Excepts from DoD’s Risk, Issue, and Opportunity Management Guide, Jan 2017
Risk management is a five step iterative process to plan, identify, analyze, handle, and monitor program risks.
Risks are potential future events or conditions that may have a negative effect on achieving program objectives for cost, schedule, and performance. Risks are defined by (1) the probability (greater than 0, less than 1) of an undesired event or condition and (2) the consequences, impact, or severity of the undesired event, were it to occur.
Risk management is an endeavor that begins with requirements formulation and assessment, includes the planning and conducting of a technical risk reduction phase if needed, and strongly influences the structure of the development and test activities. Active risk management requires investment based on identification of where to best deploy scarce resources for the greatest impact on the program’s risk profile. PMs and staff should shape and control risk, not just observe progress and react to risks that are realized. Anticipating possible adverse events, evaluating probabilities of occurrence, understanding cost and schedule impacts, and deciding to take cost effective steps ahead of time to limit their impact if they occur is the essence of effective risk management. Risk management should occur throughout the lifecycle of the program and strategies should be adjusted as the risk profile changes.
Successful risk management requires thoughtful planning and resourcing, and should be implemented as early as possible in the life cycle beginning with the Materiel Solution Analysis phase. The goal is to identify risks to inform decisions and handling strategies before the risks become issues.
Risk management needs to be both top-down (embraced by the PM and others) and bottom-up (from working-level engineers) to be successful. PMs should encourage everyone on their program to take ownership of the risk management program and should be careful not to cultivate a “shoot the messenger” culture. All personnel should be encouraged to identify risks, issues, and opportunities and, as appropriate, to support analysis, handling, and monitoring activities.
Organizational implementation and process quality are equally important in determining a program’s risk management effectiveness. A poorly implemented risk management process will not contribute to program success but may lead to program inefficiency. It is essential that programs define, implement, and document an appropriate risk management approach that is organized, comprehensive, and iterative, by addressing the following questions:
- Risk Planning: What is the program’s risk management process?
- Risk Identification: What can go wrong?
- Risk Analysis: What are the likelihood and consequence of the risk?
- Risk Handling: Should the risk be accepted, avoided, transferred, or mitigated?
- Risk Monitoring: How has the risk changed?
Twenty-One “Musts” of Risk Management
Source: Analytical Methods for Risk Management, A Systems Engineering Perspective, Paul R. Garvey, 2009.
- Risk management must be a priority for leadership and throughout the program’s management levels.
- Risk management must never be delegated to staff that lack authority.
- A formal and repeatable risk management process must be present – one that is balanced in complexity and data needs, such that meaningful and actionable insights are produced with minimum burden.
- The management culture must encourage and reward identifying risk by staff at all levels of program contribution.
- Program leadership must have the ability to regularly and quickly engage subject matter experts.
- Risk management must be formally integrated into program management.
- Participants must be trained in the program’s specific risk management practices and procedures.
- A risk management plan must be written, with its practices and procedures consistent with process training.
- Risk management execution must be shared among all stakeholders.
- Risks must be identified, assessed, and reviewed continuously – not just prior to major reviews.
- Risk considerations must be the central focus of program reviews.
- Risk management working groups and review boards must be rescheduled, instead of canceled, when conflicts arise with other program needs.
- Risk mitigation plans must be developed, success criteria defined, and their implementation monitored relative to achieving success criteria outcomes.
- Risks must be assigned only to staff with authority to implement mitigation actions and obligate resources.
- Risk management must never be outsourced.
- Risks that extend beyond traditional impact dimensions of cost, schedule, and technical performance must be considered (e.g., programmatic, enterprise, cross-program/cross-portfolio, and social, political, economic impacts).
- Technology maturity and its future readiness must be understood.
- The adaptability of a program’s technology to change in operational environments must be understood.
- Risks must be written clearly using the Condition-If-Then
- The nature and needs of the program must drive the design of the risk management process, within which a risk management tool/database conforms – not the other way around!
- Risk management tool/database must be maintained with current risk status information; preferably, employ a tool/database that rapidly produces “dashboard-like” status reports for management.
Additional Risk Management Resources:
- DoD Risk, Issue, and Opportunity Management Guide, DASD/SE, Jan 2017
- DAU Risk Resources
- Software Engineering Institute Risk Management
- AcqNotes Risk & Safety Management
- Managing Risk in Government: An Introduction to Enterprise Risk Management, IBM Center for The Business of Government, 2010
- Improving Government Decision Making through Enterprise Risk Management, IBM Center for The Business of Government, 2015
- Risk Identification, MITRE Systems Engineering Guide, 2014