2012-09-12 TSC Risk Assessment notes

From HL7 TSC

TSC Risk Assessment

Meeting 2012-09-12 at 2012Sep, Baltimore

TSC Risk Assessment Tiger Team

  • Attendees: Austin, Calvin, Ed, Pat, Jane, Charlie, Ron
  • Convene 7:09 AM
  • Charlie shares a methodology for managing risk, modeled after the Billboard Top 10 with 4 types. Four types are resource risks, technology risks, requirements risks, political/social risks. Evaluates internal vs external, likelihood and impact, mitigation and contingency. Ed adds that we should consider contingency alarms to let you know when the trending is going south.

Austin states goals for this session are setting our methodology and how to move forward. We'll need to organize a weekly set of calls around this. Trying to get to Version zero by the next WGM, maybe 6 weeks.

  • Ron analogizes to GOM as response to things that happen in the organization. May need to review Governance and Operations Manual (GOM) with eye to why do things happen and what do we want to avoid by establishing rules in the GOM. Work Group Health (WGH) is even risk management. We're also looking at this at a program level so we are looking for coherence and continuity.
  • Jane summarizes: we identify risk, assign probability, estimate impact, and design mitigation.
  • Austin notes that we have to take into account risks that occur at the Board level though we don't have responsibility at that level. We don't want to get too deeply into risks within a particular product line. Ron adds elements of risk patterns may become part of the project scope statements, seeking narrative that feeds into definition of governance points where mitigation involves review or intervention at a certain step.
  • Calvin describes categorization of common risks may exclude unique conditions, so should the product lines do their own assessments. We may need to delegate this function.
  • Charlie notes it's not one-and-done and the Project Scope Statement might confer that on them. We may need to ask them for their risk profile and clarify that you keep reviewing them.
  • Ron notes we first identify risks and then operationalize them.
  • Ed notes we should set the risks around the 11 steps we discussed before and then pass them on.
  • Look at source material for identifying risks, GOM, Strategic Initiatives, SWOTs. Ron suggests BAM material developed shortly will be an input. Austin adds the ANSI audit will also add source material.
  • Ron talks about methodology for operationalizing - product line manager receives assessment from the Management Board. Governance sets the precepts. We need to identify behaviors in Work Groups that also create risk (e.g. not posting minutes) that are not project-related. Cross-product-line risk should be considered including interaction with BOD and Executive level. Product-line risk in coherence and consistency needs to be set. Internal product line risks will be evaluated in the product lines. Jane says we need to look at our existing controls, and members will see we're already doing this with existing procedures but we're making it explicit. TSC policies and procedures are another source.
  • To identify risks, take a process that produces something and identify barriers to success. Look at key processes and their controls as input.
  • TSC analysis also needs to have a cut-off on where we analyze risk to what level. Charlie adds that the repetition of the activity gives some quantitative measures by using trending.
  • Charlie suggests category grading according to bug tracking - critical, high, medium, low. Critical stops everything. High stops everything but has a workaround, for example. Jane notes another risk is introducing complexity to implementers in things that make it easier for us.
  • Need a core set of procedures that have deliverables at risk from the GOM, SI, SWOT, TSC P&P. Charlie will take a first draft. Jane adds that ballot processes, as an important first evaluation, are mostly in the GOM.
    • Ron can do the organizational process of the GOM,
    • Pat will do the ballot process,
    • Jane will do the harmonization process.
    • Calvin will look at SWOTs
    • Austin will look at TSC P&P
    • Ed will look at Strategic Initiatives.
  • Charlie adds that as assessment of Work Group Health we should eventually add the review and update of the risk profile for a WG or product line. Functional management responsibilities for the product lines need to be determined and the disposition of Steering Divisions. Ron notes that this is where the BAM and this process intersect.
  • Meet next in two weeks, send a Doodle poll to schedule. Need a wiki page to collect information; once created we'll send a link.

Adjourn 7:59 AM EDT