Assignment 2 - RMP EduStream

1 INTRODUCTION

1.1 Purpose of the Project Risk Management Plan

Risk Management (RM) defines the processes required for identification, assessment,
mitigation, tracking, control, and management of a project’s risks. RM should drive
decisions that affect the development of the business capacity and the management of the
project.

This Risk Management Plan (RMP) aims to give the EduStream project a consistent method
for managing risks, to help ensure success.

1.2 Objectives of this RMP Document

Specific objectives of this RMP include:

 helping to ensure critical risks do not adversely impact on scope, schedule, budget,
business performance, and/or Change Management, by proactively identifying,
communicating, mitigating, and escalating such matters in a timely manner;
 facilitating the focussing of attention to key risks that are likely to adversely impact on
the project and teams;
 ensuring that appropriate stakeholders are informed and, if applicable, engaging them in
the mitigation; and
 recording an audit trail of discussions and mitigation processes implemented to manage
project risks.

1.3 Guiding Principles

The following guiding principles shall be applied to effectively implement Risk

Management:
 the Project Manager is responsible for making an overall risk assessment and reviewing it
with the team and stakeholders;
 although Risk Management is the ultimate responsibility of the Project Manager, the
administration and control will be supported by the Project Office (PO) and the Quality
Group (QG);
 wherever possible, the risks will be addressed in the order of their expected severity;
 high impact, impending risks, will be managed with a rapid decision turnaround;
 realistic due dates will be set and then the team will make best efforts to meet those dates;
 identified risks will be managed and mitigated at the appropriate level (i.e. project,
working group, individual teams, etc.);
 stakeholders will be kept consistently informed about the current risk status; and
 planned Risk Management and the mitigation history will be documented, and wherever
possible such documentation will include root cause analysis, key learnings and
metrics, so similar future risks can be identified and mitigated more effectively.

Murdoch University Page 1

Assignment 2 - RMP EduStream

2 PROJECT SCOPE
We will deliver a streaming system that displays educational games and videos online in a
stable, user-friendly and effective manner. The streaming system will have a secured database
in which the user data is stored, secure billing system and content access according to the
user’s age. The platform will also be available on a wide range of devices. Our goal is to
ensure the reliability, accessibility and security of the software provided for the clients.
While EduStream's primary customers are organizational clients (e.g., schools, businesses,
and government), the company also plans to expand its customer base by offering its services
to individual consumers (mass market). This will help reduce the risk of profit loss and rather
increase the profit. The pilot rollout will also be a great way to reduce the risk of failure since
the company has realistic schedules and enough resources, such as a well-suited team for the
project. For instance, breaking down the development stage into 3 distinct parts (pilots). Each
of these pilots will be held in a different location, pilot 1 in Perth, pilot 2 in Sydney, and pilot
3 in Melbourne. This ensures that one pilot is fully optimized before moving on to the next.
Moreover, the project has team members that have sufficient collaborations with each other,
making it another reason for the project's success.

This system will be deployed by creating three pilot Content Delivery Network (CDN) nodes.
The nodes will be located in Perth, Sydney and Melbourne, respectively. For each of the
nodes there will be Web servers, a Client Database, an Open Connect Appliance (OCA),
Games Server, and System Health Management.
Web Server:
 The clients will be able to access the front-end of the application where the Web Servers
will be.
 An easy-to-use application will allow customers to access and download their videos or
games effortlessly and without hassle.
 In order for the system to run efficiently, it must communicate with the Client DB and
extract the data directly from the OCA and Games Server libraries.

Client Database (DB):

 Information about users such as names, age, addresses and credit card information will be
stored in the Client DB.
 Tokens will also be stored. It is important to store this information, as it will let the
system identify the user, give the right material, debit the monthly payments
automatically, or determine the access to games based on the tokens software gained by
the user.

Open Connect Appliance (OCA):

 In order to store videos on the platform a Netflix rack-mounted server will be required
(hardware).
 The software will also be designed for the platform and will include CODEC, RTSP and
H.264.
 Videos must be converted to MP4 and FLV format. Therefore, the videos will be able to
be streamed in both MP4 and FLV.

Murdoch University Page 2

Assignment 2 - RMP EduStream

 It will be essential to have an interface between the OCA and the client's DB and it will
also be required to have an interface between the Web Servers and the OCA.

Games Server:
 A Games Server will be installed as a streaming engine for the games.
 The hardware for the Games Server will be a rack-mountable server.
 The software will be developed to handle the distribution and administration of games
within an inventory.
 An interface between the Games Server and the Client DB will be needed to verify the
tokens.

System Health Management:

 In order to monitor the CDN nodes activity, the System Health Management will need a
dedicated hardware and software.
 System Health Management is important for load sharing.

Client Application:
 The client software will be downloadable and can run on Apple and Android from diverse
platforms such as Tablets, Computers, Phones, TVs and smart TVs.
 The hardware will not be provided by us.
 The test environment will be supplied by us and it will require RTSP, CODEC and a thin-
client application.

Security:
 The security of the DB has been outsourced to DemSet.
 A standard set of security protocols and mechanisms will be developed by DemSet, as
well as system implementation and monitoring across the whole system.
 DemSet will handle all areas, including applications (Client, OCA, streaming, web-front-
end, and games), firewall, router, network, DB and DB replication in order to provide a
comprehensive solution.
 By the first week of October 2021, DemSet hopes to have their security plan accessible
for distribution to StreamTech and other relevant individuals.

Customer Support:
 The customer support is outsourced to MBSD.
 As part of a service management system, MBSD will provide Level 1 support for
government, business, and educational institutions.
 ITIL-compliant Service Desk Management System (SDMS) will be used to coordinate
level 1 support, which will require EdMI to deliver the necessary data.
 Where a problem cannot be resolved by the Service Centre Level 1 support, it will be
referred to EdMI.
To ensure the project operates well and is delivered on schedule, the key milestones will be
essential to follow. Some of the key milestones are submission to the Board, formal project
start date, finalizing system design, software and hardware development, commencing
marketing, CDN nodes Beta goes-live (for Perth, Sydney and Melbourne,
respectively), marketing opening, and closure of the formal pilot project. The formal start

Murdoch University Page 3

Assignment 2 - RMP EduStream

date of the pilot project will be on the 26th of April 2021, and the formal end date will be
on the 3rd of June 2022.

3 RISK MANAGEMENT ORGANISATION

3.1 Process Responsibility

The Project Risk Manager (PRM) will be the EdMedia International (EdMI) Quality Team
Manager (QTM) for this project. In this role, the PRM is directly responsible to the Project
Manager for all aspects related to Risk Management.

The PRM has overall responsibility for:

 developing and implementing Risk Mitigation Plans;
 maintaining the Risk Management Plan, in line with the standard configuration
management procedures;
 generating risk reports, including trends and metric analysis;
 clarifying, consolidating and documenting risks;
 maintaining and monitoring data in the Risk Register;
 monitoring the status of risk mitigation;
 communicating the status of risks and mitigations to risk owners;
 escalating communication/action, if expected mitigation action deadlines are unlikely to
be met; and
 executing the risk closure process.

The PRM may delegate these responsibilities to other team members for implementation, but
the accountability to the Project Manager will always rest with the PRM.

The Project Manager will have overall responsibility for ensuring the Risk Management Plan
is executed appropriately. Specific Risk Management responsibilities of the Project Manager
include:
 approving the mitigation of very high severity level risks;
 supporting mitigation implementation as appropriate; and
 assisting in cross-organisation and controversial risk mitigation, to facilitate involving
senior personnel from other organisations and their resources.

3.2 Risk Owners

The Risk Owner (RO) is the person to whom the PRM assigns primary responsibility for
managing/mitigating the risk. This assignment of responsibility will be based on the type of
risk and will normally be delegated to the team member who can be empowered to assure this
risk is managed/mitigated. This will typically be a Team Leader and/or their respective co-
lead. Other stakeholders can also be delegated as Risk Co-Owners (RCO), so appropriate
skills and authority can be applied to manage and mitigate the risk. However, the RO will
always be directly responsible to the PRM for managing/mitigating the assigned risk.

The RO and RCOs (as appropriate) will take the following actions:
 assessing the risk and creating a Risk Response Plan that meets the PRM approval
criteria;
 mitigating/controlling risks in accordance with the specified Risk Response Plan;

Murdoch University Page 4

Assignment 2 - RMP EduStream

 recommending risk closure to the PRM once the risk has been mitigated/controlled/
ameliorated appropriately; and
 presenting risk status information at Quality Team meetings, as required.

4 RISK MANAGEMENT PROCESS

Apart from Planning, risk management involves five major phases, which are: Identify Risks,
Analyse Risks (Qualitative & Quantitative), Plan Risk Responses, Implement Risk
Responses, and Monitor Risks. These are discussed in the following subsections.

4.1 Identify Risks

The ability of our team to identify risks that may affect project outcomes is extremely
important. Once a risk has been identified, it must be logged into the Project Risk Register.
The Risk Register includes the following information:
1. REF ID. This is a unique identifier for each risk. Typically, it is a sequential number.
2. Description of the Risk. A description of each potential risk event is provided in this
column of the Risk Register. In many cases, this is supported by more detailed
information in separate documentation or notes associated with the Risk Register.
3. Potential Impact of the Risk. A short explanation of how the risk could affect the
project is included in this cell. These are typically defined in terms of aspects such as
the impacts on safety, pricing/costs, scheduling, technical, etc. In many cases, this is
supported by more detailed information in separate documentation, or notes associated
with the Risk Register.
4. Risk Level. The risk level is typically developed from qualitative analysis. This uses a
matrix that includes the probability of occurrence and the impact/seriousness if it does
(see Figure 1). The information within this cell should be VH, H, M, L or VL, which
equate to Very High, High, Medium, Low, or Very Low. Additionally, a risk score can
be added in this section. Risk scores are often developed from Qualitative Analysis
(see Section 4.2.2) but may also be defined through different Quantitative Analysis
models.
5. Risk Owners. This column of the Risk Register is used to provide details of the RO
and any RCOs who will be responsible for managing the risk. In some cases, this
includes contact details, however, this is not required in this version of the Risk
Register.
6. Date Reported. The date on which the risk was reported is included in this column.
This allows the age of the risk to be identified effectively, so it becomes clear which
risks are slow to be addressed.
7. Control/Contingency/Fallback Strategies. Include the strategies proposed for dealing
with the risk (preventative, contingency, contingency reserves, fallback, etc.). Where
necessary, these should be provided as fuller descriptions in separate documents or
notes attached to the Risk Register. It is important that this information provides
enough content to allow a reader to understand the steps/strategies that will be taken to
manage the risk.
8. Due Date. The due date assigned for completing the risk mitigation/controls defined in
the preceding column should be included in this column. When developing this due
date, the team should ensure that the projected resolution duration is appropriate (e.g. if
it is a Very High Risk or High Risk it should be addressed in a very short time frame).
9. Risk Status. The risk status is typically defined as Open or Closed. However, some
organisations include other terms such as Escalated or Pending. The information in

Murdoch University Page 5

Assignment 2 - RMP EduStream

this cell can then be used to find specific types of risk, such as those ones that are still
open.
10. Date Closed. The column for Date Closed refers to the day on which the risk was
officially closed. In some cases, this is an automatic field that updates when the risk
status is changed. Including this field allows the team to investigate metrics such as
average time for closure of risks (i.e. the average for Date Closed minus Date
Reported).
11. Lessons Learnt. The lessons learnt is an important field, because it allows future
projects to proactively identify risks and solutions that worked or did not work. This
information is often provided as a link/field for a detailed file, or a note in the Risk
Register, which explains issues related to the root cause, and other key factors that
could need to be addressed in future projects.

4.2 Analyse Risks

Risks are analysed using Qualitative and Quantitative methods. Such analysis can be
conducted in parallel or in tandem (e.g. one after the other). These types of analysis can be
categorised as explained in the following subsections.
4.2.1 Qualitative Analysis

Qualitative Analysis is a method for assessing the level of risk, by entering the probability of
occurrence and the impact of an occurrence using a matrix, such as the one provided in
Figure 1. This is achieved by defining each issue in terms of the general criteria to the right
of this diagram.

Figure 1: Qualitative Analysis Matrix

Once this qualitative analysis has been completed, take appropriate action as defined in Table
1
Table 1: Actions to be taken for different levels of Qualitative Risk

Score Definition/Actions to be taken

Very High Anything classified as Very High indicates that this risk is extremely or very likely to occur.

Murdoch University Page 6

Assignment 2 - RMP EduStream

(25) Additionally, the occurrence could have a profound impact on the project’s safety, technical,
cost, and/or schedule, which may cause the project to be terminated or can cause significant
cost/schedule changes (e.g. increases of more than 5 percent). The management of this level
of risk should be escalated, and that aspect of the project must be implemented with extreme
care until the risks can be mitigated/controlled effectively.
High Risk High Risks may cause significant safety, technical, cost, and/or schedule increases (e.g.
(15) increases of 2 to 5 percent) for the project. These risks are to be managed proactively, and a
priority must be applied to mitigate/control the risks as soon as practicable. In the meantime,
the elements of the project associated with this risk must be managed with due care.
Moderate This refers to risks that are Moderate, because they may have a relatively small but significant
Risk impact on the project’s safety, technical, cost, and/or schedule (e.g. generally less than 2
(5 or 9) percent variance). Appropriate mitigation/control strategies should be implemented as soon as
it is practicable. Obviously, risks with a score of nine (9), should be addressed with higher
priority than those with a score of (5). While awaiting mitigation/controls to be implemented,
the team should still manage this aspect of the project with care.
Low Risk A Low Risk refers to an event that is relatively unlikely to occur, or the impact would be low if it
(3) did occur. In other words, this refers to situations in which the combination of likelihood and
impact means that this risk would not be expected to have a significant impact on the project’s
safety, technical, cost and/or schedule. Typically, consolidated risk management is not applied
to these types of risks. However, the team associated with this aspect should keep it in mind
while implementing the project and monitor the issue with an appropriate level of caution.
Very Low A Very Low Risk refers to matters where it would be unlikely for the risk to occur and even if it
Risk did, the impact is expected to be minimal. In these circumstances, consolidated risk
(1) management would not be applied. However, as with all aspects of Risk Management, those
involved with the project should continue to monitor evolving levels of risk and take proactive
action when considered appropriate.

4.2.2 Quantitative Analysis

Where considered appropriate, Quantitative Analysis should be conducted. This may entail
techniques such as statistical analysis (including Expected Monetary Value) and decision
trees, simulations, or sensitivity analysis.

4.3 Plan and Implement Risk Responses

Where the risks are identified as being Very High, High, or Moderate, an RO (and possibly
one or more RCO) will be allocated to manage the risk. They will begin this activity by
developing a Risk Response Plan. This plan is used to provide options and action plans,
which can help to reduce the threats associated with the identified risk.

To facilitate these activities the RO/RCO will be required to interact with all appropriate
stakeholders, to identify suitable solutions/options for mitigation/control. They will then
submit their plan to the PRM (or their delegate for that level of risk). Once the plan is
approved, the Risk Register is to be updated with specific and suitable details related to the
proposed plan. Additionally, appropriate changes are to be implemented through the Change
Management, Configuration Management, Problem Management, and/or Issue Management
systems. Where necessary, such changes should also be applied to other documentation,
including the Project Management Plan (and its sub-documents) and the Work Breakdown
Structure/Schedule. Appropriate steps must then be taken to implement the approved risk
management steps within an appropriate timeframe.

Murdoch University Page 7

Assignment 2 - RMP EduStream

4.4 Monitor Risk – to trigger steps to control risks

Risk Monitoring and Control is the process of identifying, analysing, and planning for newly
identified risks, monitoring previously identified risks, and re-evaluating existing risks, to
verify the effectiveness of planned risk response strategies.

Activities involved in Risk Monitoring include:

 establishing periodic reviews and scheduling them in the project plan;
 ensuring that all requirements of the Risk Management Plan are being implemented;
 assessing identified risks that are defined in the Risk Register;
 identifying the status of actions to be taken;
 validating previous risk assessments (in terms of assessed likelihood and impact or the
utilisation of qualitative methods);
 validating previous assumptions and stating any new assumptions that are defined;
 evaluating the effectiveness of actions taken to mitigate/control risks;
 identifying new risks;
 tracking risk responses; and
 communicating Risk Management status (and risk response follow-through as
appropriate) to pertinent stakeholders.

Activities involved in risk control include:

 validating risk mitigation strategies and alternatives;
 taking appropriate corrective action when actual events occur;
 assessing the impact on the project of actions taken (cost, time, resources);
 identifying new risks resulting from risk mitigation actions;
 ensuring that the project plan (including the Risk Management Plan) is maintained;
 ensuring that Change Management addresses risks associated with the proposed change;
 revising Risk Management documents, to capture the results of mitigation/control actions;
 updating the Risk Register; and
 communicating Risk Management status (and risk response follow-through as
appropriate) to pertinent stakeholders.

4.5 Risk Escalation Procedures

Most Risk Management decisions will be made within the Quality Group (QG) led by the
EdMI Quality Team Manager (QTM). Escalation to the Project Manager will take place
when:
 Very High, or High, risk issues are identified;
 there is a need to coordinate Risk Management across organisations and the level of
authority needed to manage the risks is beyond the capabilities/authority of the
members of the QG; and
 when the QTM or Project Manager considers it appropriate.

Such escalations are implemented to help ensure that the risks can be mitigated or
ameliorated effectively within the appropriate timeframe.

Murdoch University Page 8

Assignment 2 - RMP EduStream

4.6 Risk Closure

Once an identified risk has been appropriately controlled/mitigated, this should be reported to
the QTM by the RO as soon as possible. Where a risk has been escalated, the QTM is to
advise the Project Manager as soon as it is practicable.

Prior to closure, the QTM (or the Project Manager if the risk has been escalated) is to take
appropriate steps to ensure that the risk has been appropriately mitigated. Once they are
confident that appropriate mitigation has been implemented, they will officially change the
status in the Risk Register to closed.

4.7 Risk Management Closeout

At the completion of the project, there will be a transition of any open risks, and the capturing
and harvesting of lessons learnt. These are important for future project maintenance and
support. Additionally, this activity can assist in the management of future projects. Key
activities that are to be undertaken during this phase include the following:
 validating the closure of identified risks (i.e. ensuring that they have been closed
appropriately);
 for any open risks, assess whether there are ongoing operational/technical risks that
warrant communication of these matters to other stakeholders;
 documenting remaining open risks within an accessible final report;
 producing final Risk Management metrics and evaluating the process effectiveness
against established benchmarks; and
 capturing risk factors and Risk Response Plans for inclusion in Risk Reference Models.

5 WHAT YOU NEED TO DO

5.1 Task 1

5.2 Task 2

Your team has been contacted by the Project Sponsor because the Board is thinking about
adding a fourth Pilot site into the project. The options for this are Brisbane, Adelaide and
Darwin. Your team has been asked to implement an Expected Monetary Value (EMV)
analysis based on the following information. This data was developed by the EdMI
Marketing Department based on:
 the expected additional costs associated with implementing that node in Year 0;
 the probabilities for different levels of demand for the EduStream services, based on a
statistical analysis of various prospective clients (defined as probabilities of Strong,
Moderate or Weak demand);
 costs are based on establishment and operation of the additional node for Year 0 and Year
1; and
 the expected revenue that is likely to be generated within the first year if the demand is
Strong, Moderate or Weak (please note that these figures have already been adjusted
for Net Present Value).

Murdoch University Page 9

Assignment 2 - RMP EduStream

Decision Cost Chance Chance Expected Differential Profit/Loss x

Node Node Probability Revenue for (Profit/Loss) Probability
Demand
Type
Option $ 1A: Strong
20% $3,700,000 $1,600,000 $3,200,00
1: 2,100,000 Demand
Brisbane 1B:
Node Moderate 30% $2,600,000 $5,000,00 $1,500,00
Demand
1C: Weak
50% $1,700,000 $-4,000,00 $-2,000,00
Demand
Option $ 2A: Strong
35% $3,500,000 $1,100,000 $3,850,00
2: 2,400,000 Demand
Adelaide 2B:
Node Moderate 40% 2,800,000 $4,000,00 $1,600,00
Demand
2C: Weak
25% $1,500,000 $-9,000,00 $-2,250,00
Demand
Option $ 3A: Strong
30% $3,100,000 $1,300,000 $3,900,00
3: 1,800,000 Demand
Darwin 3B:
Node Moderate 30% $2,200,000 $4,000,00 $1,200,00
Demand
3C: Weak
40% $1,400,000 $-4,000,00 $-1,600,00
Demand

EMV Option 1 (Brisbane) EMV Option 2 (Adelaide) EMV Option 3 (Darwin)

$2,700,00 $3,200,00 $3,500,00
Recommendation on which Project to Implement
Option 3 provides the highest EMV, but our recommendation is to choose option 2, Adelaide
Node. The decision is made by considering the size of the market in different nodes.
Adelaide is the capital city of South Australia and has 5% of the country's total population.
There is a massive difference in the number of residents in Adelaide and Darwin.

REF ID

Description of the Risk

(Insert a short description of the risk)

Potential Impact of the Risk

(Explain the impact of the risk in terms of safety, pricing/costs, schedule, technical, security, etc.)

Risk Level

(VH/H/M/L/VL)

Risk Owner/s

(RO/RCO)

Date Reported

Murdoch University Page 10

Assignment 2 - RMP EduStream

Control/Contingency/Fallback Strategies

(Provide a synopsis of the approaches that you are proposing to manage this risk. Remember that this approach must conform to the RMP
framework.)

Due Date

(For Plan/Action)

Netflix not providing rights to utilise OCA Equipment (see Note # 1 for more information)

EduStream will not have a video streaming server. As this is a core element of the system, this lack would have significant cost, schedule
and technical impacts

H (15)

CIO/ EdMI PM, StreamTech PM

22/02/21

Control: Continue negotiations and secure the utilisation of the OCAs. Offer resource sharing.

Contingency: Deploy through Netflix and become a content provider (this has significant business & technical implications).

Fallback: Utilise another video streaming engine (develop or reuse another COTS solution). This fallback could have a significant
business/technical impact.

16/03/21 (See Note 2)

Planned client software tokens may not stop unauthorised usage of the system

Unless the token system can be made foolproof there is a high probability that security protocols can be breached, and unauthorised users
will gain access to content. This will have significant cashflow, technical and security ramifications.

VH (25)

DemSet PM/ StreamTech PM, EdMI Security Advisor

31/05/21

Control: Investigate and implement 128b token solution including storage of tokens in the Client DB. Do extensive white hat hacker
security testing.

Contingency: Option up to a 256b token. Do extensive hacker security testing.

Fallback: Option up to a 512b token and implement more rigorous multi-level security measures.

09/07/21 (See Note 3)

Inability to recruit appropriately skilled personnel to provide Level 2/3 Support

This means that we would only be able to deliver Level 1 support through the MBSD. Lack of this Level 2/3 service may make it difficult to
resolve technical risks quickly. A shortfall of this nature could adversely impact on our ability to deploy a stable system and encourage
corporate groups to engage. This will have significant cashflow and technical development implications

M (5)

CIO/ EdMI HR Manager

Murdoch University Page 11

Assignment 2 - RMP EduStream

22/02/21

Control: Start the recruitment process early and engage the recruited staff member during project and document development, so they
have time to understand the system intimately prior to deployment. To help ensure the right people are engaged, ensure that the
monetary offering and conditions are competitive.

Contingency: Engage StreamTech and DemSet on long term support contracts to provide the support. This would have to be a tight
contract to control cost blowouts.

Fallback: Headhunt a person with the appropriate skills from an employment agency.

05/04/21 (See Note 4)

A glitch in the DB replication system may create a loss of financial and customer records

financial records are important for budgeting, expenses and especially government audits and customer records store details of the
customer, their subscription detail etc and losing both or any can result in losing track of who all did the payment, which services they
subscribed for, their subscription period etc and can cause huge loss to the company and losing reputation with users.

VH(25)

DemSet Client DB Team Lead, DemSet DB Security

03/12/21

Control: Have the records backed up to a server every day

Contingency: Select DB like Oracle that are known to perform quite a powerful replication system with relatively little
development/tailoring required.

Fallback: inform the users about the issue and try to retrieve data as much as possible.

20/04/2022 (see note 5)

Contractors may leak the confidential information to anyone else or to another company

Leaking the information about the EduStream project to other companies may lead to compromising confidential data and other
companies doing the same project or better one than ours and hence might reduce our market share

M(9)

CIO/EdMI HR Manager

22/02/21

Control: steps in place to avoid unauthorised access to information and to make sure security

Murdoch University Page 12

Assignment 2 - RMP EduStream

Contingency: specify the actions taken towards the contractor if proven guilty of sharing any confidential information with others in the
contract

Fallback: Vigilant of the contractors move and limit the access of contractor to confidential info.

20/04/2022 (see note 5)

A staff may unintentionally download a trojan software or file. A trojan is a software that has malware secretly hidden inside.

Malware can infect the computer and system and compromise confidential information or block access to the computer.

H(15)

Security

Management

Team (SMT)

16/06/21

Control: ask for admin password to download software.

Contingency: Customize firewall to scan downloads for malware prior to downloading.

Fall back: remove the trojan from the system.

20/11/21 (see note 10)

No Disaster Recovery Contingency Plans

Employees, equipment and Data are at risk without having a DRC plan.

M(9)

CEO/CIO

22/02/21

Control: Create a DRCP that details how the company will manage and get back after a disaster.

Contingency: move equipment and staff to a safer location and backup dat to cloud as much as possible.

Fall back: ask for government funds allocated for disaster recovery.

20/11/21 (see note 10)

DemSet is unwilling to share their whole security protocol with other contractors.

DemSet is in charge of creating all of the database system's security protocols and may prefer to hide their secret codes and programs
for securing the organizational knowledge.

M(5)

Security

Management

Murdoch University Page 13

Assignment 2 - RMP EduStream

Team (SMT)

16/06/21

Control: In order to ensure that the DemSet shares all project-related security firewalls, accurate documentation must be produced
through the project legal manager hence securing overall system from all hijackers.

Contingency: To ensure the whole security plans, the Document Management Group (DMG) must document all
of the legal sharing the project associated security standards.

Fallback: Involving the Board of Directors in the solution of the rising risk.

27/08/21( see note 7)

RTSP Security concerns resulting in various cyber-abuses.

The RTSP protocol is based on the HTTP protocol. As a result, whilst streaming media, various exploitable vulnerabilities due to
carelessness, RTSP implementations may occur.

H(15)

DemSet Manager/ Demset Security team

16/06/21

Control: Can be secured using various technologies such as TLS, which allows it to be secured in the event of a security breach.

Contingency: DemSet may seek the help of additional contractors to guarantee that all security loop holes are plugged.

Fallback: Using contingency funds to hire advanced security contractors

21/07/21(see note 8)

10

Social engineering

Can compromise confidential information and client data as well as result in financial loss

H(15)

Security

Management

Team (SMT)

16/06/21

Control: Policies on how information can be shared securely and with whom and the proper procedure for data disposal

Contingency: Routine social awareness training.

Fall back: file a case in court to find the culprit

20/11/21 (see note 10)

12

Denial of Service Attack (DDoS)

Murdoch University Page 14

Assignment 2 - RMP EduStream

It occurs when an attacker sends huge amount of data over to the system that it overwhelms the system, and it cannot process real
requests and eventually the service/system crashes and teams may not be able to access it or do the activity they need to do...

H(15)

Security

Management

Team (SMT)

16/06/21

Control: Limit firewall so that only allowed sites can send information and other sites are blocked

Contingency: use firewall to monitor traffic and identify abnormal network traffic
Fall back: Bring back the site as quick as possible.

20/11/21 (see note 10)

13

Operating System, Server OS and hardware going outdated

An outdated system maybe much slower, less compatible and more prone to attacks, errors, and compatibility issues, as well misses
updated features

M(9)

CIO/ EdMI PM, StreamTech PM

6/05/21

Control: Createa plan to upgrade computers, OS and hardware

Contingency: Identify systems component that requires upgradation urgently and create a plan of what to upgrade and when it will be
upgraded.

Fall back: have good defense mechanisms to reduce attack.

15/11/21 (see note 10)

14

High cost of implementing Oracle in a client DB system.

DemSet will utilize Oracle for the Client Database System. Oracle have not offered any price details of compatibility testing for PHP-based
Web Front Ends and Oracle-based Client Database systems.

M(5)

Client Database

team of DemSet

16/06/21

Control : Ensure that DemSet discloses their pricing in the client DB system development for using oracle

Contingency: Reserve the fund for additional costs.

Murdoch University Page 15

Assignment 2 - RMP EduStream

Fallback: Get opinion from a third-party who is expertise in developing client DB systems using Oracle

and its pricing

20/08/21( see note 7)

15

DCPlus unable to supply additional bandwidth for EdMI’s DB and server connectivity.

DCPlus agrees to offer EdMI with as much bandwidth as they require, which may increase in the near future when EdMI prepares to
conduct their second pilot project and DCPlus might be unable to offer the bandwidth as they agreed.

M(7)

DCPlus service

Team/ DCPlus

manager

3/12/21

Control: Verify that DCPlus is capable of providing the bandwidth of its agreements with significant telecos in order

Contingency: Install reserve bandwidth at first.

Fallback:. Ready to face the consequences

21/1/22(see note 9)

16

Unable to procure all end-user licenses required for the project.

The EdMI’s legal team failed to procure all end-user licenses required for the project resulting in creating a significant legal gap in
the end user product.

M(9)

EdMI

legal advisor

3/12/21

Control: From the side of the legal team, work in alignment with

the installation systems to obtain accurate end-user

licensing.

Contingency: The legal team finishing all the support

documentation before the full market opening

Fallback: Hire an experienced and efficient legal team for it.

19/04/2022 (see note 5

18

Issues of including schools for beta Acceptance testing

Murdoch University Page 16

Assignment 2 - RMP EduStream

Communicating with school students and making them understand the testing process is harder.

M(5)

TDG and Project

Communication

Manager/ Sales office

22/02/21

Control: The TDG and

communication team must effectively elaborate and

manage the process for Beta acceptance testings

Contingency: The sales team must get the permission

verifications from the company's genuine customers who are ready to test the company's new product.

Fallback: choose another category

20/11/21 (see note 10)

19

Not being able to convert all the current files and DVDs to the FLV/MP4 format.

ST is in charge of transforming EdMI's current content into appropriate formats. Sometimes, failure to convert the files can occur,
and file will not be possible to stream through RTSP.

H(15)

StreamTech

Project Manager

3/12/21

Control: developed Organizational information must be used for conversion process. Ensure that all content is correctly encoded
before submitting it to the OCA system.

Contingency: We can record the content with the help of our content creator.

Fallback: Backing up the content.

20/04/2022 (see note 5)

20

Contractors and vendors may not have the skills they claim they have

Loss of resources, time and money

L(4)

CIO/EdMI HR Manager

Murdoch University Page 17

Assignment 2 - RMP EduStream

16/06/21

Control: Have a probation period to check their skills

Contingency: specify the actions taken towards the contractor if proven guilty in the contract

Fallback: Ask for compensation

20/06/21

(see note 6)

21

Lack of communication between

the EdMI representatives and

contractors.

Lack of communication can result in misunderstanding and leads to substantial financial losses and technical faults.

H (15)

Project Steering

Group (PSG)/

Project

Communication

Manager

16/06/21

Control: PST checks for proper communication between all project stakeholders.

Contingency: Design and implement an efficient platform for all members to communicate and meet up

Fall back: warn contractors and representatives of the negative impact for lack of communication

20/08/21( see note 7)

22

Kernel and systems are rarely updated

Vulnerable to cyber-attacks and can cause compatibility issues

M(9)

StreamTech PM

19/06/21

Control: Ensure that systems and kernels are updated regularly

Contingency: Update the system as fast as possible

Fall back: Have firewall installed to reduce attacks.

20/11/21 (see note 10)

Murdoch University Page 18

Assignment 2 - RMP EduStream

23

EdMI's future videos and games may not be compatible with the

ST’s installed

system.

EdMI converts and creates new content and upload it using OCA systems. However, since the new OCA system has not been tested
by ST it can pose a moderate risk of system failure. Ultimately, resulting in the RTSP database failing to work

M(6)

ST’s Media File

Conversion

Team

3/12/21

Control: Test run and upload Video and game content through OCA system utilizing the CDN system as soon as some of the systems are
installed, to ensure that the environment factors are compatible.

Contingency: Set up time and cost in the contingency plan to test OCA uploading.

Fallback: This will need the use of contingency reserves.

20/04/2022 (see note 5

24

Hardware purchased by EdMI arrives late

Due to shipment issues of trade routes of Australia and China causing delayed arrival of the hardware to at functional site and
delayed OCA and gaming server installation.

H(15)

Procurement Manager of EdMI

16/06/21

Control: understand the shipment routes before the starting of the actual procurement time to arrive and plan accordingly.

Contingency: engage third-party freight forwarders for shipment to avoid delayed arrival of hardware

Fallback: Purchase Inventory month earlier than anticipated.

19/08/21(see note 7)

25

Travel restrictions due to COVID-19

Murdoch University Page 19

Assignment 2 - RMP EduStream

Travel restrictions due to covid-19 resulting in many stakeholders and technical staff not being able to make it to the pilot testing

VH(25)

customer support manager/ EdMI CEO

10/06/21

Control: it’s a natural disastrous situation which requires decision making on every day basis. EdMI may train their own staff for the
customer support via video links with MDSB.

Contingency: MDSB coming up with the problem solution by developing remote support providing criteria.

Fallback: Hire a local third-party contractor for the customer support work.

depends on the Covid-19 situation (see note 11)

26

Users taking the acceptance test can give biased and unrealistic data outputs.

Beta testing can be biased and inaccurate if the test samples are selected from people who are satisfied by our services or if test samples
do not include a variety of audience.

M(9)

EdMI Marketing Manager

10/11/21

Control: Insist all the users undertaking the Beta testing to develop a sense of credible data reporting mechanism in order to generate
realistic customer reviews.

Contingency: Add new groups of people and institutuions who have never done business with EdMI

Fallback: Hire a third-party contractor to provide a proper market analysis.

20/11/21( See note 12)

27

COVID-19 resulted in a shift towards online studies in school creates a positive oppurtunity

COVID-19 has brought EdMI a huge opportunity, as schools and other institutions started offering online classes, to increase the
market share from 40%

VH(25)

EdMI Project Manager / JPMedia

Murdoch University Page 20

Assignment 2 - RMP EduStream

10/11/21

Control: technical and marketing support staff must utilize this big opportunity generated due to COVID-19 since more and more
institutions are moving towards online education.

Contingency: Allocate extra cost and schedules for making sure about capturing this opportunity and Media strategy needs to be
developed in accordance with the new dynamics

Fallback: Do extensive and aggressive campaigns.

20/12/21

(See note 13)

28

Open ports in the network maybe attacked since they are not monitored

If an open port is attacked then an intruder can get access to the network, user information, and operating system information.

H(15)

Security

Management

Team (SMT)

10/10/21

Control: Customize firewall to monitor the open ports

Contingency: Customize firewall to block monitor traffic and block access to doubtful traffics

Fall back: Encrypt the data to make it harder for the attacker to access it

20/11/21 (see note 10)

29

Delay in designing the client software by StreamTech

This delay can severely escalate the operational budget and can increase the project duration.

VH(25)

StreamTech Project Manager/ ST’s Software team lead.

14/6/21

Control: Allocate best programmers to the task so that software will be quickly finished

Contingency: Allocate resources and contingency budget for overtime jobs to ensure the completion of software before the deadline.

Murdoch University Page 21

Assignment 2 - RMP EduStream

Fallback: Complete the software as quick as possible.

23/6/21 (See Note 14)

30

Varying client needs with more educational institutions are opting for digital educational content

EdMI have a diverse client base from educational institutions to government agencies. This brings out many challenges in content creation
and varying specific demands.

M (9)

EdMI Marketing manager/ Marketing field officers

14/6/21

Control: Conduct a thorough study about the content creation and already available EdMI organisational assets to verify their need and
demand.

Contingency: Must have resources to create new content if needed.

Fallback: Updated content targeting selective sample space be generated immediately.

18/8/21 (See Note 15)

31

Unemployment due to COVID-19 reducing the buying power of users.

Unemployment due to COVID-19 reducing the buying power of users affects the pricing of products and revenue of EdMI

M (9)

Finance Manager/ Project Investor

14/6/21

Control: subscription charges and product pricing must be reduced due to the dramatical change in the end user’s pocket.

Murdoch University Page 22

Assignment 2 - RMP EduStream

Contingency: Lowering prices for products temporarily until market dynamics normalized.

Fallback: Increasing quality standards to attract more customers for the same price.

18/7/21 (See Note 16)

32

Change in government policies can affect the overall budget and taxation scheme of the project

Can affect the project budget estimations as well as technological objectives.

M(9)

CIO/ Board

14/6/21

Control: Do strategic planning about the possible government policies affecting directly or indirectly towards our project.

Contingency: A proper political analysis report submitted to the board.

Fallback: Hire a third-party political influencer to study and submit possible variations in project decision making.

18/7/21 (See Note 17)

33

There is a possibility of sales scams. Sales order entry can be affected if orders are taken erroneously or not at all.

Fraud might result in invalid orders. The company's workflow and production can be affected.

H(15)

Marketing and Sales office

15/8/21

Control: Allocate best programmers and software for staff members to use that helps with using anti-scam websites.

Contingency: Proper staff training provided.

Fallback: Hire a third-party trainer that does hand on work and providing scam tests for the staff members

Murdoch University Page 23

Assignment 2 - RMP EduStream

29/8/21 (See Note 18)

NOTES: [Add your notes below. Autonumbering is used, so to add a new note, just press enter at the end of the note.]

(1) At this stage, our team has assumed that EduStream can utilise OCAs, which may be
provided for free or at low cost. However, negotiations with Netflix are ongoing and
the use of this technology has not been finalised.
(2) This needs to be done before we go out to tender, which is why the early date has been
selected.
(3) This date is late in the design and prototype phase, so we would test this carefully
before making a decision, but also leave scope in the design to change it out if
necessary, without making fundamental changes to the architecture.
(4) This should kick off early engagement through recruitment.
(5) This risk needs to be resolved before the full market opening
(6) This risk needs to be resolved before signing the contract
(7) This risk needs to be resolved before establishing main components
(8) This risk needs to be resolved in planning phase
(9) This risk needs to be resolved before second pilot testing
(10) This risk needs to be resolved before first pilot testing
(11) Travel bans cannot be predicted as it depends on the COVID-19 sitution and
government decision. So we can only hope for the situation to get better or else go with
our fall back plan.
(12) To get realistic Beta testing results introduce individual customers before Beta testing
happens.
(13) Utilizing this positive business opportunity as early as possible and in accordance with
it.
(14) An early mitigation date is selected so that StreamTech’s client Software is ready before
that.
(15) An early date is selected so that Content creator team find solution to this risk way
before going live.
(16) In order to develop a user-friendly cost policy, a preliminary analysis of buyer power
was conducted.
(17) Selected this date to consider early and take measures for the possibility of changes in
taxation policies
(18) This date was selected to conduct early training for sales staff members regarding scam
sales to consider providing early mitigation before the sales commences

Murdoch University Page 24