Risk Management

Risk and issue management are closely related and use similar processes. All defense programs encounter risks and issues and must anticipate and address them on a continuing basis.

Risks are commonly characterized by likelihood and consequence. Through risk management, programs apply resources to lessen the likelihood of a future event occurring or the consequence should it occur.

[Figure: Risk and Issue Management Process]

An issue differs from a risk in that its occurrence is certain, not probabilistic. An issue is characterized by its consequence, and issue management applies resources to address and reduce the potential negative consequences associated with a past, present, or future certain event. Issues may occur when a previously identified risk is realized, or they may occur without prior recognition of a risk. In addition, issues may spawn new risks.

The five-step Risk and Issue Management Process may be applied to a risk or issue. The process for managing risks consists of:

  • Risk Management Process Planning: Consists of the program’s activities to develop, implement, and document steps the program will take to manage individual risks.
  • Risk Identification: Answers such questions as “What can go wrong?” or “What is particularly difficult in this program development?” and “What information is lacking?”
  • Risk Analysis: Answers the questions, “What are the likelihood and consequence of the risk?” and “How high is the risk?”
  • Risk Mitigation: Answers the question, “What is the plan to address the risk?” The four risk mitigation options are:
      1. Accept - acknowledges that the risk event or condition may be realized, and the program is prepared to accept the consequences.
      2. Avoid - reduces or eliminates the risk event or condition by taking an alternate path. It eliminates the source of the risk and replaces it with another solution.
      3. Transfer - includes reassigning or delegating responsibility for tasks to mitigate a risk to another entity. This might include transferring the financial responsibility as well. A warranty is an example of a way to transfer risk.
      4. Control - seeks to actively reduce risk to an acceptable level. An example may be reviews, walk-throughs, and inspections to reduce the probability/likelihood and potential consequences/impacts of risks through early assessment of actual or planned events, allowing earlier adjustments to planned work.
  • Risk Monitoring: Answers the question, “How has the risk changed?” or “How are the risk mitigation plans working?” Based on results, should additional actions be taken to mitigate or control the risk?

The Program Manager is responsible for implementing effective risk management within program constraints. Successful risk management requires planning and resourcing, and should be implemented early in the life cycle beginning with the Materiel Solution Analysis (MSA) phase or earlier based on early collaboration among the operational, acquisition, and technology communities. The goal is to identify risks to inform decisions on structure and content, and develop mitigation strategies for the risks that must be addressed to deliver intended capabilities.

The practice of risk management constitutes a significant aspect of program management and draws from all disciplines, including systems engineering, use of models and simulation, requirements definition, developmental and operational test, earned value management (EVM), production planning, quality assurance, and logistics. Risk management needs to be both top-down (program leadership) and bottom-up (from working-level staff members) to be successful. PMs should encourage everyone on their program to take ownership of the risk management program and should be careful not to cultivate a “shoot the messenger” culture. All personnel should be encouraged to identify risks, issues, and opportunities and, as appropriate, to support analysis, mitigation, and monitoring activities.

Making risk management work depends on process, but more importantly on people with knowledge and experience in the disciplines relevant to the product, and with the resolve to identify and address the risks that could influence program objectives. An organizational climate, open to external perspectives, that seeks independent board members for design reviews can strengthen the effectiveness of a program’s risk management. Well-understood requirements flowed to the product, an integrated schedule coupled to earned value management (EVM), an independent cost estimate, and the tenacity to pull on the threads that reveal problems all contribute to prospects for success.

Programs should define, implement, and document an appropriate, tailored risk process. The process should address planning, identification, analysis, mitigation, and monitoring of risks and issues.