DiPaolo Brittany FPX 5334 3-2

Risk Management Plan Project Name: Bausch + Lomb Project Learner Name: Brittany DiPaolo Course Name: FPX5334: Project Risk Assessment and Control Date: November 2, 2023 Table of Contents Sec$on 1 – Introduc$on to the Plan 4 ______________________________________________________________________________ 1.1 Benefits of Risk Management 4 _______________________________________________________________________________________ 1.2 Project Goals and Objec?ves 4 ________________________________________________________________________________________ 1.3 Company Background 4 _____________________________________________________________________________________________ 1.4 Risk Iden?fica?on 6 _________________________________________________________________________________________________ Sec$on 2 – Risk Scope, Components, and Value 6 ____________________________________________________________________ 2.1 Scope of the Risk Management Plan 6 __________________________________________________________________________________ 2.3 Expected Monetary Value 10 _________________________________________________________________________________________ 2.4 Determine the Risks 11 ______________________________________________________________________________________________ Risk iden?fica?on techniques involve accessing threats and vulnerabili?es to determine the likelihood of iden?fied threat sources exploi?ng vulnerabili?es and causing one or more adverse events. 11 ___________________________________________________________ Stakeholder interviews, brainstorming, checklists, assump?on analysis, the Delphi technique, and affinity diagrams are some of the tools used for determining risks. 11 ___________________________________________________________________________________________ Stakeholder interviews involve defining specific ques?ons and repea?ng them for every customer. 11 ________________________________ Brainstorming involves gathering team members and other dependent partners and shareholders and holding a brainstorming exercise. 11 _ Checklists involve determining if the company has a risk checklist from past projects and reviewing it. 11 _____________________________ Assump?on analysis involves asking stakeholders to iden?fy their project assump?ons and reviewing them for poten?al risk. 11 __________ The Delphi technique involves a group of experts answering ques?ons to arrive at a group decision. 11 _______________________________ 1

The affinity diagram involves brainstorming risks and recording them on a s?cky note. Risks are then sorted into groups or categories and recorded. 11 __________________________________________________________________________________________________________ 2.5 Evaluate and Assess the Risks 12 ______________________________________________________________________________________ 2.6 Qualita?ve and Quan?ta?ve Processes 12 ______________________________________________________________________________ Sec$on 3 – Risk Analysis and Assessment 13 ________________________________________________________________________ 3.1 Major and Minor Risks 13 ____________________________________________________________________________________________ 3.2 Risk Probability 15 __________________________________________________________________________________________________ 3.3 Risk Matrix Template 15 _____________________________________________________________________________________________ 3.4 Risk Data Quality Strategy 15 _________________________________________________________________________________________ 3.5 Risk Reviews 16 ____________________________________________________________________________________________________ Risk reviews are a forward-looking technique for monitoring and controlling risk. A risk review helps in modifying the risk response plans and risk management processes to improve the chances of success in the future. It is important to remember that the impact and probability of risk can change over ?me, and therefore, regular review and reevalua?on of the risks is necessary (How to Conduct a Risk, n.d., para. 12). A good cadence for conduc?ng a risk review is shown in the example below. 16 ______________________________________ Sec$on 4 – Correc$ve Ac$on and Monitoring 17 _____________________________________________________________________ 4.1 Risk Tolerance 17 ___________________________________________________________________________________________________ In project management, risks refer to the amount of uncertainty that a project-driven organiza?on can bear. The risk tolerance of such an organiza?on is an indicator of its willingness, as well as that of its personnel, to either avoid or accept risks (Zamaeatski, n.d., para. 1). Risk tolerance can be analyzed from different perspec?ves, including those of the company, project manager, and stakeholder. 17 _____________ 4.2 Risk Mi?ga?on 17 __________________________________________________________________________________________________ 4.3 Correc?ve Risk Management Strategy 17 _______________________________________________________________________________ 4.4 Correc?ve Ac?on Plan 18 ____________________________________________________________________________________________ Sec$on 5 – Postmortem Plan 18 __________________________________________________________________________________ 5.1 Results 18 _________________________________________________________________________________________________________ 5.2 Follow Up 19 ______________________________________________________________________________________________________ 6.1 Cita?ons 21 _______________________________________________________________________________________________________ 2

Section 1 – Introduction to the Plan 1.1 Benefits of Risk Management Effective risk management is a crucial aspect of any project, allowing for efficient handling of project risks, reduction of negative risks, and maximization of potential opportunities. By rating and scoring risks related to staffing, design, budgets, and timelines, project leaders can accurately evaluate potential issues and make informed decisions. The benefits of risk management are numerous, including the ability to rapidly forecast probable issues, avoid catastrophic events, enable growth, stay competitive, improve business processes, and enable better budgeting (Benefits of Risk Management, n.d., paras. 2-12). 1.2 Project Goals and Objectives The project goal and objectives are as follows: - A study team will evaluate the value and risks associated with a no-value-add project. - A feasibility study will be conducted, followed by a design review and evaluation of national and international regulatory compliance. The plan will then be signed off by the project team and senior management. - A realistic project timeline will be created, which will include regulatory clinical trials and filings for devices and pharmaceuticals. - The plan will encompass all pre-product launch testing and training. - The team will adhere to all standardized product development processes, ensuring compliance adherence and quality performance. - Project leaders will follow project management practices and use Microsoft Project program to ensure proper project tracking and management. 1.3 Company Background Bausch + Lomb's website describes the company's mission and vision is to help people see better and live better all over the world.Through unwavering focus rooted in innovation, quality, and craftsmanship, they continue to pursue our lifelong vision of protecting and enhancing the gift of sight through every phase of life (Bausch Lomb, n.d., para. 2). PitchBook, a financial data and software company, reports that as of 2021, Bausch + Lomb employs 12,500 individuals and generated $3,765,000 in revenue. According to PitchBook, the company is headquartered in Laval, Quebec, Canada, and is currently the fourth-largest vision care firm in the United States by sales. Bausch + Lomb is the leading consumer vision care company in India and China. Previously a subsidiary of Bausch Health, the company became a public entity in May 2022. Bausch + Lomb operates in three segments: vision care and consumer (60% of revenue), surgical (20%), and ophthalmic pharmaceuticals (20%). The company is geographically diverse, with 48% of revenue generated in the Americas, 30% in EMEA, and 22% in the Asia-Pacific region (Bausch Lomb General Info, n.d., para. 1). 4

The process begins when a project idea is submitted to the steering team. The team is comprised of senior leadership representatives from marketing, strategy, research, development, engineering, and supply chain. Together, they review all of the ideas and select the most promising ones. In Phase 2, the project is handed over to a study team. This team investigates the project's feasibility, offering a way forward (time and budget) or recommending that the project be dropped. The study team reports back to the steering committee. If approved, the project moves on to Phase 3 - Development/Scale up and then to Phase 4 - Design/ Technology Transfer. During this time, regulatory clinical trials and filling are carried out. The project concludes with a launch at the end of Phase 5. Risks are identified and addressed throughout all stages of the cycle. 5 (Kohli, 2022)

There are five basic steps to manage risk as shown in the diagram below (Qualtrics // September 12, 2023) 7

The Risk Management Process begins by recognizing and identifying potential risks and recording them in a risk log and a risk breakdown structure. These artifacts are especially useful after project completion. Once the potential problem is identified, the team investigates the possible consequences and mitigations. After analysis, the project is prioritized, and a solution/mitigation is enacted based on priority. After resolution, the risk is monitored to avoid unintended consequences. Scoping Risk In order to effectively manage risks, Professor Georgi Popov of the University of Central Missouri has identified three essential tools and techniques that should be included in a Risk Management Plan. The first tool is to establish risk criteria, which involves defining key elements such as consequences, likelihood, risk levels, risk acceptability, risk treatments, and combined risk. This initial step helps to guide the rest of the process. Once the risk criteria have been established, safety professionals can then make use of various tools such as risk assessment matrices, failure mode and effects analysis, and risk heat maps to further evaluate the potential likelihood and consequences of identified risks and hazards (Setting the Scope and Limits, 2018, para. 4). These evaluations can be conducted through one of three methods: qualitative risk assessment, semi-quantitative risk assessment, or quantitative risk assessment. After the risk assessment has been conducted, the team must determine an acceptable level of risk. This involves taking into account factors such as the organization's objectives, culture, regulatory requirements, and technology. It is crucial that all stakeholders understand and agree on what constitutes an acceptable level of risk. By following these three essential steps, organizations can create a comprehensive and effective Risk Management Plan. Best Practices In order for a project to be successful, it is crucial for the organization to have clear and effective management practices in place, particularly when it comes to risk management. There are several best practices that can be implemented in order to ensure that risks are identified and managed in a timely and effective manner. Firstly, stakeholder involvement is essential. This includes not only employees and managers, but also clients, subcontractors, and unions. Each of these groups has a stake in the success or failure of the project, and understanding their risk tolerances, ability to respond to risk mitigation, and communication needs is vital for effective risk management. Another important element is the creation of a risk culture within the organization. This refers to the beliefs, attitudes, and values that an organization holds with regard to risk. Encouraging risk awareness throughout the organization can help to ensure that risks are identified and managed at all levels. 8

2.3 Expected Monetary Value Project managers use Expected Monetary Value (EMV) as a quantitative risk analysis technique to compare and quantify projects. This technique relies on specific numbers and quantities to perform calculations. Using high-level approximations like high, medium, and low is not sufficient. As a three-step process, the EMV formula requires determining the probability of an outcome, the monetary value or impact of the outcome, and multiplying them to calculate the EMV. If the risk mitigation has multiple possible outcomes, calculate the EMV for each outcome and add them together to get the overall EMV. In most cases, a positive EMV is worth pursuing. When choosing between multiple options, compare the overall monetary value for each potential scenario to determine the best option. There are three risk elements that a project manager must consider: cost, schedule, and quality/performance. Risk identification is critical at the beginning of a project when uncertainty is high, and there are a lot of unknown project details. Issues of time and budget are easy to underestimate. The best risk determination practices include starting early in the project, conducting frequent risk evaluations on a set schedule (weekly), and repeating the process during change control and major milestones. Additional risks can be determined for agile projects during sprint planning, release planning, daily standup meetings, and prior to each sprint. 10

2.4 Determine the Risks Risk identification techniques involve accessing threats and vulnerabilities to determine the likelihood of identified threat sources exploiting vulnerabilities and causing one or more adverse events. Stakeholder interviews, brainstorming, checklists, assumption analysis, the Delphi technique, and affinity diagrams are some of the tools used for determining risks. Stakeholder interviews involve defining specific questions and repeating them for every customer. Brainstorming involves gathering team members and other dependent partners and shareholders and holding a brainstorming exercise. Checklists involve determining if the company has a risk checklist from past projects and reviewing it. Assumption analysis involves asking stakeholders to identify their project assumptions and reviewing them for potential risk. The Delphi technique involves a group of experts answering questions to arrive at a group decision. The affinity diagram involves brainstorming risks and recording them on a sticky note. Risks are then sorted into groups or categories and recorded. 11

On the other hand, quantitative risk analysis converts the impact of a risk into numerical terms, which can be used to determine the cost and time impacts on the project. The quantitative risk analysis can be broken down into two types: absolute and relative risk. Absolute risk is the odds of something happening over a stated period, while relative risk compares the odds of a risk in two different groups. To evaluate quantitative risk, the team can use Monte Carlo simulation, sensitivity analysis, decision tree analysis, or expected monetary analysis. Other methods for determining risk and contingencies include heuristic methods, probability distribution methods, mathematical modeling, and interdependency models. Heuristic methods use expert techniques to estimate contingency, while probability distribution methods base calculation on predefined statistical distributions. Mathematical modeling methods use theoretical mathematical models, and interdependency models use logical and resource-constrained dependencies between activities to determine contingency. Empirical methods, also known as benchmarking, use historical projects to identify risk factors that drive contingency. Section 3 – Risk Analysis and Assessment 3.1 Major and Minor Risks Project risk analysis is a crucial process that helps to identify and evaluate potential risks associated with a project. In this process, both major and minor risks are identified, and appropriate measures are taken to mitigate them. Major risks are those that have a high probability of occurrence and a significant impact on the project's objectives. These risks require the involvement of the entire project team, as determined by the organizational risk monitoring process. The major risk types can be classified into four categories: scope risk, schedule risk, resource risk, and technology risk. Scope risks are related to uncertain events or conditions associated with the project's scope. These risks can be mitigated by documenting project requirements, setting up a change control process, creating a clear project schedule, and verifying project scope with stakeholders and team members. 13 Qualitative Risk Risk Impact Likelihood Pandemic Shutdown 4- Serious Impact Medium Supply Chain Issues 3- Medium Impact High Global Natural Catastrophic Event 5- Project Failure Low

(Chai, 2021) Schedule risks pertain to the probability of failing to meet project deadlines. Mitigating schedule risks involves limiting the number of critical paths, and dependencies, and beginning risky activities early in the project. Resource risks refer to the possibility of project 14

the risk to the project. To evaluate data quality, the project manager asks four questions: Is the data credible? Is the data of high quality? Is the data and/or information accurate? There are four main risk categories to consider in a RDQA. These categories are areas that could potentially go wrong during the planning, implementation, or post-project stages. Each category should be considered in terms of its impact on cost, staffing, inventory, timeline, and reception from customers. The four main risk categories are technical risks (related to software, hardware, or documentation), external risks (such as natural disasters and geopolitical events), organizational risks (related to company structure and culture), and project management risks (related to the culture, interpersonal dynamics, and morale of the project team). 3.5 Risk Reviews Risk reviews are a forward-looking technique for monitoring and controlling risk. A risk review helps in modifying the risk response plans and risk management processes to improve the chances of success in the future. It is important to remember that the impact and probability of risk can change over time, and therefore, regular review and reevaluation of the risks is necessary (How to Conduct a Risk, n.d., para. 12). A good cadence for conducting a risk review is shown in the example below. 16

Section 4 – Corrective Action and Monitoring 4.1 Risk Tolerance In project management, risks refer to the amount of uncertainty that a project-driven organization can bear. The risk tolerance of such an organization is an indicator of its willingness, as well as that of its personnel, to either avoid or accept risks (Zamaeatski, n.d., para. 1). Risk tolerance can be analyzed from different perspectives, including those of the company, project manager, and stakeholder. 4.2 Risk Mitigation One of the most important strategies for responding to negative risks with an impact on a project is mitigation. It involves the project team taking active steps to reduce the probability or impact of a negative risk on a project. The goal of mitigation is to minimize the probability and/or impact of an adverse risk to be within acceptable limits (Sotille, 2016, para. 1). This strategy is one of four strategies for responding to risk. 4.3 Corrective Risk Management Strategy 17

The process of planning a project post-mortem involves several steps, as shown in the diagram below. The first step is for the moderator to send out a pre-meeting survey to all members. This survey contains questions that the members are expected to fill out before the meeting. By doing this, everyone attending the meeting has a chance to think through their answers and remember the project's details and outcomes (Eby). It also gives the moderator time to review the survey results and come to the meeting prepared with themes and questions that need to be addressed. During the post-mortem meeting, the moderator or facilitator chosen to lead remains objective and does not attempt to influence the meeting's outcome. The meeting begins with a restatement of the project's scope, followed by team members and business owners sharing their answers to questions about what worked well and what did not work well for the team. The facilitator ensures that everyone is heard, and detailed notes are taken. To conduct a successful post-mortem, it is important to address several issues. First, relevant metrics should be decided upon, and data should be collected at the end of the project to determine if the goals were met. Based on the project's deliverables, post- mortem questions can be answered to pinpoint wins and losses. Next, the specific items that produced success should be identified, while the shortcomings and drawbacks should be listed. Any factors that posed a challenge or stumbling blocks should also be identified. Questionnaires can be used to get feedback from different stakeholders and team members. To wrap up the post-mortem, the findings are compiled, and key takeaways are drawn. For example, steps that streamlined the process, kept the team agile or improved the workflow can be outlined. This way, the wins can be incorporated into the next project. There are many methods for data gathering and analysis, but data-based results are the best way to address the most questions. To do this, it is useful to determine why the outcome occurred. The answer is a starting point for the next question. One valuable tool for data analysis is the five whys analysis, which is an effective way to determine the root cause of project failure or breakdown. 5.2 Follow Up Finally, after the post-mortem is complete, the feedback is distributed widely, including to corporate leaders and stakeholders. The goal is to determine how the project went and what changes need to be made. The postmortem report should be meticulously documented to include as much context as possible so that someone unfamiliar with the project can look at it a year later and understand it. The report should include the dates the project was live, why the project was launched, what was launched (including screenshots and data on what was changed), the results of the project (including more metrics that were tracked), feedback from all team members, why the results were obtained, what the next action steps are, and what will be done differently next time. Actionable takeaways and tasks should be identified and assigned to the person suited to follow up. A regular cadence should be set up to follow-up on these uses. This process ensures continuous process improvement is achieved. 19

20