Project Risks

June 26, 2020

* Yuri Carneiro

In an increasingly globalized world that is constantly changing and must keep up with technological developments to meet market needs, Information Technology (IT) has played a fundamental role in this growth and in supplying this new demand.

IT projects are increasingly complex: there are countless integrations, functionalities and business rules that, if not well studied, generate huge costs to keep the project in operation. The time and money spent keeping the operation running ends up being nothing less than rework of what was badly thought out and badly planned during the project's execution.

Currently, one of the challenges of IT is to reduce the effort spent on correcting past errors and redirect it to activities that add more value for the user and the end customer. Reducing the number of incidents in production is one of the major challenges for companies, since these incidents often affect not only the company's internal customers but also its end customers. An improved perception of the quality of the services the company provides therefore tends to translate into gains in market share and, possibly, profit for the business.

Thus, risk management becomes an extremely important activity in the project, aimed at guaranteeing quality and reducing the number of incidents after the solution is implemented in production. The final objective of this article is to map the risk management discipline onto the Service Design phase, as recommended by ITIL.

Risk Management

In the PMBOK, Risk Management is a systematic process of identifying, analyzing and responding to project risk. It includes maximizing the probability and consequences of positive events relative to the project objectives, while minimizing the probability and consequences of adverse events.

The benefits are many:

  • Minimizes crisis management;
  • Minimizes the occurrence of surprises and problems;
  • Enables improvements in results to be leveraged;
  • It increases the probability of success of the project.

The main processes involved in Risk Management are:

  • Risk Management Planning;
  • Risk Identification;
  • Qualitative Risk Analysis;
  • Quantitative Risk Analysis;
  • Risk Response Planning;
  • Risk Monitoring and Control.

The Service Design phase

The Service Design process provides guidance for the design and development of services and service management processes. It provides principles and methods for converting strategic objectives into a service portfolio. The scope of Service Design is not limited to new services; it also includes the changes and improvements necessary to increase or maintain value for customers throughout the life cycle, continuity, compliance with service levels and compliance with standards and regulations. Its purpose is to guide the organization in developing design capability for service management.

This includes Service Level Management, Service Catalog Management, Availability Management, Information Security Management, Supplier Management, Capacity Management and Service Continuity Management.

The main premises are:

  • Design a new or changed service for entry into the production environment;
  • The Service Design phase begins with business requirements and ends with the development of a solution designed to meet organizational needs. This solution will go through the Service Transition process, where it will be evaluated, tested and migrated. As soon as the transition is completed, control over the service will shift to Operation;
  • Understand the IT requirements, as well as the interfaces between applications (which data and information must be kept, and whether the environment has the capacity to meet this need);
  • Understand what needs to be done, as well as how to measure, when to perform it and by whom it should be done;
  • Document policies and rules;
  • Ensure that qualified resources exist to meet demand.

Included in this process are: Design of the service portfolio (including the service catalog), Design of the technological architecture of the management systems, Design of processes (roles, responsibilities and required skills) and Design of methods and metrics.


It can be seen that the PMBOK Risk Management process and the Service Design phase are quite complementary. In this way, we can identify the risks related to the Service Design phase in ITIL in order to reduce the number of Incidents and thus guarantee better levels of service with the customer.

Service Design is where the identification of risks that may affect the operation actually begins. Because this is the phase in which the entire project is specified to meet the user's requirements, numerous risks can be listed here.

This phase is extremely important, because planning errors and the absence of a proper analysis of its risks have great potential to cause incidents in Operation. Capacity mapping errors can, for example, make the service unstable, degraded or even unavailable. Errors in supplier contracts can cause numerous conflicts that may affect the Service Level Agreements. Failure to study a high-availability infrastructure may leave the service interrupted for the user. Therefore, risks must be mapped in advance in order to minimize or mitigate the impact on users. The biggest concerns to be addressed in this phase are:

  • How to reach the contracted service levels?
  • Are there processes in place to maintain the other stages of the service life cycle?
  • Is this the right product to be developed / maintained?
  • What needs to be delivered and what are the risks involved if the service does not meet the needs?
  • Is there visibility into all IT requirements, such as interfaces with other applications, what data is to be saved, how long it needs to be kept and what capacity is needed for that?
  • Are there enough human resources to keep that service operational?
  • Are suppliers prepared to achieve the required SLAs and Service Levels?
  • Will IT be able to reach that service level that was agreed?
  • Are Service Levels incompatible with requirements?
  • What is the best way to measure Service Level?
  • Are there clear definitions of cost, scope, quality? How to meet them and what roles and responsibilities should be adopted?
  • Are user requirements compatible with existing rules in production?

As can be seen, this phase is extremely critical and should not be performed superficially. Mistakes made here may delay the Transition phase or, in the worst case, compromise the Service Operation and, as a consequence, the Service Level Agreement.


As a final objective, we carried out a survey of the risks in the Service Design phase so as to reduce the impact on the operation. To carry out this survey of risks and issues, we analyzed what is expected of the Design phase, its associated risks, and the issues to be dealt with during the project. The expected result is an operation that is less reactive, less costly and easier to adapt to the constant changes required in the environments.

* Yuri Carneiro is a GRC and Information Security Specialist


SAFEWAY is an Information Security consulting company, recognized by its clients for offering high value-added solutions through projects that fully meet business needs. Over these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, a large part of whom are among the 100 largest companies in Brazil.

Today, through 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people. SAFEWAY can also help your organization by validating compliance and maturity with the GDPR (General Data Protection Regulation) and the LGPD (General Data Protection Law), taking into account the business environment in which it operates, in order to identify the main action plans for compliance with the regulations and to achieve process improvements and gains for your organization.