as possible
Assign risk identification tasks to different people
Do not analyse the risks in this phase
Step 2: Risk Assessment / Risk rating
Prioritize based on frequency and impact (Quantify and Qualify)
[Figure: risk rating diagram; labels: event, High probability, Large impact, Low Risk, Moderate Risk, High Risk]
Step 2: Risk Assessment – Risk Map
[Figure: risk map with axes Probability / Frequency (Low, Medium, High) and Impact (Low, Medium, High); plotted risks: Cyber Attack (DDoS), Human Errors, HVAC, Power Supply & UPS Systems, Extreme weather conditions, IT Equipment Failures]
Step 2: Risk Assessment - TIPS
Rank analyzed risks (highest to lowest)
Define Impact & Frequency
Use quantitative ranking where possible, otherwise use qualitative ranking
Prioritize risks as a team
Do not plan mitigation strategies at this time
Step 3: Risk Analysis & Mitigation
Ways to handle risks
Step 3: Risk Analysis (Examples)
Mitigation strategies: Avoid, Reduce, Transfer, Accept
Power & UPS systems: Test & maintain UPS System components
Cyber Attack (DDoS): DDoS detection service & multiple telco providers
HVAC: HVAC Service Provider; Maintenance activities
Human Errors: Training & Four-eyes principle
IT Equipment Failures: Lifecycle Management
Extreme weather conditions: Accept
Step 3: Risk Mitigation - TIPS
Work down prioritized risk listing
Create various Risk Action Plan alternatives
Evaluate as many alternatives as possible
Incorporate milestones into risk management/project plan (schedule measures)
Step 4: Risk Monitoring
Step 4: Monitoring - Action Plans & Measures
Link to frameworks and certifications
Final thoughts
Analyzing and calculating risks is an everyday aspect of life
Weave risk management practices into the daily project or service management practices
Create awareness among the staff of the importance of risk management
Make risk management a part of the corporate culture
Create risk matrices to analyze risks from different perspectives (legal, financial, etc…)
What should you definitely remember?
The mystery?
The mystery behind:
1. on time &
2. on budget &
3. meeting customer expectation (quality)
Well executed “Risk Management”
Time for a break!
Risk Management Template features &
Live Demo
Ruud Dolmans
Presales Consultant at OMNINET
OMNITRACKER Layered Structure
OMNITRACKER: Layered Architecture
Risk Management Center at a glance
OMNITRACKER Risk Management Center at a glance
Solution to cover the entire process from
Fast & easy recording of risks,
Assessing them,
Analysing them
Determining the strategy to mitigate
up to planning and controlling measures to be taken
(monitoring)
OMNITRACKER Risk Management Center at a glance
High level features:
Easy to use risk management
Structured, controlled and centralized management of Risks
Risks are administered and monitored in OMNITRACKER through workflows
Systematic approach for more efficiency, professionalism & cost reduction
Integration with other OMNITRACKER processes
Possibility to use it through the entire organization
Based on best-practices
Risk Management Center general features
Efficient Risk Management with OMNITRACKER Risk Management
General OMNITRACKER Risk Management features
Risk catalogue
• Categorization in category Tree
• Freely definable
• Adaptable
Risk
• Risk definition
• Risk Rating & Prioritization
• Categorization
• Lifecycle
Action Plans
• Strategy
• Bundle of measures
Measures
• Actions to monitor risk
Efficient Risk Management with OMNITRACKER Risk Management
Generic information model, easily adaptable and extensible
Workflow based
Transparency about the current state and progress for all stakeholders
Rule-based notifications and mails after state transition, new risks, etc.
Periodic or event-driven reporting
The display of risks in a risk map allows management to focus on the highest risks
Standard search & filter functions
Integrated standard OMNITRACKER functionality
Abstraction Levels
Risk catalogue
Risk
Action Plan
Measure
OMNITRACKER Risk Management
Risk catalogue:
Categorization of risks
Risks:
Describe the unexpected deviation from targets or
consequences of requirements which are not fulfilled
Risk lifecycle
Action plans:
Define the strategy of the risk handling (Avoid, reduce,
transfer or accept)
Bundle of measures/actions which belong logically
together
Several measures to be taken for implementation of the
strategy
Measures:
Define specific actions and measure points, which are
determined to apply the risk strategy
Contain a “time plan”, i.e. a one-time or repeated procedure of measures, which are monitored
Risk Catalogue
Example of tree structure of risk catalogue
Risk catalogue:
Categorization
Modelled as category tree:
Extensible
Adaptable
The risk catalogue is administered by the risk manager
Can be used e.g. for reporting purposes
Risk
Risk Lifecycle / Workflow States
Risk Responsible
Risk definition & information
Risk Rating & Prioritization
Categorization
OMNITRACKER Risk Management: Workflow of a Risk
Creation
Identification
Assessment
Analysis
Monitoring
Closed
Creation: Recording of a potential risk
Identification: Risk manager evaluates the risk qualitatively and identifies problem fields as well as the person responsible for processing the risk
Assessment: Risk responsible carries out a high-level risk assessment (impact, probability)
Quantitative assessment (financial impacts)
Analysis: Risk responsible analyses reasons, identifies the potential loss and evaluates the worst case scenario of a risk
Contingency plans, action plans, measures
Monitoring: Carry out measures
Audits
Continuous monitoring of carrying out measures by the risk responsible
Closed: Risk does not exist anymore
Action Plans
Can e.g. focus on one specific risk aspect (root cause)
Define action plan
Choose strategy
Action Plans: Strategy
Risk strategy:
Avoid
Reduce
Transfer
Accept
This is standard best-practice
in Risk Management!
Action Plans
Strategy is defined
Contains one or more measures
Bundle of measures/actions which belong logically together
Several measures to be taken for implementation of the strategy
Measures
Measure form
Actions to be carried out by measure
responsible
Assign a responsible for the measure
Can be scheduled
We can define start date & end date
Interval to carry out the measure regularly
User Roles
OMNITRACKER Risk Management User Roles
The following user roles are out-of-the-box integrated in the OMNITRACKER Risk
Management Center process template. Based on these roles, permissions are defined:
Risk Manager:
General responsibility over Risk Management process
Group members are responsible for the risk identification
Responsible for accepting or rejecting a recorded, potential risk
Accepted risks are delegated to a specific member of the user group “Risk
Responsible”
Risk Responsible:
Responsible for a risk, to assess and to analyse the risk as well as to define suitable
(counter-)measures
Monitoring that the defined measures are taken and implemented
Can be selected as responsible for specific measures
Risk Management Users:
All persons that are allowed to record risks and have access to Risk Management
process
After a risk is recorded, it is sent to the user group “Risk Manager”
Efficient Risk Management with OMNITRACKER Risk Management
Summary
Risk catalogue
• Categorization in category Tree
• Freely definable
• Adaptable
Risk
• Risk definition
• Risk Rating & Prioritization
• Categorization
• Lifecycle
Action Plans
• Strategy
• Bundle of measures
Measures
• Actions to monitor risk
Live Demo
Demo Case
Creating a Risk
Live Demo Case: Datacenter Outage
Datacenter Outage
A datacenter outage of two hours costs 900.000 USD. This is about 684.000 € or about 5700 € per
minute. The numbers are based on a study in the US in December 2013 conducted at 67 datacenters,
calculating the costs of datacenter outages for organizations with revenue models that depend on the
datacenter's ability to deliver IT & networking services to those companies.
Statistical root causes of system failures:
UPS battery failure (55 cases)
UPS capacity exceeded (46 percent)
UPS equipment failure (27 percent)
Accidental / human error (48 percent)
Heat related/CRAC failure (29 percent)
Cyber attack (34 percent)
IT equipment failure (33 percent)
Water incursion (32 percent)
Weather related (30 percent)
PDU/circuit breaker failure (26 percent)
Source: Study in December 2013 by the Ponemon Institute, in collaboration with Emerson Network Power
Datacenter Outage cost (in Euro)
[Chart: Datacenter Outage cost per minute (in Euro): 4000 in 2010, 5700 in 2013]
[Chart: Datacenter Outage cost per hour (in Euro): 240000 in 2010, 342000 in 2013]
• About 40% increase in cost in comparison to 2010
• 52% of respondents believe all or most of the unplanned outages could have been prevented.
Source: Study in December 2013 by the Ponemon Institute, in collaboration with Emerson Network Power
Live Demo Case: Datacenter Outage
Demo steps:
Overview of general structure in Risk Management Center
Process Template
Creation of the Risk
Identification and assessment on a high level
Analysis and definition of action plans & measures
Monitoring state
State closed
Risk Workflow: Creation
Steps:
Every member of group “Risk Management User” can create risks
Specify title and description
Optional: Adding of attachments to describe the risk and to display
possible scenarios of impacts
By sending the risk it is transferred to the users of group “Risk
Manager” for identification
Creation Identification Assessment Analysis Monitoring Closure
Risk Workflow: Identification
Steps:
Members of the group “Risk Manager” receive an email to identify
the risk
Qualitative high-level assessment of the risk
Specify a risk category
Identify dependencies to existing risks or other business objects (e.g.
contracts, change requests)
Assign the responsibility to one risk responsible
Risk Workflow: Assessment
Steps:
The risk responsible receives an email to assess the risk
The assessment takes place with regard to:
1. Impact
2. Probability (likelihood of occurrence)
Financial impacts
Specify risk root cause (risk driver and reasons for the risk)
Risk Workflow: Analysis
Steps:
Impact analysis by risk responsible
Identify main reasons
Definition of worst case scenario
Specify one or more action plans & measures
Specify an Emergency Plan:
Describing actions, which have to be carried out in case of an emergency
Description of the remaining risk
Risk Workflow: Monitoring & Closure
Steps:
Risk responsible continuously monitors that the defined measures
are taken
Carries out audits
Risk Workflow: Monitoring & Closure
Closure:
If a risk does not exist anymore, it will be closed by the risk
responsible
After closure, the risk responsible, risk manager and the responsible
of the measures receive an email notification
Risk and action plan will be automatically closed
The measures are closed manually by the responsible after a final
verification
Reporting
OMNITRACKER Risk Management: Reporting
Several Pre-defined reports
Easy and flexible adaptation of existing reports
Creation
on demand
time-triggered
Event-triggered
Risk- and Measure- State:
Grouping functionality
Filtering and sorting by state, risk-level, etc
Risk Map
Individual Risk Assessment (Risk Report)
Integration with other OMNITRACKER
Application Templates
OMNITRACKER Integration
Integration with all OMNITRACKER processes:
Examples:
Integration with ITSM Center Application Template:
Risks can be added to all ITIL processes (e.g. Change Management)
A new tab will be created for this
Integration with Project Management Center Application Template:
Risks can be added to all projects
A new tab will be created for this
Possible integration with Activity Management:
Integration for e.g. Scheduled Activities and Time registration
Conclusion
Easy to use
Same User Interface as the other processes in OMNITRACKER
Create new Risks and manage & monitor them
Intuitive workflow-based solution
Generic information model, easily adaptable and extensible
Integration with other OMNITRACKER processes
Based on best-practices in the market
Allows organizations to increase efficiency & maturity level
Questions ?
Thanks for your attention!
OMNINET GmbH
D-90542 Eckental
http://www.omninet.de
OMNINET Austria GmbH
A-1030 Wien
http://www.omninet.at
OMNINET Technologies NV/SA
B-3018 Leuven
http://www.omninet.be
OMNINET Nederland
NL-2517 Den Haag
http://www.omninet.nl
OMNINET Russia
RUS-Moscow 121099
http://www.omninet.ru
OMNINET GmbH (Schweiz)
CH-3072 Ostermundigen
http://www.omninet.ch
OMNINET USA
US-New York, NY 10011
http://www.omninet.biz
OMNINET Software Solutions