Definition
A risk is an event that, if it occurs, adversely affects the ability of a project to achieve its outcome objectives. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Risk management lies at the intersection of project functions performed by the systems engineer and the project manager. Historically, risk management focused more on management elements such as schedule and cost and less on technical risks for well-defined or smaller projects. However, larger and more complex projects and environments have increased the uncertainty for the technical aspects of many projects. To increase the likelihood of successful project and program outcomes, the systems engineer and project manager must be actively involved in all aspects of risk management.
A substantial body of knowledge has developed around risk management. In general, risk management includes the development of a risk management approach and plan, identification of components of the risk management process, and guidance on activities, effective practices, and tools for executing each component.
Necessary Steps in the Risk Management Process
Step 1: Risk Identification
Risk identification is the critical first step of the risk management process. Its objective is the early and continuous identification of risks, including those within and external to the engineering system project.
Step 2: Risk Impact or Consequence Assessment
In this step, an assessment is made of the impact each risk event could have on the engineering system project. Typically, this includes how the event could impact cost, schedule, or technical performance objectives. Impacts are not limited to only these criteria. Additional criteria such as political or economic consequences may also require consideration. In addition, an assessment is made of the probability (chance) each risk event will occur.
Step 3: Risk Prioritization
At this step, the overall set of identified risk events, their impact assessments, and their occurrence probabilities are “processed” to derive a most critical to least critical rank-order of identified risks. A major purpose for prioritizing risks (see Table 1) is to form a basis for allocating critical resources. Ranking risks in terms of their criticality or importance provides insights to the project’s management on where resources may be needed to manage or mitigate the realization of high probability/high consequence risk events. When assessing risk, it is important to match the assessment impact to the decision framework. For program management, risks are typically assessed against cost, schedule, and technical performance targets.
Table 1: Risk Management Assessment Scale Example
| Probability range | Rating | Bounds | Interpretation |
|---|---|---|---|
| 1.00 | Issue | 1 | Certain to occur |
| 0.95 – 0.99 | High | > 0.95 < 1 | Extremely sure to occur |
| 0.85 – 0.95 | High | > 0.85 <= 0.95 | Almost sure to occur |
| 0.75 – 0.85 | High | > 0.75 <= 0.85 | Very likely to occur |
| 0.65 – 0.75 | High | > 0.65 <= 0.75 | Likely to occur |
| 0.55 – 0.65 | Medium | > 0.55 <= 0.65 | Somewhat greater than an even chance |
| 0.45 – 0.55 | Medium | > 0.45 <= 0.55 | An even chance to occur |
| 0.35 – 0.45 | Medium | > 0.35 <= 0.45 | Somewhat less than an even chance |
| 0.25 – 0.35 | Low | > 0.25 <= 0.35 | Not very likely to occur |
| 0.15 – 0.25 | Low | > 0.15 <= 0.25 | Not likely to occur |
| 0.00 – 0.15 | Low | > 0.00 <= 0.15 | Almost sure not to occur |
Step 4: Risk Mitigation Planning
This step involves the development of mitigation plans designed to manage, eliminate, or reduce risk to an acceptable level. Once a plan is implemented, it is continually monitored to assess its efficacy with the intent to revise the course of action, if needed.
Two other steps are involved in executing risk management: developing the approach and plan, and selecting the risk management tools. The risk approach determines the processes, techniques, tools, team roles, and responsibilities for a specific project. A risk management plan describes how risk management will be structured and performed on a project. Risk management tools support the implementation and execution of program risk management in systems engineering programs. In selecting the appropriate tools, the project team considers factors such as program complexity and available resources.
Risk Mitigation Strategies
A. Risk Mitigation Handling Options
Risk mitigation handling options include:
Assume/Accept: Acknowledge the existence of a particular risk, and make a deliberate decision to accept it without engaging in special efforts to control it.
Avoid: Adjust program requirements or constraints to eliminate or reduce the risk. This adjustment could be accommodated by a change in funding, schedule, or technical requirements.
Control: Implement actions to minimize the impact or likelihood of the risk.
Transfer: Reassign organizational accountability, responsibility, and authority to another stakeholder willing to accept the risk.
Watch/Monitor: Monitor the environment for changes that affect the nature and/or the impact of the risk.
B. Risk Management Tools
Risk management tools are meant to support the implementation and execution of program risk management in systems engineering programs. Risk analysis and management tools serve multiple purposes and come in many shapes and sizes.
Some risk analysis and management tools include those used for:
Strategic and Capability Risk Analysis: Focuses on identifying, analyzing, and prioritizing risks to achieve strategic goals, objectives, and capabilities.
Threat Analysis: Focuses on identifying, analyzing, and prioritizing threats to minimize their impact on national security.
Investment and Portfolio Risk Analysis: Focuses on identifying, analyzing, and prioritizing investments and possible alternatives based on risk.
Program Risk Management: Focuses on identifying, analyzing, prioritizing, and managing risks to eliminate or minimize their impact on program objectives and probability of success.
Cost Risk Analysis: Focuses on quantifying how technological and economic risks may affect the system’s cost. Applies probability methods to model, measure, and manage risk in the cost of engineering advanced systems.
How to Select the Right Tool
It is important that the organization defines the risk analysis and management process before selecting a tool. Ultimately, the tool must support the process. Below are the criteria to consider when selecting risk analysis and management tools.
Aligned to risk analysis objectives: Does the tool support the analysis that the organization is trying to accomplish? Is the organization attempting to implement an ongoing risk management process or conduct a one-time risk analysis?
Supports decision making: Does the tool provide the necessary information to support decision making?
Accessibility: Is the tool accessible to all users and key stakeholders? Can the tool be located/hosted where all necessary personnel can access it?
Availability of data: Is data available for the tool’s analysis?
Level of detail: Is the tool detailed enough to support decision making?
Integration with other program management/systems engineering processes: Does the tool support integration with other program management/systems engineering processes?