Library and Archives Canada

Audit of The AMICAN, 2007

Appendix B

Risk Model

1.0 Project Governance Risk

This class of risk pertains to the presence of a well-defined structure of roles, responsibilities and authorities within which the project operates, and within which all major decisions concerning the scope and objectives of the project, including changes to the same, are made.

  • Senior Management Control Framework: the relationship of the project to strategic plans; the assignment of responsibility, owner/sponsor, project structure, committee structure, and linkages to related projects; the roles of key organizations and people; the flow of management information; and communications within the organization, and with clients.

  • Change Management: the ability of the project to adapt to changing internal and external conditions. Strategic issues include: project scope management; risk management; and, relationships to other key projects, initiatives and/or events.

  • Benefits Achievement: involves the initial business case, and the process to measure project benefits realized by the organization as they are achieved through the project.

2.0 Business Risk

This class of risk pertains to the clarity and stability of the business rules and processes from which the system's requirements will be derived, to the integrity and robustness of the design that will be prepared to address those requirements, and to the capacity of the organization to organize itself for and to manage the changes that the introduction of a new system implies.

  • Business Requirements: the specification of business requirements related to the processes under consideration. Strategic issues include: the breadth of business change represented by the new requirements; the availability of expert users to contribute to the definition; and, the level of complexity of the business rules being defined.

  • Solution Design: the process in place to translate the business requirements into the solution; the relationship of investment in cost and time to functionality delivered; the internal control framework; and, the provision for security (i.e. confidentiality, integrity, and availability).

  • Management of Change: the impact of the project on the major business processes of the sponsoring organization and the ability of the organization to deal with the overall change.

3.0 Project Risk

This class of risk pertains to the internal organization and management of the project, and to its monitoring, reporting, control and communications functions.

This class of risk also considers the tools, techniques, methods and procedures needed to do the actual work of the project: to understand the requirements that have to be addressed, and from that understanding to design, develop, implement and make operational a relevant, reliable, usable system.

  • Project Organization & Management: the roles and responsibilities of each major organizational component of the project structure, the records of decisions made, and the type and quality of project management information made available on a regular basis.

  • Development Process: the existence of a formal process definition with milestone deliverables; solution design integration and cohesiveness; construction risk minimization; certification and accreditation; and transition management.

  • Project Control Processes: planning and scheduling methodology used, critical path management, and related resource levels; budgets, financial reporting, and variance analysis; project change management, problem and issue identification and resolution; quality strategy; communications vehicles; contract management and amendment control.

4.0 Testing Risk

This class of risk pertains to the level of preparedness exhibited by the project in planning for, conducting and proving the results of appropriate testing.

  • Test Strategy and Organization: the overall approach to testing, and the management support for user participation in accepting the product delivery.

  • Test Plans and Approach: the evidence of appropriate test planning for this project, the establishment of test processes that are congruent with the overall departmental IT organization, and management approval of this process.

  • Test Results: the evidence of the full use of the approved process in proving the new product to the satisfaction of project management, users, middle and senior management.

5.0 Infrastructure Risk

This class of risk pertains to the degree of inherent risk in the technology platforms chosen to support the system. Newer and less widely-proven platforms have substantially higher risk than mature and widely-used platforms. Not only is there a greater probability of a flaw in the platform, but the know-how to deal with flaws is rare. This class also pertains to the transition of the application into the infrastructure within which it will operate. Newly developed and implemented infrastructures pose more risk than structured, mature ones.

  • Infrastructure: the degree of project conformity to the organization's technical standards and methods and technology environment, and the impact the project will have on this infrastructure.

  • Technology Transition: the readiness of the organization to deal with the new technology, overall technology configuration management, and the ability of the organization to offer support (short and long range).