Risk Management - Knowledge Area

National Project Management System
Business Projects-IT-Enabled


NPMS Business Projects-IT-Enabled Knowledge Area - Risk Management


December 2010


This policy related document is issued under the authority of the Deputy Minister, Public Services and Procurement Canada (PSPC).


This knowledge area is to be implemented in conjunction with the PSPC National Project Management System (NPMS) Policy.


To describe the components and requirements of the NPMS as applied to the management of project risks.


Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, analyzing, evaluating, controlling, and communicating risks. Risk management involves the review and evaluation of strategies, policies and practices.

Risks derive from project constraints, sources of funding, fixed timelines, assumptions and other sources of uncertainty and vulnerability in the project and operational environment.

Risk management considerations must be applied throughout the lifecycle of all projects. This process is described below in relation to the nine phases of the NPMS. Risk Management in NPMS is primarily based on the new Canadian Standards Association's Q850 and the International Standards Organization's (ISO) 31000. A Risk Management Plan is to be prepared for every project, and risk registers linked to the Risk Management Plan are to be updated throughout the project lifecycle as the project evolves.

Communication and Consultation

Project risks and risk treatments are continuously communicated to relevant project stakeholders to ensure they are aware of the status of project risks throughout the duration of the project.

ISO 31000 states that communication and consultation processes should be developed at an early stage. There should be a focus on effective internal and external communication to ensure that those responsible for implementing the management process as well as stakeholders, understand the basis on which decisions are made and reasons why particular decisions were taken. Risk communications and consultation are integrated into the project's communications management plan which is normally a component of the project management plan (PMP).

Establishing the Context

Establishing the context is the process that involves recognizing that specific risks exist and defining their characteristics and drivers. It also involves establishing risk criteria. An environmental scan can be done in order to determine what risks the organization will face, internally and externally.

When establishing the context, it is important to ask: "how does the particular context fit into the risk management process?" To answer this question, one must look at both the external and internal context. When examining the external context, ensure that stakeholder concerns regarding risk are appropriately addressed. As for the internal context, it is vital that the risk management process is in alignment with PSPC overall mandates as well as plans and priorities of specific branch projects.

Finally, it is crucial to develop a documentation approach. This will allow for present, as well as future justification about what process took place, how the process took place and why the process took place.

Risk Approach

The overall approach to risk management on Business Projects-IT-Enabled is based on the following activities:

  • Risk assessment;
  • Risk identification;
  • Risk analysis;
  • Risk evaluation;
  • Risk treatment;
  • Monitor and review; and
  • Communication/consultation.

Risk Assessment

Risk assessment is the overall process of risk management, and it consists of three elements: risk identification, risk analysis and risk evaluation. From the outputs of the three elements, decision-makers are provided with a clearer understanding regarding the risks (as well as their likelihood and impact) PSPC faces.

The Risk Assessment process must be open and transparent, respect PSPC's context and be tailored to its needs. It should ensure that the limitations faced by PSPC (i.e. capacity, insufficient information, lack of resources) are acknowledged and accounted for.

Risk Identification

According to ISO 31000, risk identification is the process of finding, recognizing and describing risks. The risk identification process involves the identification of risk sources, events, their causes and their potential consequences. That information is incorporated into the Project Management process. Project risks are typically identified via four forums throughout the project: a preliminary risk identification workshop, a detailed risk identification workshop during the planning phase, periodic risk workshops (before a Treasury Board (TB) submission), and regularly scheduled risk management meetings (separate meetings or part of general project management meetings). The Risk Manager uses the project schedule to plan and sequence risk management activities. Identified risks are summarized and articulated in a 'risk statement' that describes both the cause and consequence of the risk. The project team should also consider the risk of not pursuing an opportunity. When identifying risks and their consequences, the team should consider the "knock-on" effects of a particular consequence, including cascade and cumulative effects. All identified risks are documented in the Risk Log by the Risk Manager or on-line using an approved risk tracking/management tool.

Risk identification recognizes the positive and negative risks, along with their causes and consequences, which could affect the achievement of objectives. Risk identification also involves recognizing risks associated with not pursuing an opportunity as well as risks that may not be under the control of the organization. When identifying risks, it is important to ask, what could threaten or enhance your ability to achieve priorities and expected results? During the risk identification process, it is critical that all risks be identified, as risks not identified will not be included in the analysis stage.

All significant causes and consequences should be considered, even those that are not necessarily apparent. Once all risks are identified and detailed, boundaries and/or values are assigned to the risks by identifying their probability, impact, and timeframe.

Risk Identification (Workshops and Continuous Identification)

An initial risk management workshop is held early in the project to identify project risks. Periodic risk identification workshops are held at strategic, pre-defined points throughout the project to identify new risks, review existing risks, identify lessons learned and communicate risks/sharing of best practices. Risk Workshops are held prior to all TB Submissions to ensure that current project risks and related response plans are included in the submission.

Risks are continuously identified throughout the project by any member of the project team and are formally presented and analyzed during weekly project management meetings.

Risk Analysis

ISO 31000 states that "risk analysis involves consideration of the causes and sources of risk, their positive and negative consequence and the likelihood that those consequences can occur." Risk analysis is about the determination of probability and impact, which will in turn determine risk exposure. It is important to keep in mind that the assessment of risk exposure can also lead to opportunity/innovation.

The purpose of risk analysis is to develop an understanding of the risks identified during the risk identification process and provide input on how to treat risks, and what measures should be taken to treat risks.

Information gathered through risk identification is implemented through risk analysis. It is important to ask the questions: What is the risk? What are the positive and negative consequences of the risk? What is the likelihood such consequences will take place?

Risks are analysed by determining both their likelihood and their impacts. It is important that both the worst-case and the best-case scenarios be assessed.

See Annex B - Risk Analysis

Risk Evaluation

Risk response planning involves determining the most appropriate risk response "strategy" and subsequent "plan" to address each identified risk, based on the outcomes of the risk analysis. Evaluation of risks includes a determination of the priority in which risks will be dealt with. This will normally be determined by the risk exposure and proximity. For example, if two risks score equally in terms of impact and probability, the one that may occur first will tend to have a higher priority. Regardless of proximity, risks with higher probability and higher impact are treated as a higher priority than risks with lower combined scores.

Risk Treatment

Risk treatment provides an appropriate response to the risk. There are four possible risk treatment strategies:

  • Eliminating the risk (completely eliminate the probability and/or impact of the risk)
  • Mitigating the risk (lessen the probability and/or impact of the risk)
  • Transferring the risk (transfer responsibility of the risk outside the project)
  • Accepting the risk (monitor the risk and do not apply any of the above strategies)

When the project management team determines an appropriate strategy for a risk, it assigns the risk to an Office of Primary Interest (OPI) owner to develop a detailed risk treatment plan. Risk treatment plans are developed for those risks to be eliminated, mitigated or transferred. Risk treatment plans are not prepared for risks to be accepted. The risk treatment strategies and plans are recorded in the updated Risk Log by the Risk Manager.

Once the project management team approves the risk treatment plan, a formal Change Request may be submitted via the Change Management process. When the Change Request is approved, the Risk OPI implements the plan. Risk response strategy criteria are included in the Risk Log.

Monitor/Review Risks

Risk monitoring and review involves the ongoing process of acquiring, compiling and reporting accurate and timely data about risks being managed. Specifically, the risk OPI owner tracks and reports the:

  • stage of the risk response development and implementation (development & approval, Change Request approval, implementation);
  • proposed actions;
  • reporting/monitoring requirements; and
  • status of each stage (Green = On track, Yellow = Minor problems being managed, Red = Significant problems, requiring project management intervention).

The risk status updates and subsequent decisions are documented in the Risk Log. Risk monitoring and review involves analyzing status reports, deciding how to proceed and implementing decisions. Project risk status updates are reviewed and analyzed by the OPI and project management team during regularly scheduled risk management meetings. The subsequent risk monitoring and review decision options are:

  • Executing/tracking the plan;
  • Modifying the plan;
  • Re-planning;
  • Closing the risk;
  • Opening an issue (if risk has manifested).

5.1 Risk Process by NPMS Stage and Phase

Inception Stage

Definition phase

Project Managers conduct a preliminary definition phase risk assessment to identify risks that are related to the problem or opportunity identified in the Statement of Requirements (SoR).

Projects document the key risks and potential mitigation strategies associated with the risks identified in the SoR; for example:

  • Part 4 of the SoR: Identify key risks and potential mitigation strategies associated with the problem to be solved by the proposed project.
  • Part 6 of the SoR: Identify the impact, and associated mitigation strategies, of not proceeding with the project.

Identification Stage

Initiation phase

Projects identify and capture high-level risks in the preliminary project plan (PPP) along with a proposed high-level response strategy for each identified risk. This process will be consistent with the risk management process (standard template) which is an integral part of the Risk Management Plan completed during the Planning Phase.

Use the project risk log template to prepare an initial Risk Log. This Log is to be included in the SoR as well as the PPP. The Log addresses anticipated risks that will affect the planning of the project or may affect the achievement of project objectives.

Feasibility Phase

Projects conduct a risk assessment of each solution option in terms of scope, time, cost, and other considerations surrounding the project (e.g. physical, infrastructure, technical, economic, political, legal, organizational, and social factors). The goal is to identify viable options to meet project scope objectives, and to screen out nonviable options in order to recommend to the approving authority all viable potential solutions that should be further analysed in the Analysis Phase.

  • Rank each of the options in terms of relative risk level and (estimated) potential exposure.
  • Document risks that may impact the successful delivery of the business outcomes in the feasibility report (section 4, Assessment of the Options).
  • Document the risk assessment of the 3-5 most significant risks pertaining to the viable options in Section 5 of the feasibility report, then update the Risk Log previously annexed to the PPP. If an estimate of the required risk allowance/contingency funding has not yet been identified it should be developed and recorded at this point.

Analysis Phase

In order to conduct the assessment of risks, it is recommended that a risk management workshop/meeting be held with the project team prior to the completion of the Business Case document to ensure that all key stakeholders have input into the identification of risks and mitigation plans.

Projects review previous risk assessments of all the options against the risk assessment for the recommended solution option to ensure that the optimum solution has been determined to meet the SoR approved in the definition phase.

Risk Analysis in this phase is more detailed and rigorous. It involves examining identified risks to determine the extent of the risks, their relationship to each other and their priority, and assigning an OPI. Individual risks are evaluated to determine the probability of their occurrence and the severity of the impact. These attributes define the overall exposure of each risk (i.e. high, medium, low). See the PSPC Risk Heat Map (Annex A - Risk Heat Map). The risk exposure is used to classify the risks and to determine what strategies may be used to address them. All risks with a risk exposure of medium or high have a risk response plan prepared to address them. Low risks, as indicated in the Heat Map, are "managed by routine procedures". The criteria for determining risk probability, impact, timeframe, and risk exposure are found in the Risk Analysis and Planning Criteria. The analysis is recorded in the updated Risk Log, attached to both the Business Case and the PPP. Any new risks and mitigation plans identified at this phase should also be updated in both documents. Ensure risk allowances have been determined for all risks identified and documented in the Risk Log.

Identification Close-Out Phase

The purpose of the identification close-out phase is to ensure that an appropriate level of assessment, reporting, evaluation, hand-over, and administrative closure has taken place, providing enough directional detail for the delivery organization's Project Manager to proceed seamlessly to the Delivery Stage.

In light of the preliminary project approval (PPA) decision, obtained in the Analysis Phase, projects ensure that an updated Risk Log is annexed to and reflected in the body of the PPP to clearly define the risks and risk treatment strategies for the chosen option.

Delivery Stage

Planning Phase

Projects conduct a detailed risk workshop to recapitulate the full risk assessment process and flesh out the risks and risk treatment plans.

Projects review key risks and treatments for the approved solution and update the Risk Log and related documents associated to the Risk Management Plan to ensure all risks through the delivery stage are addressed accordingly.

Projects incorporate risk status as an ongoing business item of project team meetings or implement separate regular risk meetings for the remainder of the project delivery stage.

Design Phase

If this project is subject to TBS approval, projects conduct a risk workshop in support of the TBS effective project approval submission process.

Projects update the Risk Log and related documents associated to the Risk Management Plan in light of project design developments.

Note: the Risk Management Plan is normally a component of the PMP developed during the Planning Phase.

The PMP once completed remains static; associated documents such as the Risk Log are updated and kept current.

Implementation Phase

Project Managers monitor the project in order to respond to project risks as needed. Update the Risk Log and related documents associated to the Risk Management Plan as required to reflect any newly identified risks or mitigation strategies.

Delivery Close-Out Phase

Once the project is complete, the project team prepares the Project Close-Out document, including a lessons learned component, and conducts the administrative and contract close-out activities, documenting the process thoroughly. The Risk Log and any other subsidiary risk management documents attached to the Risk Management Plan must be updated to summarize all risks that were assessed during the project as well as how they were addressed. Significant risks, and the success or failure of the risk treatments that responded to them, should be captured in the Lessons Learned Report. Risks that were identified late in the lifecycle need to be highlighted for the benefit of future planning.


This procedure applies to all PSPC Business Projects-IT-Enabled.


The following definitions are extracted from the PSPC DP 082 Integrated Risk Management Policy. They are based on the TBS Framework for the Management of Risk, the Canadian Standards Association's Q850 and the International Standards Organization's 31000.

Impact
Impact is the outcome of an event affecting objectives.
Integrated Risk Management
Integrated Risk Management is a systematic and continuous approach to understand, communicate and manage risk from an organization-wide perspective. It involves making strategic decisions that minimize negative consequences and maximize opportunities that contribute to the achievement of an organization's corporate objectives.
Issue
An issue is a certain event and/or an ongoing concern that must be proactively managed. (Project Management Body of Knowledge: a risk that has become a reality.)
Knock-on Effect
A knock-on effect is a secondary or incidental effect, such as a falling domino sequentially knocking over a string of adjacent dominos.
Likelihood
Likelihood refers to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and is described using either general terms or mathematically.
Residual Risk
Residual risk is the remaining risk after treatments have been applied. It may contain unidentified risks.
Risk
Risk refers to the effect of uncertainty on objectives. It is the expression of the likelihood and impact of an event with the potential to influence positively or negatively an organization's achievement of objectives.
Risk Acceptance
Risk acceptance is an informed decision to accept a risk. Risk acceptance can occur without risk treatment or during the risk treatment process and is subject to monitoring and review.
Risk Appetite
Risk appetite refers to how much and the type of risk an organization is willing to pursue or take on to ensure it has ample opportunity to achieve its objectives.
Risk Assessment
Risk assessment refers to assessing key risks, measuring their likelihood and impact, ranking the key risks, and implementing an appropriate response to them by considering the costs and benefits of measures for managing the risk and the needs, issues and concerns of stakeholders.
Risk Communication
Risk communication is the transfer or exchange of information among stakeholders about the existence, nature, form, severity, or acceptability of risks. It also includes reporting and review.
Risk Management
Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, analyzing, evaluating, controlling, and communicating risks. Risk management involves the review and evaluation of strategies, policies and practices.
Risk Management Plan
A risk management plan is the document that specifies the approach, the management components and the resources to be applied to the management of a risk.
Risk Mitigation
Risk mitigation is the measure taken to reduce an undesired consequence.
Risk of Ethical Reputation
Risk of ethical reputation refers to the risk of making a decision without appropriate consideration of values and ethics. The impact of the risk when making an unethical decision is loss of public confidence and credibility; negative media coverage; loss of financial resources; delays in processes/results (e.g. if TB holds up approval of programs or projects); low employee morale and reduced productivity; and, in an extreme situation, putting the future of PSPC at risk.
Risk Perception
Risk perception is the value or concern with which stakeholders view a particular risk, irrespective of the expected or likely loss associated with the risk. Risk perception plays an important role in establishing risk tolerances and formulating/adopting risk management strategies.
Risk Profile
A risk profile is a set of risks.
Risk Response
Risk response refers to the risk measures or controls that are developed and implemented to address an identified risk.
Risk-smart Culture
A risk-smart culture refers to building risk into existing governance and organizational structures, including business planning, decision making and operational processes. It also ensures that the workplace has the capacity and tools to be innovative while protecting the public interest and maintaining public trust.
Risk Tolerance
Risk tolerance is PSPC's readiness to bear the residual risk after risk treatments have been applied.
Risk Treatment
Risk treatment is the process of developing, selecting and implementing controls. It can include avoiding the risk, seeking an opportunity, removing the risk, changing the likelihood of a risk, changing the consequences associated with a risk, sharing the risk with another party, and/or retaining the risk.
Values and Ethics Code for the Public Service
The Values and Ethics Code for the Public Service (PS) is the body of values and ethics to guide and support public servants in all their professional activities. It also serves to maintain and enhance public confidence in the integrity of the PS.
Uncertainty
Uncertainty (incertitude) is the state of having limited knowledge or understanding of an event and/or future outcome and its consequence or likelihood.


All parties responsible for developing Risk Management Plans are strongly encouraged to consult with other project leaders/managers and senior project managers when developing the Risk Management Plan. It is also recommended that project managers and risk managers seek advice from technical experts and other Subject Matter Experts (SME) within PSPC when producing/updating the Risk Log and risk response strategies and plans.

Project Lead (Business Side)

The Project Lead is responsible for the following risk management activities:

  • Initiating a continuing process to formally and consistently assess project risks, which includes developing the project Risk Log and risk profile, keeping it up-to-date from the business perspective;
  • Ensuring that cost estimates reflect the assessment of risk throughout the various phases of the project life cycle;
  • Ensuring that the preferred investment option of a particular project takes into consideration the project risk profile and risk tolerance;
  • Preparing an outline of the plan to deal with actual project contingencies and specifying these measures in the risk management sections of the project approval documentation;
  • Preparing and revising project approval documentation when the project risk assessment changes significantly; and
  • Preparing an outline of a communications plan with the help of a communications advisor for high-risk activities that may attract media or public attention, including the appointment of a spokesperson.

Project Manager

The Project Manager has overall responsibility for risk management during the project and is specifically responsible for the following activities:

  • Ensuring that a Risk Management Plan is created, maintained and implemented as documented, using the Risk Log created during the Initiation Stage and updated during the Identification Stage as the basis for the Risk Management Plan;
  • Participating in the risk management processes/meetings;
  • Assigning project resources to manage project risks;
  • Ensuring risk and issues action items are carried out;
  • Ensuring that risk management documents are properly maintained and stored by those responsible;
  • Ensuring that all risk management activities are included in project plans, schedules and budgets;
  • Ensuring that all risk management activities are integrated with the project Change Management Process; and
  • Seeking and capturing lessons learned from specific project risks or issues, and from the risk management process.

Risk Manager

Note: A dedicated resource may be required to fill the Risk Manager role in larger projects; otherwise it normally is filled by the (delivery) Project Manager.

The Risk Manager is responsible for the following risk management activities:

  • Developing and maintaining the Risk Management Plan;
  • Providing risk management coaching, support and advice to project participants;
  • Coordinating and facilitating the risk management portion of the regular Project Management Meeting;
  • Ensuring the overall quality of the risk management documents and compliance with the Risk Management Process;
  • Maintaining a Risk Management document repository (Risk Management Plan, Risk Logs);
  • Identifying lesson learned regarding the project risk management process; and
  • Reporting on risks.

Risk OPIs

Note: anyone assigned responsibility for a risk is termed a risk OPI.

The risk OPI is responsible for the following risk management activities:

  • Defining the risk treatments, action items, measures/triggers, necessary to satisfy the prescribed risk treatment strategy;
  • Ensuring that risk action items are carried out;
  • Reporting risk status at the project management meetings; and
  • Identifying and documenting lessons learned regarding specific risks and the risk management process.

Project Management Team

The Project Management Team is responsible for the following risk management activities:

  • Assigning risk OPIs;
  • Analyzing submitted project risks and determining the appropriate risk treatment strategy;
  • Approving and reviewing the status of risk treatment plans; and
  • Identifying and documenting lessons learned from the Risk Management Process.

Project Team

Project Team members are responsible for the following risk management activities:

  • Identifying and presenting new project risks;
  • Participating in the risk management process when invited (i.e. attending meetings, reviewing risks, being a risk OPI); and
  • Identifying and reporting lessons learned from the Risk Management Process.

Client/Business Line Owner

The Client is responsible for the following risk management activities:

  • Supporting the Project Manager in ensuring that risk management is carried out on the project;
  • Participating in the risk management process and meetings (directly or via delegated authority);
  • Identifying and presenting new risks to the project; and
  • Ensuring risk action items assigned to the client organization (non-project team members) are carried out.


Project Stakeholders

Project Stakeholders are responsible for the following risk management activities:

  • Participating in the risk management process/meetings when requested;
  • Carrying out specific risk action items assigned to the organization;
  • Identifying and reporting lessons learned regarding individual risks; and
  • Participating in the risk management process workshops/meetings when requested.




Please direct enquiries about this Knowledge Area to the Director, Centre of Excellence, ITSB Project Delivery Office.

Annex A - Risk Heat Map

Table Summary

The table describes the likelihood and impacts of risks. Rows are likelihood levels and columns are impact levels; each cell gives the exposure rating (1 = lowest, 5 = highest) for that combination, and the legend below gives the management response attached to each rating.

Likelihood \ Impact       Low    Medium-Low    Medium    Medium-High    High
High (almost certain)      4         5           5            5           5
Medium-High (likely)       4         4           5            5           5
Medium (possible)          1         3           3            5           5
Medium-Low (unlikely)      1         1           2            2           2
Low (rare)                 1         1           1            2           2

Rating legend (cell text as it appears in the map):
  • 1 - Manage by routine procedures
  • 2, 3 and 4 - Assign oversight/
  • 5 - Need senior management attention; in the High/Medium-High, Medium-High/High and Medium/High cells, Detailed management planning and attention is required; in the High/High cell, To be managed by senior management with a detailed plan

Source: CAN/CSA-Q850-09 Risk Management: Implementation to CSA-ISO-31000

Figure 1 - Risk Heat Map


Impact

  • 5 - High (severe): would stop or accelerate achievement of functional goals/objectives
  • 4 - Medium-High (major): would threaten or enable functional goals/objectives
  • 3 - Medium (moderate): would necessitate significant adjustment to overall function
  • 2 - Medium-Low (minor): would threaten or enable an element of the function
  • 1 - Low (negligible): low consequence


Likelihood

  • 5 - High (almost certain): expected in the circumstances
  • 4 - Medium-High (likely): will probably occur
  • 3 - Medium (possible): could occur at some time
  • 2 - Medium-Low (unlikely): not expected to occur
  • 1 - Low (rare): exceptional circumstances only
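The heat map above, together with the evaluation rule in the Risk Evaluation section (higher exposure first, proximity as the tie-break; rating 1 managed by routine procedures, anything higher needing a treatment plan), can be written down as a small scoring model. This is an added illustration, not part of the NPMS document or any PSPC tool; the risk log entries and the proximity-in-days field are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Five-point scales from Annex A (5 = High ... 1 = Low).
LIKELIHOOD = {"Low": 1, "Medium-Low": 2, "Medium": 3, "Medium-High": 4, "High": 5}
IMPACT = {"Low": 1, "Medium-Low": 2, "Medium": 3, "Medium-High": 4, "High": 5}

# Exposure ratings transcribed from the Annex A heat map.
# Key: likelihood score; tuple index: impact score - 1 (Low ... High).
HEAT_MAP = {
    5: (4, 5, 5, 5, 5),   # High (almost certain)
    4: (4, 4, 5, 5, 5),   # Medium-High (likely)
    3: (1, 3, 3, 5, 5),   # Medium (possible)
    2: (1, 1, 2, 2, 2),   # Medium-Low (unlikely)
    1: (1, 1, 1, 2, 2),   # Low (rare)
}

# Rating-1 cells read "Manage by routine procedures"; the Analysis Phase text
# says low risks are handled that way and every other exposure gets a plan.
ROUTINE = 1


@dataclass
class Risk:
    ident: str
    statement: str        # risk statement: cause and consequence
    likelihood: str       # key of LIKELIHOOD
    impact: str           # key of IMPACT
    proximity_days: int   # constructed field: days until the risk could occur


def exposure(likelihood: str, impact: str) -> int:
    """Exposure rating (1-5) for a likelihood/impact pair per the heat map."""
    return HEAT_MAP[LIKELIHOOD[likelihood]][IMPACT[impact] - 1]


def needs_treatment_plan(risk: Risk) -> bool:
    """True unless the risk is managed by routine procedures (rating 1)."""
    return exposure(risk.likelihood, risk.impact) > ROUTINE


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order for treatment: higher exposure first, then nearest proximity."""
    return sorted(
        risks,
        key=lambda r: (-exposure(r.likelihood, r.impact), r.proximity_days),
    )


def treatment_queue(risks: List[Risk]) -> List[str]:
    """Identifiers of risks that need a treatment plan, in priority order."""
    return [r.ident for r in prioritise(risks) if needs_treatment_plan(r)]


# Constructed sample risk log (not from the NPMS document).
SAMPLE_LOG = [
    Risk("R-01", "Vendor delay could slip the Design Phase", "Medium", "Medium-High", 90),
    Risk("R-02", "Key SME unavailable; PPP risk section incomplete", "High", "Medium", 30),
    Risk("R-03", "Minor change to meeting cadence", "Medium-Low", "Low", 10),
    Risk("R-04", "Shared test environment; data refresh contention", "Medium", "Medium", 20),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_LOG):
        plan = "treatment plan" if needs_treatment_plan(r) else "routine procedures"
        print(f"{r.ident}: exposure {exposure(r.likelihood, r.impact)}, {plan}")
```

R-01 and R-02 both rate 5, so the nearer one (R-02, 30 days) is queued first, as the Risk Evaluation section prescribes.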

Annex B - Risk Analysis

Using information collected during the risk identification process, potential future situations are constructed. Teams of individuals with appropriate cross-functional skills collaborate to produce a number of possible scenarios and assess what could go wrong. Examine best-case, most likely, and worst-case scenarios.

Table Summary

The table describes the analysis of risk at the departmental, branch and project level, giving example scenario questions for each level.

Departmental Level
  • What would a continuing trend of doing more with less look like?
  • What would happen if PSPC were to face another, and more stringent, program review?
  • How might the Canadian government respond to increasing pressures to advance environmentally sustainable development?

Branch Level
  • What are the possible outcomes of Indian land claims in a particular geographic area?
  • What if all small suppliers of computers banded together to form a super-supplier?
  • What would happen if there was a technological breakthrough in electronic purchasing?

Project Level
  • What is the impact of information technology on my organization's daily activities?
  • What would our process look like if we adopted the concept of virtual teams?
  • What would happen if all contracts for under $25,000 had to be funnelled through materiel management?

Key Questions

Likelihood (Probability)

  1. What criteria will you use to determine the probability of the risks you have identified?
    • Is the risk internal or external?
    • What is the history of occurrence? Has an event occurred recently?
    • What are the predictions for occurrence in the future?
    • If no additional action is taken, what would be the likelihood of the risk?
  2. According to the responses to the questions, assess the probability of risk as:
    • Low (nominal or unlikely): it is unlikely that the risk will occur.
    • Medium (likely): it is likely that the risk will occur at some time.
    • High (very likely): it is likely that the risk will occur in most circumstances.


Impact

  1. What criteria will you use to determine the impact of the risks you have identified?
    • What can go wrong?
    • If this risk occurs, what will the consequences be?
    • Who will be affected? How will they be affected? How will they react?
    • What will be the impact on the department's/Branch's ability to achieve its objectives?
  2. What controls are in place to prevent or minimize the risks?
    • Are there too many controls for low risks?
    • Are there too few, or no controls for high risks?