60GG-1.002. Risk and Complexity Assessment  


Effective on Thursday, July 16, 2015
    (1) The Agency will perform Risk & Complexity Assessments (R&C Assessments) for information technology (IT) projects to evaluate the risk and complexity factors for each IT project (https://www.flrules.org/Gateway/reference.asp?No=Ref-05569). The purpose of the assessments is to determine the minimum level of project management control necessary to manage a given project in order to reduce risk and increase the probability of success.

    (2) These assessments align projects by risk and complexity levels into one (1) of four (4) Risk and Complexity (R&C) Categories, which determine the amount of project management control required. The following diagram indicates the distribution of risk and complexity levels into the R&C Category:

     

                     Complexity
    Risk      | Low | Medium | High
    ----------+-----+--------+-----
    Low       |  1  |   1    |  2
    Medium    |  2  |   2    |  3
    High      |  3  |   3    |  4

    (a) Category 4 represents High Risk and High Complexity projects.

    (b) Category 3 represents High Risk and Medium Complexity projects, High Risk and Low Complexity projects, or Medium Risk and High Complexity projects.

    (c) Category 2 represents Medium Risk and Medium Complexity projects, Medium Risk and Low Complexity projects, or Low Risk and High Complexity projects.

    (d) Category 1 represents Low Risk and Medium Complexity projects or Low Risk and Low Complexity projects.

    (e) Specific lifecycle phase requirements for each category are identified in rule 60GG-1.003, F.A.C. ‒ Initiation; rule 60GG-1.004, F.A.C. ‒ Planning; rule 60GG-1.005, F.A.C. ‒ Execution; rule 60GG-1.006, F.A.C. ‒ Monitoring and Controlling; and rule 60GG-1.007, F.A.C. ‒ Closure.

    (3) The R&C Assessments are conducted using Form DMS-F-0505A, DMS Risk & Complexity Assessment Workbook (07/15). This workbook is used by Agencies to determine the cumulative R&C Category designation. The R&C Assessment Workbook is divided into seven (7) separate assessment worksheets which are conducted at four (4) key points in the project management life cycle. Form DMS-F-0505A, DMS Risk & Complexity Assessment Workbook, is hereby incorporated by reference in this rule.

    (a) The Agency must complete a Pre-Charter R&C Assessment (consisting of a Risk worksheet and a Complexity worksheet) at the start of the Initiation phase of the project. During this assessment, the Agency will review priorities and business need, assess the project, and analyze factors that might impact project success. The resulting R&C Category establishes the project management control requirements to be applied during the project Initiation phase. (See rule 60GG-1.003, F.A.C. ‒ Initiation)

    (b) The Agency must complete an Initiation Gate R&C Assessment at the end of the Initiation phase following completion of project Initiation documentation. During this assessment, the Agency will review Initiation documents, validate or amend the previous R&C assessment findings, and complete the Initiation Gate R&C Assessment (consisting of a Risk worksheet and a Complexity worksheet). This assessment will confirm or adjust the project’s cumulative risk & complexity level and resulting R&C Category, examine the effectiveness of Initiation phase activities, and set requirements for the project Planning phase. (See rule 60GG-1.004, F.A.C. ‒ Planning)

    (c) The Agency must complete a Planning Gate R&C Assessment at the end of the Planning phase, following completion of project planning documentation. During this assessment, the Agency will review project documents, validate or amend the previous R&C assessment findings, and complete the Planning Gate R&C Assessment (consisting of a Risk worksheet and a Complexity worksheet). This assessment will confirm or adjust the project’s cumulative risk and complexity level and resulting R&C Category, examine the effectiveness of Planning phase activities, and set requirements for the project Execution and Monitoring and Controlling phases. (See rule 60GG-1.005, F.A.C. ‒ Execution, and rule 60GG-1.006, F.A.C. ‒ Monitoring and Controlling)

    (d) The Agency must complete an Event-Driven R&C Assessment if the project experiences a significant change, or cumulative changes (in cost, schedule, or scope) from the project baseline. During this assessment, the Agency will review the change control request(s) and project documentation. The Agency will also review, validate or amend the previous R&C assessment findings, and complete the Event-Driven R&C Assessment (consisting of a Risk worksheet). This assessment will confirm or adjust the project’s cumulative risk & complexity level and resulting R&C Category and determine if review and amendment to project management baselines are needed.

    Rulemaking Authority 282.0051(18) FS. Law Implemented 282.0041, 282.0051 FS. History‒New 7-16-15, Formerly 74-1.002.