Risk is a measure of future uncertainties in achieving program performance goals, requirements, and objectives within defined cost, schedule, and performance constraints. Risk can be associated with all aspects of a program (e.g., threat, System Safety, technology maturity, supplier capability, design maturation, performance against plan) as these aspects relate across the Work Breakdown Structure (WBS), Integrated Master Schedule (IMS) and Integrated Master Plan (IMP). Risk addresses the potential variation in the planned approach and its expected outcome. [1]
Risk Management Components
- A future root cause (yet to happen), which, if eliminated or corrected, would prevent a potential consequence from occurring,
- A probability (or likelihood) assessed at the present time of that future root cause occurring, and
- The consequence (or effect) of that future occurrence.
Risk Management
Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction. Effective risk management depends on risk management planning; early identification and analyses of risks; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination. It’s most effective if it is fully integrated with the program’s Systems Engineering, Program Management, and Test & Evaluation processes.
Risk Management Process
The risk management process includes the following continuous key activities as shown above:
- Risk Identification
- Risk Analysis
- Risk Mitigation Planning
- Risk Mitigation Plan Implementation
- Risk Tracking
Risk Management Objectives
The objective of a well-managed risk management program is to provide a repeatable process for balancing cost, schedule, and performance goals within program funding. This is especially true on programs with designs that approach or exceed the state of the art, or that have tightly constrained or optimistic cost, schedule, and performance goals. Without effective risk management, the Program Management Office (PMO) may find itself doing crisis management, a resource-intensive process that is typically constrained by a restricted set of available options. Successful risk management depends on the knowledge gleaned from assessments of all aspects of the program, coupled with appropriate mitigations applied to the specific root causes and consequences. [1]
Risk Management Framework (RMF)
The DoD Risk Management Framework (RMF) describes the DoD process for identifying, implementing, assessing, and managing cybersecurity capabilities and services, expressed as security controls, and authorizing the operation of Information Systems (IS) and Platform Information Technology (PIT) systems. RMF brings a risk-based approach to the implementation of cybersecurity, supports cybersecurity integration early and throughout the system lifecycle, promotes reciprocity to the maximum extent possible, and stresses continuous monitoring. RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP).
Risk Management Plan
A Risk Management Plan (RMP) is prepared by a project manager to address risks and their potential impact on a program, and it describes the ways those risks will be reduced. The RMP tells the government and contractor team how they plan to reduce risks to a certain level by a certain time.
Risk Management Topics
As a Program Manager (PM), systems engineer, risk manager, or safety manager, there are many areas of risk and safety management that need to be understood in order to successfully execute a program. A few of these areas include:
- Systems Safety Process
- Software Risk Estimation
- Risk Register
- Risk Reporting
- Consequence & Probability
- Typical Risk Sources
- Risk Training
System Safety
System Safety is the application of engineering and management principles, criteria, and techniques to achieve acceptable risk within the constraints of operational effectiveness and suitability, schedule, and cost throughout the system’s lifecycle. System safety covers the entire spectrum of environment, safety, and occupational health (ESOH) considerations. It is an integral part of the Systems Engineering (SE) process and specific activities are required throughout the different phases of the acquisition lifecycle. [2]
AcqTips:
- For a more detailed explanation of risk, visit the DoD Risk Issue and Opportunity Management Guidance for Defense Acquisition Programs – June 2015
AcqLinks and References:
- DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs – Jan 2017
- DoD Risk Issue and Opportunity Management Guidance for Defense Acquisition Programs – June 2015 (Outdated)
- DoD Risk Management Guide (interim) – Dec 2014 (Outdated)
- DoD Risk Management Guidebook – Section 4.0 – Aug 06 (Outdated)
- Defense Acquisition Guidebook (DAG)
- MIL-STD-882E “Standard Practice for System Safety” – 11 May 2012
- Risk Assessment Checklist
- Risk Assessment Worksheet and Management Plan
- Continuous Risk Management Guidebook by Carnegie Mellon
- Air Force System Safety Handbook – July 2000
- Template: Risk Management Plan
- Template: Project Risk Management Template
- Template: DoD Risk, Issue, and Opportunity Management Guide – Jan 2017
Updated: 7/22/2021