QDT "Volunteer" subteam meeting 19-Mar-2008

Jed, Ed, Frank, Irwin, Ray. Bob, Bakul, Berline

We will not meet Friday (Ed and Jed are not here); just until noon today.

We review for Frank and Ray what went on last week in some detail.

Nagging in the back of Jed's mind (which is also nagging Jeff) is how we do risk analysis in a uniform way. We attempted to address this in the words in the graded approach procedure. Bakul says there is a DOE order about risk. Next week we will plan on completing the graded approach procedure!

For today we step back and look at the form Bakul sent around.

We begin trying to understand what "highest level of activity" means. Bakul has a different interpretation about what this means than others, so perhaps it should be left out for now. Irwin (and Jed) like the idea of recording an activity hierarchy, to make it clear whether you inherit controls from something else. Jed suggests "what else goes south if this activity fails". Irwin says "what other activities is this one a component of so it inherits controls and risks".

We need to put in activity name (or short description) before we get to activity description.

We change "date" to "date submitted".

Jed starts putting in comments in each block about what we think the form wants.

Activity owner is responsible organization.

Change "person responsible for evaluation" to "person performing evaluation".

Talking about activity name we get into a discussion about granularity: do we use project/task codes, or activities, or something more granular? Probably should not tie this to task code, but keep activity name as a more informal thing. Activity description is optional, only necessary to extend activity name when the character-delimited short name is not sufficiently descriptive.

We move activity name and description to top of form, followed by selection criteria check boxes.

"Description of current state and existing controls" becomes "identifying risks and existing controls".
We want people to expand on just what the risks are associated with each selection criterion, and for each of these risks list what existing controls mitigate them and check "effectively mitigated" or "residual risk".

Irwin suggests an interactive web-based way of getting this information; Bakul suggests a multi-column table or maybe a spreadsheet. We agree that we want a set of cascading tables (in Word, Excel, or web) to show the flow: first the table of all risks and existing controls (with checks for mitigated/unmitigated), then a table of unmitigated risks with risk management strategies chosen, then a chart of treated risks with new controls and reference to table 2. Irwin is trying to do some demo web forms.

Change "control choice" to "risk management strategy choice".

We discuss for a while what approvals and reviews should be embodied in the form. We do not want the review of implementation of new controls to be part of this form, nor the OQBP review. We change "date of closeout" to "date of approval". We save further changes for the next version of the form.

Finally we take a quick look at Jed's proposed risk management appendix. He quickly walks us through the document. We suggest a few minor changes but mostly like the document and agree to have it included as appendix X. We eliminate the starred stuff at the end of the appendix. Formal inclusion awaits a vote of the full team.

Jed will work on incorporating tables 1 and 2 into the draft procedure over the next week. He will probably take out the quotes from the DOE order but will retain these for a possible implementation guide aimed at the QARs.

Next meeting is next Weds.