Develop the Policy

9.1 Obtain Commitment
A risk ethic is having the right policies in place that characterize the right risk management philosophy. Setting up the right risk ethic requires commitment from all the members involved. At my job, part of our risk ethic is the way that we handle classified materials; we have rules set up for when there’s a security incident where classified material was communicated through unclassified platforms. If everyone in our organization did not commit to the need to lower the risk of security accidents, our program would not work. The rules of the risk ethic are:
 * 1) Take responsibility for risk. When a security accident happens, the person responsible should take responsibility so that the breach doesn’t get any worse. If you come forward, then the breach could stay confined to your location instead of spreading over different organizations and locations.
 * 2) Do not blame people for risk. Everyone makes mistakes; use the time to fix the issue instead of finger pointing.
 * 3) Communicate risk to the right people. When a security breach happens at work, we have to report it to our immediate supervisor, who has to report it to his supervisor.
 * 4) Be proactive in managing risk.
 * 5) Learn from unexpected outcomes.

9.2 Allocate Resources
Resources are the fuel needed to set the risk ethic policy. If you are serious about anything in life, you have to invest time, money, and other resources to make sure that it’s successful. This section is about the resources that are needed to build a strong infrastructure. Below is a graph that shows the amount of commitment needed as you implement the risk ethic infrastructure. The commitment increases over time.

9.2.1 Apportion the Budget
In order to build a risk infrastructure, you have to have a budget allocated toward the risk ethic policies. Everyone might have a different interest in certain policies; you have to find the right person who would have an interest in the policies that you want to put in place. If it’s an engineering risk, you might want to get the money from the engineering lead.

9.2.2 Apportion the Schedule
Schedules control the time for each activity, so having a schedule is very important. The schedule is dependent on the money that’s allocated toward the objective. Below is a table with activities, cost and time. This will give a visual to all sponsors, so that they can keep track of progress.
| Action Team Name | Duration | Cost | Work |
|---|---|---|---|
| Software Risk Management | 16 weeks | $12,000 | 8 weeks |
| - Policy Recommendation | 8 weeks | $6,000 | 4 weeks |
| - Initial Media Updates | 4 weeks | $3,000 | 2 weeks |
| - Final Media Updates | 4 weeks | $3,000 | 2 weeks |

9.2.3 Assign the Personnel
Personnel are the people who are going to push the objectives and get the ball moving on all the activities. At work, we have safety volunteers who love their job even though it does not add any additional money to their project. The personnel added to the project have to be committed to the ideology of the project and want to see a successful result.

9.3 Survey Existing Practice
The task of the volunteer personnel team is to survey the existing policies that are in place. Knowing the existing policies gives you an idea of how to implement the new policies for the different departments of the organization.

9.3.1 New Business Practices
New business introduces new customers, new demands, and new requirements. If they are demanding new requirements that have never been done before, the risk is that it might not be feasible. Survey the marketing team about how they handle changes and new customers; they might have valuable ideas.

9.3.2 Proposal Practices
Writing proposals comes with the risk of investing resources without getting the contract. That would be money lost, which I do have experience in when contracting tasks at work. You have to balance the chance of getting the job with the amount of investment into getting the work. Using risk philosophy would help the proposal team to quantify their chances of winning the contract.

9.3.3 Project Practices
Projects usually have risk management; the team should survey the members of the project and see what issues and problems they are facing. The team needs to get a fair assessment of the project team’s attitude towards risk. Sometimes, in trying to finish up a project, risk management processes are put on the back burner.

9.3.4 Research and Development Practices
Research and Development presents new risk opportunities. Coming up with new innovative ideas is very risky, since they have never been done before. The team needs to survey the R&D department about risk policies. You have to develop a different policy that will fit R&D; a mistake in the project team is not necessarily one in the R&D department.

9.4 Define Draft Policy
The draft policy will have all the policies but is not final; it involves adding the ideas of the opinion leaders in the change process. This would help get a higher level of commitment since they are involved in the process.

9.4.1 Involve the Opinion Leaders
Involving the opinion leaders lets them know that there is a new risk policy taking place. Opinion leaders are those who influence others, and they are vocal about their opinions. You don’t want to involve them late in the process; you need to involve them early and get their support, and they will make implementing the new policy a little simpler.

9.4.2 Outline the Policy Contents
The outline of the policy content should include a subject, the policy references, the purpose of the policy, the policy, the scope of the policy, the objective of the policy, the responsibility associated with the new policy, the authority, and the procedures.

9.5 Review Draft Policy
This section is about having a draft of the policies from the risk team that the right people review and add their own suggestions to. The purpose of the policy review is to promote understanding of risk management.

9.5.1 Promote Understanding
The policy should be one page. People usually get discouraged from reading anything longer than one page. The policy should be easy to understand, should use words that are easy to understand, and should use the right terminology depending on who the policy is directed towards.

9.5.2 Incorporate the Feedback
The risk team is responsible for making changes after all the feedback has been gathered. Not all changes should be implemented, only those that still follow the intent and ideology of the policy.

9.6 Document Policy
The risk policy should be documented in a manual of operating procedures. At my job, the risk policy, depending on whom it affects, would be incorporated in the aircraft or the system technical orders and manual.

9.7 Approve Policy
The risk policy should be approved by senior management, and they should agree with implementing the changes. At my job, depending on the policy, it might require approval from the wing director, the base general, or it might need headquarters approval. Depending on the level of approval, the implementation time is longer.

9.8 Communicate Policy
The policy should be communicated through a memo that states what the policy is, and when it will be implemented.