Introduction
Risks are part of daily operations for many organizations and enterprises, so developing and implementing a process for systematic risk analysis is crucial. Such a process provides cost-effective measures for risk management by locating the major risks in the operations domain. Risk management itself is the process of making and carrying out decisions that minimize the adverse effects of risk on an organization.
During the course of our work, we have been faced with the need to develop a solution that will optimize the process of tracking and mitigating risk. The entire solution is based on our own needs and requirements.
In the following blog post, we elaborate on how the solution was built. The solution covers three types of risks, for Projects, Practices, and Business Units. Each risk type is handled in exactly the same way, with a slightly modified configuration because each scope affects different categories.
The entire solution was implemented on Jira (Server version), as internally we use Jira to support our own projects and processes. The solution can also be implemented on the Cloud version, where some of the processes can be performed with out-of-the-box Automation for Jira; you can read more in our blog post on Automation for Jira Cloud: https://iwconnect.com/what-you-need-to-know-about-automation-for-jira-cloud/
Risk Management Process
The Risk Management process is an important part of the operations domain. The full cycle of handling risks includes three key phases: Risk Assessment, Risk Handling, and Risk Treatment.
- Risk Assessment is the first phase, where we identify the threats and vulnerabilities, analyze the likelihood of occurrence and the impact, and, based on that analysis, evaluate the risk as High, Medium, or Low priority.
- Risk Handling is the phase where the risk owner, based on the previous analysis, decides how to handle the risk. There are four options:
– Accept the Risk
– Avoid the Risk
– Transfer to third party
– Mitigate the risk
- Risk Treatment is the phase where a risk treatment plan (tasks, controls…) is prepared to reduce or eliminate the occurrence of the risk.
About the solution and building the solution
The solution allows Practice Leads and Managers to create risks pertaining to their project or practice. This is made possible by using Groovy scripting. The permission scheme is set so that users can view only the risks related to their own domain: when a user is added in one of the custom fields (Project, Practice Lead, or Business Unit Manager), that user can view only the risks within that domain. The Groovy script populates these custom fields automatically whenever a risk is created.
Another important feature of the solution is the automatic evaluation of the risks (high, medium, or low). The evaluation is done with Groovy scripting, based on a matrix that was agreed by the ISMS (Information Security Management System) for our company.
The last automation rule created for the solution is the automatic transition into the corresponding status, based on whether the risk owner wants to Avoid, Accept, Transfer, or Mitigate the risk; this was also done with Groovy scripting.
Implementation of the solution
4.1 The process of handling risk in our implementation
The following diagram shows the steps of the process, from ticket creation, to automation rules that help us in deciding how risks are evaluated and how the risk owner decides to handle particular risks using groovy scripting.
4.2 Jira implementation part
In order to have a unified solution that will be applied to all three risk areas, we used the following configuration segments for the Jira project:
First, we need to define the proper issue types, workflow, screens, custom fields, schemas, permissions, filters, and boards. After that, we are going to automate the process by using the custom Groovy post functions and validations.
Custom fields on Create:
- Issue Type (Project Risk, Practice Risk, Business Unit Risk)
- Summary
- Priority
- Project or Practice, depending on the issue type
- Category (Human Resource skills, Human Resource number, Technical Resources, Budget, Time Constraint, Security, Other)
- Risk Owner/s
- Assignee
Custom Fields on Edit/View:
- Threats and vulnerability
- Likelihood (Low:1, Medium:2, High:3)
- Impact (Low:1, Medium:2, High:3)
- Risk Evaluation
- Risk Handling (Decided by Risk Owner/s)
– Avoid the Risk: decide not to start or continue the activity that gives rise to the risk (withdraw from the situation/action).
– Accept the Risk: be aware that the risk can happen, and start or continue the activities.
– Mitigate: plan and implement actions to reduce the risk.
– Transfer: transfer the risk to a third party.
- Risk Control Plan
4.3 Workflow Process
The second step is defining a workflow with statuses and transitions that represent the entire risk management lifecycle. At a higher level, the process consists of risk assessment and risk treatment, and it is conducted according to the adopted risk management methodology for dealing with risks in projects, practices, and business units. This methodology is divided into the following phases/steps, and each issue type follows the same workflow:
1. Risk Assessment
- Risk identification – Assessment of relevant threats and vulnerabilities, risk owner, and category identification.
- Risk Analysis – Analysis of the likelihood of the threats occurring and of their impact.
- Risk Evaluation – Evaluating the possibility of risk occurrence and estimating effects of the impact.
2. Risk Handling – After analyzing and reviewing all previously entered parameters and values, and considering the output of the risk evaluation, a risk handling value should be entered.
3. Risk Treatment – Prepare a risk treatment plan (tasks, controls…) to reduce or eliminate the occurrence of the risk.
4.4 Automation process using Groovy scripts
- On Create transition:
For a Practice Risk, when the reporter selects the practice and the ticket is created, the custom fields Practice Lead and BUM are populated dynamically with the Practice Lead and BU Manager of that particular practice or unit. For a Project Risk, the user-picker custom field Project Lead is populated with the project lead of the project that the risk affects.
- Risk Evaluation – on Analyze transition:
Depending on the impact and likelihood, the risk is evaluated as Low, Medium, or High, based on the risk management matrix agreed by the Information Security Committee (ISC) at ⋮IWConnect. The risk evaluation methodology is decided by the organization itself and may differ depending on how the organization wants to handle its risks.
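As an added example, not ⋮IWConnect's own script, the following ScriptRunner post function for the Analyze transition implements this evaluation. The custom field names Likelihood, Impact and Risk Evaluation are taken from the field list above; that they are single-select lists with options Low/Medium/High, and the product-based 3x3 matrix (score 1 to 2 Low, 3 to 4 Medium, 6 to 9 High), are assumptions, since the post does not publish the ISC-approved matrix.

```groovy
// Added example, not the original ⋮IWConnect script.
// ScriptRunner post function on the "Analyze" transition: derive Risk Evaluation
// from Likelihood and Impact. Assumed: all three are single-select custom fields
// with options "Low", "Medium", "High"; the matrix below is a placeholder.
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.issue.customfields.option.Option
import com.atlassian.jira.issue.fields.CustomField

// Assumed matrix: score = likelihood x impact with the weights listed on the page
// (Low:1, Medium:2, High:3); 1-2 Low, 3-4 Medium, 6-9 High.
// Replace with the matrix your ISC/ISMS approved.
String evaluate(String likelihood, String impact) {
    Map<String, Integer> weight = [Low: 1, Medium: 2, High: 3]
    Integer l = weight[likelihood], i = weight[impact]
    if (l == null || i == null) return null   // field empty or unexpected option
    int score = l * i
    score >= 6 ? 'High' : (score >= 3 ? 'Medium' : 'Low')
}

// Look a field up by name; fail loudly rather than silently skipping evaluation
CustomField field(String name) {
    def cf = ComponentAccessor.customFieldManager.getCustomFieldObjectsByName(name).find()
    if (!cf) throw new IllegalStateException("Custom field '${name}' not found")
    cf
}

CustomField likelihoodCf = field('Likelihood')
CustomField impactCf     = field('Impact')
CustomField evalCf       = field('Risk Evaluation')

// 'issue' and 'log' are the bindings ScriptRunner provides to post functions
String likelihood = (issue.getCustomFieldValue(likelihoodCf) as Option)?.value
String impact     = (issue.getCustomFieldValue(impactCf) as Option)?.value
String level      = evaluate(likelihood, impact)

if (level) {
    // Resolve the Option object that is valid for this issue's field configuration
    def options = ComponentAccessor.optionsManager.getOptions(evalCf.getRelevantConfig(issue))
    Option target = options.find { it.value == level }
    if (target) {
        // Setting the value on the in-flight MutableIssue is persisted by the standard
        // post functions that follow, so keep this script above
        // "Update change history for an issue and store the issue in the database".
        issue.setCustomFieldValue(evalCf, target)
    } else {
        log.warn("Risk Evaluation has no option '${level}' for ${issue.key}")
    }
} else {
    log.warn("Likelihood/Impact not set on ${issue.key}; Risk Evaluation left unchanged")
}
```

Pairing this with a Groovy validator on the same transition that rejects Analyze when Likelihood or Impact is empty keeps an unevaluated risk from reaching Risk Handling.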
- Risk Handling – on Mitigate transition:
The status transitions automatically based on how the Risk Owner wants to handle the risk: Avoid, Accept, or Transfer. This removes one manual step: once the risk owner has decided how to proceed with the risk, moving it to the next status is automated.
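The Mitigate-transition automation, as an added example that is not taken from the original solution: a ScriptRunner post function that reads Risk Handling and fires the matching workflow transition. The field name and the option names come from the field list above; the transition IDs are placeholders to be read from your own workflow, and it is assumed that a Mitigate choice leaves the issue in the treatment step.

```groovy
// Added example, not the original ⋮IWConnect script.
// ScriptRunner post function on the "Mitigate" transition: move the risk to the
// status matching the Risk Owner's choice in "Risk Handling".
// Assumed: "Risk Handling" is a single-select field; the transition IDs are
// placeholders, read the real ones from the workflow editor.
import com.atlassian.jira.bc.issue.IssueService
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.issue.customfields.option.Option

// Risk Handling option -> workflow transition id (placeholder ids).
// "Mitigate" is deliberately absent: the risk stays in Risk Treatment.
Map<String, Integer> transitionFor = [
    'Avoid the Risk' : 41,
    'Accept the Risk': 51,
    'Transfer'       : 61,
]

def handlingCf = ComponentAccessor.customFieldManager
    .getCustomFieldObjectsByName('Risk Handling').find()
String handling = handlingCf ? (issue.getCustomFieldValue(handlingCf) as Option)?.value : null
Integer actionId = transitionFor[handling]

if (actionId == null) {
    log.info("No automatic transition for Risk Handling='${handling}' on ${issue.key}")
    return
}

IssueService issueService = ComponentAccessor.issueService
def user = ComponentAccessor.jiraAuthenticationContext.loggedInUser

// validateTransition enforces the same checks as a manual transition: the action
// must exist from the current status, the acting user must be allowed to transition,
// and the target transition's conditions and validators must pass. The script
// therefore cannot be used to bypass workflow restrictions.
def validation = issueService.validateTransition(
    user, issue.id, actionId, issueService.newIssueInputParameters())

if (!validation.valid) {
    log.warn("Auto-transition ${actionId} refused for ${issue.key}: ${validation.errorCollection}")
    return
}
def result = issueService.transition(user, validation)
if (!result.valid) {
    log.warn("Auto-transition ${actionId} failed for ${issue.key}: ${result.errorCollection}")
}
```

Because this fires while the Mitigate transition itself is still completing, place it as the last post function, after the reindex step. ScriptRunner's built-in "Fast-track transition an issue" post function does the same job with a condition instead of a script and is the simpler choice when no extra logic is needed.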
- Assign/De-assign Member to Project as Team lead request:
Because there are many Team Leads and they change very often, it is difficult to keep this list synchronized. When a user has been approved as the Team Lead of a particular project through a JSD request, the script adds or removes that user in the Project Lead group in user management on the In Progress transition. This group is used to give specific users the ability to create risks in the project.
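For the group synchronization, an added example that is not the original JSD script: a ScriptRunner post function on the request's In Progress transition. The user-picker field Team Lead, the select field Action with options Assign/De-assign, and the group name are assumed placeholders; only the idea of adding or removing the approved user in the Project Lead group comes from the post.

```groovy
// Added example, not the original ⋮IWConnect script.
// ScriptRunner post function on the JSD request's "In Progress" transition:
// add or remove the approved user in the group that grants "create risk".
// Assumed field/group names (placeholders): user picker "Team Lead", single
// select "Action" with options "Assign" / "De-assign", group "risk-project-leads".
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.issue.customfields.option.Option
import com.atlassian.jira.user.ApplicationUser

final String GROUP_NAME = 'risk-project-leads'

def cfm = ComponentAccessor.customFieldManager
def leadCf   = cfm.getCustomFieldObjectsByName('Team Lead').find()
def actionCf = cfm.getCustomFieldObjectsByName('Action').find()

ApplicationUser lead = leadCf ? (issue.getCustomFieldValue(leadCf) as ApplicationUser) : null
String action = actionCf ? (issue.getCustomFieldValue(actionCf) as Option)?.value : null

def groupManager = ComponentAccessor.groupManager
def group = groupManager.getGroup(GROUP_NAME)

if (!lead || !group || !action) {
    log.warn("${issue.key}: missing lead (${lead}), group (${group}) or action (${action}); no change made")
    return
}

// Idempotent: check membership first so re-running the transition is harmless,
// and log every change so group membership stays auditable from the request key.
boolean member = groupManager.isUserInGroup(lead, group)
switch (action) {
    case 'Assign':
        if (!member) {
            groupManager.addUserToGroup(lead, group)
            log.info("${issue.key}: added ${lead.username} to ${GROUP_NAME}")
        }
        break
    case 'De-assign':
        if (member) {
            groupManager.removeUserFromGroup(lead, group)
            log.info("${issue.key}: removed ${lead.username} from ${GROUP_NAME}")
        }
        break
    default:
        log.warn("${issue.key}: unknown action '${action}'")
}
```

Keep the group's rights minimal: grant it only the Create Issues permission in the risk project, so that an approved JSD request can never confer more than the ability to raise risks.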
4.5 Kanban board configuration
The best-suited issue presentation for this solution is the Kanban board, which we configured so that issues are shown as cards with the most relevant information about each risk. In the columns section we set up the statuses of the risks, and for the swimlanes we used the risk types, generated with a simple JQL query. As a final touch, in the issue detail view section we added the custom fields that carry the important risk information, such as threats and vulnerabilities, risk evaluation, owner, and how the risk is being handled.
Benefits and results
This type of unified solution prepares the organization for unexpected events, saves its reputation, and minimizes the risks and costs of handling risks before they happen.
The other benefits of risk management are:
- Regulatory requirements in some industries and countries
- Reduced uncertainty for the future
- Learning, improvement, and awareness about the risks
- Tool for making the right decisions
- Proper projection of performance results
- Improved culture
Another important benefit for the Managers and Practice Leads is the system dashboard with filters and gadgets which provide a global perspective in terms of risks on all three levels: Projects, Practices, and BU. Thus, risk management provides:
- Well-Structured Risk Identification Process
- A centralized place for tracking, monitoring, and mitigating risks
- Better data quality for decision making
- More efficient, consistent operations
- More complex/thorough risk analysis to increase organizational effectiveness
- Improved report generating ability (i.e. charts, data presentation) to show to management and operations
- Significantly less administrative data entry compared with the Excel spreadsheets used previously
- Standardized risk reporting
- Automated processes from the time-saving perspective
Conclusion
There is no doubt that every organization these days should have a well-designed risk management process and framework that helps identify potential and unwanted threats or risks quickly and easily. Risk management allows organizations to prepare for the unexpected by minimizing risks and extra costs before they happen.
Our model was developed and implemented for our own needs and purposes, but it can also be applied to other organizations with a different or similar configuration, depending on their risk management methodology, organizational structure, etc., so feel free to contact us with any questions or for consultations.