The risk management plan specifies responsibilities, which provides accountability. If responsibilities are not assigned, tasks can easily be missed. Responsibilities can be assigned to:
It is important to ensure that any entity assigned a responsibility also has the authority to complete the task. This is especially important for the PM.
For example, team members may not work directly for the PM. Technicians might work in the IT department and be assigned as team members for a project, yet still report directly to supervisors in the IT department. Their task assignments from the IT department and from the PM can then compete with each other. If the PM does not have the authority to resolve these conflicts, the success of the project can be affected. At the very least, the PM should have access to stakeholders who can resolve them.
The PM is responsible for the overall success of the plan. Some of the common tasks of a PM are:
A risk management PM is sometimes called a risk management coordinator. The skills required of a successful risk management PM are the same skills required of a successful project manager for almost any project.
Individual responsibilities could be assigned for the following activities:
Examples of responsibility statements for the website and HIPAA compliance scenarios are presented in the following two sections.
Consider creating a threat-likelihood-impact matrix. Each threat's likelihood is assigned a percentage from 10 to 100, and its impact severity is assigned a value between 10 and 100. The risk score is calculated by multiplying the two values. Higher scores indicate risks that should be addressed first; lower scores indicate risks that may be accepted.
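The following is an added example, not part of the original text, showing how the matrix described above can be computed and used to rank threats. It enforces the 10 to 100 range on both inputs, multiplies them, sorts the results highest first, and marks anything at or below an acceptance threshold as a candidate for acceptance. The threat names, scores and the threshold value are constructed for illustration and are not from the page.

```python
# Added example: threat-likelihood-impact scoring.
# Likelihood and impact are each scored 10..100 and multiplied; higher
# products are addressed first. The threats, their scores and the
# acceptance threshold below are constructed for illustration.

ACCEPT_THRESHOLD = 1000  # assumption: scores at or below this may be accepted


def risk_score(likelihood: int, impact: int) -> int:
    """Return likelihood * impact after checking both are in 10..100."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 10 <= value <= 100:
            raise ValueError(f"{name} must be between 10 and 100, got {value}")
    return likelihood * impact


def rank_risks(threats, accept_threshold=ACCEPT_THRESHOLD):
    """Score each (name, likelihood, impact) tuple and sort highest first.

    Returns a list of (name, score, action) where action is 'mitigate'
    for scores above the threshold and 'accept' otherwise.
    """
    scored = []
    for name, likelihood, impact in threats:
        score = risk_score(likelihood, impact)
        action = "mitigate" if score > accept_threshold else "accept"
        scored.append((name, score, action))
    # Sort by score descending; Python's sort is stable, so ties keep input order.
    scored.sort(key=lambda row: row[1], reverse=True)
    return scored


# Constructed sample input loosely based on the website scenario.
SAMPLE_THREATS = [
    ("SQL injection against the web front end", 70, 90),
    ("Web server outage from hardware failure", 40, 60),
    ("Defacement of a static marketing page", 50, 20),
    ("Insider disclosure of customer data", 20, 100),
]

if __name__ == "__main__":
    for name, score, action in rank_risks(SAMPLE_THREATS):
        print(f"{score:>5}  {action:<8}  {name}")
```

Note that a low-likelihood, high-impact threat (the insider disclosure above) still ranks above a moderate-likelihood, low-impact one, which is the point of multiplying rather than looking at either value alone.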
The CFO will provide funding to the IT department to hire a security consultant who will assist the IT department.
The IT department is responsible for providing:
The sales department is responsible for providing:
The CFO will validate the data provided by the IT and sales departments. The CFO will then complete a cost-benefit analysis (CBA).
The HR department is responsible for identifying all health information held by Mini Acme. The HR department is responsible for providing:
The IT department is responsible for providing:
The CFO will validate the data provided by the HR and IT departments and then complete a CBA.