Management systems are needed for a wide variety of purposes, from running a company to controlling an IT project or complying with a quality, environmental or information security standard. They set out objectives and give management proven methods for achieving them, together with the associated control and monitoring mechanisms. This book describes how risk management, a core process that practically every such management system requires, works. The main feature of the model is the cyclical repetition of identifying and evaluating opportunities and risks, which results in all necessary control measures being taken, in particular the application of suitable risk treatment options. Another feature is its continuous improvement. The book deals with the economics of risk management and offers suggestions for optimization using proven IT methods such as standardization and automation.
Page count: 51
Stefan Luckhaus
Mastering Opportunities and Risks in IT Projects
Identifying, anticipating and controlling opportunities and risks:
A model for effective management in IT development and operation.
© 2018 Stefan Luckhaus
Publisher: tredition GmbH, Hamburg
ISBN
Paperback 978-3-7439-9847-6
Hardcover 978-3-7439-9848-3
e-Book 978-3-7439-9849-0
Printed in Germany
The work, including its parts, is protected by copyright. Any use without the consent of the publisher and the author is prohibited. This applies in particular to electronic or other reproduction, translation, distribution and making publicly available.
The translation of this book was supported by www.DeepL.com/Translator.
Contents
Introduction
A model for managing opportunities and risks
Identify and evaluate risks
Selection of specific goals
Analysis of the influencing variables
Quantification and assessment of risks
Quantification and assessment of the damage
Comprehensive evaluation of the specific goals
Focus on the risk profile
Control risks
Prerequisites for the current risk level
Treatment of residual risks
Management reviews
Risk treatment measures
Report on risks
(1) Tabular display as of the reporting date
(2) Diagrams
(3) Key figures
Continuous improvement of the management system
Improving effectiveness
Improving efficiency
Suggestions for practical use
Design for efficiency
Distributed risk assessment
Threat catalogues
Sets of rules
Machine learning
Conclusion
Glossary
Bibliography
About the author
Book recommendations
Introduction
The future is not fixed, and that applies to IT projects as well. If we want to reach a certain state in the future (a goal or objective), we are usually confronted with so many influences on our path towards it that we can neither count them all nor keep them all in view.
We may simply be driven by these influences, but we can also analyze them and distinguish disturbing from favoring influences with respect to achieving the goal. This allows us to reduce or completely avoid the effects of disturbing influences (referred to in this book as threats or risks) and, conversely, to promote the effects of favoring influences (referred to below as opportunities).
Figure 1 uses an everyday example to illustrate how different threats can influence the path to a goal, here the adherence to an agreed delivery date. If these influences are neither recognized nor countered, they lead to a deviation from the planned direct path; in the worst case, the goal is not achieved.
Figure 1: Example of influencing variables for goal achievement
This simple principle can be found in many modern management systems. They show the management goals in a certain context, and ways to achieve them; the paths stand for proven methods for achieving particular types of goal.
In modern management systems, the analysis of opportunities and risks is a core process and an important input for controlling goal achievement. Every corporate management is based on a management system and is thus oriented towards opportunities and risks; the same holds, for example, for organizations that deliver IT projects, whose management systems are usually based on proven process models. Other areas of application are topic-specific, standardized management systems such as
• Quality management systems according to DIN EN ISO 9001 [DIN EN ISO 9001 2015],
• Information security management systems according to ISO/IEC 27001 [ISO/IEC 27001 2015] and
• Environmental management systems according to ISO 14001 [ISO 14001 2015].
This book describes a model for managing opportunities and risks that can be used in all risk-oriented management systems. It is based on practical experience from the areas of software development and IT operations, but is also likely to be transferable to other industries.
Since many terms in the context of risk management are used in practice with different meanings, this book contains a glossary giving the definitions used here. In the text, a term is underlined with dashes whenever its glossary definition matters for understanding.
References to further literature are given in square brackets and are specified in the bibliography.
A model for managing opportunities and risks
Risk management is a core process of many management systems. The term is often used as shorthand for the management of opportunities and risks, with the opportunities dropped. Such a process is mainly not a matter of a suitable tool, but of defining and establishing the interaction of roles, processes and methods together with appropriate control and monitoring mechanisms. Figure 2 shows the schematic diagram of a simple and proven risk management model.
The three management levels of an organization described below [Bleicher 2017] form the roof of the model depicted as a house.
• Normative management: the so-called top management, which defines principles, guidelines and standards.
• Strategic management is responsible for the development and planning of procedures to meet the requirements of normative management.
• Operational management is responsible for the practical implementation of the procedures planned by strategic management.
Figure 2: Model for managing opportunities and risks
The organization and thus all management levels are driven by the same objectives or goals, which in turn are exposed to the most diverse influences - opportunities as well as risks. Depending on the context, these can be company goals or goals that are pursued with a project.
Under the direction of operational management, the opportunities and risks affecting these goals are identified and evaluated in an analysis and then managed with suitable control measures. Triggered by a review, the most sustainable improvement measures possible are identified and their implementation initiated as far as this is economically sensible and feasible. The whole process then starts over and is repeated in regular cycles.
In this model, the risk portfolio is the evaluated set of all potential opportunities and risks with regard to the goals of the organization or project under consideration. The risk profile, in contrast, is the selection of precisely those entries in the risk portfolio whose evaluation requires risk-reducing measures or explicit acceptance of the residual risk by management. The risk profile can grow or shrink from cycle to cycle and is always a subset of the risk portfolio.
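The relationship between risk portfolio and risk profile, and the way one cycle feeds the next, can be written down as a small register. The following Python is an added illustration and is not code from the book; the scoring scheme (probability on a 0..1 scale multiplied by an ordinal impact of 1..5, with a threshold of 1.0) and the sample entries for a delivery-date goal are assumptions for this example, not the book's quantification method, which is described in later chapters.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional


class Kind(Enum):
    RISK = "risk"                # disturbing influence on a goal
    OPPORTUNITY = "opportunity"  # favoring influence on a goal


@dataclass(frozen=True)
class Entry:
    """One line of the risk portfolio: an influence on a goal, with its evaluation."""
    goal: str
    influence: str
    kind: Kind
    probability: float                 # assumed scale: 0.0 .. 1.0
    impact: int                        # assumed ordinal scale: 1 (negligible) .. 5 (goal missed)
    measures: tuple = ()               # risk treatment measures already decided
    accepted_by: Optional[str] = None  # who explicitly accepted the residual risk

    def score(self) -> float:
        # Assumed evaluation: expected loss as probability times impact.
        return self.probability * self.impact


def check_entry(e: Entry) -> None:
    """Reject evaluations outside the assumed scales before they enter the profile."""
    if not 0.0 <= e.probability <= 1.0:
        raise ValueError(f"{e.influence}: probability out of range")
    if e.impact not in range(1, 6):
        raise ValueError(f"{e.influence}: impact must be 1..5")


def risk_profile(portfolio: List[Entry], threshold: float) -> List[Entry]:
    """Risks whose evaluation calls for treatment or explicit acceptance.

    Built by filtering the portfolio, so it is a subset of it by construction.
    """
    for e in portfolio:
        check_entry(e)
    return [e for e in portfolio if e.kind is Kind.RISK and e.score() >= threshold]


def unresolved(profile: List[Entry]) -> List[Entry]:
    """Profile entries with neither a treatment measure nor an acceptance: the cycle cannot close on them."""
    return [e for e in profile if not e.measures and e.accepted_by is None]


def treat(e: Entry, measure: str, new_probability: float) -> Entry:
    """Record a treatment measure together with the re-evaluated probability for the next cycle."""
    return replace(e, measures=e.measures + (measure,), probability=new_probability)


def accept(e: Entry, who: str) -> Entry:
    """Record management's explicit acceptance of the residual risk."""
    return replace(e, accepted_by=who)


# Constructed sample portfolio for the goal "keep the agreed delivery date".
PORTFOLIO = [
    Entry("delivery date", "key developer unavailable", Kind.RISK, 0.3, 4),
    Entry("delivery date", "third-party library update breaks the build", Kind.RISK, 0.5, 3),
    Entry("delivery date", "test environment outage", Kind.RISK, 0.1, 2),
    Entry("delivery date", "customer drops a feature from scope", Kind.OPPORTUNITY, 0.2, 3),
]
THRESHOLD = 1.0  # assumed: a score at or above this requires a decision


def cycle(portfolio: List[Entry], threshold: float = THRESHOLD):
    """One pass of identify/evaluate: returns the profile and the entries still needing a decision."""
    profile = risk_profile(portfolio, threshold)
    return profile, unresolved(profile)


if __name__ == "__main__":
    profile, todo = cycle(PORTFOLIO)
    print(f"portfolio: {len(PORTFOLIO)} entries, profile: {len(profile)}, undecided: {len(todo)}")
    for e in profile:
        print(f"  {e.influence:45} score={e.score():.1f}")
    # Next cycle: one risk treated, one explicitly accepted; the profile shrinks.
    nxt = [treat(e, "pin library versions", 0.2) if e.influence.startswith("third-party")
           else accept(e, "project manager") if e.influence.startswith("key developer")
           else e for e in PORTFOLIO]
    profile2, todo2 = cycle(nxt)
    print(f"next cycle: profile {len(profile2)}, undecided {len(todo2)}")
```

Running the first cycle puts two of the three risks into the profile (the outage scores 0.2 and stays in the portfolio only); the opportunity is evaluated but never enters the profile. In the second cycle the treated risk falls below the threshold and leaves the profile, while the accepted one remains in it but is no longer undecided. Anything left in the undecided list is what a management review has to settle before the cycle can close.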