CONFIDENTIAL & DELIBERATIVE – FOR INTERNAL USE ONLY

Instructions for the Risk Management Matrix

The IT Risk Management Matrix document must be completed and submitted with all Information Technology (IT) Request for Proposals (RFPs). This document looks at individual risk factors within IT projects and assigns a score, ranking projects as a Low Risk, Moderate Risk or High Risk. The project score allows the State of New Jersey (SONJ) to determine the liability level that the contractor will be responsible to meet. The higher the project risk, the higher the level of liability will be for the contractor. If the score determines that this project is a High Risk, contact the Division of Risk Management, William M. Mayo, Director, 609-292-3477, or, Michele Mochel, 609-292-3148.

The IT Risk Management Matrix must be submitted to both the Office of Information Technology (OIT) and the Division of Purchase and Property (DPP) as part of the RFP review and approval process.

Completing the document:

In order to determine the level of liability in the RFP, the risks associated with the solution must be determined. A Risk Management Matrix was developed to assist Agencies by providing specific factors that are to be considered in determining the project risk level. Each factor has multiple selections and each selection has an associated value. After all factors have been scored, an overall Risk Score is established that sets the contractor's liability level to be included in the RFP.

The Risk Matrix comprises six criteria: Technology, Interfaces, Political Visibility, Resources, Funding and Project Management. Each criterion is further refined into several factors.

The Technology criterion looks at the anticipated solution in the RFP, the success rate of the implementation, the testing requirements and the impact of the solution to the users.

  • Solution Type is the level of customization required for the solution. Is this an Off the Shelf Product or is this a brand new application?
  • Implementation Success of Solution is the track record of implementing this solution. Has this solution been implemented successfully in the past?
  • Testing is the level of testing needed to implement the solution. How much testing needs to be done before this is ready for use?
  • Impact to Users is the number of agency users and customers that will be impacted by the solution. How many people will be using this new system?

The Interfaces criterion looks at the complexity of the solution based on the need to interact with other applications or systems.

  • Interface complexity within application is the number and complexity of new interfaces required for the solution to work. Do I need this system to do complicated actions within the application?


  • Interfaces with other applications and/or systems are the changes required to existing interfaces within the current application that may be impacted by this new solution. Does this system need anything from, or provide anything to, other systems that my department manages?
  • Interfaces with another application and/or system are the number and complexity of interfaces with other applications outside of the using Agency. Does this system need anything from, or provide anything to, systems managed by other state or federal departments or any other parties?

The Political Visibility criterion looks at the impact to the state of the application, the stakeholder input and support and if this solution is the result of a legislative or political mandate.

  • State Liability is the impact to the state if the application is not working. What are the chances that this will hit the papers if it is not available?
  • Stakeholder Involvement is the frequency with which the stakeholders input is sought or provided. How often do the people that need to be involved, get involved?
  • Mandate is looking to see if the driver for the project or the project end date is mandated by legislation, regulation, legal compliance and any other political considerations. Are any outside forces influencing the direction or duration of this system?

The Resources criterion looks at the experience needed to build, deploy and/or maintain the system as well as the ability to accurately estimate and control costs.

  • Contractor Experience is the level of success that the contractor has had implementing the same or similar solution(s). Has the contractor implemented this type of solution successfully, or is NJ the guinea pig?
  • State Resource Availability is the availability of state resources to serve as subject matter experts and team members on this project. Do you have enough people to do the job?
  • State Resource Skills Required is the skill level of state resources needed to serve as subject matter experts and team members on this project. Do you have the right people to do the job?
  • Time to Implement looks at the learning curve for the new system and the time to implement the system. Do I have enough time to develop this and train people how to use it?
  • Cost Control looks at the confidence level that most of the costs for this solution have been identified. How likely is it that there are additional costs to implement this solution?

The Funding criterion looks at the costs and duration of implementing this solution.

  • Estimated Cost is the estimated cost for this solution. How much money will this be?
  • Estimated Timeframe is the estimated duration to implement this solution. How long will this take?
  • Certainty of Timeframe looks at the confidence level used when determining the length of time to implement this solution. Was the timeframe a complete guesstimate?


The Project Management criterion looks at the level of project management that will be applied to implement the solution and manage this project.

  • OIT PMO Compliance is to determine if project management best practices are being applied to this project. If needed, do I have a certified project manager and business analyst working on this project?
  • Project Management Plan is to determine how the project is being managed. Are the project management methodologies documented, and have they been documented specifically for how this project will be managed?
  • Requirements is to determine if the requirements have been documented following best practices. Has the As Is system been documented, and have the requirements for the new solution been documented to a point that I can evaluate bid responses and develop test cases?
  • Project Documentation is the project management artifacts for the project. Are meeting minutes, a Risk Log, an Issues Log, Requirements, Test Cases, Test Results, Project Schedule and other project management documents kept, stored and easily accessible by project team members?
  • Collaboration with Stakeholders is the level of involvement from the people that need to provide input into the design of the system, and from the end users of the system. Have the right people been involved in this project at the right time?

After each factor has been scored, the project receives a final Risk Score. The Score can vary from 23 to 138.

Low Risk
23 - 64 points / Minimal threat with little to no potential to cause disruption to the business, negative impact to project schedule, financial loss, increased implementation cost or lack of improvement in productivity, performance and/or effectiveness.
Moderate Risk
65 - 95 points / Some threat with a potential to cause disruption to the business, possible negative impact to project schedule, some financial loss, some increased implementation cost or less than expected improvement in productivity, performance and/or effectiveness.
High Risk
96 - 138 points / High threat with a potential to cause disruption to the business, possible negative impact to project schedule, some financial loss, some increased implementation cost or less than expected improvement in productivity, performance and/or effectiveness.


Projects that have scored as High Risk, 96 – 138 points will be required to have a Steering Committee that includes a representative from OIT, DPP and OMB. These projects also need to contact the Division of Risk Management, William M. Mayo, Director, 609-292-3477, or, Michele Mochel, 609-292-3148 as soon as the score is calculated for additional language to include in the RFP.

Below is a listing of insurance coverage that may be required in the RFP. The Division of Risk Management, in conjunction with the Division of Purchase and Property will determine the types of coverage to be included in the proposal.

  • COMMERCIAL GENERAL LIABILITY. Commercial General Liability Insurance covering bodily injury, death and property damage with combined single limits not less than $10 Million per occurrence and $10 Million Annual Aggregate. The Commercial General Liability insurance shall be written on an occurrence form basis or its equivalent with coverages that are satisfactory to the State, including but not limited to personal injury, advertising, products and completed operations. The coverage shall name the State, its officers, and employees as “Additional Insureds” and include the blanket additional insured endorsement or its equivalent.
  • AUTOMOBILE LIABILITY. Automobile Liability Insurance covering bodily injury, death and property damage, including all owned, non-owned, or hired autos, with combined single limits not less than $10 Million per occurrence. This coverage may be written in combination with the Commercial General Liability Insurance (with separate limits for “Commercial General Liability” and “Automobile Liability”). The coverage shall name the State, its officers, and employees as “Additional Insureds” and include the blanket additional insured endorsement or its equivalent.
  • WORKERS COMPENSATION. Workers' Compensation Insurance applicable to the laws of the State of New Jersey and Employers Liability Insurance with limits not less than:
      • $1,000,000 BODILY INJURY, EACH OCCURRENCE
      • $1,000,000 DISEASE EACH EMPLOYEE
      • $1,000,000 DISEASE AGGREGATE LIMIT

Contractor shall require and ensure that each of its subcontractors complies with these statutory requirements.

  • PROFESSIONAL LIABILITY. Professional Errors and Omissions Insurance covering damages caused by a breach of duty, error, omission, fault or any negligent acts related to Contractor’s professional obligations to be performed under this Agreement, including but not limited to errors and omissions related to System downtime during times terminals are expected to be operational, machine error, and faulty products, related to instant games, online games, advertising, and back office software, with limits of not less than $10 Million per claim and $10 Million Annual Aggregate.
  • NETWORK SECURITY & PRIVACY (CYBER) LIABILITY. Network Security and Privacy (Cyber) Liability Insurance with minimum limits of $10 Million per claim and $10 Million Annual Aggregate covering damages to the State or third parties due to a security breach of duty, negligent act, error or omission resulting in the disclosure of customers' private data, personal and credit card information, release of confidential data, failure of IT System/IT Security, including unauthorized access to or use of, a denial of service attack directed against, or transmission of malicious code to Contractor's computer system, loss of business income and expense due to inability to access systems, and media liability arising from material on websites or off-line publications.
  • FIDELITY BOND. Prior to execution of this Agreement, Contractor shall obtain a Fidelity Bond in the amount of $10 Million covering any loss to the State Lottery due to any fraudulent or dishonest act on the part of Contractor’s officers, employees, agents or subcontractors. Such an event, in the sole discretion of the State, could be grounds for termination of the Agreement, whether or not the losses arising as a result were paid under the crime insurance policy. If Contractor’s fidelity bond does not cover subcontractors, Contractor must ensure that these entities have equivalent insurance in place. This fidelity bond is not in lieu of any other actions deemed appropriate by the State.
  • CRIME/EMPLOYEE DISHONESTY. Crime insurance with minimum limits not less than $10 Million per occurrence for financial loss due to dishonest acts of Contractor’s employees, including coverage for third party theft of property located on premises under State’s control or while in transit, loss due to forgery or alteration of negotiable instruments (e.g. checks) or loss due to electronic funds transfer fraud.
  • PROPERTY AND BUSINESS INTERRUPTION INSURANCE. Contractor shall maintain property insurance on all buildings, fixtures and equipment provided or used in providing service and systems under this Agreement in the amount of the actual replacement cost thereof. The policy must be written on an “all-risk” coverage basis, including earthquake, flood and named wind and insure real and personal property including, contents, equipment, inventory, mobile items, business interruption and extra expense. Business Interruption Insurance shall be in an amount of at least $[__] Million.
  • OTHER. Such other types and amounts of insurance that are reasonably required and are mutually agreed upon by the State and the Contractor in writing after consultation with their respective insurance brokers.
  • TAIL COVERAGE. If any of the required professional liability insurance is on a "claims made" basis, Contractor shall maintain either “tail" coverage or continuous "claims made" liability coverage, provided the effective date of the continuous “claims made” coverage is on or before the effective date of this Agreement, for a minimum of 24 months following Contractor’s completion of all Services required under this Agreement or exercise an extended reporting period of at least one year after cancellation of said policy. Notwithstanding the foregoing 24-month requirement, if Contractor elects to maintain “tail” coverage and if the maximum time period “tail” coverage reasonably available in the marketplace is less than the 24-month period described above, then Contractor shall maintain “tail” coverage for the maximum time period that “tail” coverage is reasonably available in the marketplace for the coverage required under this Agreement. Contractor shall provide to the State, upon State’s request, certification of the coverage required under this Section 4.C.