slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
ESC Risk Management Process Training Version 1.0 PowerPoint Presentation
Download Presentation
ESC Risk Management Process Training Version 1.0

Loading in 2 Seconds...

play fullscreen
1 / 81

ESC Risk Management Process Training Version 1.0 - PowerPoint PPT Presentation


  • 143 Views
  • Uploaded on

ESC Risk Management Process Training Version 1.0. Joe Duquette. ESC Risk Management Process Agenda. Session 1 - ESC Risk Management Environment Session 2 - Identifying Risk Session 3 - Analysis and Handling Risk Session 4 - Implementation and Monitoring Risk.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

ESC Risk Management Process Training Version 1.0


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  1. ESCRisk Management Process Training Version 1.0 Joe Duquette

  2. ESC Risk Management ProcessAgenda • Session 1 - ESC Risk Management Environment • Session 2 - Identifying Risk • Session 3 - Analysis and Handling Risk • Session 4 - Implementation and Monitoring Risk Each Session is 45 - 60 minutes, between sessions we will have a 15 minute break

  3. Session 1 ESC RMP Training ESC Risk Management Environment

  4. ESC RMP TrainingSession 1 Agenda • Session 1 - ESC Risk Management Environment • Session 2 - Identifying Risk • Session 3 - Analysis and Handling Risk • Session 4 - Implementation and Monitoring Risk

  5. ESC RMP Training “And through all this welter of change and development, your mission remains fixed, determined, inviolable -- it is to win our wars.” General Douglas MacArthur

  6. Establish a Standard Risk Management Process That Will Assist in Achieving Overall Center Objectives ESC RMP TrainingRMP Objectives ESC Objectives ESC Risk Management Process Objectives • Shorter Time to Market • Integrated Command and Control and Combat Support • Harmonize Capabilities, Interoperability, User Needs, Budget, and Technology • Dealing With Uncertainty • Life-Cycle Systems Engineering • Streamline Communications • Address Acquisition and Operational Risks Across the Life Cycle • Insure Consistency with Current AF and DOD Policy • Incorporate the use of SPO Risk Management Tool • Address Risk from a Program Office Perspective (e.g. Tailored to Terminal Program Office Needs and Business Practices) • Provide a Value-Add Integrated into Everyday Program Management • Establish an ESC Risk management Process, Automated Tools, and use Instructions Accessible Via Web Technology • Aggressively Involve Major Stakeholders Over the Life Cycle of the Terminal

  7. Plan and Prepare for Risk Management Identify and Analyze Risks Establish a Risk Management Strategy Define Risk Parameters Determine Risk Sources and Categories Identify Risks Risk Responsibility Evaluate, Classify, and Prioritize Risks From Project Planning and Project Monitoring and Control Mitigate Risks Implement Risk Mitigation Plans Develop Risk Mitigation Plans DAR ESC RMP TrainingRMP Goals and Practices Only Provides A Generic Framework • Risk Management is a continuous, forward-looking process that is an important part of business and technical management processes. Risk management needs to address issues that could endanger critical objectives. A continuous risk management approach is applied to ensure effective anticipation and mitigation of risks with critical impact across the project life cycle. CMMI Continuous Representation, V1.0, August 2000

  8. Risk • “Risk is a measure of the inability to achieve system life cycle objectives ..” † such as the following: • Assurance of Program Viability • Provision of Operational Capability • Delivery Within Negotiated Baseline • Assurance of Operational Asset Survival • Assurance of Mission Success • Assurance of Personnel Safety and • Performance • Assurance of Integration with Operational • Environment • “Risk has two components: • The probability (or likelihood) of failing • to achieve particular system life cycle objectives • The consequences of failing to achieve those objectives” † ESC RMP TrainingRisk Management Defined • “Risk is a measure of the inability to achieve system life cycle objectives ...” † such as the following: • Assurance of Program Viability • Assurance of Operational Capability • Delivery Within Negotiated Baseline • Assurance of Operational Asset Survival • Assurance of Mission Success • Assurance of Personnel Safety and Performance • Assurance of Integration with Operational Environment • “Risk has two components: • The probability (or likelihood) of failing to achieve particular system life cycle objectives • The consequences of failingto achieve those objectives” † †Adapted from AFMCP 63-101, 9 July 1997

  9. DoD 5000 Block Lifecycle FOC IOC A B C Concept & Technology Development System Development & Demonstration Production & Deployment Operations & Support FRP Decision Review OT&E Sustainment Systems Acquisition (Engineering and Manufacturing Development, Demonstration, LRIP and Production) Pre - Systems Acquisition ESC RMP TrainingProgram Life Cycle

  10. Concept Definition q · Description - The threat is identified, the need established, the capability to counter the threat is conceived, the concept is discussed with potential vendors/contractors, and the cost is estimated. · Transition To Next Phase Indicator - Funding and Direction Acquisition Strategy q · Description - The period during which the acquirer prepares and contracts for the acquisition of, or modification to the system. · Transition To Next Phase Indicator - Contract Award or Modification Development Period q · Description - The period during which the vendor/contractor develops the system. · Transition to Next Phase Indicator - Development Test & Evaluation (DT& E) Complete. ESC RMP TrainingProgram Life Cycle (Continued)

  11. Mission Integration Operations and Support q The ESC RMP is a continuous activity over the program life cycle, where q · Description - The period during which the initial systems are delivered, · Description - The period during which the system is used operationally. multiple versions of a product may simultaneously exist in different phases of the training is accomplished, and the warfighter begins to use the The start of spiral development and/or modification efforts. life cycle. The life cycle phases were chosen to reflect the variability in program equipment to accomplish his mission. · Transition to Next Phase Indicator - The end of this phase is marked risks and program stakeholders. · Transition To Next Phase Indicator - Depot Start/Command Support by the eventual disposal of the system. Start. ESC RMP TrainingProgram Life Cycle (Continued)

  12. Process Modeling Concept Definition Mission Area Shortfalls & Acquisition Strategy Planning Opportunities Vision & Goals Funding & Direction ORD Risk Zone Experimentation SRD/TRD Acquisition Strategy User Requirements PPBS Development Development Capstone Risk Definition Spiral Feedback Architecture Zone ASP Risk Budgeting & Tradeoffs Threat Change Risk Risk Zone Zone Zone Requirements RFP Mission Shift Source Selection Operational & Risk Feasibility Preparation Technical Requirement Feasibility Existing Direction Architecture(s) Risk Contract Zone Contract Contract Form Program Funding & Direction Program Award Award Award Office Planning IPT Depot Funding & Contract System DT&E Start Award Complete Disposal Direction Contract Contract Contract Package Development Award Award Award System Life Cycle Form Post Award Product Design Product Integration Working Level Conference & Development IPT Define Post Award Work Packages Back to and IPTs Mission Operations & Package Concept Acquisition Development Fielding Partial Development Integration Support Definition Strategy Decision Zones FOC FOC IOC IOC A A B B C C Full Production & Production & Concept & Concept & System Development System Development Deployment Deployment Operations & Operations & Technology Technology & Demonstration & Demonstration Support Support FRP FRP Development Development Decision Decision Production OT&E OT&E Review Review Test Assets DT&E Test Assets Test Assets Readiness Sustainment Systems Acquisition Pre - Systems (Engineering and Manufacturing Acquisition Development, Demonstration, LRIP and Production) Operations & Support IOC Test Assets IOC Mission Integration IOC Test Assets Test Assets Form Begin Certification and Establish Test OT&E Test & Integration Operations Operate Accreditation Environments Form User Working Group and O&M Planning Group Labs Security Maintain Support Elements Begin Net Worthiness Test Assets Interoperability No Production Back to Sustainment Training Development Decision Deficiency Reports Yes Incident Reports Maint Data Analysis TCTOs , Reprocurement , Modifications, Phase Out & Disposal Infrastructure Finalize Production OT&E Phase Out & Disposal Phase Out & Disposal IOC IOC IOC SLEP Engineering, Mission Shift Readiness Readiness System Fixes Conduct Training, Connectivity, Installation, Deployment ESC RMP TrainingProgram Life Cycle (Continued)

  13. New Contract Action Functional or Performance Baseline Change ConceptDefinition Acquisition Strategy ATD Experiment ACTD COTS Product Integration Plug & Play or Bug Fix Beta or Development Only Package Development Program Direction Change Mission Integration Operations & Support ESC RMP TrainingProgram Life Cycle (Concluded)

  14. Concept Def. Acq. Strat. Mission Integ. Package Develop O&S ESC RMP TrainingObjectives & the Program Life Cycle System Life Cycle Objectives • Assurance of Program Viability • Assurance of Operational Capability • Delivery Within Negotiated Baseline • Assurance of Operational Asset Survival • Assurance of Mission Success • Assurance of Personnel Safety and Performance • Assurance of Integration with Ops. Environment

  15. The following is a list with amplifications of the possible stakeholders involved in the ESC RMP. This list and table are provided as an aid to the terminal program teams in determining the appropriate set of stakeholders to involve in the RMP. · Certification Community (NSA, JITC, DISA, AFCA.) · Congress (Congressperson, Committees, Commissions) · Contractor (On Contract Provider of Product) · Customer (MAJCOM HQ, Lead Operational Command) · Air Force Base CE - (Site Activation/Construction/Installation) · ESC (Single Manager, SPO, BP, CX, JA, PK, SE, MITRE, ITSP Contractors etc.) · Experimentation Community (EFX, Labs, S&T, DARPA, etc.) · Industry (Prospective Contractors Providing Technology / Business Opportunity) · Other Services (Providing product or using your product) · SAF & HQ USAF (AQ, FM, XO, PR, PEOs, DACs) · Sustainment Community (Depot, Field Maintainers) · Test Community (ESC/TE, AFOTEC, JTF) · Training Community (AETC or Contractor) ESC RMP TrainingLife Cycle Stakeholders

  16. ESC RMP TrainingLife Cycle Stakeholders (Continued)

  17. Joint Forces Global Info Grid Aeronautical Armament Command & Control Space ESC RMP TrainingESC Stakeholders (Concluded) Traditional View of Stakeholders No Longer Valid A More Effective Fighting Force Capabilities To Warfighter

  18. Operational Risk Management Acquisition Risk Management Concept & Technology Development System Development & Demonstration Production & Deployment Operations & Support ESC RMP TrainingRisk Management Space Mission Operations & Support Concept Definition Package Development Acquisition Strategy Integration IOC FOC A B C FRP Decision Review OT&E Sustainment Systems Acquisition (Engineering and Manufacturing Development, Demonstration, LRIP & Production) Pre - Systems Acquisition

  19. Operational Risk Management Acquisition Risk Management Concept & Technology Development System Development & Demonstration Production & Deployment Operations & Support ESC RMP TrainingContinuous Risk Management Mission Operations & Support Concept Definition Package Development Acquisition Strategy Integration IOC FOC A B C FRP Decision Review OT&E Sustainment Systems Acquisition (Engineering and Manufacturing Development, Demonstration, LRIP & Production) Pre - Systems Acquisition Applied Continuously Through The Life Cycle

  20. Step 1 Prepare Step 2 Identify Risks & Hazards Yes Revise Risk Plan Step 3 Assess & Prioritize Risks Is the Process Working ? New Phase or Key Stakeholder ? No Yes Yes (Continue Monitoring) Key Milestone Approaching ? No (Continue Monitoring) No (Continue Monitoring) Step 7 Monitor Handling Plans Step 4 Decide on Control Options (Continue Monitoring) No Months Since Last Assessment ? Yes Step 6 Implement Risk Handling Plans Step 5 Establish Handling Plans ESC RMP TrainingRisk Management Process (RMP)

  21. Session 2 ESC RMP Training Identifying Risk

  22. ESC RMP TrainingSession 2 Agenda • Session 1 - ESC Risk Management Environment • Session 2 - Identifying Risk • Step 1 - How to Prepare for Risk Management • Step 2 - Identification of Risks and Hazards • Exercise • Session 3 - Analysis and Handling Risk • Session 4 - Implementation and Monitoring Risk

  23. ESC Risk Toolbox Tool ESC RMP TrainingProcess Briefing Conventions Beginning of Process Step ESC Toolbox Contain Assets to Support Action Process Action Discussion Tool Support Step or Action

  24. ESC RMP TrainingStep 1 - Prepare for Risk Management Step 1 Prepare Step 2 Identify Risks & Hazards Step 1 Yes Revise Risk Plan Step 3 Assess & Prioritize Risks Is the Process Working ? New Phase or Key Stakeholder ? No Yes Yes (Continue Monitoring) Key Milestone Approaching ? No (Continue Monitoring) No (Continue Monitoring) Step 7 Monitor Handling Plans Step 4 Decide on Control Options (Continue Monitoring) No Months Since Last Assessment ? Yes Step 6 Implement Risk Handling Plans Step 5 Establish Handling Plans

  25. The Manager Becomes the Sponsor of the Risk Management Process • The Manager Sets Priority that Risk Management is Critical to the Program • The Manger Commits Sufficient Resource • The Manager Fosters Success Oriented Approach to the Risk Management Task • Stakeholders Become Co-Sponsors of the Risk Management Activity • Stakeholders Commit Sufficient Resource • Stakeholders Empower Risk Managers • Assemble Appropriate Set of Stakeholders • Makes Various Sources of Data and Information Available to All Stakeholders • Review Various Taxonomies and Risk Lessons Learned Sources • Each Stakeholder Formulates Individual Concerns/Uncertainties • Risk Identification is Mission Focused • The Risk Management Process is Focused on Successful Mission Accomplishment. All Stakeholders Must Become Familiar with the Program and Mission Requirements and Objectives (i.e. Goals of the Organization, Program & Implied Requirements, Life Cycle Requirements, etc.) Draft Risk Management Plan Evolves From These Actions ESC Risk Toolbox T Stakeholders Identify Mission Uncertainties Risk Management Becomes a Management Priority Risk Management Becomes a Mission Priority Risk Management Becomes a Program Priority ESC Risk Toolbox ESC RMP TrainingStep 1 Actions - Prepare Action 1: Obtain Commitment and Resources from PM On RMP Action 2: Identify Key Program/Mission Stakeholders and Request Their Participation Action 3: Identify and Distribute To Stakeholders the Key Program/ Mission Objectives & Rqmts. Action 4: Identify, Review, and Distribute Applicable Risk /Hazard Taxonomies To The Stakeholders

  26. ESC RMP TrainingStep 2 - Identify Risks & Hazards Step 1 Prepare Step 2 Identify Risks & Hazards Step 2 Yes Revise Risk Plan Step 3 Assess & Prioritize Risks Is the Process Working ? New Phase or Key Stakeholder ? No Yes Yes (Continue Monitoring) Key Milestone Approaching ? No (Continue Monitoring) No (Continue Monitoring) Step 7 Monitor Handling Plans Step 4 Decide on Control Options (Continue Monitoring) No Months Since Last Assessment ? Yes Step 6 Implement Risk Handling Plans Step 5 Establish Handling Plans

  27. ESC RMP TrainingStep 2 /Action 1 - Assemble Stakeholders Identify Risks & Hazards Action 1: Assemble Stakeholders for Risk Assessment Action 2: Review Program/Mission Objectives, Taxonomies and Risk Assessment Process Action 4: Group Related Risks Action 5: Consolidate Related Risks & Write “If - Then” Risk Statements Action 3: Conduct Risk Identification Through Stakeholder Discussion • Initial Risk Management Meeting • Bringing Stakeholders Together Provides Opportunity to Develop a Common Program Identity • Provides Focus and Insures that the Risk Management Team Develops a Common • Understanding of Mission, Program and Risk Management Philosophy • Punctuates the Need for Commitment to the Task and Commitment of Resource • Provides Opportunity for Training if Needed • Opens the Channels of Communication • Subsequent Risk Management Meetings • Alternative Meeting Methods Could be Use (i.e. • VTC, Teleconference, Web-Based, etc.) • However, if a Major Program Event is Prompting • the Meeting, Face-to-Face is Preferable • Communicate, Communicate, Communicate…...

  28. Mission Objectives Program Objectives Risk Assessment Process Taxonomies ESC Risk Toolbox ESC RMP TrainingStep 2 /Action 2 - Review Identify Risks & Hazards Action 1: Assemble Stakeholders for Risk Assessment Action 2: Review Program/Mission Objectives, Taxonomies and Risk Assessment Process Action 4: Group Related Risks Action 5: Consolidate Related Risks & Write “If - Then” Risk Statements Action 3: Conduct Risk Identification Through Stakeholder Discussion • Review Program/ Mission Objectives • Where can we find this information? • Letter From User • Capstone Requirements Document • Operational Requirements Document • Program Management Directive • How to do it:(Using a white board, flip chart, or electronic means) • Review and Capture the Key Program Requirements • Review the List and Check for Omissions • This Is an Aid to the Risk Identification That Follows • Review Risk Assessment Process • As Defined Earlier • Review Taxonomies • As Defined Earlier • Acquisition Program Baseline • Policy Directives (JTA, DII COE, 18mos, Etc.) • Funding Profile • Other (Objectives/goals)

  29. ESC RMP TrainingStep 2 /Action 3 - Identify Risks Identify Risks & Hazards Action 1: Assemble Stakeholders for Risk Assessment Action 2: Review Program/Mission Objectives, Taxonomies and Risk Assessment Process Action 4: Group Related Risks Action 5: Consolidate Related Risks & Write “If - Then” Risk Statements Action 3: Conduct Risk Identification Through Stakeholder Discussion • What is Risk? • The inability to achieve program objectives • What could go wrong? • How likely (probability that the risk will occur)? • When likely (time frame -- urgency)? • How badly (what’s the impact to the program if it occurs)? • What is the time frame of interest for this assessment? • Tools and Methods that Could be Used • Brainstorming • Periodic Risk Reporting • Project Profile Questions • Risk Forms / Information Sheets • Taxonomy-Based Tools ESC Risk Toolbox

  30. ESC RMP TrainingStep 2 /Action 4 - Group Related Risks Identify Risks & Hazards Action 1: Assemble Stakeholders for Risk Assessment Action 2: Review Program/Mission Objectives, Taxonomies and Risk Assessment Process Action 4: Group Related Risks Action 5: Consolidate Related Risks & Write “If - Then” Risk Statements Action 3: Conduct Risk Identification Through Stakeholder Discussion • Classification Perspectives • Predefined Structure - Places risks into a predefined structure by applying the selected criterion to • the statement of risk and context • Examples: • - Software Development Risk Taxonomy • - Work Breakdown Structure • - Critical Path Templates • - Other Taxonomies • Self-Organized Structure - Organizes risks into distinct categories based on common characteristics; • the structure and criteria emerge as a result of the classification process • Example: Affinity Grouping/Diagram ESC Risk Toolbox

  31. ESC RMP TrainingStep 2 /Action 5 - Write Risk Statements Identify Risks & Hazards Action 1: Assemble Stakeholders for Risk Assessment Action 2: Review Program/Mission Objectives, Taxonomies and Risk Assessment Process Action 4: Group Related Risks Action 5: Consolidate Related Risks & Write “If - Then” Risk Statements Action 3: Conduct Risk Identification Through Stakeholder Discussion • Write Clear and Quantifiable Risk Statements • Capturing a statement of risk involves considering and recording the conditions that are causing • concern for a potential loss to the project, followed by a brief description of the potential • consequences of these conditions • The objective of capturing a statement of risk is to arrive at a concise • description of risk, which can be understood and acted upon • The components and description of a statement of risk are • condition: a single phrase or sentence that briefly describes the key circumstances, situations, • etc., causing concern, doubt, anxiety, or uncertainty • consequence: a single phrase or sentence that describes the key, possible negative outcome(s) • of the current conditions ESC Risk Toolbox

  32. Objective : Identify the risks associated with the Vacation in Florida scenario: Background : In completing the exercise the following analogies apply · Program IPT = The family represented the “stakeholders” and would be the members of the IPT. · Program Budget = The time phased availability of the vacation money and the limit imposed by the use of the cash budget. · Program Requirements = Requirements listed in the Scenario Instructions : 1. For small groups of 4 to 8 people. Each of the small group members will assume one of the following roles: · Family Husband = Program Manager Mother = Chief Engineer 10 Year Old Son = Installation Manager 16 Year Old Daughter = Budget Manager · Unexpected Stakeholders Brother = Test Manager Sister-In-Law = Procurement Manager Baby Son = User Grandma = MAJCOM 2. Conduct the Risk Assessment Meeting as described. ESC RMP Training ExerciseRisk Identification & Assessment

  33. ESC RMP Training ExerciseRisk Identification & Assessment (Continued)

  34. ESC RMP Training ExerciseRisk Identification & Assessment (Concluded)

  35. 15 Minute Break ESC RMP TrainingBreak

  36. Session 3 ESC RMP Training Analysis and Handling Risk

  37. ESC RMP TrainingSession 3 Agenda • Session 1 - ESC Risk Management Environment • Session 2 - Identifying Risk • Session 3 - Analysis and Handling Risk • Step 3 - Assessing and Prioritizing Risk • Step 4 - Deciding on Control Options • Step 5 - Establishing Handling Plans • Exercise • Session 4 - Implementation and Monitoring Risk

  38. ESC RMP TrainingStep 3 - Assess & Prioritize Risk Step 1 Prepare Step 2 Identify Risks & Hazards Step 3 Yes Revise Risk Plan Step 3 Assess & Prioritize Risks Is the Process Working ? New Phase or Key Stakeholder ? No Yes Yes (Continue Monitoring) Key Milestone Approaching ? No (Continue Monitoring) No (Continue Monitoring) Step 7 Monitor Handling Plans Step 4 Decide on Control Options (Continue Monitoring) No Months Since Last Assessment ? Yes Step 6 Implement Risk Handling Plans Step 5 Establish Handling Plans

  39. Discuss the Severity of the Consequences or Level of Impact to the Program If the Risk Occurs Other Impact Definitions Operational Risk Management Severity Definitions Acquisition Risk Management Impact Definitions Equivalent Numerical Value Rating Definition Critical (C) — An event that, if it occurred, would cause program failure (inability to achieve minimum acceptable requirements). Serious (S) —An event that, if it occurred, would cause major cost and schedule increases. Secondary requirements may not be achieved. Moderate (Mo) —An event that, if it occurred, would cause moderate cost and schedule increases, but important requirements would still be met. Minor (Mi) —An event that, if it occurred, would cause only a small cost and schedule increase. Requirements would still be achieved. Negligible (N) —An event that, if it occurred, would have no effect on program. Catastrophic - Complete mission failure, death, or loss of system. Critical - Major mission degradation, severe injury, occupational illness or major system damage. Moderate - Minor mission degradation, injury, minor occupational illness, or minor system damage. Negligible - Less than minor mission degradation, injury, occupational illness, minor system damage. An event whose occurrence will impact the project’s cost Severe 1 (and/or schedule) so severely that the project will be terminated. An event that, if it occurs, will cause significant cost (and/or Defaults: 0.65, 0.83, 0.95 High schedule) increases (e.g., increases of more than 5 percent) on Range: 0.65 < Allowable Value < 1 the project. An event that, if it occurs, will cause noticeable cost (and/or Defaults: 0.35, 0.50, 0.60 Moderate schedule) increases (e.g., increases of not more than 5 Range: 0.35 < Allowable Value percent) on the project. An event that, if it occurs, will cause small cost (and/or Defaults: 0.05, 0.18, 0.30 Low ESC schedule) increases that, in most cases, can be absorbed by the Range: 0 < Allowable Value < 0.35 project. An event that, if it occurs, will cause no impact to cost (and/or None 0 schedule) of the project. ESC RMP TrainingStep 3 /Action 1 - Impact Assess & Prioritize Risks Action 1: Identify & Reach Consensus on Impact / Severity for Each Risk Action 2: Identify & Reach Consensus on Probability of Occurrence for Each Risk Action 3: Identify Time Window when Risk Could Occur Action 4: Reassess Any Existing Risks in Database Action 5: Prioritize Risks by Impact, Probability & Time Action 6: Identify Handling Bands

  40. Based on the Expertise Available Discuss Each Risk and Determine the Probability of Occurrence Acquisition Risk Management Probability Definitions Operational Risk Management Probability Definitions Other Risk Management Probability Definitions PROBABILITY Risk Event Interpretation Rating Frequent – Individual/Item. Occurs often in career/equipment service life. Everyone exposed. • The probability is a single percentage number and does not have to be exact as long as the group applies a consistent approach to estimating the probabilities for all the risks • Make sure everyone is in agreement before moving on or get a decision from the program manager When we assess the probability a risk may occur, we are technically assessing a conditional probability; that is, Probability Continuously experienced. £ Extremely sure not to occur Low Likely – Individual/Item. Occurs several times in career/equipment service life. All members > 0 - 0.05 exposed. Occurs frequently. £ Almost sure not to occur Low > 0.05 - 0.15 Occasional – Individual/Item. Occurs sometime in career/equipment service life. All members £ Not likely to occur Low > 0.15 - 0.25 exposed. Occurs sporadically, or several times in inventory/service life. 0 < Prob (AB) < 1 £ Not very likely to occur Low > 0.25 - 0.35 Seldom – Individual/Item. Possible to occur in career/equipment service life. All members £ Somewhat less than an even chance Medium exposed. Remote chance of occurrence; expected to occur sometime in inventory service life. > 0.35 - 0.45 Unlikely – Individual/Item. Can assume will not occur in career/equipment service life. All £ An even chance to occur Medium where, A is the Associated Risk Event and B is the Condition Present > 0.45 - 0.55 members exposed. Possible, but improbable; occurs only very rarely. £ Somewhat greater than an even chance Medium > 0.55 - 0.65 £ Likely to occur High > 0.65 - 0.75 £ Very likely to occur High > 0.75 - 0.85 £ Almost sure to occur High > 0.85 - 0.95 > 0.95 - < 1 Extremely sure to occur High ESC RMP TrainingStep 3 /Action 2 - Probability Assess & Prioritize Risks Action 1: Identify & Reach Consensus on Impact / Severity for Each Risk Action 2: Identify & Reach Consensus on Probability of Occurrence for Each Risk Action 3: Identify Time Window when Risk Could Occur Action 4: Reassess Any Existing Risks in Database Action 5: Prioritize Risks by Impact, Probability & Time Action 6: Identify Handling Bands

  41. For each risk identify the time period when the risk is likely to occur Timeframe Ratings and Definitions A timeframe is assessed for each identified risk. Risk timeframe refers to the time during which a risk, if it occurs, will impact the project. This rating is assessed according to the project-defined guideline in the following table. Rating Interpretation Equivalent Numerical Value A risk is short-term if the project will be Defaults: 0.65, 0.83, 0.95 Short impacted by the risk, if it occurs, in the next 30 Range: 0.65 < Allowable Value < 1 days. A risk is medium-term if the project will be Defaults: 0.35, 0.50, 0.60 Medium impacted by the risk, if it occurs, in the next 30 to Range: 0.35 < Allowable Value < 0.65 60 days. A risk is long-term if the project will be impacted Defaults: 0.05, 0.18, 0.30 Long by the risk, if it occurs, beyond the next 60 days. Note: Timing is generally used in ARM as a tie breaking mechanism. ORM does not identify a time window Range: 0 < Allowable Value < 0.35 ESC RMP TrainingStep 3 /Action 3 - Timing Assess & Prioritize Risks Action 1: Identify & Reach Consensus on Impact / Severity for Each Risk Action 2: Identify & Reach Consensus on Probability of Occurrence for Each Risk Action 3: Identify Time Window when Risk Could Occur Action 4: Reassess Any Existing Risks in Database Action 5: Prioritize Risks by Impact, Probability & Time Action 6: Identify Handling Bands

  42. Tool Probability Timing Impact ESC RMP TrainingStep 3 /Action 4 Existing Risks Assess & Prioritize Risks Action 1: Identify & Reach Consensus on Impact / Severity for Each Risk Action 2: Identify & Reach Consensus on Probability of Occurrence for Each Risk Action 3: Identify Time Window when Risk Could Occur Action 4: Reassess Any Existing Risks in Database Action 5: Prioritize Risks by Impact, Probability & Time Action 6: Identify Handling Bands • Incorporate existing identified Risks with newly • identified risks. Reassess existing risks as follows: Action 1- Reassess the severity of the consequences or level of impact to the program if the risk occurs. Action 2 - Discuss each risk and reassess the probability of occurrence. Action 3 - For each risk reassess the date when the risk is likely to occur. • The existing risks and newly identified risk can be automatically folded together by risk management tool

  43. When Complete Do A Common Sense Check ! When Complete Do A Common Sense Check ! Acquisition Risk Management - Risk Prioritization Operational Risk Management - Risk Prioritization Plotting • Prioritize Risks • Prioritizing risks involves the grouping of risks based upon the • assessment accomplished in Actions 1-4 (Impact, Probability, • and Time) then • The objective of prioritizing risks is to: • Identifying the most serious program risk (combination of high impact and high probability) • Help with ordering the allocation resources • Risk Management Tools will automatically prioritize the risk. • Prioritize Risks • Prioritizing risks involves the grouping of risks based upon the • assessment accomplished in Actions 1-4 (Impact, Probability, • and Time) then • The objective of prioritizing risks is to: • Identifying the most serious program risk (combination of high impact and high probability) • Help with ordering the allocation resources • Risk Management Tools will automatically prioritize the risk. Risk Matrix Risk Radar • The risk rating is based on the probability of impact and the level of impact • (manual mapping approach) • Built in ranking feature of the Risk Management Tools develop a most to least ranking • Do a common sense check of the results • Consider breaking Borda ties by using timeframe start date High RiskNav • Risk is the probability and severity of loss from exposure to the • hazard. The assessment step is the application of quantitative • or qualitative measures to determine the level of risk • associated with a specific hazard. This process • defines the probability and severity of an • undesirable event that could result from • the hazard. High X X • Establish probability scale on y-axis • Establish impact scale on x-axis • Priority regions are set by the risk assesors • Red- Highest Priority • Yellow - Medium Priority • Green - Low Priority High X X X X P Risk Score is used to rank a risk’s priority relative to the other identified risks. The risk with the highest risk score is ranked first in priority, the risk with the next highest risk score is ranked second in priority and so forth. The closer the risk score is to one the higher the priority; the closer a risk score is to zero the lesser the priority. X X To perform the prioritization process, subjective estimates must be made based on professional judgment of the probability that a risk will occur and its negative impact on the project if it does occur. A probability of between 1 and 99 percent and an impact value of between 1 (for very low) to 5 (for very high) is assigned for each risk in Risk Radar™. The program then multiplies these numbers together to calculate a risk exposure for each risk. X Borda Rank: The Borda rank represents the number of other risks in the risk matrix that are more critical. For example, a Borda rank of 0 represents the most critical risk and a Borda rank of 1 indicates that one other risk is more critical. The format is integer (0-N). R X X O X X B X X X X Low High Low IMPACT Risk Analysis Worksheet (RAW) … Prioritize Risks Segment Tool Tool IS Upgrade (ISU) Prioritize Risks Risk Impact Impact Risk Risk Priority Risk Priority ID Score Rating Score Rating Ranking ISU.001 0.627 Moderate 0.736 High 2nd ISU.002 1.000 Severe 1.000 Severe 1st ISU.003 0.643 Moderate 0.474 Moderate 3rd ESC RMP TrainingStep 3 /Action 5 Prioritize Risks Assess & Prioritize Risks Action 1: Identify & Reach Consensus on Impact / Severity for Each Risk Action 2: Identify & Reach Consensus on Probability of Occurrence for Each Risk Action 3: Identify Time Window when Risk Could Occur Action 4: Reassess Any Existing Risks in Database Action 5: Prioritize Risks by Impact, Probability & Time Action 6: Identify Handling Bands

  44. Tool ESC RMP TrainingStep 3 /Action 6 Handling Bands Assess & Prioritize Risks Action 1: Identify & Reach Consensus on Impact / Severity for Each Risk Action 2: Identify & Reach Consensus on Probability of Occurrence for Each Risk Action 3: Identify Time Window when Risk Could Occur Action 4: Reassess Any Existing Risks in Database Action 5: Prioritize Risks by Impact, Probability & Time Action 6: Identify Handling Bands • Identify Risk Handling Bands (High, Medium, Low) • Identify the prioritized risks which will be handled, watched, or ignored • The objective is to establish preliminary resource constraints • Use Risk Management Tool Plots to assist in handling decisions. Ultimately the • handling decisions will be made to support: • Management Position • Mission Benefit • Program Constraints

  45. ESC RMP TrainingStep 4 - Decide on Control Options Step 1 Prepare Step 2 Identify Risks & Hazards Step 4 Yes Revise Risk Plan Step 3 Assess & Prioritize Risks Is the Process Working ? New Phase or Key Stakeholder ? No Yes Yes (Continue Monitoring) Key Milestone Approaching ? No (Continue Monitoring) No (Continue Monitoring) Step 7 Monitor Handling Plans Step 4 Decide on Control Options (Continue Monitoring) No Months Since Last Assessment ? Yes Step 6 Implement Risk Handling Plans Step 5 Establish Handling Plans

  46. Choosing the Best Handling Option • Feasibility of technique Technical considerations Program Resources Adequacy of budget and schedule External Issues Operational issues • Expected effectiveness • Technical Perspective • ROI Perspective • Program manager selects an approach Operational Risk Management - Top “N” Risk List Handling Options Risk List Handling Options (Acquisition Perspective) Reject: refuse to take a risk if the overall costs of the risk exceed its mission benefits. Avoid: requires canceling or delaying the job, mission, or operation, but is an option that is rarely exercised due to mission importance. Delay: May be able to delay a risk. (no time deadline) Transfer: Risk to the original entity is greatly decreased due to losses or costs are shifted to another entity. Spread: Increase exposure distance or lengthen the time between exposure events. Compensate: Create redundant capability. Reduce: Plan missions or design systems that: (1) Plan or Design for Minimum Risk (2) Incorporate Safety Devices (3) Provide Warning Devices Risk Avoidance: adjust program requirements or constraints to eliminate or reduce the risk. This adjustment could be accommodated by change in funding, schedule, or technical requirements Risk Transfer: reassign organizational accountability, responsibility, and authority to another stakeholder willing to accept the risk. (key here is who is best able to manage/mitigate this risk) Risk Mitigation: management action to reduce probability of occurrence or minimize impact Risk Assumption: conscious decision to accept risk without allocating resources to Handling it (e.g. do nothing) Risk Monitoring: conscious decision to accept risk and monitor for change (e.g. triggers, cues). This monitoring could result in the exercise of a contingency plan or the change in status of a risk severity ESC Risk Toolbox ESC RMP TrainingStep 4 /Action 1 Identify Handling Options Decide on Control Options Action 1: Identify Handling Options Within Each Risk Band Action 2: Identify Which Risks will be Assumed or Watched Action 3: Identify Which Risks will be Avoided, Transferred or Mitigated Action 4: Assign Plan OPRs for Avoided, Transferred, or Mitigated Risks Action 5: Establish or Update Risk Database

  47. Decide on Control Options Action 1: Identify Handling Options Within Each Risk Band Action 2: Identify Which Risks will be Assumed or Watched Action 3: Identify Which Risks will be Avoided, Transferred or Mitigated Action 4: Assign Plan OPRs for Avoided, Transferred, or Mitigated Risks Action 5: Establish or Update Risk Database • Triggers • Thresholds for indicators that specify when an action, such as implementing a contingency plan, • may need to be taken. • Triggers are generally used to: • Provide warning of an impending critical event • Indicate the need to implement a contingency plan • Require immediate attention for a risk • What makes a good trigger • Gives early warning to prepare • Doesn’t trip unnecessarily • Easy to calculate or collect and report • Risk to be Assumed • In this instance the program will do nothing. The risk will be handled as a problem if it • occurs in the program life cycle. No further resources will be allocated or expended in • managing the risk. • Risk to be Watched • The first category of risk to be monitored are those with established cues that indicate • there has been a change in impact, probability or timing. When this occurs the risk is • reassessed.. • Another type of risk that is monitored are risks that have established • indicators or “triggers” that when reached a contingency plan is activated. • Risk to be Assumed • In this instance the program will do nothing. The risk will be handled as a problem if it • occurs in the program life cycle. No further resources will be allocated or expended in • managing the risk. • Risk to be Watched • The first category of risk to be monitored are those with established cues that indicate • there has been a change in impact, probability or timing. When this occurs the risk is • reassessed.. • Another type of risk that is monitored are risks that have established • indicators or “triggers” that when reached a contingency plan is activated. • Risk Cues • Describes the Consequence for varying levels of Risk (e.g. high, medium, low) for a given risk • within a project. • Generally used in conjunction with a “Watch List”. • Example: In monitoring the Risk Factor Shown if metrics that measure fit to the customer organization, mission, and goals show a change the program team can quickly access the level of risk and take the appropriate management action.  Schedule Trigger  WBS  Staffing  Staffing 10% below planned level to accomplish planned work at this point in the program ESC Risk Toolbox ESC Risk Toolbox ESC RMP TrainingStep 4 /Action 2 Assumed/Watched Risks

  48. Risk to be Avoided • Adjust program requirements or constraints to eliminate or reduce the risk. This adjustment could • be accommodated by change in funding, schedule, or technical requirements. • Risk to be Transferred • Reassign organizational accountability, responsibility, and authority to another stakeholder • willing to accept the risk. (key here is who is best able to manage/mitigate this risk) • Risk to be Mitigated • Mitigation management action to reduce probability of occurrence or minimize • impact • Brainstorm Handling Strategies • Use freeform (or unstructured) brainstorming to identify potential strategies • Participants contribute ideas as they come to mind • Achieve consensus on handling options • Types of Risk Handling Plans • Research Plan • Program Restructure • Change in Direction or Funding • Mitigation Plan • Contingency Plan Note: Handling plans are generally developed outside risk assessment meetings. Preliminary assignment of handling options (Avoid, Transfer, or Mitigate) are assigned during the risk assessment meeting. Tool Each of these Handling Options Requires the Development of a Plan ESC RMP TrainingStep 4 /Action 3 Avoided/Transferred/Mitigated Decide on Control Options Action 1: Identify Handling Options Within Each Risk Band Action 2: Identify Which Risks will be Assumed or Watched Action 3: Identify Which Risks will be Avoided, Transferred or Mitigated Action 4: Assign Plan OPRs for Avoided, Transferred, or Mitigated Risks Action 5: Establish or Update Risk Database

  49. Tool ESC RMP TrainingStep 4 /Action 4 Assign OPRs Decide on Control Options Action 1: Identify Handling Options Within Each Risk Band Action 2: Identify Which Risks will be Assumed or Watched Action 3: Identify Which Risks will be Avoided, Transferred or Mitigated Action 4: Assign Plan OPRs for Avoided, Transferred, or Mitigated Risks Action 5: Establish or Update Risk Database • OPR for Risk to be Avoided • Responsibility for the development of a plan to avoidance of this risk should be assigned to an • individual who has the understanding of how to change program requirements or • constraints (this OPR is the likely action person for the execution of the plan) • OPR for Risk to be Transferred • Responsibility for the development of a plan to transfer the risk to another stakeholder should be • assigned to an individual capable of negotiating the necessary changes in responsibility, • accountability and authority. Action taken is up to the stakeholder assuming the risk • OPR for Risk to be Mitigated • Responsibility for the development of a plan (including estimate of resources) should be assigned to • an OPR that can provide the maximum effectiveness (expertise) to mitigate the risk within the • resources available (this OPR is the likely action person for the execution of the plan

  50. ESC RMP TrainingStep 4 /Action 4 Assign OPRs(Concluded) Decide on Control Options Action 1: Identify Handling Options Within Each Risk Band Action 2: Identify Which Risks will be Assumed or Watched Action 3: Identify Which Risks will be Avoided, Transferred or Mitigated Action 4: Assign Plan OPRs for Avoided, Transferred, or Mitigated Risks Action 5: Establish or Update Risk Database • Considerations in Assigning Responsibility • Who could solve the risk? • Expertise • Resources (People, Facilities, Tools etc.) • Access • Who would have the power and authority to allocate resources? • Funding • Personnel • Program Assets • Who is accountable or can be held accountable for this risk? • Area of Responsibility • Who has the time to manage this risk? • Who has the opportunity to take action