2.109.2 Risk, Issue, and Action Item Management Process

Manual Transmittal

April 22, 2020

Purpose

(1) This transmits new Internal Revenue Manual (IRM) 2.109.2, Risk, Issue, and Action Item Management Practices, Risk, Issue, and Action Item Management Process.

Material Changes

(1) This is a new manual and thus without material changes.

Effect on Other Documents


Risk, Issue, and Action Item Management Process Description Version 3.1.3 dated October 09, 2014 is superseded.
Risk Identification Procedure Version 1.0.3 dated October 20, 2014 is superseded.
Risk Analysis and Validation Procedure Version 1.0.3 dated October 20, 2014 is superseded.
Risk Mitigation Planning and Execution Procedure Version 1.0.3 dated October 20, 2014 is superseded.
Issue Management Procedure Version 1.0.3 dated October 20, 2014 is superseded.
Action Item Management Procedure Version 1.0.3 dated October 20, 2014 is superseded.
Risk/Issue Meeting and Reporting Procedure Version 1.0.2 dated October 20, 2014 is superseded.

Audience

The audience for this manual is the Information Technology (IT) Organization, contracted personnel, and other stakeholders responsible for following Enterprise Life Cycle (ELC) guidance.

Effective Date

(04-22-2020)

Nancy Sieger
Acting Chief Information Officer

Program Scope and Objectives

  1. Overview - This document describes the formal process for implementing the requirements of the Risk, Issue, and Action Item Management process which includes risk identification, analysis, validation, mitigation planning and execution, reporting as well as issue management and action item management. It provides an operational definition of the major components of the process and how to perform each step in the process. This document also describes the logical arrangements of steps that are essential to successfully completing the process and achieving its desirable outcome.

  2. Purpose - The purpose of this policy is to establish a common management process for risk, issue, and action item management plans across the Internal Revenue Service (IRS) IT Organization.

  3. Audience - The audience for this IRM is the IT Organization, contracted personnel, and other stakeholders responsible for following the Enterprise Life Cycle (ELC) guidance.

  4. Policy Owner - Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office.

  5. Program Owner - Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office is responsible for the development, implementation, and maintenance of this process. Approval of this process, including updates, rests with the Director, Business Planning and Risk Management. All proposed changes to this policy must be submitted to Business Planning and Risk Management, Enterprise Life Cycle Office.

  6. Primary Stakeholders - This process applies to all IT projects and programs.

  7. Program Goals - The goal is to establish an authoritative repository in which all IT programs and projects maintain their risks, issues, and action items.

Background

  1. A process is defined as “A set of related activities that accomplish a common goal”. The process definition laid out in this document further breaks down these Activities into Tasks, each of which has a complete set of attributes defined, such as data and tool specifications and the role(s) responsible for executing the tasks. The document also includes process goal and objectives, metrics, role definitions, policies and other process-related attributes.

Process Description
  1. This Risk, Issue, and Action Item Management process describes what happens within the Risk, Issue, and Action Item Management process and provides an operational definition of the major components of the process. This process specifies, in a complete, precise, and verifiable manner, the requirements, design, and behavior characteristics of the Risk, Issue, and Action Item Management process.

Goal
  1. The process goal describes a specific purpose or achievement toward which the efforts of the process are directed. Each process has a specific focus and when combined with the other processes, forms a comprehensive framework for delivering and managing services.

    The goal of this process is to establish a common management process for risk, issue, and action item management across the IT organization.

    • To support risk management requirements for all IT programs and projects.

    • To provide a set of interrelated activities that all programs and projects should follow regarding the Risk, Issue, and Action Item Management process.

Objectives
  1. The objective is to have everyone using the same tools and techniques and follow the same repeatable steps so that the organization can quantify how well the Risk, Issue, and Action Item Management process is working and train future staff members who may not currently know the routine. Ensuring consistency is a critical component for ensuring optimum efficiency.

    The following is a list of objectives for this process:

    • To assist a program or project with the identification, analysis, validation and mitigation of risks.

    • To assist a program or project with the management of issues.

    • To assist a program or project with the management of action items.

    • To assist a program or project with the reporting and tracking of risks, issues and action items.

Authority

  1. All proposed changes to this document must be submitted in writing, with supporting rationale, to the Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office.

Roles and Responsibilities

  1. Each process defines at least one role. Each role is assigned to perform specific tasks within the process. The responsibilities of a role are confined to the specific process. They do not imply any functional standing within the hierarchy of an organization. For example, the process manager role does not imply the role is associated with or fulfilled by someone with functional management responsibilities within the organization. Within a specific process, there can be more than one individual associated with a specific role. Additionally, a single individual can assume more than one role within the process although typically not at the same time.

    The roles for this process are listed below, each with a brief description.

    Name Description
    Responsible Manager The Responsible Manager is ultimately responsible for the management of all risks and issues in accordance with the mission and goals of the IT organization to ensure the program and/or project goals are achieved. Also the Responsible Manager:
    • ensures that risks and issues are identified and managed on a continual basis throughout the life of the program or project,

    • normally leads item identification activities during initial planning and re-planning for a program or project,

    • assigns an Item Owner,

    • approves the mitigation or management plan for resolving the risk or issue,

    • provides the necessary resources required to successfully execute the plan; ensuring that the mitigation or management plan does not inadvertently change technical or contract requirements or negatively impact organization schedules.

    • assesses the success/results of the activity and reviews progress of the risk or issue to resolution of the activity associated with a risk, issue, or action item,

    • approves final disposition of a risk, issue and action item and decides when the item may be closed.

    • conducts the review meetings, and

    • escalates the risk or issue to the appropriate reporting Governance Board

    Item Identifier Any program, project or team member or stakeholder may identify a candidate risk, issue or action item. The Item Identifier:
    • provides clear and concise information that defines a candidate risk, issue or action item and its context (such as title, statement, date identified, source, scope, responsible manager/organization, probable impact date, due date, closure criteria, etc.),

    • provides completed information in an acceptable format, using one of the templates based on whether the item identified is a risk, issue or action item,

    • shall forward the required information to the Item Coordinator for entry into the Item Tracking Reporting and Control (ITRAC) Repository, and

    • may be asked to participate in the analysis of the risk or issue to determine its impact and the activities required for resolution.

    Item Owner (Risk, Issue or Action Item) The Item Owner is responsible for developing the mitigation or management plan to resolve a risk or an issue. The Item Owner obtains necessary resources from the Responsible Manager and manages the execution of the mitigation or management plan as well as:
    • modifies the mitigation or management plan, when necessary, to achieve the required results,

    • determines the appropriate mitigation or management approach. Re-plans the mitigation or management strategy when changes in item parameters warrant a different approach,

    • provides status on the resolution activities throughout the execution of the mitigation or management plan to the Responsible Manager,

    • provides information to the Item Coordinator for entry in the ITRAC repository,

    • determines the results needed to resolve the action item,

    • involves the stakeholders or SME to assist with developing the information about the risk or issue to a sufficient level of detail for the Responsible Manager to make a decision,

    • advises the Responsible Manager regarding escalation of the item,

    • directs the Activity Owners to start activities for each step of the mitigation plan or management plan,

    • ensures Activity Owners have required information and resources, monitors activity to completion, and

    • converts risk to an issue if risk happens and recommends closure of an item.

    Activity Owner The Activity Owner executes the assigned activity. During the performance of assigned activities the Activity Owner:
    • may be involved in the development of the management plan and dates for assigned activities.

    • provides timely status information to the Item Owner, and

    • provides status information to the Item Coordinator to update ITRAC.

    Item Coordinator (Risk, Issue, or Action Item) The Item Coordinator for a program, project or organization records the risk, issue or action item in the ITRAC repository. The Item Coordinator is also responsible for:
    • collecting and entering status information, and producing reports for the Responsible Manager,

    • when notified, updating and closing a risk, issue or action item, as well as ensuring that all decisions are recorded in ITRAC,

    • ensuring that the Item Owner provides timely status to the risk or issue information,

    • generating the reports as necessary to support management needs, and

    • assisting with the coordination of the risk/issue meetings.

Program Management and Review

  1. Policies outline a set of plans or courses of action that are intended to influence and determine decisions or actions of a process. Policies provide an element of governance over the process that provides alignment to business vision, mission and goals.

    Process Management  
    Statement: The Risk, Issue, and Action Item Management process will have a single Process Owner and a separate Process Manager responsible for implementation and ensuring adherence to the process. The process will be reviewed regularly to ensure that it continues to support the business requirements of the enterprise. The process will be designed and developed based on ROI to the business. Process metrics will be focused on providing relevant information as opposed to merely presenting raw data.
    People:  
    Statement: Roles and responsibilities for the process must be clearly defined and appropriately staffed with people having the required skills and training. The mission, goals, scope and importance of the process must be clearly and regularly communicated by upper management to the staff and business customers of IT. All IT staff (direct and indirect users of the process) shall be trained at the appropriate level to enable them to support the process.
    Rationale: It is imperative that people working in, supporting or interacting with the process in any manner understand what they are supposed to do. Without that understanding, the Risk, Issue, and Action Item Management process will not be successful.
    Process:  
    Statement: Modifications to the Risk, Issue, and Action Item Management process must be approved by the Process Owner. The design of the process must include appropriate interfaces with other processes to facilitate data sharing, escalation and workflow. The process must be capable of providing data to support real-time requirements as well as historical/trending data for overall process improvement initiatives.
    The process must be fully documented, published and accessible to the various stakeholders of the process. The process will be reviewed on a periodic basis in order to ensure it continues to support organizational goals and objectives (continuous improvement).
    The process must include Inputs, Outputs, Controls, Metrics, Activities, Tasks, Roles and Responsibilities, Tool and Data requirements along with documented process flows. The process will be kept straight forward, rational, and easy to understand.
    Rationale: The process must meet operational and business requirements.
    Technology and Tools:  
    Statement: All tools selected must conform to the enterprise architectural standards and direction. Existing in-house tools and technology will be used wherever possible, new tools will only be entertained if they satisfy a business need that cannot be met by current in-house tools. The selection of supporting tools must be process driven and based on the requirements of the business. Selected tools must provide ease of deployment, customization and use.
    Automated workflow, notification and escalation will be deployed wherever possible to minimize delays, ensure consistency, reduce manual intervention and ensure appropriate parties are made aware of issues requiring their attention.

    The tools used by this process are the following:
    • ITRAC

    • EXCEL

    • MS Word

    • MS Power Point

    Rationale: Technology and tools should be used to augment the process capabilities, not become an end themselves.

Program Control

  1. Activities involved in ensuring a process is predictable, stable, and consistently operating at the target level of performance.

Controls
  1. Process controls represent the policies and guiding principles on how the process will operate. Controls provide direction over the operation of processes and define constraints or boundaries within which the process must operate.

    Name Description
    Audits ITRAC undergoes a Privacy & Civil Liberties Impact Assessment (PCLIA) every three years. Procedures and policies are reviewed every two years.
    Policies Policies for the Risk, Issue, and Action Item Management process are established in the Risk, Issue, and Action Item Management Policy IRM 2.109.1.
    Security Policies Security policies governing access to ITRAC specify levels of access, and the database is protected by user-set passwords. All users must have a valid IRS Network Login Standard Employee Identifier (SEID).
    Scope The scope of the Risk, Issue, and Action Item Management process is to provide a centralized set of standard procedures.
    Change Management Policies Requests for changes to this process should be directed to the process owner.
    Management Reports Metric and statistics reports concerning ITRAC risks, issues, and action items manager are produced on a monthly basis.
Metrics
  1. Metrics are used for the quantitative and periodic assessment of a process. They should be associated with targets that are set based on specific business objectives. Metrics provide information related to the goals and objectives of a process and are used to take corrective action when desired results are not being achieved and can be used to drive continual improvement of process effectiveness and efficiency.

  2. Management will regularly set targets for process performance, gather quantifiable data related to different functions of the Risk, Issue, and Action Item process, and review that data in order to make informed decisions and take appropriate corrective action.

Tailoring Guidelines
  1. The tailoring guidelines identify the allowable variations of the IT organization’s standard process as needed for adjustments (adding, deleting, modifying) relative to specific operational or functional needs of another organization. Process tailoring is about roles and procedures, not the standard process or major activities defined in this process. All tailoring requests, with supporting rationale, must be submitted in writing to and approved by the Strategy and Planning, Business Planning and Risk Management, Enterprise Life Cycle Office owner.

Terms/Definitions/Acronyms

  1. Terms/Definitions/Acronyms

Terms and Definitions
  1. Terms and Definitions

    Term Definition
    Action Item A short-duration, minimal resources activity assigned to a member or stakeholder in the program/project or organization within IT. An action item must be within the scope of the duties currently assigned to that person.
    Action Plan Description of the activities planned to resolve the action item and updates giving status of the activities.
    Activity Update Detailed status of the activity - Typically, a running chronology is provided in descending date order.
    Example: 10/22/2020 – Action plan approved by mgr. 09/20/2020 – Kickoff meeting held.
    Actual Date Closed Date management approved closure.
    Actual Start Date Date activity was started.
    Actual Completion Date Date activity was completed.
    Assigned Organization Code Acronym of the organization to whom the item identifier recommends the responsibility for the risk, issue or action item be assigned. This is a recommendation by the responsible manager or item identifier.
    Attachments Other files providing further information or documentation may be attached to the risk, issue or action item.
    Example: Work plans, decision papers, information to support closure criteria or Power Point presentations.
    Closed Date Date an issue or action item is actually closed.
    Closure Criteria Description of the requirement that must be met to close the ITRAC record. The closure criteria should be specific and measurable and should state how the item can be closed or eliminated.
    Closure Rationale Reason for closing the item along with the name of approving manager. The item is no longer valid, the event has occurred, or the item is no longer considered a risk.
    Example: Mitigation plan has successfully completed and has reduced the probability of this risk occurring to less than 10%. Per approval of the project manager, Jane Doe, this risk can be closed.
    Note: Closure rationale should address the closure criteria or explain why the item can be closed without criteria being met.
    Contractor Coordinator The name of the IRS contractor employee assigned to edit, input, and/or update the ITRAC record.
    Date Identified Date the risk was identified.
    Decisions The Item Owner’s assessment of any key decisions that would impact successful closure of this item.
    Description Narrative of the issue and its impact on the organization. Example: Lack of compatibility of tools in environment is causing a 50% increase in workload for 10 people.
    Due Date Date resolution is needed by the program or a project(s) to resolve the issue or action item.
    Impact This is a required database field in the ITRAC system. Rating is the cumulative effect of a risk on the cost, schedule, technical performance, and effect on other Teams/Projects. A numerical rating for each of these 4 areas is selected by the user.
    The overall impact rating for the Risk is generated by ITRAC and reflects the worst potential in each of the four areas: 1 and 2 = Low, 3 = Medium, 4 = High, 5 = Severe

    Cost Ratings:
    • 1. Minimal or no impact

    • 2. Additional resources required; able to meet need date

    • 3. Minor slip in key milestones; not able to meet need date

    • 4. Major slip in key milestones or critical path impacted

    • 5. Cannot achieve key team or major program milestone

    Schedule Ratings:
    • 1. None or Minimal Impact (ex: < $10,000)

    • 2. Low (ex: $10,000 - $100,000)

    • 3. Moderate (ex: $100,000 - $ 1,000,000)

    • 4. High (ex: $1,000,000 - $10,000,000)

    • 5. Severe (ex: > $10,000,000)

    Technical Performance Ratings:
    • 1. Minimal or no impact

    • 2. Minor technical shortfall but no impact to requirements

    • 3. Moderate technical shortfall but workaround available which will eliminate impact to requirements

    • 4. Major technical shortfall but work around available which will eliminate impact to requirements

    • 5. Solution not meeting minimum technical requirements

    Impact on other Team Ratings:
    • 1. None

    • 2. Some Impact

    • 3. Moderate Impact

    • 4. Major Impact

    • 5. Unacceptable impact, may affect a release window
    Include on Chief Information Officer (CIO) Risk Report A check box in the ITRAC system used by the User to identify project risks to be included on the CIO Risk Report. If checked, then this risk will be listed in the project’s CIO Risk Report.
    Include on Risk Categories Risk Report A check box used by the User to identify project risks to be included on the Risk Categories on the report. If checked, then this risk will be listed in the project’s Risk Categories Risk Report. The Risk Categories support the OMB E300 Risks.
    Interfaces Owner’s assessment of any interface actions that would impact successful closure of this item.
    IRS Coordinator The name of the IRS federal employee assigned to edit, input, and/or update the ITRAC record.
    Issue A situation or condition that (1) currently has a negative consequence for the investment, program, project, or organization or (2) has 100% probability of having negative consequences for the investment, program, project, or organization within 30 calendar days.
    Item An item is a risk or issue as defined. Item can also be interchanged for an Action Item, Risk or Issue Coordinator, Identifier or Owner as defined.
    ITRAC ID Unique number for a risk, issue or action item. The number is automatically generated by the database and assigned to the item when it is entered into the repository.
    Mitigation/Management Activity Multiple entries containing the date of the entry and status of the mitigation activity. Status is listed in most recent date order.
    Example: 7/21/2022 - Approved proposal template.
    7/15/2022 - Proposal template completed by working group.
    6/15/2022 - Working group formed to revise proposal template.
    Probable Impact Date Most likely date that the program or a project(s) will be impacted by the risk.
    Probability of Risk Occurring This is a required database field in the ITRAC system. A user-supplied estimate that the risk will occur; the field provides thresholds for evaluating probability:
    1. Probability of occurrence is less than 25% and greater than 0%
    2. Probability of occurrence is less than 75% and greater than or equal to 25%
    3. Probability of occurrence is less than 100% and greater than or equal to 75%
    Priority Indicator of the urgency of an item for the program or project:
    • High: Item has a significant impact (such as a solution not meeting minimal technical requirements; or cost or schedule being affected).

    • Moderate: Item has a moderate impact (such as a technical shortfall but work-around available which will eliminate impact to requirements; and no impact on cost and schedule).

    • Low: Item has a low impact (such as a minor technical shortfall but no impact to requirements; and no impact to cost or schedule).

    Projected Completion Date Date projected for a risk, issue or action item closure.
    RACI The RACI model is based on the principle that people act in one of four ways when executing a task. It accounts for the fact that more than one role may be active in performing a specific task while clearly defining specific responsibilities for that role.
    While many roles may be involved in a task, only one is Accountable for the results.
    The actions are:
    • R - Responsible for the action (may do the task)

    • A - Accountable for the action (including approval)

    • C - Required to be Consulted on the action

    • I - Required to be Informed of the action

    If a task does not have an Accountable role indicated, then the Responsible role is assumed to be accountable for the task.
    Responsible Manager The name of the IRS manager assigned to manage the ITRAC record.
    Resources Owner’s assessment of any resources that would impact successful closure of this item.
    Risk A potential event or condition that could have an impact or opportunity on the cost, schedule, business, or technical performance of an Information Technology investment, program, project, or organization.
    Risk Categories Office of Management and Budget (OMB) - A11 Risk Categories.
    An E 300 database field has been added to ITRAC to support (OMB-A11).
    This field holds the user's assessment of the category type; populate it by selecting one of the values that appear in the drop-down pick list. Additional information can be found on the Risk Management SharePoint site.
    Risk, Issue, and Action Item Management Risk, Issue, and Action Item Management is a set of well-defined program management processes and procedures designed to identify, analyze, report, and manage IT program or project risks, issues, and action items.
    Scheduled Completion Date Date activity is scheduled to be complete.
    Scheduled Start Date Date activity is scheduled to start.
    Scope Selected from a pick list by the user to identify the scope of this item. Indication of whether the item is at the program level organization(s) or project(s) or multiple organizations are affected by the following item.
    This is a required database field for all ITRAC Items:
    • Project: It is a fixed-duration endeavor undertaken with defined start and stop dates to deliver a unique product, service or result. It represents solutions to a specific business issue. Example: Customer Account Data Engine 2 (CADE 2) Transition State 2.

    • Program: is to be selected if the item impacts a group of related project releases managed in a coordinated way which usually includes an element of ongoing work. It may impact projects that are concurrently executed with or without overlapping dates and can have more than one domain involved. Example: Foreign Account Tax Compliance Act (FATCA) (includes all project releases).

    • Domain: is to be selected if the item impacts an area that contains similar project activities directed toward achieving a set of defined functions in support of the agency’s mission and vision strategy. Example: Submission Processing.

    • Enterprise Release: is to be selected if the item impacts a set of configuration items including application software, hardware, systems software, telecommunications and procedures grouped together to be delivered to the Production environment at a certain point in time. A release will generally include components from across architecture, projects, programs, and domains. Example: Enterprise Architecture.

    • Portfolio: It is a custom view of a set of IT investments that is user definable. IT Portfolio Summary includes all IT resources for the IT Investments from all funding sources.

    Source Name of organization/person or event that identified the risk, issue, or action item. Example: Risk Review Board Meeting - Tom Jones
    State
    • Active Mitigation - a mitigation plan is currently being executed for the risk.

    • Candidate - Default when the risk is first entered into the repository.

    • Closed - the item is no longer opened, and all closure criteria have been met or it is no longer a risk, an issue or action item.

    • Escalated - the risk or issue has been escalated to a higher management level.

    • Monitored - the risk is being watched, but no mitigation plan is currently active.

    • Open – the issue or action item is currently active and has not yet been resolved.

    • Withdrawn - the candidate risk has not been accepted for monitoring and potential mitigation.

    Note: Current life cycle state for a Risk is “Candidate”; for an Issue or Action Item, “Open” (default state is set when an item is first entered into the ITRAC database).
    Statement A clear, concise statement of the condition followed by a clear, concise statement of the consequence.
    The condition is a single phrase that briefly describes the key circumstances, situations, etc. causing the concern. The consequence is a single phrase that describes the potential event that will have a negative impact on the program/project.
    Example: If a new methodology is imposed on the project, then additional training costs will be incurred.
    Status Summary status of item
    Status of Mitigation/Management Plan Indicator of the overall status of the mitigation plan, calculated by ITRAC.
    • Green: all open activities have started as scheduled.

    • Yellow: one or more activities have not started as scheduled.

    • Red: one or more activities have not completed as scheduled or the probable impact date or due date has passed.

    • N/A: Risk is not in the Active Mitigation State, and probable impact date has not passed.
    Title Title containing keywords that briefly identify the Condition and Consequence of the risk (max 120 characters).
    This title is used in summary level reports to identify the risk.
    Example: A new methodology is imposed on the project which would incur additional training costs.
    This description is used in summary level reports to identify the issue or action item. Example: Lack of tools compatibility in the development environment.
Acronyms
  1. Acronyms

    Acronyms Description
    ACIO Associate Chief Information Officer
    CADE2 Customer Account Data Engine 2
    CIO Chief Information Officer
    ELC Enterprise Life Cycle
    FATCA Foreign Account Tax Compliance Act
    IPM Integrated Process Management
    IRM Internal Revenue Manual
    IRS Internal Revenue Service
    IT Information Technology
    ITRAC Item Tracking Reporting and Control
    OMB Office of Management and Budget
    PCLIA Privacy & Civil Liberties Impact Assessment
    RACI Responsible, Accountable, Consulted and Informed
    ROI Return-on-Investment
    SEID Standard Employee Identifier
    SME Stakeholder and Subject Matter Expert
    TIGTA Treasury Inspector General for Tax Administration

Related Resources

  1. The following sources were used to develop and/or support this process.

    • Risk, Issue, and Action Item Management Policy IRM 2.109.1

Training

  1. Process training involves training all stakeholders about key processes that are crucial for an organization to deliver business objectives. Training provides clarity to employees on a set of procedures that needs to be carried out as part of the process and the best possible way to do them. The training resources available for this process are listed below:

    • PM IT Risk Management (Formerly Software Risk Management) – Course 13868

    • SKSBS Identifying Risks in Your Organization – Course 66312

    • SKSBS Risk Management: Identifying Risk – Course 47947

    • SKSBS IT Project Management Essentials: Managing Risks in an IT Project – Course 36546

    • SKSBS IT Project Management Essentials: Monitoring and Controlling IT Projects – Course 36545

Process Workflow

  1. A process workflow consists of Activities and Tasks, Inputs and Outputs, Roles, and Flow Diagrams. It describes the tasks, procedural steps, organizations or people involved, required input and output information, and tools needed for each step of the process.

Main Process Diagram

  1. The following figure graphically depicts the roles, activities, and steps for each activity within the Risk, Issue, and Action Item Management process.

    Figure 2.109.2-1


Inputs

  1. Process inputs are used as triggers to initiate the process and to produce the desired outputs. Users, stakeholders or other processes provide inputs. The following is a list of inputs for this process:

    Name | Description | Supplier
    A risk event | A potential risk to the cost, schedule or performance of an IT program or project is identified. | Program Manager or Project Manager or Responsible Manager or Team Member or SME or Stakeholders
    Materialized risk event | A previously identified risk is realized. | Program Manager or Project Manager or Responsible Manager or Team Member or SME or Stakeholders
    Reports | Generate the item reports as necessary to support management needs. | Program Manager or Project Manager or Responsible Manager or Team Member or SME or Stakeholders
    Issue | An event that has an impact on the program's or project's ability to achieve its goal. | Program Manager or Project Manager or Responsible Manager or Team Member or SME or Stakeholders
    Problems or issues discussed at Executive meetings | The issues at hand that have been discussed at Executive level meetings and require immediate attention. | Senior Executive
    Action Item | A short-duration, minimal resources activity assigned to a member or stakeholder in the program/project or organization. An action item must be within the scope of the duties currently assigned to the member or stakeholder in the program/project or organization. | Senior Executive, Program Manager or Project Manager or Responsible Manager

Outputs

  1. Each process produces tangible outputs. These outputs can take the form of products or data and can be delivered to a user or stakeholder or they can be used as inputs to other processes. Outputs are measurable in terms of quantity and quality.

    Below is the process output table.

    Name | Description | Recipient
    Candidate risk | A candidate risk that has been accurately recorded in the risk repository. | Program Manager or Project Manager or Responsible Manager or Team Member or SME or Item Owner or Item Coordinator
    A risk in monitoring state | A risk is observed, its progress is checked over a period, and it is kept under systematic review. | Program Manager or Project Manager or Responsible Manager or Team Member or Item Owner or Activity Owner or Item Coordinator
    A risk that is withdrawn | A risk is withdrawn when it is determined that it is not a valid risk. | Program Manager or Project Manager or Responsible Manager or Team Member or Item Owner or Activity Owner or Item Coordinator
    A risk that is transferred to another organization | When a risk is determined to be the responsibility of another organization, the risk is transferred to that organization and is accepted by all parties involved. | Program Manager or Project Manager or Responsible Manager or Item Owner or Stakeholder or Item Coordinator
    A closed risk | A risk that did not occur or was mitigated. | Program Manager or Project Manager or Responsible Manager or Team Member or Item Owner or Activity Owner or Item Coordinator
    A materialized risk | A previously identified risk is realized. | Program Manager or Project Manager or Responsible Manager or Team Member or Item Owner or Activity Owner or Stakeholder or Item Coordinator
    A generated item report and conducting meetings | A detail item report or index summary report produced to support management decisions during a meeting. | Program Manager or Project Manager or Responsible Manager or Team Member or Item Owner or Activity Owner or Stakeholder or Item Coordinator
    A closed Issue | An issue is managed or closed, no longer valid, no longer considered an issue, or escalated. | Item Coordinator
    A closed Action Item | An action item that is executed, no longer valid, no longer considered an action item, escalated or closed. | Item Coordinator

Activities

  1. An activity is a major unit of work to be completed in achieving the objectives of the process. A process consists of a sequence of related activities that transforms inputs into outputs and is performed by the roles defined in the process. Activities are measurable in terms of efficiency and effectiveness. Identify the activities in the process and provide a brief description. The activities must correspond with the high-level process flow diagram above.

     

    ID | Name | Description
    1.0 | Risk Management Process | This activity includes identifying a potential risk that could prevent the program or project from achieving its objectives, assessing the risk to determine whether the potential event is of significance to the organization, and determining the mitigation strategies that will be performed to minimize or avoid the risk.
    2.0 | Issue Management Process | Determination of the management strategies that will be performed to minimize the issue.
    3.0 | Action Item Management Process | The management of action items resulting from significant program or project level meetings.
    4.0 | Risk and Issue Meeting and Reporting Process | This iterative process allows the program and/or project team to identify, categorize, prioritize, and mitigate or avoid issues, and uses progress status reports and deliverable status to monitor and control risks and issues.

Procedure

  1. Procedure

1.0: Risk Management Process
  1. Risk Management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

    • Risk identification allows individuals to identify risks so that the project team becomes aware of potential problems. Not only should risk identification be undertaken as early as possible, but it also should be repeated frequently.

    • Risk analysis transforms the estimates or data about specific risks that developed during risk identification into a consistent form that can be used to make decisions around prioritization. Risk analysis enables stakeholders to commit resources to manage the most important risks.

    • Risk validation takes the information obtained from risk analysis and uses it to formulate strategies, plans, change requests, and actions. Risk validation ensures that these plans are approved and then incorporated into the standard day-to-day processes and infrastructure.

    • Risk control and mitigation is the process of executing risk action plans and their associated status reporting; the development of mitigation plans designed to manage, eliminate, or reduce risk to an acceptable level. Risk control and mitigation also includes monitoring risks, identifying new risks, prioritizing mitigation alternatives, and evaluating risk process effectiveness throughout the project. This requires that detailed descriptions of the risk mitigation plans, mitigation activities, and closure rationale are captured, and closure documentation is entered into the ITRAC for all IT organization program and projects risks, as applicable.

    • Risk tracking monitors the status of specific risks and the progress in their respective action plans. Risk tracking also includes monitoring the probability, impact, exposure, and other measures of risk for changes that could alter priority or risk plans and ultimately the availability of the service. Risk reporting ensures that the operations staff, service manager, and other stakeholders are aware of the status of top risks and the plans to manage them. Each program or project is required to conduct periodic reviews of the risk descriptions and documentation entered into the ITRAC to ensure that the information is appropriate, current, complete, and accurate.





    During the risk management process, develop appropriate action plans to keep risks from impacting program or project goals and objectives. Conduct periodic reviews of the risks to ensure that all mitigation activities are being implemented, monitor previously identified risks, and reevaluate existing risks to verify the effectiveness of the planned risk response strategies. Validate risk mitigation strategies and alternatives. Reassess the risk as necessary, monitoring any triggers associated with the risk.








    Capture any new identified actions to be taken and track risk response. Prioritize risks for subsequent ongoing management based on their likelihood of occurrence and potential impact. Set realistic due dates and then work to meet the dates.








    Update ITRAC with detailed analysis and assessment of the risk and with specific mitigation plan activities for the risk. Take corrective action when actual events occur. Identify new risks resulting from risk mitigation actions. Attach any documents as necessary that capture the results of mitigation actions. Communicate status and risk response follow-through as appropriate.
     

  2. The following table depicts the tasks and roles for each activity in the Risk Management process.

    ID Task Name and Description Role RACI Duties
    Risk Identification 1.1 Identify a candidate risk

    This activity includes identifying a potential risk and providing clear and concise information about the risk and its context.
    Item Identifier

     
    R As appropriate, involve people who understand the program, project, domain and environment in working session to draw on available team and stakeholder experience.







    Use techniques such as brainstorming or a checklist during the meeting to aid in identifying candidate risks.







    Examine and evaluate the program or project environment and available documentation; work that has been done previously to determine its adequacy for the program or project, in general or at a particular phase of the program or project. Pay close attention to missing information that must be obtained from sources outside the program or project.






    Evaluate the business and technical performance requirements that the project must achieve.






    Determine the operational (functional and environmental) conditions under which the key performance areas or key performance parameters are measured. Pay close attention to requirements that are not clearly stated or stable. Identify the engineering processes being applied.






    Evaluate the reasonableness of the schedule estimate and whether the schedule is sufficient for the work required to be performed.






    Evaluate the reasonableness of the cost estimate and determine whether the planned (or budgeted) cost is feasible for the work required to be performed. Insufficient resources (personnel, funds, schedule, and tools necessary for successful development and deployment of the project) are a common and serious risk.






    Examine dependencies upon other organizations. Cross-project dependencies and dependencies on other program level organizations are a normal part of managing a large program.





    Only include a dependency as a risk when there is some external event that may cause a condition where the other organization cannot meet a commitment on your critical path. The existence of a dependency does not automatically constitute a risk.






    Examine underlying assumptions that define the success, direction, or existence of the organization such as executive management sponsorship and funding.






    Document all candidate risks identified during the review and analysis phase and maintain all available documentation. For each identified candidate risk:
     
    • Note the date that the candidate risk was identified

    • Note the source or event where the candidate risk was identified

    • Create a title for the risk that captures identifying keywords

    • Develop a risk statement that clearly communicates the risk to management, at all levels, and is sufficiently descriptive and specific to allow review by the responsible manager to assess its validity as a risk. A risk statement contains two parts:

      • Cause - a clear, concise statement of the condition. This is a single phrase that briefly describes the key circumstances, situations, etc. causing the concern.

      • Impact - a clear, concise statement of the consequence. This is a single phrase that describes the potential event that will have a negative impact on the program/project.

    Risk Identification 1.2 Determine the scope of the risk

    This activity includes using all available information to determine the scope of the risk.
    Item Identifier


    Responsible Manager
    R


    C
    Using available information, assess the scope of the risk.







    As necessary, engage the Responsible Manager, other stakeholders and SMEs in determining the scope of the risk.







    Assess cross project and other external dependencies that may identify other program/projects or organizations impacted by the risk.







    Determine if the risk is limited to a specific project, program or domain, or enterprise wide.







    Document all areas impacted by the risk.
    Risk Identification 1.3 Estimate the probable date of impact.


    The purpose of this activity is to review related program/project schedules and related information for impacted areas.
    Item Identifier


    Responsible Manager
    R



    A
    Review related program/project schedules and related information for impacted areas.







    As necessary, engage the Responsible Manager, other stakeholders and SMEs in determining the scope of the risk.







    Assess impact date of cross project or external dependencies which may contribute to impact of the risk.







    Estimate and document a probable date when the candidate risk event could begin to negatively impact the program/project or organization entities.
    Risk Identification 1.4 Develop closure criteria

    This activity involves using available information to research possible criteria that would clearly indicate when a risk should be closed.
    Item Identifier


    Responsible Manager
    R


    A
    Using available information, research possible criteria that would clearly indicate when a risk should be closed.








    As necessary, engage the Responsible Manager, Item Coordinator and other stakeholders and SMEs in determining the closure criteria.








    Develop and document objective closure criteria that will be recommended for determining the closure of a specific risk.
    Risk Identification 1.5 Submit the candidate risk

    This activity involves submitting the candidate risk for review.
    Item Identifier R Assemble risk related information determined in activities A1 – A4:

     
    • Risk Title

    • Risk Statement

    • Date Identified

    • Risk Identifier

    • Risk Source

    • Risk Scope

    • Responsible Manager and Organization

    • Probable Impact Date

    • Closure Criteria





    Record information in an acceptable format, such as the Risk Template available on the Risk Management website at https://portal.ds.irsnet.gov/sites/ITSPRiskManagement.








    Forward required candidate risk information to the Responsible Manager for review.







    As requested, support the Item Coordinator by providing additional information or clarification.
    Risk Identification 1.6 Identify the responsible manager and organization

    Based on the impacted program or project, determine responsibility for the risk.
    Responsible Manager R Review and validate correctness, completeness, and understandability of all recorded risk information, and determine level of analysis required.








    Based on program/project and organizational areas that have been identified as impacted areas, identify the responsible manager and organization for each impacted area.








    As necessary, engage stakeholders and SMEs in determining the responsible managers/organizations.








    Determine and note the Responsible Manager/Organization with the greatest potential impact.








    If a Responsible Manager cannot be identified, at a minimum determine the Responsible Organization.






    Forward required candidate risk information to the Item Coordinator for entry into the ITRAC Repository.
    Risk Identification 1.7 Enter the candidate risk in repository

    Create a new Risk item in ITRAC and enter candidate risk information in the system. As necessary engage the Responsible Manager and/or other stakeholders in validating or correcting submitted information.
    Item Coordinator


    Responsible Manager

     
    R




    A
    Review candidate risk information for completeness and accuracy.








    As required, request additional information or clarification from the Item Identifier.







    As needed, engage the Responsible Manager to validate or correct submitted information.








    If there are any changes to the submitted candidate risk information, these changes should be coordinated with the Item Identifier.





    Create a new Risk item in ITRAC. Projects may use the Risk Template as a guide of required information necessary for input into ITRAC.








    NOTE: All IT projects shall record and maintain risks and issues in the Item Tracking Reporting and Control (ITRAC) repository, with the exception of Cybersecurity, which shall record and maintain all IT risks and issues in Archer. ITRAC serves as the authoritative source of IT projects’ Risk information at Internal Revenue Service.








    Notify the Responsible Manager and Item Identifier that a new risk item has been created and provide the unique Risk ID assigned by ITRAC.
    Risk Analysis and Validation 1.1 Perform an analysis of the candidate risk

    This activity includes performing a preliminary assessment of the risk.
    Responsible Manager R Review the risk attributes to determine whether the information (such as the risk statement, probable impact date, and close criteria) is specific, complete, accurate, and understandable. Work with the Item Identifier and SME to obtain clarification where necessary.








    Perform a preliminary assessment of the risk to determine whether the potential event is of such significance to the organization that additional resources are warranted to perform further analyses and possible mitigation planning.
    Risk Analysis and Validation 1.2 Determine disposition

    The purpose of this activity is for the Responsible Manager to determine the disposition of the risk.
    Responsible Manager


    Item Identifier
    R








    C
    If the Responsible Manager decides the candidate risk is not a valid risk, the risk is withdrawn.





    If the Item Identifier disagrees with the Responsible Manager that a candidate risk is not a valid risk, the Item Identifier can escalate the risk to the next level of management for resolution.





    If the Responsible Manager decides the candidate risk belongs to another organization, the risk is transferred to that organization. The risk remains in the “Candidate” state, if transferred, until the receiving organization validates the risk.








    After the risk is validated (accepted), the risk state is set to “Monitored” or “Active Mitigation” in the risk repository. Inform the Item Coordinator and identify an Item Owner.







    Assign an Item Owner to evaluate the risk parameters. The Item Owner is typically an organization member with expertise in the subject of the risk and experienced in evaluating risk parameters.
    Risk Analysis and Validation 1.3 Analyze the risk

    If the risk is validated (accepted), a risk owner is assigned to analyze the risk.
    Item Owner R The Item Owner will analyze the risk to develop a mitigation plan for the risk.
    The Item Owner will review related program/project schedules and related information for impacted areas such as:







    Detailed Impact Description: Create a detailed description of the anticipated impact of the risk on the organization. Assumptions may be made to develop a reasonable impact cost. This could include potential loss of skilled resources, additional resource costs to retain staff or contractors for extended time periods, impacts to other organizations or projects, schedule slips, and any other consequences attributable to the occurrence of the risk. Ensure that detailed descriptions of the risk mitigation plans, mitigation activities, and closure rationale are captured, and entered into the ITRAC for all IT organization program or projects risks.








    Probability: Assign probability to risk.
    Risk Analysis and Validation 1.4 Update the risk in the repository

    Record any changes to risk attributes resulting from refinements made during review and validation of the candidate risk in the risk repository.
    Item Coordinator


    Item Owner
    R







    I
    Record any changes to risk attributes resulting from refinements made during analysis and validation of the candidate risk in ITRAC. The following additional information is required for a validated risk:
     
    • Detailed Impact Description

    • Names of Responsible Manager and Item Owner

    • Probability and impact

    Risk Mitigation Planning and Execution 1.1 Determine the mitigation approach



    The purpose of this activity is to determine which strategy is the most effective basis for a mitigation approach.
    Item Owner






    Responsible Manager
    R





    A
    Determine which strategy is the most effective basis for a mitigation approach. For example, the Item Owner may select an approach that guarantees maintenance of the organization schedule but has a high cost. Or, the Item Owner may select an approach that stays within cost boundaries but extends schedule.








    There are four common strategies for managing risks:
     
    • Risk Control seeks to contain the effects of a risk (but not to eliminate the source of the risk) through direct management activities that reduce the risk’s likelihood of occurrence and/or its impact to the organization.

    • Risk Acceptance acknowledges the existence of a particular risk and makes a deliberate decision to accept the risk without engaging in special efforts to control the risk. This is most effective during the planning phase of a project or other significant effort.

    • Risk Avoidance seeks to eliminate the sources of a risk and replace them with a lower risk solution. This is most effective during the planning phase of a project or other significant effort and caution should be given when considering this strategy.

    • Risk Transfer reallocates the risk from one organization to another. This process can involve the reallocation of risks within Contractors’ organizations, to IRS organizations, or to IRS organizations not directly involved in the project/program/organization.




    Summarize the mitigation approach in a three or four sentence paragraph that specifies the strategy selected and the goal of the mitigation approach in ITRAC.
    Risk Mitigation Planning and Execution 1.2 Develop the mitigation plan


    The purpose of this activity is to develop actions to be taken to mitigate risks.
    Item Owner






    Responsible Manager
    R


    A
    Develop actions to be taken to mitigate risks. Define each mitigation activity as a bounded activity with a measurable result. Ensure that completing all the mitigation activities results in satisfying the overall risk close criteria.







    Mitigation plans do not replace current task plans; they drive necessary work into the normal program/project management processes where they can be scheduled and staffed.







    Identify an owner for each activity in the mitigation plan.





    The Activity Owner must have the expertise and the authority to implement the specific activity. If the Activity Owner does not belong to the Item Owner organization, then the Item Owner has to have acceptance of the activity from the Activity Owner.







    Verify that the probable impact date of the risk is still valid.





    Review task schedules, cross-project dependencies, and program level organization dependencies to verify the probable impact date.







    Schedule a start and complete date for each activity.





    Allow for recovery time within the plan if activities slip.





    Ensure that all the mitigation activities are scheduled for completion before the probable impact date of the risk.







    Estimate the cost of each mitigation approach, including labor and materials. The cost can be a gross estimate; however, it must be sufficient to enable the Responsible Manager to make trade-offs when recommending where scarce organization resources should be spent to mitigate risks.







    Identify any costs estimated in the current task plan that will not be incurred if the mitigation plan is executed.

    Estimate the cost of several different mitigation strategies, if appropriate, to select the most cost-effective approach compared to the impact cost of the risk.
    Risk Mitigation Planning and Execution 1.3 Execute the mitigation plan

    The Item Owner initiates mitigation activities.
    Item Owner










    Responsible Manager
    R



    A
    Accept the mitigation plan.







    Activities include estimating the cost of each mitigation approach, including labor and materials as well as resources. The cost of the mitigation plan should be relative to the criticality and impact cost of the risk.







    The cost of the mitigation plan relative to the criticality and impact cost of the risk are factors considered by the Responsible Manager in accepting the mitigation plan for implementation.







    A high-level assessment of three key areas (resources, key decisions and interfaces) should be considered by the Responsible Manager in mitigation planning as well.

    Set the risk state to Active Mitigation in ITRAC and direct the Activity Owners to begin mitigation activities.







    Assess completion status of each activity and the effectiveness of the expected results.







    Adjust plan as necessary to achieve results as directed by the Responsible Manager.








    Re-plan the mitigation plan if the goal or mitigation strategy must be changed to achieve success or there is significant impact to the project (e.g. in case the original mitigation plan fails to solve the problem).








    Record the current status of mitigation activities in the mitigation plan. Review and update the status of mitigation activities in ITRAC.
    Risk Mitigation Planning and Execution 1.4 Recommend the risk disposition

    This activity involves recommendation for closure of the risk.
    Item Owner






    Responsible Manager
    R


    A
    The Item Owner recommends to the Responsible Manager closure of the risk when all mitigation activities have been completed, the closure criteria have been met, and the goal of the mitigation strategy has been achieved; or, when the time-frame has passed, and the risk has not occurred.







    If the risk has already materialized, or if the probability of the risk occurring rises to 100%, it should be converted to an issue.
    Risk Mitigation Planning and Execution 1.5 Update the risk repository

    The purpose of this activity is to update the status of mitigation activities in ITRAC.
    Item Coordinator






    Responsible Manager


    Item Owner
    R




    A







    I
    Update risk parameters in the risk repository. Update the status of mitigation activities in ITRAC.





    Ensure the accuracy of the parameters and mitigation status which must support the decisions the Responsible Manager has to make to effectively manage the risk.







    Confirm the closure criteria have been met. Record the risk state as Closed, record the rationale for closure, and record the date the closed disposition was approved.







    Ensure that all activities have been completed and closed prior to closing out the risk.





    Attach any necessary documents associated with the closing of this risk, as applicable.







    The additional information required for a tracked or controlled risk is as follows:
    • Actual start date of each mitigation activity

    • Actual completion date of each mitigation activity

    • Results/status updates of each mitigation activity

    • Status of overall mitigation plan

    • Rationale for closure

    • Date of closure

     

Cross-Functional Flow Diagram
  1. The following figure graphically depicts the roles, activities, and steps for each activity within the Risk Management process.

    Figure 2.109.2-2


2.0: Issue Management Process
  1. Issue Management is the process of identifying and resolving issues in a program, project or organization. The Issue Management Process is undertaken to ensure that each issue identified within the program, project or organization is documented, prioritized and resolved within an appropriate time frame so that program or project deadlines are not negatively impacted. It should be followed to track any issue that may impact the success of a program or project. An issue is an event or condition that has already happened and has impacted or is currently impacting the goals and objectives of a program, project, or organization. There is no uncertainty or probability aspect associated with an issue. When managing an issue, action needs to take place right away to resolve the issue.

    The Issue Management Process will help you to:

    • Identify and record issues clearly

    • Document issues properly, including any pertinent details such as the date and who reported it

    • Determine the impact of each issue

    • Determine a priority for the issue

    • Review issues and report on their status

    • Assign the issue to a project team member

    • Review all issues and decide on a course of action

    • Take the steps needed to resolve issues quickly


    When closing an issue, update the issue status and ensure that the resolution description accurately describes the steps completed to resolve the issue. Monitor progress towards resolving the issue and follow up with the issue owner on a regular basis.

  2. The following table depicts the tasks and roles for each activity in the Issue Management process.

    ID Task Name and Description Role RACI Duties
    Issue Management 1.1 Define the issue or a realized risk

    This activity includes identifying an issue or a realized risk and providing clear and concise information about the issue and its context.
    Item Identifier


    Responsible Manager

     
    R


    A
     
    Concurrent with a realized risk being officially closed out by the Responsible Manager, request that an issue be opened in the ITRAC repository.








    Coordinate with the Item Coordinator to ensure that the ITRAC number of the realized risk is included in the Notes field.







    Record information in an acceptable format, such as the Issue Template available on the Risk Management website at https://portal.ds.irsnet.gov/sites/ITSPRiskManagement







    When a new issue is identified that isn’t related to a previously recorded risk.







    Document initial discovery information about an issue.







    Note the source or event where the issue was identified (e.g., realized risk).







    Create a title for the issue that captures identifying keywords.







    Develop an issue description statement that clearly communicates the issue to management.







    Recommend an organization or Responsible Manager that should be responsible for resolving the Issue.
    Issue Management 1.2 Determine the scope of the issue
      Description: This activity includes using all available information to assess the scope of the issue.
      Role: Item Identifier; Responsible Manager
      RACI: R; A
      Duties:
      • Using available information and coordination with the Responsible Manager and/or SME, assess the scope of the issue as being one of the following:
        • Enterprise Release: To be selected if the item impacts a set of configuration items including application software, hardware, systems software, telecommunications and procedures grouped together to be delivered to the Production environment at a certain point in time. A release will generally include components from across architecture, projects, programs, and domains. Example: Enterprise Architecture.
        • Portfolio: A custom view of a set of IT investments that is user definable. IT Portfolio Summary includes all IT resources for the IT Investments from all funding sources.
        • Domain: To be selected if the item impacts an area that contains similar project activities directed toward achieving a set of defined functions in support of the agency’s mission and vision strategy. Example: Submission Processing.
        • Program: To be selected if the item impacts a group of related project releases managed in a coordinated way which usually includes an element of ongoing work. It may impact projects that are concurrently executed with or without overlapping dates and can have more than one domain involved. Example: Foreign Account Tax Compliance Act (FATCA) (includes all project releases).
        • Project: A fixed-duration endeavor undertaken with defined start and stop dates to deliver a unique product, service or result. It represents solutions to a specific business issue. Example: Customer Account Data Engine 2 (CADE 2) Transition State 2.
      • Identify the Responsible Manager/organization based on program, project and organizational areas that have been identified as impacted areas.
      • Determine the appropriate organization to recommend as the Assigned Organization for resolving the issue, in coordination with the Responsible Manager.
      • Develop and document objective closure criteria that will be recommended for determining the closure of a specific issue. Closure criteria should be explicit and quantifiable.
      • Determine the appropriate priority to reflect the urgency of the issue.
      • Estimate the due date when the resolution is expected to be completed.

    Issue Management 1.3 Submit the issue
      Description: The purpose of this activity is to assemble issue-related information to be entered into the ITRAC Repository.
      Role: Item Identifier; Responsible Manager
      RACI: R; A
      Duties:
      • Assemble issue-related information determined in Steps 1.1 and 1.2.
        • Assigned Organization, Closure Criteria, Due Date, Description, Priority, Responsible Manager, Title, Scope, and Source.
      • Record information in an acceptable format, such as the Issue Template available on the Risk Management website at https://portal.ds.irsnet.gov/sites/ITSPRiskManagement.
      • As needed, engage other stakeholders and SMEs to validate or correct submitted information.
      • Forward the issue template to the Responsible Manager for review and for assignment of an Issue Owner as well as the Item Coordinator for entry into ITRAC.

    Issue Management 1.4 Enter issue into the ITRAC repository
      Description: This activity involves entering a new issue in ITRAC.
      Role: Item Coordinator; Item Owner
      RACI: R; A
      Duties:
      • The Item Coordinator will enter the new issue into ITRAC.
      • Review the information for completeness and accuracy.
      • As needed, engage Item Owner to validate or correct submitted information.
      • Notify the Responsible Manager and the Issue Owner that a new issue item has been entered into ITRAC and provide the ITRAC ID.

    Issue Management 1.5 Disposition the issue
      Description: The purpose of this activity is to review and validate the issue for correctness.
      Role: Item Owner; Responsible Manager
      RACI: R; A
      Duties:
      • Review and validate correctness, completeness, and understandability of all recorded issue information, and determine whether further analysis is warranted.
      • As necessary, engage other stakeholders and SMEs in validating or correcting submitted information, and performing additional analysis.
      • Develop recommended disposition:
        • Recommend transfer to another organization if the issue was assigned to the wrong organization.
        • Escalate issue if the responsible manager does not have enough resources or authority to resolve the issue.
      • Obtain consensus on recommended disposition with appropriate stakeholders. If concurrence can’t be obtained, escalate the issue to the next level of management for disposition resolution.
      • Assign an Item Owner to develop a management plan and oversee the resolution of the issue. The Item Owner should have the knowledge and authority to address the issue and is typically an organization member with expertise in the issue subject (e.g., business architect, system engineer, or technology expert).
      • Notify Item Owner of assignment of responsibility for resolution of the issue.
      • Notify Item Coordinator of disposition action for updating in ITRAC.

    Issue Management 1.6 Develop management plan
      Description: Develop a management plan to resolve the issue.
      Role: Item Owner; Responsible Manager
      RACI: R; A
      Duties:
      • Develop a management plan to resolve the issue:
        • Define the specific activities required to resolve the issue.
        • Coordinate the availability of needed resources with the Responsible Manager.
        • Based on available resources and dependencies, assign the Activity Owners and develop/obtain start and completion dates for required activities.
      • As necessary, engage the other stakeholders and SMEs in validating or correcting submitted information, and performing detailed impact analysis.
      • Record the management plan into ITRAC including the activity title, description, owner and scheduled start and completion dates for each activity.
      • Obtain Responsible Manager approval of the management plan.
      • Communicate the approved management plan to all Activity Owners.
      • If the ability to resolve the issue is beyond the authority or resources of the assigned organization, recommend that the issue be transferred to another organization or escalated to the appropriate reporting Governance Board.

    Issue Management 1.7 Perform and monitor planned activities.
      Description: Oversee the performance of management plan activities and provide guidance and instructions to the Activity Owners as needed.
      Role: Item Owner; Responsible Manager
      RACI: R; A
      Duties:
      • Oversee the performance of management plan activities and provide guidance and instructions to the Activity Owners as needed.
      • Review periodic status reports and as needed, initiate/request ad hoc reports in order to monitor the performance of management plan activities.
      • Assess actual performance results against planned performance results.
      • Make adjustments to the management plan as required. If significant changes are required, obtain approval from the Responsible Manager.

    Issue Management 1.8 Close the issue.
      Description: Ensure that the issue, as recorded in the ITRAC Repository, is updated to reflect a closed status.
      Role: Item Owner; Responsible Manager
      RACI: R; A
      Duties:
      • When all management plan activities have been completed for an issue, verify that closure criteria have been fully satisfied.
      • As necessary, engage the Responsible Manager and Activity Owners and other stakeholders in verifying that the closure criteria have been satisfied.
      • Develop description of final closure rationale.
      • Submit closure rationale to the Responsible Manager and obtain approval to close out the issue.
      • Ensure that all activities have been completed and closed prior to closing out the issue. Attach any necessary documents associated with the closing of this issue.
      • This information should be provided to the Item Coordinator to update ITRAC.

     

Cross-Functional Flow Diagram
  1. The following figure graphically depicts the roles, activities, and steps for each activity within the Issue Management process.

    Figure 2.109.2-3


3.0: Action Management Process
  1. An action item is a discrete task that must be accomplished, usually by a single individual or a small team or group, and completed in a short period of time. Action items typically arise from meetings and should always be clearly documented. Managing action items is important to the smooth running of the program or project. Update action items on a regular basis (e.g., a weekly team meeting), tracking and closing each one to ensure the rest of the program or project work continues to run smoothly.

    The following table depicts the tasks and roles for each activity in the Action Item Management process.

    ID Task Name and Description Role RACI Duties
    Action Item Management 1.1 Define action item
      Description: This task includes identifying an action item, providing clear and concise information about the action item and its context.
      Role: Item Identifier; Responsible Manager
      RACI: R; A
      Duties:
      • Provide clear and concise information about the action item and its context. Give a short title for the action item that captures keywords. State the action item and the required results.
      • Provide a recommended due date for the action item. Identify the source of the action item.
      • Recommend an organization that should be responsible for resolving the action item. Name the manager responsible for that organization. Include additional information on the context of the action item in attached documents, if required.
      • Record information in an acceptable format, such as the Action Template available on the Risk Management website at https://portal.ds.irsnet.gov/sites/ITSPRiskManagement.

    Action Item Management 1.2 Assign Item Owner
      Description: This task ensures that the action item is assigned an Action Item Owner to evaluate the action item and develop an action plan (if applicable).
      Role: Responsible Manager
      RACI: R
      Duties:
      • Assign an Action Item Owner to evaluate the action item and develop an action plan (if applicable). The Action Item Owner is typically an organization member with expertise in the subject of the action item (e.g., business architect, system engineer, or technology expert).
      • Notify the Action Item Owner within 3 to 5 working days after an action item has been identified.

    Action Item Management 1.3 Enter action item in the ITRAC repository
      Description: The purpose of this task is to enter an action item into the ITRAC repository.
      Role: Action Item Coordinator
      RACI: R
      Duties:
      • Review action item information for completeness and accuracy. As required, request additional information or clarification from the Action Item Owner. As needed, engage other stakeholders to validate or correct submitted information.
      • Enter Action Item into the ITRAC repository.
      • The Action Item Coordinator will enter the action item into the ITRAC repository. Notify the Responsible Manager and Action Item Owner that a new action item has been entered into the ITRAC repository and provide the assigned action item identification number.

    Action Item Management 1.4 Develop action plan.
      Description: If necessary, develop a brief action plan defining the activities necessary to resolve the action item if applicable.
      Role: Action Item Owner; Responsible Manager
      RACI: R; A
      Duties:
      • Analyze the action item to determine the immediate actions needed to resolve the action item. If necessary, develop a brief action plan defining the activities necessary to resolve the action item.
      • As appropriate, coordinate with the Responsible Manager and/or Item Identifier to redefine the due date if the action item cannot be resolved in the recommended time frame.

    Action Item Management 1.5 Execute action plan.
      Description: This activity includes implementing the action plan, if applicable.
      Role: Action Item Owner; Responsible Manager
      RACI: R; A
      Duties:
      • Implement the action plan (usually within 5 to 15 working days after an action item has been identified) and maintain the current status and results of the resolution activities in the ITRAC repository, if applicable.
      • If necessary, recommend that an action item be transferred to another organization or escalated to executive management if the ability to resolve the action item is beyond the authority or resources of the assigned organization.
      • The Action Item Coordinator shall distribute a summary to assure clarification of action items.

    Action Item Management 1.6 Update and report action item status.
      Description: This activity includes maintaining and reporting on the status of the action item.
      Role: Action Item Coordinator
      RACI: R
      Duties:
      • Update and report action item status to the Responsible Manager and other Stakeholders as needed.
      • Ensure that activity status information is requested, and current status information is maintained for planned action item activities, if applicable.
      • Request from Action Item Owners, on a periodic or event-driven basis, current status regarding action item activities, if applicable.
      • Provide Item Coordinator with any updated information to be input in the ITRAC repository.

    Action Item Management 1.7 Close the action item.
      Description: This activity includes ensuring that the action item is updated to reflect a closed status.
      Role: Action Item Coordinator; Responsible Manager
      RACI: R; A
      Duties:
      • An action item may be closed when the Responsible Manager agrees that the activities have been resolved.
      • The Action Item Owner shall coordinate with the Action Item Coordinator to ensure that the action item is updated to reflect a closed status and appropriate descriptive information is recorded in the closure rationale field in the ITRAC repository.

     

Cross-Functional Flow Diagram
  1. The following figure graphically depicts the roles, activities, and steps for each activity within the Action Item Management process.

    Figure 2.109.2-4


4.0: Risk and Issue Meeting and Reporting Process
  1. Risk and Issue reporting is an iterative process that uses progress status reports and deliverable status to monitor and control risks and issues. This is enabled by various status reports, such as an ITRAC index summary report or an ITRAC detail report.

    Reviews are conducted at regular intervals, when change is planned or when change occurs. Reviews facilitate better change management and continuous improvement. The objective of reviewing risks or issues is to reevaluate the environment, their action plans, and their relative priority, probability and impact. The program or project should continuously update, and record the status of, their risk mitigation plan and issue management plans in the ITRAC repository.

    Reviews of risks and issues should be a mandatory item of a Risk Review Board meeting and/or regular program or project status meeting, but they can also be executed during separately planned risk review meetings. These reviews must be held regularly. The frequency could also be determined based on the overall risk level of a program or project.

    The review meeting allows the program and/or project team to identify, categorize, prioritize, and mitigate or avoid risks and issues ahead of time. The program and/or project team should use these meetings to determine the probability and impact of each risk, determine if the risk can/should be avoided by making changes to the program and/or project, plan an appropriate response, and catalog risks and responses in ITRAC.

    The risk and issue review meeting should be a formal meeting conducted during the project’s planning process. It is imperative that the program or project manager or risk coordinator sends a meeting invitation and agenda to all attendees well ahead of time. This allows the meeting participants time to review what will be discussed and note any risks they may have already identified. During the risk review meeting, any new and past due risks and issues are discussed. The item identifier should present the new risk or issue and provide the necessary details. The item owners should provide updates for all other risks or issues. After the meeting, the results of the meeting (i.e., status of new risks or issues submitted, new mitigation or management updates, and risks or issues approved and/or closed) should be updated in the ITRAC repository.

  2. The following table depicts the tasks and roles for each activity in the Risk and Issue Meeting and Reporting process.

    ID Task Name and Description Role RACI Duties
    Risk and Issue Meeting and Reporting 1.1 Produce a detail report.
      Description: The purpose of this activity is to produce detail reports.
      Role: Item Coordinator
      RACI: R
      Duties:
      • Produce detail report for all open items in the repository of the area of responsibility. The level of detail in the report supports thorough analysis and reporting of each item.
      • Coordinate with the Responsible Manager and the Item Owner to ensure the correct items are to be reviewed.
      • The reports are periodically distributed electronically by the Item Coordinator.

    Risk and Issue Meeting and Reporting 1.2 Produce index report for summary of items.
      Description: The purpose of this activity is to produce index reports.
      Role: Item Coordinator
      RACI: R
      Duties:
      • Produce index report for all open items in the repository of the area of responsibility.
      • The reports are periodically distributed electronically by the Item Coordinator.

    Risk and Issue Meeting and Reporting 1.3 Produce ad hoc reports.
      Description: The purpose of this activity is to produce ad hoc reports.
      Role: Item Coordinator
      RACI: R
      Duties:
      • Produce an ad hoc report that presents metrics of items across the area of responsibility, that presents the progress of items, or that shows the effectiveness of the risk management program to support the needs of the Responsible Manager for the organization or for the Item Owner.

    Risk and Issue Meeting and Reporting 1.4 Coordinate meetings.
      Description: The purpose of this activity is to organize item meetings which shall be conducted weekly, bi-monthly or monthly, as appropriate.
      Role: Item Coordinator; Responsible Manager
      RACI: R; A
      Duties:
      • The Item Coordinator, with the assistance of the Responsible Manager, shall coordinate item meetings which shall be conducted by the Responsible Manager on a weekly, bi-monthly or monthly basis, as appropriate.
      • The Responsible Manager, Item Owners, as well as other stakeholders throughout the Business area, IT, or other representatives should attend these periodic review meetings. During the meeting the existing risks and issues will be reviewed for status, closure or escalation and new risks or issues are identified and reviewed for acceptance or withdrawal.
      • Prior to the meeting the Item Coordinator shall collect any new items from all Stakeholders that will be presented at the meeting.
      • The Item Coordinator shall provide pre-read material (via e-mail) which should include all items to be discussed at the meeting (new and existing items).

    Risk and Issue Meeting and Reporting 1.5 Conducting item meeting
      Description: This activity involves conducting review meetings of risks and issues.
      Role: Responsible Manager
      RACI: R
      Duties:
      • The Responsible Manager shall conduct item meetings weekly, bi-monthly, or monthly, as appropriate. The Item Coordinator shall ensure all the Responsible Managers, Item Owners, SMEs as well as other stakeholders or their representatives have been invited to these meetings.
      • During the meeting, the Responsible Manager along with the Item Coordinator shall ensure that:
        • Existing items are reviewed for status/closure/escalation. If the items cannot be resolved because of an ineffective management plan, the Responsible Manager shall direct the Item Owner to revise the management plan or execute the contingency plan (in case of risk and if a contingency plan is available).
          • If the items cannot be resolved because of lack of resources or authority, the items should be escalated to the appropriate Governance Board.
          • If the items are ready for closure, the closure rationale shall be provided to the Item Coordinator.
        • New items are reviewed for acceptance/withdrawal.
        • If an issue is identified, the Responsible Manager shall task the Issue Owner to develop a management plan as soon as possible.
      • If a risk is accepted, the Item Coordinator shall update the item in the repository.
      • After the meeting, the Item Coordinator shall ensure that decisions for each item are recorded in the repository.
      • The Item Coordinator shall distribute a meeting summary to assure clarification of items presented during the meetings.

    Risk and Issue Meeting and Reporting 1.6 Record decisions and update repository.
      Description: The purpose of this activity is to ensure that all decisions made about an item are updated in the ITRAC repository.
      Role: Item Coordinator; Responsible Manager
      RACI: R; A
      Duties:
      • The Item Coordinator shall record the information provided by the Responsible Manager and/or Item Owner in the ITRAC repository.
      • The Responsible Manager shall provide guidance on decisions made about the items to ensure that the information is updated in the repository.

     

Cross-Functional Flow Diagram
  1. The following figure graphically depicts the roles, activities, and steps for each activity within the Risk and Issue Meeting and Reporting process.

    Figure 2.109.2-5
