Qualitative risk assessment of RFID

Below is a short qualitative risk assessment of RFID (Radio Frequency Identification) I have pieced together.  In order to highlight strengths, weaknesses and benefits.

May it help you come to a conclusion on how would you deploy this technology while minimizing its risks?

Category Risk Impact Probability Affects
Customer QoS for customers declines because decrease in staff Medium Low Customers, Company rep.
Customer Customers may be dissatisfied with change Medium Medium Company rep, customers
Fraud Scale to RFID Fraud Low High inventory
Fraud Hackers making there own RFID tags High Low Revenue, company rep, emp trust
Inventory Management Mis-tagged or no RFID tag High Medium Inventory, revenue
Employees Adaptability Very High High Employee trust
Employees Lose or trust Medium Medium Employee loyalty
Employees strike Low Low Company rep, employee loyalty, revenue
Employees Productivity to meet new expectations Medium Low Inventory, company rep, customer loyalty
Pricing Lack or pricing from no supervision of ID creator Low Medium Revenue, company rep.
Pricing Inconsistencies Medium Medium revenue
Pricing Scanners not scanning all items Low Low Inventory, revenue
Inventory Management Mis-counts or stock and poor inventory control Medium Low Inventory control
Technical Issues RFID not functioning Very High Medium Data, company rep, employee trust, customer trust.
Technical Issues RFID limitations Medium Low data
Technical Issues Lack of knowledge for RFID or when system goes down High Medium Customer loyalty, company rep.
Technical Issues Designing Standards and processes Medium Medium Employee trust
Inventory Management RFID supplies not delivered on time Low High Inventory, customers, inventory
Inventory Management Lack of knowledge for RFID inventory processing Medium Low Employee, company rep.



  • Become a leader through technology
  • Improve process flow
  • Customer satisfaction by adding value to customer services


  • Lack of technical support knowledge
  • RFID tagging on devices and produce
  • Major inventory fluctuations
  • Internal fraud
  • Damage to reputation of RFID is not effective


  • Better real time data and additional data to make assumptions by
  • Possible opening to new market segments

Cost would be on schedule and worth the cost if all negative risks had a contingency plan. Costs can be fixed in the system and validated during pilot program to ensure cost consistency.



Amber Russell, Curt Ireton, Damon Mulligan, Jan Bondoc, Tyler Rudolph. (November 2009). Risk Management Plan. RFID Implementation for Fresh Foods. Retrieved from http:// www.curtireton.com/Assets/Fresh_Foods_Risk.pdf



Risk Assessment of Cloud Computing

Below, I have  Performed a short qualitative risk assessment of cloud computing that may be used as guidance for any company thinking of moving to the cloud.  Showing some of the strengths, weaknesses and benefits?


Risk Description Probability Impact Risk Affects
Lock-in Difficult to migrate from one service provide to the next. High Medium Company Rep., Data, Service
Loss of Governance Loss of some control  to CP and unknown roles Very High Very High Company rep, data, customers trust, service
Compliance Challenged Compliance with regulations and certifications Very High High Certifications, fines
Business Rep Loss Poor Service harms business during transition. Low High Company rep, service,  data
Cloud service Terminated Poor provider, lack of understandable terms N/A Very High Rep, trust, emp loyaty, service
Provider Acquisition Mergers and buy-outs of CP N/A Medium Rep, customer trust, emp exp, intellectual property, data, service
Supply chain Failure Lack of supplier redundancy Low Medium Company rep, customer trust, data, services
Technical Risk Over/under provisioning Medium Medium Access control, company rep
Malicious Insider Abuse of high privileges Medium Very High Company rep. data, employee and customer trust
Intercept Data in transit Weak encryption, vulnerabilities in cloud Medium High Company rep. data, intellectual property
Insecure/Ineffective deletion of data Proper sanitization or data Medium Very High Sensitive data, personal data
DDoS Distributed Denial of Service Attack Medium High Cloud Interface, Network, Customers, Company rep, service
Data Protection Staorage in multiple locations High High Company rep, data, service
Not part of CP Network Breaks Medium Medium Service
Social Engineering Lack of security & awareness Medium High Intellectual property, data, emp & customer trust, reputation.
Natural Disasters Lack or recovery plan Very Low High Back-ups, all of the above


Strengths & Benefits:

  • Security measures are cheaper when implemented on a large scale.
  • Data is replicated in multiple areas – increasing redundancy and independence from failure.
  • Local network problems are less likely to have global side effects.
  • Larger scale systems can develop more effective incident response capabilities.
  • Threat management is increased since the larger corporations that own the cloud can afford the generalists to deal with specific security threats that smaller companies cannot.
  • Reduces cost of running personal servers
  • Access to better technology

Weakness and Costs:

  • External CP will depend on network bandwidth
  • Integration of variety of software, integration can be very costly
  • Different configuration panel controls, learning curve for IT department
  • Configuring mixed modes between physical, virtual & cloud
  • Reports on performance could be hidden
  • May not integrate with current management controls


Alex Gutman and Martin Perlin. (February 2011) 8 Cloud Building Conditions You Need for Taking your Data Center to the Next Level. www.evolven.com. Retrieved from: http://www.evolven.com/blog/8-cloud-building-conditions-you-need-for-taking-your-data-center-to-the-next-level.html

Daniele Catteddu, Giles Hogben. (n.d. Cloud Computing Risk Assessment — ENISA. Retrieved from http://www.enisa.europa.eu/act/rm/files/…/cloud-computing-risk-assessment

Naushad K. Cherrayil. (October 7, 2011). Cloud computing is the future of networking retrieved from http://gulfnews.com/business/technology/cloud-computing-is-the-future-of-networking-1.886905

Risk Management Planning

Risk Management Plan

Risk Management Planning

Risk management typically follows four stages in an iterative process. These are identification, assessment, planning and monitoring. They should be followed at project start-up and then monitored in response to change, completion of project stages. One of the main reasons why risk-management activities fail to deliver as well as they should is because they get treated as a one-time exercise. Once the full heat of the project battle is underway, plans and contingencies get left to gather dust on the shelf. This is a sad waste; the initial assessment will have helped identify where the project is most at risk and will have helped focus attention on how to mitigate these risks (or accept them). However, the lack of monitoring allows new risks to emerge, or old ones to grow more serious, without anyone actually noticing. It then comes as a surprise that the roof has fallen in on the project.

indentify risk

The above picture demonstrates the dimensions of where risk comes into play when dealing with project risk management that must be dealt with.

Identification of Risk

Identification is the first step. Ideally, it involves asking anyone and everyone (within reason) to identify any risks they consider might apply to the project, a checklist may be involved like the one on the next page.

Question/comment Yes/no
Has a complete risk identification/assessment/planning exercise been conducted?
Is there an ‘owner’ for this process?
If not, have all the areas of risk been considered? As below:







For all the risks identified, is there a realistic assessment of impact and probability?
Have these risks been ranked (prioritized) according to impact and probability

Identifying and classifying risk.

probability of occurrence

Risk Analysis

Once risk has been identified they can then be rated according to severity and probability. Normally, this is done on the basis of low, medium or high for both categories as seen in the above diagram.

We try to base on ranking the risks according to combined impact and probability. The first filter employed would be to eliminate all the very low risks. These need only be considered if their ranking changes in the future, it is not a good thing to to simply file and forget risks. The ranking process can then be applied to give increasingly higher profiles to high-impact/probability risks. During this assessment process, we could associate/review ranking numbers with the impact on budget and time. This can then be used to keep a track of how risks evolve with time as a result of project progress, risk reduction and contingency plans, plus events in the outside world.

 Risk Response

Following on logically, once the nature of the risk has been fully assessed, the next step is to develop a plan for dealing with each risk. These typically include: ignore it, take mitigating action to reduce the chance of it happening or minimize the impact, and have a contingency plan in case it actually comes to pass.

These are the four main solutions to risk for when they can potentially occur:

1. Avoidance

Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.

2. Reduction

Involves methods that reduce the severity of the loss or the likelihood of the loss from occurring. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.

3.   Retention

Involves accepting the loss when it occurs. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.

4. Transfer

Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. Liability among construction or other contractors is very often transferred this way. On the other hand, taking offsetting positions in derivatives is typically how firms use hedging to financially manage risk.

 The risk identification, assessment and planning stages need to be re-evaluated when things change. This can either be done by having regularly timed reviews (with the overhead that you might have reviews when you don’t need them). Alternatively, risk reviews can be implemented whenever there is a request for a change, however trivial, or by setting criteria that determine the extent of the reviews according to the extent of the change.

Risk Monitoring and Control

The monitoring process will be to systematically tracks and evaluate the effectiveness of risk handling actions against established metrics. Monitoring results may also provide a basis for developing additional risk handling options and approaches, or updating existing risk handling approaches, and reanalyzing known risks. In some cases monitoring results may also be used to identify new risks and revise some aspects of risk planning. The key to the risk monitoring process is to establish a cost, performance, and schedule management indicator system over the program that the program manager and other key personnel use to evaluate the status of the program. The indicator system should be designed to provide early warning of potential problems to allow management actions. Risk monitoring is not a problem-solving technique, but rather, a proactive technique to obtain objective information on the progress to date in reducing risks to acceptable levels.

“Best practices” acknowledges that all of the traps have not been identified for each risk issue. The traps are intended to be suggestive, and other potential issues should be examined as they arise. It is also important to recognize that sources and types of risk evolve over time. Risks may take a long time to mature into problems. Attention must be properly focused to examine risks and lessons learned.

Lessons learned should be documented so that future project managers can learn from past mistakes.

From past companies, and education, I have developed  risk management plans. That included risk management planning, identification of risk, risk analysis, risk response (including avoidance reduction transfer and retention), and risk monitoring and control.

As I find time, I will post more information.


Andersen, Erling S.; Grude, Kristoffer V.; Haug, Tor.; Katagiri, Mike.; Turner, J. Rodney
Goal Directed Project Management: Effective Techniques and Strategies
3Rd Ed. / Edited By Mike Katagiri, Rodney Turner. : London ; Sterling, VA : Kogan Page, 2004.

Ben-David and T. Raz An Integrated Approach for Risk Response Development in Project Planning; The Journal of the Operational Research Society, Vol. 52, No. 1 (Jan., 2001), pp. 14-25

Kerzner, Harold; Project Management: A Systems Approach to Planning, Scheduling, and Controlling : New York John Wiley & Sons, Inc. (US), 2001.

Nickson, David.; Siddons, Suzy;Project Disasters & How to Survive Them;: London ; Sterling, VA : Kogan Page, 2005.

Smith, Nigel J.; Managing Risk in Construction Projects : Oxford ; Malden, Mass. Blackwell Science, 1999.


Critical Chain Safety

Critical ChainSafety is a necessary CYOA mentality that most project managers need projects can finish on time. Trying to balance time management with resources needed is what it is all about and can be summed up in 3 steps; planning, execution, and monitoring.

1. Planning:

Two durations are entered for each task: a “best guess,” or 50% probability duration, and a “safe” duration, which should have higher probability of completion.

Resources are then assigned to each task, and the plan is resource leveled using the 50% estimates. The longest sequence of resource-leveled tasks that lead from beginning to end of the project is then identified as the critical chain. The justification for using the 50% estimates is that half of the tasks will finish early and half will finish late, so that the variance over the course of the project should be zero.

Recognizing that tasks are more likely to take more rather than less time due to Parkinson’s Law “Work expands to fill (and often exceed) the time allowed.”, Student syndrome, or other reasons, “buffers” are used to establish dates for deliverables and for monitoring project schedule and financial performance. The “extra” duration of each task on the critical chain—the difference between the “safe” durations and the 50% durations—is gathered together in a buffer at the end of the project. In the same way, buffers are gathered at the end of each sequence of tasks that feed into the critical chain.

2. Execution:

When the plan is complete and the project ready to start, the project network is fixed and the buffers size is locked. With no slack in the duration of individual tasks, the resources on the critical chain are exploited by ensuring that they work on the critical chain task and nothing else; multitasking is eliminated. People should be focused on completing the assigned task as quickly as possible, with no distractions.

Because task durations have been planned at the 50% probability duration, there is pressure on the resources to complete critical chain tasks as quickly as possible, overcoming student’s syndrome and Parkinson’s Law.

3. Monitoring:

In some ways is, the greatest advantage of the Critical Chain method. Because individual tasks will vary in duration from the 50% estimate, there is no point in trying to force every task to complete “on time;” estimates can never be perfect. Instead, we monitor the buffers that were created during the planning stage. If the rate of buffer consumption is low, the project is on target. If the rate of consumption is such that there is likely to be little or no buffer at the end of the project, then corrective actions or recovery plans must be developed to recover the loss. When the buffer consumption rate exceeds some critical value (roughly: the rate where all of the buffer may be expected to be consumed before the end of the project, resulting in late completion), then alternative plans need to be implemented.



Critical Chain Project Management – Wikipedia, the free encyclopedia 6/19/2012


Goldratt, Eliyahu M. : Critical Chain, North River Press, Great Barrington, MA. 1997