4.3.6. Risk Management Process
4.3.6. Risk Management Process
The Risk Management process is the overarching process that encompasses identification, analysis, mitigation planning, mitigation plan implementation, and tracking of program risks. Risk management is the primary method of mitigating program uncertainties and is therefore critical to achieving cost, schedule, and performance goals at every stage of the life cycle. Effectively managing risks helps the Program Manager and Systems Engineer develop and maintain a system’s technical performance, and ensure realistic life-cycle cost and schedule estimates.
DoDI 5000.02 requires that technical and programmatic risks be managed in all life cycle phases. A program’s Technology Development Strategy (TDS) or Acquisition Strategy (AS), and Systems Engineering Plan (SEP) should address risks and should describe the program’s risk management process. DAG section 4.3.18.9. Environment, Safety, and Occupational Health contains information regarding ESOH related risk management.
Risk Management is most effective when fully integrated with the program’s SE and management processes. Identification of risk drivers, dependencies, root causes, and corrective action, as well as consequence management are key elements of this integration.
By definition, a risk is an unwanted event that may or may not occur in the future. A risk has three components:
- A future (yet-to-happen) root cause that, if corrected or eliminated, would be prevented along with its potential consequences
- A probability (or likelihood), assessed at the present time, of that future root cause occurring
- The consequence (or impact) of that future occurrence
A “Condition-If-Then” construct expresses risk as a function of its root cause, probability, and consequence. This construct generally reveals opportunities to not only mitigate the potential consequences of the risk occurring but also eliminate its root cause(s). As a best practice, risk mitigation plans should focus more on the causal factors that enable the risk’s existence rather than on consequence management. Eliminating the root cause of a risk avoids its consequences.
A risk is an unwanted future event that may or may not occur, meaning it has a probability of occurrence of less than one. An issue is an unwanted event that has occurred or is certain to occur in the future (in other words, a probability equal to one). Thus, an issue differs from a risk only in that it is not a probabilistic event. While Program Managers and Systems Engineers can use Risk Management approaches to deal with issues, they should remember that issue management applies resources to current issues or problems. In contrast, risk management proactively applies resources to identify and mitigate future potential root causes and their consequences. Risk management includes the condition when mitigation attempts fail and the risk is realized. The challenge for the Program Manager and Systems Engineer is to balance how they choose to deal with issues and risks, since they encounter both over the life of the program. The Program Manager and Systems Engineer should clearly define, assess, and consider technical and programmatic off ramps if the program cannot be adequately advanced given schedule and budget.
Activities and Products
Because risks can occur in any aspect of a program, it is important to recognize that all program team members and stakeholders have a responsibility to identify risks and report them to the Program Manager and Systems Engineer. Stakeholders also should be invited to participate in risk analysis and mitigation activities as requested or directed.
The Systems Engineer is responsible for prioritizing identified technical risks and developing mitigation actions. The Program Manager reviews and approves the risk priorities and mitigation plans and ensures required resources are available to implement the mitigation plans.
Risk Management encompasses several significant activities as outlined in Table 4.3.6.T1.
Table 4.3.6.T1. Risk Management Process Activities
Activity
|
Intent is to answer the question
|
Risk Identification
|
What can go wrong? What is the root cause?
|
Risk Analysis
|
How big is the risk? What is the probability of occurrence? What is the consequence of occurrence?
|
Risk Mitigation Planning
|
What is the program approach (cost, schedule, and technical) for addressing this potential root cause or unfavorable consequence?
|
Mitigation Plan Implementation
|
How can the planned risk mitigation be implemented? How do we ensure successful risk mitigation occurs?
|
Risk Tracking
|
How are risk mitigation plans going?
|
Early identification of affordability risk drivers is critical to program success. The investigation of both budgetary (long-term) and cost (near-term) aspects of affordability should continue throughout the acquisition life cycle. The Program Manager and Systems Engineer should carefully examine the technical trade space around budget and cost drivers for opportunities to eliminate or manage affordability concerns before they materialize. See DAG section 4.3.18.2. Affordability – Systems Engineering Trade-Off Analyses for more information on SE trades related to affordability.
Additional information on Risk Management is available in:
Table 4.3.6.T2 provides insights into the emphasis of Risk Management throughout the acquisition life cycle. Regardless of phase, several best practices may apply to a program’s Risk Management process:
- As designs mature, understanding of schedule alignment, integration challenges, and programmatic functions increase, allowing the decision makers to better assess the risks associated with a given approach.
- Trade studies at various levels (e.g., technology maturation approaches, contracting strategy, material selections, etc.) provide decision support information in the context of risk and affordability throughout the life cycle. See DAG sections 4.3.3. Decision Analysis Process and 4.3.18.2. Affordability – Systems Engineering Trade-Off Analyses for additional information.
- Supply chain risk management (SCRM) should occur throughout the acquisition life cycle. SCRM includes working with appropriate DoD and Office of the Director of National Intelligence (ODNI) organizations on program threats (foreign and counterintelligence), technology vulnerabilities, contractor threat assessments, counterintelligence vulnerabilities, and global distribution risks.
- Quality risks throughout the supply chain can have a drastic impact on performance, cost, and schedule, as well as overall customer satisfaction. Robust quality management systems and processes focused on continuous improvement are essential to the delivery of safe, reliable, and affordable products.
Table 4.3.6.T2. Focus of Risk Management Process by Phase
Phase
|
Focus
|
Products / Outputs
(Risk Considerations)
|
Measures / Metrics
|
Pre-MDD
|
Risk assessment of the effort/approach, early assessments of complexity, technical maturity, ability to close or reduce gaps
Mitigation measures include resourcing teams for further detailed evaluation
|
|
Identify operational risks associated with capability gaps, measured in terms of probability and consequence
Estimate resources to implement recommendations to close or mitigate capability gaps and reduce operational risk
Identify dependencies and constraints (e.g., capability integration and interoperability with other systems or materiel solutions) associated with closing or mitigating capability gaps
|
MSA
|
Risk identification as an element of the Analysis of Alternatives (AoA), other technical analysis, and Milestone A entrance criteria
Risk assessments to support selection of the preferred materiel solution and appropriate acquisition strategy
Vendor viability, contract strategy, acquisition strategy, technology maturity, resource availability, user expectations
Acquisition strategy evaluations include risk considerations of contractor availability, technical maturity, environmental, and operational dimensions
Mitigation approaches include contract approach, prototype, and parallel development
|
SE contributions to AoA Report
SEP and SE contributions to TDS that highlight how risk areas identified in the AoA are managed or mitigated in the TD phase
Selection of alternative solutions to include overall risk of achieving desired capabilities within cost and schedule estimates
Risk input to AoA; overall risk assessment and its integration into cost and schedule estimates
|
A quantitative analytical comparison of the operational effectiveness, suitability, and life-cycle cost of candidate materiel solutions
A list of critical technologies (CT) associated with each candidate materiel solution, including measures of technology maturity, integration risk, manufacturing feasibility, CT supply chain risk
Quantification of performance, cost, and schedule risks associated with each alternative
|
TD
|
Risk Management as a driver for technology readiness, preliminary design, and Milestone B entrance criteria
|
Technology maturity and risk reduction
Validation of CT maturity for a materiel solution from prototypes, experimentation, or other form of demonstration
Validation of CT supplier/vendor trustworthiness from a supply chain integrity risk perspective
Risk reduction through competitive prototyping:
- Broadens the opportunity for technology maturation by engaging multiple parties to compete for technology prototypes
- Can help the program identify the nature of risk at the subsystem/ system level (functionality, performance, or affordability)
Risks associated with preliminary design
|
Measures that demonstrate reduced technology maturity risks with respect to CT developers and producers
- Vendor viability in terms of business health, market position, industry outlook stability
- Assessments of the CT competitive environment to assess reliance risk on a single vendor/supplier
Technology Readiness Levels (TRL) as the metric to assess CT maturity
Affordability monitoring
Continuous should cost estimation
Assessment that preliminary design has high likelihood of satisfying the need within cost and schedule constraints
|
EMD
|
Risk Management as an element of development, full system integration, and Milestone C entrance criteria
|
EMD Risk Management processes, procedures, and plan
Risk mitigation for establishment of qualification requirements throughout the supply chain
Special emphasis:
- Requirements
- Risk management
- Affordability risk management
- Supply chain risk management
Should cost assessments
EMD risk management plan that includes addressing the above focus areas; include a sustainment risk management plan as part of the program’s overall EMD risk management plan (Life-Cycle Sustainment Plan (LCSP))
At the Critical Design Review (CDR), identify risks and mitigation plans for achieving a fully verified functional baseline in a timely fashion
|
PM’s Risk Management Dashboard focused on EMD:
- KPP risk management
- TPM analyses and monitoring
- Risk burn-down and closure rates
- Cost growth monitoring
EMD schedule monitoring (e.g., IMS model measurements for schedule slips)
Affordability monitoring
Continuous should cost estimation
|
P&D
|
Risk Management as an element of operational test and evaluation, production, and IOC
|
P&D Risk Management processes, procedures, and plan
Special emphasis: P&D SCRM
P&D risk management plan that includes addressing the above focus areas; include updates or refinements to the LCSP/ sustainment risk management, initially created as part of the program’s overall EMD risk management plan
|
PM’s Risk Management Dashboard focused on P&D
- Funding streams
- Continuity of production levels and frequency of breaks
- Production failure rate, supplier quality non-conformances, and cost impact metrics
- Impact of supplier and design changes to the qualified baseline
Deployment and fielding schedules
|
O&S
|
Risk Management as an element of operational readiness and FOC
|
O&S Risk Management processes, procedures, and plan
Special Emphasis: O&S SCRM
O&S risk management plan that includes addressing the above focus areas
|
PM’s Risk Management Dashboard focused on O&S:
- O&S funding streams
- Management and burn-down of technology obsolescence risks
- Technology insertion upgrade schedules and refresh rate
- Qualification and product verification of spares suppliers, field failure rates, and depot failure rates
O&S contract monitoring
|