My new Program Manager stated that in her training in regard to Risk Management she was instructed that risk mitigation steps’ consequence ratings never change. Meaning, once a consequence rating is assigned to a risk, the consequence rating would remain the same throughout the life of the risk. Meaning all mitigation steps would carry the same rating. I have never actually heard this. According to how we have been tracking risks through the burn down process, many of our risks’ mitigation steps’ consequence ratings burn down from a 4 to a 3 to a 2. What is the correct way to report consequence ratings for risks? Any information you can provide would be greatly appreciated.
Program risks are not static. Risks should be reviewed by the whole program team on a regular basis to ensure you have portrayed them correctly, and to see if there are any changes. Along with that, the assumptions you used to develop the risks should also be regularly re-evaluated. Assumptions change over time, and some that were made early in the program may now be different or even completely erroneous. New risks appear over time that were not identified initially. It is true that as you have more information on your program or as it matures, the probability of occurrence may change for sure - increasing or diminishing. Consequence is then evaluated on the impact to cost, schedule and performance of the program. The consequence may also change; for example, the cost impact of a redesign may go up and therefore the consequence of a cost risk will increase. If your development test articles are unable to pass a number of tests, the consequence of the design not meeting the specifications increases. Consequence probably changes less often than likelihood, but it can change.
One way to categorize the changes would be to use the consequence thresholds in the DOD Risk, Issue and Opportunity Management Guide (2017 edition), page 25, Table 3.1. You would categorize them during your initial risk assessment; then, as your program proceeds, you evaluate if the consequence has crossed any of those thresholds up or down.
The key is really to do a regular review of the risks to verify that they are still captured as accurately as possible with the information you have at the time. Don't be too anchored to your initial risk assessment. The risk review should be integrated in that it should address not only contractor risks, but Government risks as well - those that the contractor may not be aware of, or that do not impact them directly.