ATA (Ask to Answer) for the Risk expert Mr. Maynard.
I wonder if there is a formal explanation for something I call “Organizational Accepted Risk”. There are many risk items that I personally don’t call out in my risk mitigation strategy because the Organization automatically accepts the Risk and will deal with it when it occurs. I mention it in my governance document, but not in my Risk Plan. Some examples of these risks are listed below:
- A team member leaves the organization (whatever the reason: resignation, layoffs, death, etc.). It definitely can impact my deliverables, but.
- A cyber attack. I do a lot of network projects and there is always the risk of a cyber attack taking resources (WannaCry is one example). We deal with it, but it can cause a jeopardy.
- Funding cut. I treat this as an issue when and if it occurs and requires the project plan to be reviewed.
- Act of God – there are lots of things that can happen to disrupt the project. Fire, hurricane, tornado, zombie apocalypse. I don’t call these out as specific Risk items as we just accept them. The probability is low for some areas (not too many hurricanes in Ft Wayne).
My question: “is there an accepted best-practice for handling Organization Accepted Risk” and could you direct me to it?
by David Davis
on: October 10, 2017 04:29 PM