You have just left a four-hour meeting where you described the network expansion project to your colleagues. You explained the architecture, the new enterprise-level firewall, the additional requirements for network monitoring and maintenance, the need for an additional system administrator, and the risks of not complying with Federal Information Security Management Act (FISMA) regulations for securely trading with the U.S. Government.

Risk Assessment
Before proceeding with the expansion project, management has asked you to lead a team that will estimate the risks associated with this project. They want you to provide a high-level summary of quantitative and qualitative risks associated with the following items:

The project implementation deadline occurs in 9 months. Each month after the deadline is missed, a penalty of $100,000 is assessed. Three months after the deadline, the contract will be cancelled.

Several new network storage, security, and throughput hardware appliances need to be installed and configured. (Is there room/power/personnel to support this new hardware?)

Complying with FISMA is a new venture for your organization. What risks does this involve?


I want to make this report as easy to understand as possible, so I have broken everything down into two categories: quantitative and qualitative risks. I will define each category so you can better understand why I have placed certain risks in one or the other, and I will explain why I have chosen these particular risks. Some detailed information will not be included because more information is required from other departments, but I will do my best to fill in as much as I possibly can.

Quantitative Risks
A quantitative risk is used when relating risks to the probability of a financial loss. The quantitative risks that will impact the outcome of this opportunity are as follows. The biggest issue is the deadline risk, because only 9 months are allowed to have everything up and running. To meet this deadline we not only have to keep all departments on the same page and working together, but we also need to make sure that we keep FISMA aware of what’s going on. Once those 9 months are up, if we are not up and running it will cost the company $100,000 for each month. This could be considered a risk as well: if that penalty is not accounted for by the financial department and we don’t get everything done within the 9 months, it will have to come out of our spending budget, which means less money to spend on equipment, hiring more staff, and the expansion of the company. If the contract isn’t finalized within a year to date, the contract will be cancelled.

This will become a big problem because this is a once-in-a-lifetime opportunity that should not be taken lightly. It brings great opportunities for everyone involved, so losing this chance should not be an option. Another risk is the financial department, because we can’t make any final decisions without knowing what our budget looks like. We want to make the company money, not cost the company money, so it is critical that the CFO remains an active participant in this project. FISMA is also a serious risk because they have to be able to provide all the information from their end to help us get up to their standards and to tell us how much it’s going to cost us. Everything within this section is crucial because it has to be reviewed by the CFO to make sure everything is within the budget before it goes into a final draft, which is then turned in to the CEO of the company.

Qualitative Risks

A qualitative risk is an observation that can’t be measured in numbers, such as a pass/fail or go/no-go technique. When assigning risks to this category we have to consider what we need and whether we have anywhere to put it. This is where we are going to start. We know that with this big contract, we don’t currently have the space, the power, or the personnel to pull this off. These issues become big risks that we must evaluate in order to make this work. Since we know this, we have to figure out how much more space, power, and personnel will be needed to seal the deal.

