Category Archives: Risk Assessment

Why Validating Assumptions is So Critical to Project Success


By Stephen Alfano

Full disclosure, I made three assumptions before I wrote this blog post:

  1. I assumed that project management mavens (and groupies) would overlook my obviously self-serving gambit and give me the professional courtesy to read beyond the first sentence.
  2. I assumed that even the most courteous reader would grow impatient (bolt!) if I didn’t pen something provocative about an intentionally rigid project management subroutine that at times can seem mind-numbingly pedantic.
  3. I assumed that only a handful of the readers would read all the way through the opening paragraph; while most of the readers who remained engaged beyond the gambit would have skipped down to the links leading to additional insight on the prescriptive and didactic data science behind validating assumptions.

If you are still reading this blog post (thank you!), you probably figured out my stratagem quickly and decided to chalk it up to a level-setting parlor trick used to underscore the “tricky” nature of assumptions. (You saw what I did: That statement is an assumption.) So, let’s move on, starting with an official, textbook definition of an assumption.

An assumption is, “a thing that is accepted as true or as certain to happen, without proof.” Of course, how would you know this definition is the definition you seek? How could you be sure it comes from a legitimate and “official” source? (Tricky, right?) In short, an assumption needs to be validated.

Validating Assumptions 101

  • To properly validate an assumption, you need to start by capturing it into a database tool called an assumption log.
    • The assumption log lists assumptions by date.
    • The log is usually created and maintained by a project manager. However, everyone on the project team will have access to the log. More important, specific individuals or groups on the project team will be assigned assumptions to validate throughout the project lifecycle.
  • Not all assumptions are equal, which is why the validation process begins by determining the level of impact or effect an assumption has on the project outcome.
    • Moreover, assumptions may also be project risks—either now or in the future. So, in addition to creating an assumption log, a project manager will produce an overlapping or supporting database called a risk register. The risk register is used to identify, manage, and mitigate risks.
    • The continuous alignment (interdependence) of the assumption log and the risk register is central to a project management plan.
  • Once the level of impact or effect an assumption has on a project outcome is determined, project team members or groups are given the responsibility to validate assumptions by a specific date to keep the project on track.
    • Validation at its core is scientific probing—asking lots of “why” and “how” questions until the assumption can become a proof point. This probing supports the decision-making process towards delivering or realizing project goals. (At this point, I’ll assume you now know how important that is.)

For more insight on validating assumptions, check out these links below:

ASSUMPTIONS ARE MADE TO BE VALIDATED via Leading Agile

The Need to Validate Project Assumptions via Business 2 Community

5 Tips to Make Sure You Are Validating Early and Often via Kissmetrics

Case Study: Using the 5 Whys to Validate Assumptions via iSixSigma

Identifying and Validating Assumptions and Mitigating Biases in User Research via UX Matters

Build Better Products: How to Identify and Validate Assumptions via Users Know / SlideShare

Now it’s your turn—what are some of your best practices to validate assumptions and reduce risk on your projects? Or, what other trouble spots does your project have—we’d love to cover some mitigation techniques in a future blog post!

About the Author: Stephen Alfano is an Organizational Change Management Consultant and Communications Expert. He has over 25 years of experience leading and managing internal and external marketing initiatives for both private and public sector clients. His résumé includes providing both new business and business process improvement services to Apple, American Express, AT&T, California Department of Transportation, Chevron, Entergy, Levi Strauss & Co., Louisiana Office of Tourism, Mattel, Microsoft, Novell, SONY, Sutter Health, and Wells Fargo. Stephen currently works as an Executive Consultant with KAI Partners, Inc., providing change management and communications expertise and support services to California State Departments.

KAI Partners is Hiring!


KAI Partners is thrilled to announce we are once again expanding our stellar team! Interested in joining our growing company? Take a look at the following positions for which we are currently hiring!

Business Analyst
The seasoned, motivated, and client-focused Business Analyst should be a highly organized, self-directed, and engaged individual. The Business Analyst will be responsible for a diverse set of responsibilities including, but not limited to:

  • Requirement elicitation and facilitation
  • Business process improvement
  • Business process and narrative modeling
  • User testing
  • Training
  • Organizational change management and communication
  • Process standardization and improvement for ongoing operations

We are looking for four (4) Business Analysts who are enthusiastic problem-solvers who thrive on aligning the client’s business needs with technology solutions. Click here for more information or to apply for one of our on-site, Sacramento-based Business Analyst roles.

IT Audit Consultant
The seasoned, motivated, and client-focused contract IT Audit Consultant will engage with a number of stakeholders in client IT support infrastructures to ensure appropriate processes, procedures, and controls are adequately designed and implemented to meet key control requirements for clients, and will mitigate significant risks that clients deem appropriate. To be successful, the IT Audit Consultant should be a dedicated professional who possesses the analytical, feasibility, relationship, and executive IT audit skills needed to identify and test risk and control management strategies to meet various client requirements, along with compliance and regulatory requirements. The IT Audit Consultant will be responsible for providing IT risk management advice and control solution alternatives as the client needs.

The IT Audit Consultant can be based anywhere in the U.S., but must have a valid U.S. passport and the ability to travel. Click here for more information or to apply for the IT Audit Consultant role.

IV&V (Independent Verification & Validation) Consultant
The experienced, motivated, and flexible IV&V Consultant will be an enthusiastic problem-solver who thrives in a fast-paced environment. The IV&V Consultant will be responsible for performing IV&V assessments including, but not limited to:

  • Quality Management
  • Training
  • Requirements Management
  • Operating Environment
  • Development Environment
  • Software Development
  • Systems and Acceptance Testing
  • Data Management
  • Operation Oversight
  • Assessing Program risks

Click here for more information or to apply for the on-site, Sacramento-based IV&V Consultant role.

Scrum Master
The Scrum Master should have experience setting up teams for successful delivery by removing obstacles, constantly helping the team to become more self-organizing, and enabling the work the team does rather than imposing how the work is done. The Scrum Master will manage one or more agile projects, typically to deliver a specific product or transformation via a multi-disciplinary, high-skilled digital team. Adept at delivering complex digital projects, breaking down barriers to the team, and both planning at a higher level and getting into the detail to make things happen when needed, the Scrum Master will define project needs and feed the needs into the portfolio/program process to enable resources to be appropriately allocated.

Click here for more information or to apply for the on-site, Sacramento-based Scrum Master role.

Senior Technical Lead

The experienced, motivated, and flexible Senior Technical Lead should be an enthusiastic problem-solver who thrives on aligning business needs with the technology solutions. The Senior Technical Lead will work with a team of people to deliver the following tasks:

  • Task Accomplishment Plan (TAP)
  • TAP updates
  • Monthly written status reports
  • Requirements Management Plan
  • Project Schedule
  • Weekly Project Schedule Updates
  • Conduct JAD sessions
  • Code Assessment
  • Documentation Review and Assessment
  • Process Analysis
  • Data Analysis
  • Validate Requirements
  • Business Rules Extraction and Analysis
  • Knowledge Transfer

Click here for more information or to apply for the on-site, Sacramento-based Senior Technical Lead role.

Systems Analyst

The experienced, motivated, and flexible Systems Analyst should be an enthusiastic problem-solver who thrives in a fast-paced environment and has SharePoint experience. Some responsibilities of the Systems Analyst include, but are not limited to:

  • Determining operational objectives by studying business functions; gathering information; evaluating output requirements and formats
  • Designing new computer programs by analyzing requirements; constructing workflow charts and diagrams; studying system capabilities; writing specifications
  • Improving systems by studying current practices; designing modifications
  • Recommending controls by identifying problems; writing improved procedures
  • Defining project requirements by identifying project milestones, phases, and elements; forming project team; establishing project budget
  • Monitoring project progress by tracking activity; resolving problems; publishing progress reports; recommending actions

Click here for more information or to apply for the on-site, Sacramento-based Systems Analyst role.

Technical Lead

The experienced, motivated, and flexible Technical Lead should be an enthusiastic problem-solver who thrives on aligning business needs with the technology solutions. The Technical Lead will work with a team of people to deliver the following tasks:

  • Task Accomplishment Plan (TAP)
  • TAP updates
  • Monthly written status reports
  • Requirements Management Plan
  • Project Schedule
  • Weekly Project Schedule Updates
  • Conduct JAD sessions
  • Code Assessment
  • Documentation Review and Assessment
  • Process Analysis
  • Data Analysis
  • Validate Requirements
  • Business Rules Extraction and Analysis
  • Knowledge Transfer

We are looking for three (3) Technical Leads. Click here for more information or to apply for one of our on-site, Sacramento-based Technical Lead roles.

We look forward to receiving your application today!

3 Top Cyber Security Infographics


October is National Cyber Security Awareness Month! While we think cyber security should be at the forefront of everyone’s minds every day, we are glad to see a month dedicated to all things security. To help you be aware of the best insight and advice on this subject, we’ve rounded up some great infographics from around the Internet to share with you today. Take a look at these infographics to make sure you are applying the most up-to-date best practices to protect you and your business.

Remember, KAI Partners can help you to identify gaps in your security efforts. Email us at info@kaipartners.com to address and help minimize your cyber security risks.

[Infographic] Via Stay Safe Online (National Cyber Security Alliance)

[Infographic] Via Digital Guardian

[Infographic] Via Trend Micro

Why you Should Perform a Small Business Information Security Risk Assessment: Part 2


Small Business Information Security

By Julie Kendall

Last week, we discussed small business information security basics and provided tips for categorizing the types of business information that you may want to keep protected. Now we’ll delve further into deciding what kind of information you may want to protect, and looking at how cost factors into the decision-making process.

Once you’ve identified all of your organization’s information types—those pieces of information you want to keep protected—the next step is to categorize the top priorities for your business. This means deciding which information type would hurt your business most if it were lost, stolen, or incorrect. As part of this assessment, you should filter your information types through the three primary information security objectives of confidentiality, integrity, and availability. You should also identify where each high-priority type of information is stored, whether manually or in various automated systems.

The final step is estimating the potential cost to the business if something bad happens to your important business information. Think about the information used in or by your organization, and for each type consider the consequences when: a) data is released inappropriately, b) data is modified incorrectly, or c) data is simply missing for some reason. Cost categories may include the following:

  • Cost to verify information accuracy and completeness
  • Cost of lost availability—how long can you last in business without the information?
  • Cost of lost work
  • Legal costs
  • Costs to repair a problem
  • Fines and penalties
  • Reputational or loss of trust in your business
  • Other costs like special notifications to your customers about the incident

There may be additional costs particular to your business, but this list will help you get started identifying the cost of an information security incident by type of information affected. The reason to conduct this type of exposure analysis is to help you decide whether or not to protect each information type based on its estimated total cost to your business.
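The three steps above (list the information types, map each to confidentiality, integrity and availability, then estimate the cost of each failure scenario) can be worked as a small exposure worksheet. The following is an added example, not code from the original post; every information type, storage location and dollar figure in it is a constructed sample, and the protect-or-not threshold is an assumed value.

```python
from dataclasses import dataclass, field

# Cost categories taken from the post's checklist.
COST_CATEGORIES = frozenset({
    "verify", "lost availability", "lost work", "legal",
    "repair", "fines", "reputation", "notification",
})
# The three failure scenarios and the security objective each one tests.
SCENARIOS = {
    "released": "confidentiality",   # data released inappropriately
    "modified": "integrity",         # data modified incorrectly
    "missing": "availability",       # data simply missing
}


@dataclass
class InfoType:
    name: str
    stored_in: list                              # manual or automated systems
    costs: dict = field(default_factory=dict)    # scenario -> {category -> dollars}

    def add_cost(self, scenario, category, amount):
        # Reject anything outside the worksheet's vocabulary so a typo
        # cannot silently drop a cost from the total.
        if scenario not in SCENARIOS:
            raise ValueError(f"unknown scenario: {scenario}")
        if category not in COST_CATEGORIES:
            raise ValueError(f"unknown cost category: {category}")
        if amount < 0:
            raise ValueError("cost cannot be negative")
        self.costs.setdefault(scenario, {})[category] = amount

    def scenario_cost(self, scenario):
        return sum(self.costs.get(scenario, {}).values())

    def total_exposure(self):
        return sum(self.scenario_cost(s) for s in SCENARIOS)

    def dominant_objective(self):
        # The objective whose failure scenario carries the largest cost.
        return SCENARIOS[max(SCENARIOS, key=self.scenario_cost)]


def rank_exposure(info_types, protect_threshold):
    """Rank information types by total estimated exposure (highest first);
    the last field says whether exposure reaches the protect threshold."""
    rows = [(it.name, it.total_exposure(), it.dominant_objective(),
             it.total_exposure() >= protect_threshold) for it in info_types]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def sample_assessment():
    """Constructed sample using the three information types named in Part 1."""
    payroll = InfoType("employee payroll and health data", ["HR SaaS", "paper files"])
    payroll.add_cost("released", "fines", 50_000)
    payroll.add_cost("released", "notification", 8_000)
    payroll.add_cost("released", "reputation", 25_000)
    payroll.add_cost("modified", "verify", 4_000)
    payroll.add_cost("missing", "lost work", 3_000)
    plans = InfoType("business plans and research", ["file server"])
    plans.add_cost("released", "reputation", 20_000)
    plans.add_cost("missing", "lost work", 15_000)
    finance = InfoType("financial records", ["accounting SaaS"])
    finance.add_cost("modified", "verify", 6_000)
    finance.add_cost("modified", "legal", 10_000)
    finance.add_cost("missing", "lost availability", 30_000)
    return rank_exposure([payroll, plans, finance], protect_threshold=40_000)
```

The dominant objective tells you which kind of control (access restriction, change verification, or backup and recovery) addresses the largest share of each type's exposure.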

Conducting an assessment of your information security needs is the first step in creating an information security plan. KAI Partners, Inc. can help you complete these assessments in just one day. Email us at info@kaipartners.com to get more information or to help take control of your valuable information in a cost effective and decisive manner.

About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DSS, HIPAA, and ISO 27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.

Why you Should Perform a Small Business Information Security Risk Assessment: Part 1


Small Business Information Security

By Julie Kendall

Information security is not any less important for a small business than it is for a multi-national corporation. In this two-part series, we’ll discuss small business information security basics, as well as how to assess your security needs to ensure your company or organization is appropriately protected.

Small businesses today are struggling to meet the demands of ongoing and increasingly sophisticated information security risks. As they automate their business world, their exposure to these risks expands. Unfortunately, their expertise in handling them does not.

All too often, small business owners believe if they just rely on outsourced automation services, then the need to address information security risks will be “taken care of” by these vendors.

While many vendors do have robust information security controls within their automation services, the responsibility to decide exactly what needs to be protected remains with the small business clients themselves. Unfortunately, these small business owners and managers are often unclear as to how to make these critical security decisions.

When it comes to information security there are three objectives you should always consider:

  1. Information confidentiality
  2. Information integrity
  3. Information availability

When we talk about confidentiality, what we are really saying is only those who need access to information to do their jobs should have access to it. Information integrity objectives focus on ensuring the information hasn’t been tampered with or deleted by those who shouldn’t have had access to it. Finally, information availability focuses on ensuring the information is available when it’s needed.

So, how can a small business today—whose operating margins are slim and who just don’t have the resources to buy or rent sophisticated information security controls—decide on the right protections for their valuable information assets?

You should first categorize the types of information used or produced by your organization. Here are a few examples of some information types that may be associated with your business and need to be protected:

  • Sensitive, private employee, or customer information like health or payroll information or customer credit card information
  • Confidential business research or business plans used to determine the strategies or new product offerings for your business
  • Financial information about your organization

Thinking about the types of information you want to protect is just the first step in assessing your information security needs. Next week, we will discuss more in depth the various factors to consider when deciding what kind of information you want to protect, while also taking into account how cost factors into the decision-making.

For more information or to help take control of your valuable information in a cost effective and decisive manner, email us at info@kaipartners.com.
