Organization-Guide/Processes/Quality Management/COSO/Risk Management/Risk Management.md


Risk Management

Key Terms, Descriptions, and Principles

Risk

Risks are characterized by probability of occurrence and consequence. Through risk management, the company applies resources to lessen the likelihood of a future event occurring and/or the consequence should it occur. As risks increase in probability, the company should anticipate that the events will occur and should put plans in place early to mitigate the consequences.

Risk Components

Risks have three components:

  • A future cause (yet to happen), which if eliminated or corrected, would prevent a potential consequence from occurring
  • A probability (or likelihood) assessed at the present time of that future cause occurring
  • The consequence (or effect) of that future occurrence

Risk Management

Risk Management Process

Risk management is a continuous process. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction.

Risk Management Process Model

The following four steps represent the risk management process:

  • Identification: What has, can or will go wrong?
  • Assessment: What is the likelihood of the risk and the consequence of the risk?
  • Mitigation: What, if anything, will be done about the risk?
  • Monitoring: How has the risk changed, and are the mitigations working?

Top-Level Guidelines for Effective Risk Management

  • Assess the causes of risks and develop strategies to manage these risks
    • Identify risks as early as possible, and intensively manage those that critically affect OMS
    • Include tests and evaluations as part of the risk management process
  • Include industry knowledge in risk management. Likelihood and consequence should be compared with experience from similar industries.
  • Use a proactive, structured risk assessment and analysis to identify and analyze root causes.
    • Use risk assessment checklists where applicable
    • Establish risk mitigation plans and obtain the resources needed to carry them out
  • Include internal processes as part of the risk assessment.
  • Clearly define a set of evaluation criteria for assigning risk ratings to identified root causes.

Risk Identification

The intent of risk identification is to answer the question “What can go wrong?” by:

  • Looking at current and proposed staffing, processes, suppliers, products, resources, dependencies, etc.
  • Reviewing potential shortfalls against expectations
  • Analyzing negative trends

Risk identification is the activity that examines each element of the company to identify associated causes, begins their documentation, and sets the stage for their successful management. Risk identification begins as early as possible and continues with regular analyses.

Company: Identification is performed continuously, and formally once a year.

Risk Categories

  • Operational Risk
  • Financial Risk
  • Compliance Risk
  • Strategic Risk
  • Other Risk

Risk Analysis

Risk analysis answers the questions “What are the likelihood and consequence of the risk?” and “How high is the risk?”. The following tasks are part of the risk analysis:

  • Estimate the likelihood the risk event will occur
  • Estimate the possible consequence in terms of cost, schedule and performance
  • Determine the resulting risk level and prioritize for mitigation

Risk analysis provides an estimate of each risk's likelihood and consequence, and the resulting risk level, in order to manage risks more effectively and prioritize mitigation efforts. Consistent, predefined likelihood and consequence criteria provide a structured means for evaluating risks so that decision makers can make objective comparisons.

Likelihood

Risk likelihood is the evaluated probability that an event will occur given existing conditions. The estimated likelihood should be tied to a specific, well-defined risk event or condition and risk statement. The following table provides the criteria for the initial assessment of the likelihood of a risk occurring.

| Level | Likelihood | Probability of Occurrence |
|---|---|---|
| 5 | Near Certainty | > 80% |
| 4 | Highly Likely | > 60% and ≤ 80% |
| 3 | Likely | > 40% and ≤ 60% |
| 2 | Low Likelihood | > 20% and ≤ 40% |
| 1 | Not Likely | > 0% and ≤ 20% |

The initial assessment of the probability of occurrence must be considered together with the consequences should the event be realized, and with the effectiveness of available mitigation actions, when deciding whether a given probability level is too high and would preclude proceeding on a planned course of action. Depending on the circumstances, a risk (probability and consequence) may be high enough to warrant a change of course in the absence of assured mitigation.

While dealing with individual risks, decision makers should understand the overall risk exposure of the company and the threat that cumulative or compounding effects of multiple risks pose to successfully satisfying business objectives. Multiple risks may expose the company to a greater risk than any individual risk due to complexity, stretched resources, risk interactions, or the aggregate likelihood of the risk realization.

Consequence

During analysis, each risk should be evaluated in terms of its impact should the risk be fully realized. Risk consequence is measured as a deviation from historic company or business-specific baselines, using the criteria in the following table.

| Level | Impact | Cost over Budget | Schedule | Performance |
|---|---|---|---|---|
| 5 | Critical Impact | > 10% | Schedule slip will require a major schedule rebaselining | Degradation precludes the system from meeting a KPP or a key technical/supportability threshold. Unable to meet mission objectives. |
| 4 | Significant Impact | > 5% and ≤ 10% | Schedule slip puts funding at risk | Degradation impairs the ability to meet a KSA. Technical design or supportability margin exhausted in key areas. Significant performance impact affecting system-of-systems interdependencies. Work-arounds required to meet mission objectives. |
| 3 | Moderate Impact | > 1% and ≤ 5% | Schedule slip impacts synchronization with interdependent expectations by more than 3 months | Unable to meet lower-tier attributes, TPMs, or CTPs. Design or supportability margins reduced. Minor performance impact affecting system-of-systems interdependencies. Work-arounds required to achieve mission tasks. |
| 2 | Minor Impact | ≤ 1% | Some schedule slip, but dates can be met within 1 month | Reduced technical performance or supportability; can be tolerated with little impact on program objectives. Design margins reduced, but within trade space. |
| 1 | Minimal Impact | +0% | Minimal schedule impact | Minimal consequences for meeting technical performance or supportability requirements. Design margins will be met; margin to planned tripwires. |

Risk Mitigation

The risk mitigation strategy consists of the selected option, or combination of options, and the specific implementation approach. It answers the questions “What is the plan to address the risk?” and “Should the risk be accepted, avoided, transferred, or controlled?”. After analyzing the risks, the company should develop a strategy to manage them by evaluating the four risk mitigation options:

  • Avoiding risk by eliminating the cause and/or the consequence
  • Controlling the cause or consequence
  • Transferring the risk to other entities
  • Assuming the level of risk and continuing on the current plan

Some risk mitigation activities may be implemented as contingency plans that are activated when a specific triggering event occurs. The level of detail in a risk mitigation plan depends on the nature of the risk being addressed. When selecting the mitigation option(s) and formulating the implementation approach, the risk owner should address questions such as:

  • Is the risk mitigation plan feasible (options and implementation approach)?
  • Is the risk mitigation plan affordable in terms of funding and any additional resources needed (e.g. personnel, equipment)?
  • Is adequate time available to develop and implement the risk mitigation plan?
  • What impact does the risk mitigation plan have on other work and objectives?
  • Are the expectations realistic given the circumstances, constraints, and objectives?

Risk Acceptance (and Monitoring)

By accepting a risk, the company acknowledges that the risk event or condition may be realized and is prepared to accept the consequences. Accepting a risk does not mean it should be ignored. The company should continue to track the risk to ensure that the accepted consequences do not worsen and that the likelihood does not increase. Monitoring implies that the company establishes knowledge points that provide opportunities to reevaluate the risk. Before accepting a risk, the company should identify the resources and schedule that would be needed should the risk be realized.

Risk Avoidance

Through risk avoidance, the company reduces or eliminates the risk event or condition by taking an alternate path. It eliminates the source of the risk and replaces it with another solution.

Risk Transfer

Risk transfer reassigns or delegates responsibility for the tasks that mitigate a risk to another entity. This may include transferring the financial responsibility as well, and may involve reallocating risk management tasks from one party to another. The same risk may be carried by multiple entities. However, transferring a risk does not eliminate all responsibility: the risk must still be monitored for potential consequences.

Risk Control

The risk control option seeks to actively reduce the risk to an acceptable level. Control generally entails taking action to reduce the likelihood, or the consequence, of a risk to as low as practical in order to minimize potential impacts.

Control options should result in reduced risk likelihood and/or consequence. Risk control activities often reduce the likelihood of the risk event occurring, or accelerate the acquisition of knowledge that affects the likelihood. The result may be a revised risk description with updated consequences, priority, and mitigation strategy.

Risk Monitoring

Risk monitoring answers the questions “How has the risk changed?” and “How are the risk mitigation plans working? Based on the results, should additional actions be taken to mitigate or control the risk?”.

Risk monitoring is a continuous process that systematically tracks and evaluates the performance of risk mitigation plans against established metrics. Not all risk mitigation will be successful. The company should reevaluate the risk mitigation approach and associated activities to determine their effectiveness and whether further action is needed.

Risk monitoring includes recording, maintaining, and reporting risks, risk analyses, risk mitigations, and tracking results. If a risk changes significantly, the company should adjust the risk mitigation strategy accordingly. If the risk is lower than previously analyzed, the company may reduce or cancel risk mitigation activities and consider freeing the resources for other uses. If the risk severity increases, appropriate risk mitigation efforts should be developed and implemented.

Company: Monitoring is performed continuously, and formally once a year.

Review

The Risk Management System must be reviewed on a regular basis for effectiveness and efficiency. The review should be performed by independent personnel (either internal or external), and the system adjusted in response to the findings and to changed circumstances.

Company: The review is performed annually.

2022-01-01 - Version 1.0