The following summary is an attempt to highlight the essence of the DOD Guide in order to give us some direction and a quick reference for our project. Please feel free to add any concepts that you feel may have been neglected.
The purpose of addressing risk on programs is to help ensure program cost, schedule, and performance objectives are achieved at every stage in the life cycle and to communicate to all stakeholders the process for uncovering, determining the scope of, and managing program uncertainties. The focus is on risk mitigation planning and implementation rather on risk avoidance, transfer, or assumption.
1. Key Terms, Descriptions, and Principles:
Risk is the likelyhood and consequence of the root cause of future uncertainties associated with all aspects of the IMS and WBS. A risk should not be confused with an issue!
Risk Management is the overarching process that encompasses indentification, analysis, mitigation planning, mitigation plan implementation, and tracking. It is most effective when fully integrated with the programs system engineering and program management process.
Risk Management Objective requires a stable and recognized baseline from which to acess, mitigate and manage program risk derived from an IMP/IMS. The objective is to provide a repeatable process for balancing cost, schedule and performance goals.
Sharing the Risk is a key concept, and the government must take care not to transfer all risks to the contractor. The program office and the developer must work from a common risk management process and database.
2. Risk Management
Risk Management Process is a continuous process of identifying and measuring uncertainties throughout a systems lifecycle. Effective risk management depends on risk management planning, early identification and analyses of risks, early implementation of corrective actions, continuous monitoring and reassessment, and communication, documentation, and coordination.
Risk Management Process Model consists of:
- Risk Identification
- Risk Analysis
- Risk Mitigation Planning
- Risk Mitigation Plan Implementation
- Risk Tracking
Top-Level Guidelines require assessments via technical reviews as early in the life cycle as possible along with mitigation actions incorporated into program planning and budget projections.
3. Risk Identification
Purpose of risk indentification is to answer the question "What can go wrong?". Risk Identification is the activity that examines each element of the program to identify associated root causes, begin their documentation, and set the stage for their successful management. Program decomposition may be oriented to requirements, processes, functional areas, technical baselines, or acquisition phases. A structured approach to determining risk entails describing each WBS element and process in terms of causes, sources, or areas of risk.
Identifying root causes of risk:
- List WBS product or process elements
- Examine each in terms of risk sources or areas
- Determine what could go wrong
- Repeatedly ask “why” until the source(s) is discovered.
Typical risk sources include:
Threat, Requirements, Technical Baseline, Test and Evaluation, Modeling and Simulation, Technology, Logistics, Facilities, Concurrency, Industrial Capabilities, Cost, Management, Schedule, External Factors, Budget, Earned Value Management System.
4. Risk Analysis
Risk Analysis answers the question “How Big is the Risk?”. It involves examining each identified risk to refine the description of the risk, isolate the cause, determine the effects, and aid in setting risk mitigation priorities. It refines each risk in terms of its likelihood, its consequence, and its relationship to other risk areas or processes.
Levels of Likelihood and Consequence
Levels are assigned in terms of their probability of occurrence. Levels and types of consequence based on projected effect on performance, schedule, or cost.
Risk Reporting Matrix
Used to determine the level of risk for each root cause as low(green), moderate(yellow), or high(red). Results can include risk title(p, s, c), risk causal factor, and mitigation approach.
Risk analysis sequence of tasks include:
- Develop probability and consequence scales by allocating consequence thresholds against the WBS or other breakout
- Assign a probability of occurrence to each risk using some specified criteria.
- Determine consequence in terms of (P)erformance, (S)chedule, and/or (C)ost impact based on specified criteria.
- Document the results in the program risk database.
5. Risk Mitigation Planning
The process of that identifies, evaluates, and selects options to set risk at acceptable levels given program constraints and objectives. Answers the questions Who is responsible, What should be done, When should it be done, and Where will the funding come from. Risk can be Avoided, Controlled, Transferred, and/or Assumed.
The risk mitigation plan needs to be realistic, achievable, measurable, and documented.
6. Risk Mitigation Plan Implementation
Implementing risk mitigation should be accomplished by risk category at the IPT level. The risk mitigation plan:
- Determines what planning, budget, and requirements and contractual changes are needed.
- Provides a coordination vehicle with management and other stakeholders.
- Directs the teams to execute the defined and approved risk mitigation plans.
- Outlines the risk reporting requirements for on-going monitoring.
- Documents the change history.
7. Risk Tracking
Risk tracking is systematically tracking and evaluating the performance of risk mitigation actions against established metrics throughout the acquisition process. It answers the question “How are things going” by:
- Communicating risks to all affected stakeholders
- Monitoring risk mitigation plans
- Reviewing regular status updates
- Displaying risk management dynamics by tracking risk status within the Risk Reporting Matrix
- Alerting management as to when risk mitigation plans should be implemented or adjusted
Risk tracking documents include: program metrics, technical reports, earned value reports, watch lists, schedule performance reports, technical review reports, and critical risk processes reports.
The key to risk tracking is to establish a management indicator system over the entire program. It should provide early warning when the likelihood of occurrence or the severity of consequence exceeds pre-established thresholds or is trending toward them so timely management actions can be taken.