Risk Assessment Excel Template

IT PROJECT MANAGEMENT

OVERVIEW AND RISK ASSESSMENT

For each item, the expected mitigating control elements are listed under the components Control Environment, Risk Assessment, Control Activities, Monitoring, and Information and Communication. The assessor then records whether the mitigating control elements, or equivalent practices, are present (check Yes or No), a judgment as to the residual risk of project failure (check High, Medium, or Low), and a comment and/or ARC reference.

Item 1: Business-IT Alignment

Risk: The objectives of the IT project are not aligned with the overall mission-oriented strategy of the campus, medical center, or laboratory, and therefore entity resources are being mis-allocated by allowing them to flow to the project.

Control Environment: 1. Management expects that IT projects will serve, or will be essential components of programs that serve, the campus, medical center, or laboratory's mission. 2. Responsibility for IT projects includes a role assigned at an organizational level that is able to view proposed IT projects in the context of campus-, medical center-, or laboratory-level mission-oriented strategy.

Control Activities: There is a campus, medical center, or laboratory-level process within which IT projects are identified, defined, evaluated, prioritized, and selected so as to ensure strategic alignment with the entity's mission.

Information and Communication: The expectation that IT projects will serve, or will be essential components of programs that serve, the campus, medical center, or laboratory's mission, is communicated to the appropriate recipients.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___

Item 2: Application Acquisition, Development, or Maintenance

Risk: Within IT projects, IT solutions that involve application acquisition, development, or maintenance, emerge in an uncontrolled way, and thus do not end up meeting the originating needs.

Control Environment: Management expects that in the case of application acquisition, development, or maintenance, all necessary natural sub-steps will be followed.

Control Activities: A consistent approach, compliant with IS-10, to IT solutions that involve application acquisition, development, or maintenance, is followed.

Information and Communication: The expectation that application acquisition, development, or maintenance solutions will follow a naturally phased process, is communicated to the appropriate recipients.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 3: Project Execution--Defined, Consistent Approach

Risk: Extra time, and/or failure to achieve deliverables consistently, because the execution process is re-invented with each project.

Control Environment: 1. Management expects that IT projects will be managed in accordance with an explicitly defined approach that addresses project initiation, planning, executing, controlling, and closing. 2. IT project management is assigned at an organizational level that ensures a consistent approach for all projects.

Control Activities: An explicit project management approach that addresses project initiation, planning, executing, controlling, and closing is used campus-, medical center-, or laboratory-wide.

Information and Communication: The expectation that IT projects will be managed in accordance with an explicitly defined approach, is communicated to the appropriate recipients.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___

Item 4: Project Execution--Stakeholder Commitment

Risk: Unclear responsibilities and accountabilities for ensuring cost control and project success; insufficient stakeholder participation in defining requirements and reviewing deliverables; reduced understanding and delivery of business benefits.

Control Environment: The commitment and participation of key stakeholders, including management of the affected user department and key end users in the initiation, definition and authorization of a project, is obtained.

Control Activities: Ongoing involvement includes, but is not limited to, project approval, project phase approval, project checkpoint reporting, project representation at the campus-, medical center-, or laboratory-level of governance, project planning, product testing, user training, user procedures documentation and project communication material development.

Information and Communication: During project initiation, ongoing key stakeholder commitment and roles and responsibilities for the duration of the project life cycle are outlined.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 5: Project Execution--Scope Statement

Risk: Misunderstanding of project objectives and requirements; failure of projects to meet business and user requirements; misunderstanding of the impact of this project with other related projects.

Control Activities: It is ensured that key stakeholders and program and project sponsors within the organization and IT agree upon and accept the requirements for the project, including definition of project success (acceptance) criteria and key performance indicators.

Information and Communication: 1. Stakeholders are provided with a clear, written statement defining the nature, scope and business benefit of every project to create a common understanding of project scope. 2. The project definition describes the requirements for a project communication plan that identifies internal and external project communications. 3. With the approval of stakeholders, the project definition is maintained throughout the project, reflecting changing requirements.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___

Item 6: Project Execution--Phase Initiation

Risk: Lack of alignment of projects to the organization’s vision; wrong prioritization of projects; undetected deviations from the overall project plan; poor utilization of resources.

Control Environment: Criteria for acceptance of project phase deliverables are agreed to by key stakeholders prior to the phase work, and there is an acceptance process based on these criteria.

Control Activities: Approval and sign-off on the deliverables produced in each project phase is obtained from designated managers and customers of the affected business and IT functions.

Monitoring: It is assessed whether the project is on schedule, within budget and aligned with the agreed-upon scope. Identified variances are assessed and the impact on the project plan and realization of expected benefits is identified.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 7: Project Execution--Integrated Plan

Risk: Undetected errors in project planning and budgeting; lack of alignment of projects to the organization’s objectives and to other interdependent projects; undetected deviations from the project plan; project not completed on time and on budget.

Information and Communication: 1. A project plan is developed that provides information to enable management to control project progress. The plan should include details of project deliverables, required resources and responsibilities, clear work breakdown structures and work packages, estimates of resources required, milestones, key dependencies, and identification of a critical path. Interdependencies of resources (e.g., key personnel) and deliverables with other projects are also identified. 2. The project plan and any dependent plans are maintained to ensure that they are up to date and reflect actual progress and material changes. 3. There is effective communication of project plans and progress reports amongst all projects and with campus-, medical center-, or laboratory-level objectives. Any changes made to individual plans are reflected in the other plans.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 8: Project Execution--Resources

Risk: Gaps in skills and resources jeopardizing critical project tasks; inefficient use of resources; contract disputes with outsourced resources.

Control Environment: 1. Resource needs for the project are identified and roles and responsibilities are clearly mapped out, with escalation and decision-making authorities agreed upon and understood. 2. The roles and the responsibilities of other involved parties, including finance, legal, procurement, human resources, internal audit and compliance, are considered and clearly defined. 3. The responsibility for procurement and management of third-party products and services is clearly defined and agreed upon.

Control Activities: 1. Experienced project management and team leader resources with skills appropriate to the size, complexity and risk of the project, are utilized. 2. Third-party relationships are managed.

Information and Communication: Required skills and time requirements for all individuals involved in the project phases are identified in relation to defined roles. Roles are staffed based on available skills information (e.g., IT skills matrix).

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 9: Project Execution--Risk Management

Risk: Undetected project risks; lack of mitigating actions for identified risks; undetected project showstoppers.

Control Environment: 1. A formal project risk management framework that includes identifying, analyzing, responding to, mitigating, monitoring and controlling risks, is established. 2. Appropriately skilled personnel are assigned the responsibility for executing the organization’s project risk management framework within a project.

Risk Assessment: 1. Identifying and quantifying risks is performed continuously throughout the project. 2. Project risks are reassessed periodically, including at entry into each major project phase and as part of major change request assessments.

Control Activities: Risk owners oversee or themselves perform in accordance with their responses to risk communications.

Monitoring: The project issues log is analyzed periodically for trends and recurring problems, to ensure that root causes are corrected.

Information and Communication: 1. Appropriate (i.e., consistent with the project governance structure) risk and issue owners are identified, for responses to avoid, accept or mitigate risks, and risks are communicated to them. 2. A project risk register of all potential project risks, and a log of all project issues and their resolution, are maintained and reviewed.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___

Item 10: Project Execution--Quality Plan

Risk: Project deliverables failing to meet business and user requirements; gaps in expected and delivered quality within the projects; inefficient and fragmented approach to quality assurance; implemented system or changes adversely impact existing systems and infrastructure.

Control Environment: 1. To provide quality assurance for the project deliverables, ownership and responsibilities, quality review processes, success criteria and performance metrics are identified. 2. Any requirements for independent validation and verification of the quality of deliverables in the plan are defined.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 11: Project Execution--Change Control

Risk: Lack of control over project scope, cost and schedule; lost business focus; inability to manage resources.

Control Environment: The individuals (business stakeholders, IT personnel) authorized to make project change requests have been designated by authority at the campus-, medical center-, or laboratory level.

Control Activities: 1. A standard change request form is established, as well as a request process requiring documentation of the requested change and the expected benefits of the change. 2. Change requests are reviewed and the potential effects on the project, including resource requirements and impact on schedule, are estimated. The estimated project impact is documented in the change request. 3. The completed change request is reviewed and the approval or denial of the request by key stakeholders, including business project sponsor and IT project manager, is documented. 4. All approved project change requests are considered and approved at the campus-, medical center-, or laboratory level based on an assessment of the effect the change will have on the other projects. If the requested change should not be implemented, the reasons are shared with the requesting project management team so they can evaluate alternative approaches. 5. For projects involving in-house software development, change control extends to that area, for example in the form of source code control, separation of test-QA-production environments, separation of duties and/or programmatic source code control systems.

Information and Communication: The project and, as necessary, entity-level plans are updated for all approved changes, and approved changes are communicated to all business and IT stakeholders in a timely manner.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 12: Project Execution--Assurance Methods

Risk: Untrustworthy assurance activities; ineffective and/or inefficient assurance activities; accreditation and implementation delays.

Control Environment: The assurance tasks required to ensure compliance with internal controls and security requirements that impact the systems or processes in the scope of the project are defined. Key compliance stakeholders are included in the definition and approval of assurance tasks.

Control Activities: Appropriate subject matter specialists (e.g., audit, security or compliance) are included in the process.

Monitoring: How the assurance tasks will be performed is determined and documented.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___

Item 13: Project Execution--Performance Measurement, Reporting, and Monitoring

Risk: Ineffective reporting on project progress and unidentified issues; lack of control over project progress; loss of focus on customer expectations and business needs. Project financial information is not reflected in the campus, medical center, or laboratory financial reports.

Control Environment: Campus-, medical center-, or laboratory-level criteria exist for project scope, schedule, quality, cost, and level of risk.

Control Activities: 1. Remedial action is implemented as necessary to maintain project performance. 2. Project-related financial transactions are recorded in a way that fully integrates with the campus, medical center, or laboratory's official financial reporting system. Financial transactions are coded in a manner that allows all project related costs to be tracked and reports produced, for example, by establishing activity codes, unique fund or org code number, etc. (terminology may vary by location). If "shadow" systems are used for tracking project-related costs, processes occur that reconcile shadow system information to that in the campus, medical center, or laboratory's official financial reporting system.

Monitoring: 1. Project performance is measured against key project performance criteria. 2. Deviations from established key project performance criteria are analyzed for cause, and entity-level positive and negative effects are assessed. 3. Entity-level changes are monitored, and existing key project performance criteria are reviewed to determine if they still represent valid measures of progress.

Information and Communication: 1. Project progress is reported to stakeholders, along with deviations from established key project performance criteria, and positive and negative entity-level effects. 2. Any necessary changes in project performance criteria are documented and submitted for stakeholders' approval before adoption. Revised criteria are communicated to project managers for use in future performance reports. 3. Remedial action is recommended where necessary.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
Item 14: Project Execution--Closure

Risk: Undetected project management weaknesses; missed opportunities from lessons learned.

Control Environment: Key steps for project closure, including post-implementation reviews that assess whether a project attained desired results and benefits, are defined.

Control Activities: 1. Key steps for project closure are applied. 2. Post-implementation reviews are planned and executed to determine if projects delivered expected benefits and to improve the project management and system development process methodology. 3. Any uncompleted activities required to achieve planned project results and benefits are identified, assigned, communicated, and tracked.

Information and Communication: The lessons learned and key activities that led to delivered benefits are collected from the project participants and reviewers. The data is analyzed, and recommendations are made for improving the project management method for future projects.

Assessment: Mitigating control elements or equivalent practices present (Yes/No): ___ | Residual risk of project failure (High/Medium/Low): ___ | Comment and/or ARC Reference: ___
