Learn to plan or plan to fail.
- Unknown
Take the time to scope the program. In short, this step means deciding how large a view the project requires. Commit this scope to paper: too narrow a view and the project will not address enough critical issues; too wide a view and the material will be too diluted. To restate the emphasis, this is the point to make certain the project has passionate executive-level sponsorship, a dedicated owner, and assurance that its goals are aligned with current business plans. Many projects fail because they do not have a solid foundation. In broad terms, the risk management program will take steps to identify and prioritize critical assets, determine threats and their frequency, identify vulnerabilities, identify safeguards and their effectiveness, and execute postcritical incident processes to resume business operations.
Start the team formulation process by including people from relevant business units that will be impacted by the project, and whose actions will facilitate the project's efforts. Team members should feel that they have a stake in the project and should bring knowledge and creativity to the team. Look for employees who have track records of successful team participation. Based on the size of your organization, there could be many units that will be affected. It is strongly recommended that you include input and participation from at least the following areas:
- Executive committee member
- Legal
- Human Resources
- Information and physical security
- Senior systems administrators
- Auditing managers
- Finance/Budget
Assemble the team, develop the team's goals, and motivate its members. The more passionate the team members are, the more likely the project will succeed.
Formulate an outline for your plan using the collective abilities of your team. Ask for their comments and input. Disseminating clear, brief, direct, and concise ideas should be considered part of your team's "best practices." In all cases, be certain to document all your steps. You can direct e-mail and memo copies to a specially designated computer folder. Copies of paper memos, correspondence, work papers, notes, and meeting minutes should be archived. Documenting your efforts will save your proverbial bacon with auditors and the legal department.
Meetings are not forums for the same persons to propound their ideas constantly. If you do not need a meeting, do not schedule one. Taking notes during telephone calls and e-mailing them to participating employees for their review and adoption is a good idea. After they have been reviewed, amended, and adopted, direct them to a project file for retention. If there is a conference call or meeting, make certain there are designated start and end times, and an agenda with objectives. Do not allow meetings to fall into the abyss of uselessness.
Minutes of the meeting may seem like an unnecessary step, but remember you might be explaining the process to a group of stockholders from a witness chair in the future. Keeping accurate records of the team's efforts will demonstrate professional diligence and measure your leadership and dedication to this project.
This is a good time to invest in drafting a few charts documenting steps, assignments, and progress. Many volumes are available detailing how to produce impressive charts.
Experience Note: The preferred method is KISS … "Keep It Simple Simon." Frankly, the simpler the chart, the easier it is to follow.
Depending on the complexity of the task, Gantt charts are functional for the majority of projects. However, if you require many simultaneous steps, Critical Path Method charts accompanied by a detailed legend with completion deadlines might be a better alternative. Examples of these charting methods are found in Exhibit 2 and Exhibit 3. Remember these are only examples; create and modify your charts to fit your team's needs and goals.
Exhibit 2: Example of Simple Gantt Chart
No. | Task Name | Duration (days) | Start | Finish | Communications | Complete (%) |
---|---|---|---|---|---|---|
1 | Select Team Members | 0 | 2/8/03 | 2/8/03 | Personal discussion | 0 |
2 | Meet w/Team | 1 | 2/8/03 | 2/8/03 | Schedule meeting | 0 |
3 | Proposed Plan | 4 | 2/18/03 | 2/21/03 | | 0 |
4 | Deliver Draft Plan | 0 | 2/22/03 | 2/22/03 | | 0 |
5 | Plan Approval | 1 | 2/26/03 | 2/26/03 | Conference call | 0 |
6 | Decide Acquisition and Implementation Needs | 2 | 3/12/03 | 3/13/03 | | 0 |
7 | Decide Timetable for Implementation | 0.5 | 3/13/03 | 3/13/03 | | 0 |
8 | Resource Acquisition | 10 | 3/13/03 | 3/23/03 | Designated team members | 0 |
9 | Implementation | 30 | 3/24/03 | 4/24/03 | Designated team members | 0 |
10 | Monitoring and Testing | 90 | 4/24/03 | 7/24/03 | Designated team members | 0 |
11 | Revising Program | 5 | 7/25/03 | 7/30/03 | Entire team | 0 |
Exhibit 3: Example of Simple Critical Path Method Chart
In the Critical Path Method (CPM) chart, dots represent steps that must be taken. Letters identify actions, positions, persons, and completion deadlines. Using the CPM chart, you can address essentially the same type of information contained in the Gantt chart through careful explanation in the chart's legend. As an example, dot A is the team selection and notification, while dot B is the risk questionnaire development. Charts are merely tools and are not as important as the planning, accomplishment, implementation, and documentation of the risk program.
After completing your plan of action, acquire the human resources and materials needed to implement the risk program and put it into place.
Once the program is in place, prudent managers will step back, monitor its utility, and test its function. Any failings, real or perceived, should be addressed and the program should be revised to implement these changes. Remember, rather than address changes in a willy-nilly fashion, implement change controls in your planning process. Change controls follow the same process as planning. Assess the requirements of the proposed changes, determine their effects, obtain comments from affected persons and positions, pass these changes through the planning participants, and then implement them on a pilot basis, measuring their effect. If they are successful, implement them fully. Depending on your perspective, it is better to proceed cautiously than fix preventable blunders.