Risk Management Plan

Purpose Of The Risk Management Plan Risk is characterized by the combination of the probability or likelihood that the program will experience an event and the consequences, impact, or severity of the event, were it to occur. Risk Management (RM) is a continuous, iterative, and proactive process to manage risk and achieve mission success. The process involves identifying, analyzing, planning, tracking, controlling, documenting, and communicating risks effectively. RM begins in the End-to-End Systems Architecture Definition phase and continues through the operations and disposal phase with the disposition and tracking of existing residual and new risks. This document establishes the RM Plan for Blue Shield of California (BSC), and their proprietary Blue Shield Customer Database Software (BSCD). The BSC will utilize RM as a decision-making tool to ensure safety and to enable program success. Decisions are made based on an orderly risk management effort that includes the identification, assessment, mitigation, and disposition of risks throughout the programs life cycle. Applying the RM process also ensures that risk communication and documentation are maintained across the corporation.

SCOPE Will develop guidelines on reporting incidences in the event of an occurrence that is not in compliance with other federal agencies. This will create a vivid understanding of BSCD Compliance Issues, in order to maintain proper policies and procedures. Ensuring the collection and analysis of data to monitor the performance of processes that involve risk or that may result in serious adverse events (e.g., preventive screening, diagnostic testing, medication use processes, perinatal care). Proactive risk assessment can include the use of failure mode and effects analysis, system analysis, and other tools. Overseeing the organizational RMIS for data collection and processing, information analysis, and generation of statistical trend reports for the identification and monitoring of adverse events, claims, finances, and effectiveness of the risk management program Ensuring compliance with data collection and reporting requirements of governmental, regulatory, and accrediting agencies Reducing the probability of events that may result in losses to the physical plant and equipment (e.g., biomedical equipment maintenance, fire prevention).

Preventing and minimizing the risk of liability to the organization, and protecting the financial, human, other tangible and intangible assets of the organization Support quality assessment and improvement programs throughout the organization. Implementing programs that fulfill regulatory, legal, and accreditation requirements. Decreasing the likelihood of lawsuits through effective claims management, and investigating and assisting in claim resolution to minimize financial exposure in coordination with the liability insurer and its representatives Completing insurance, and deeming applications. risk management Procedure Process The BSCD System Program Director (SPD) is taking a proactive approach to managing risk. In the initial planning phases, risk identification was initiated and continues throughout the BSC Program life cycle with the goal to reduce unexpected events that require workarounds, contingency or fallback plans, and additional funding. It is anticipated that changes and improvements will be necessary over time as the risk management process is further defined and implemented by the program.

This plan has been prepared for the Blue Shield Customer Database Software Program for all data phases including End-to-End Systems Architecture Study, Program Definition and Risk Reduction (PDRR), Acquisition and Operations (AO), and Disposal. Future iterations of the plan may be required as the mission evolves. A distinction may need to be made between overall project risk management and IT system or application risk management. Risks related to IT systems or applications must be identified and documented based on the methodology in NIST SP 800-30, Risk Management Guide for Information Technology Systems. ROLES AND RESPONSIBILITIES RoleResponsibilitiesBusiness SME (BSME)The BSME assists in identifying and determining the context, consequence, impact, timing, and priority of the risk. Risk Manager or Project Manager (PM)The Risk Manager or PM is a member of the Integrated Project Team (IPT). The Risk Manager or PM determines if the Risk is unique, identifies risk interdependencies across projects, verifies if risk is internal or external to project, assigns risk classification and tracking number.

During the life of the project, they continually monitor the projects for potential risks.Integrated Project Team The IPT is responsible for identifying the risks, the dependencies of the risk within the project, the context and consequence of the risk. They are also responsible for determining the impact, timing, and priority of the risk as well as formulating the risk statements.Risk Owner(s)The risk owner determines which risks require mitigation and contingency plans, he/she generates the risk mitigation and contingency strategies and performs a cost benefit analysis of the proposed strategies. The risk owner is responsible for monitoring and controlling and updating the status of the risk throughout the project lifecycle. The risk owner can be a member of the project team. Other Key StakeholdersThe other stakeholders assist in identifying and determining the context, consequence, impact, timing, and priority of the risk.

Risk Identification Risk identification will involve the project team, appropriate stakeholders, and will include an evaluation of environmental factors, organizational culture and the project management plan including the project scope, schedule, cost, or quality. Careful attention will be given to the project deliverables, assumptions, constraints, WBS, cost/effort estimates, resource plan, and other key project documents. Methods for Risk Identification The following methods will be used to assist in the identification of risks associated with Blue Shield of California Brainstorming Interviewing SWOT (Strengths, Weaknesses, Opportunities and Threats) Diagramming Etc. A Risk Management Log will be generated and updated as needed and will be stored electronically in the project library located on the BSC Database Server. Risk Analysis All risks identified will be assessed to identify the range of possible project outcomes. Risks will be prioritized by their level of importance.

Qualitative Risk Analysis The probability and impact of occurrence for each identified risk will be assessed by the project manager, with input from the project team using the following approach Probability High Greater than 70 probability of occurrence Medium Between 30 and 70 probability of occurrence Low Below 30 probability of occurrence Impact ImpactHMLLMHProbabilityHigh Risk that has the potential to greatly impact project cost, project schedule or performance Medium Risk that has the potential to slightly impact project cost, project schedule or performance Low Risk that has relatively little impact on cost, schedule or performance Risks that fall within the RED and YELLOW zones will have risk response plan which may include both a risk response strategy and a risk contingency plan. Quantitative Risk Analysis Analysis of risk events that have been prioritized using the qualitative risk analysis process and their affect on project activities will be estimated, a numerical rating is applied to each risk based on quantitative analysis, and then documented in this section of the risk management plan. Validation Evaluation In each successive level of review, the RMBs evaluate the validity of all proposed risks submitted.

A risk is deemed valid if it truly represents a credible condition that includes a level of uncertainty with a consequence to the program. A candidate risk may be rejected if it is determined that the concern is something other than a risk (problem or failure), has no merit, or has no impact to the program. Similarly, elevated risks may be returned for resolution at the lower level. A risk may be elevated to the attention of higher level management for three reasons a) the risk exposure is high (red risk) b) the risk spans more than one segment, product area, or discipline, and must therefore be addressed at the next higher level in the organization or, c) resources and/or authority beyond those available in the original area are required to address the risk. Risk Response Planning Each major risk (those falling in the Red Yellow zones) will be assigned to a risk owner for monitoring and controlling purposes to ensure that the risk will not fall through the cracks. For each major risk, one of the following approaches will be selected to address it Avoid Eliminate the threat or condition or to protect the project objectives from its impact by eliminating the cause Mitigate Identify ways to reduce the probability or the impact of the risk Accept Nothing will be done Contingency Define actions to be taken in response to risks Transfer Shift the consequence of a risk to a third party together with ownership of the response by making another party responsible for the risk (buy insurance, outsourcing, etc.)

For each risk that will be mitigated, the project team will identify ways to prevent the risk from occurring or reduce its impact or probability of occurring. This may include prototyping, adding tasks to the project schedule, adding resources, etc. Any secondary risks that result from risk mitigation response will be documented and follow the risk management protocol as the primary risks. For each major risk that is to be mitigated or that is accepted, a course of action will be outlined in the event that the risk does materialize in order to minimize its impact. Risk Monitoring, Controlling, And Reporting The level of risk on a project will be tracked, monitored and controlled and reported throughout the project lifecycle. Risks will be assigned a risk owner(s) who will track, monitor and control and report on the status and effectiveness of each risk response action to the Project Manager and Risk Management Team on a Bi-Weekly Basis. A Top 10 Risk List will be maintained by the PM/Risk Manager or IPT and will be reported as a component of the project status reporting process for this project.

All project change requests will be analyzed for their possible impact to the project risks. As Risk Events occur, the list will be re-prioritized during weekly reviews and risk management plan will reflect any and all changes to the risk lists including secondary and residual risks. Management will be notified of important changes to risk status as a component to the Executive Project Status Report every 1st of the month, or as necessary. The Risk Manager (PM) will Review, reevaluate, and modify the probability and impact for each risk item on the 1st of every month or as needed Analyze any new risks that are identified and add these items to the risk list (or risk database). Monitor and control risks that have been identified Review and update the top ten risk list as needed Escalate issues/ problems to management documented mitigation actions are not effective or producing the desired results the overall level of risk is rising. The Risk Owner will Help develop the risk response and risk trigger and carry out the execution of the risk response, if a risk event occurs. Participate in the review, re-evaluation, and modification of the probability and impact for each risk item on a weekly basis. Identify and participate in the analysis of any new risks that occur.

Escalate issues/problems to PM that, Significantly impact the projects triple constraint or trigger another risk event to occur. Require action prior to the next weekly review Risk strategy is not effective or productive causing the need to execute the contingency plan. Risk activities will be recorded in the Risk_Activities.docx located on the BSC Database Server. Risk Contingency Budgeting A risk contingency budget can be established to prepare in advance for the possibility that some risks will not be managed successfully. The risk contingency budget will contain funds that can be tapped so that your project doesnt go over budget. There is a total of 1 Million dollars in the Blue Shield of California Project budget allocated for Risk Management activities. These activities may include, but are not limited to, identifying, analyzing, tracking, controlling, managing, and planning for risks. This also includes creating and updating the risk response strategies and contingency plans.

Tools And Practices A Risk Management Log will be maintained by the project manager and will be reviewed as a standing agenda item for project team meetings. Risk activities will be recorded in the Risk_Information.doc located on the BSC Database Server. Closing a Risk A risk will be considered closed when it meets the following criteria Risk is no longer valid Risk Event has occurred Risk is no longer considered a risk Risk closure at the direction of the Project Manager Lessons Learned The lessons learned will be captured and recorded in the Lessons_Learned.docx located on the BSC Database Server. Appendix A DOCPROPERTY Title MERGEFORMAT Risk Management Plan Approval Verify The Following Presented and Written by Jacob Rodriguez The Following Risk Management Plan (RM) contains information about how Blue Shield of California can mitigate opportunities for risks to happen.

These plans and procedures are written to prevent and/or continue normal working procedures in the event of a risk. In order to insure the proper function of all procedures and policies, mitigation of risks, continuity of BSC, and Compliancy with HIPAA there must be a follow up and correction of certain program abilities. We, Umbrella Corp, will not be held accountable for Risk Damages outside of scope or Risk Consequences that could have been prevented by following our presented RM plan. I hereby understand the written agreement above, and understand that any negligence about the plan will void any contract between Umbrella Corp. and Blue Shield of California