Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Cynthia.calhoun
1. National Aeronautics and Space Administration
National Aeronautics and Space Administration
Risk Management
Getting Started
APPEL PM Challenge Conference
APPEL PM Challenge Conference
February 2008
February 2008
Cynthia Calhoun
Cynthia Calhoun
NASA Glenn Research Center
NASA Glenn Research Center
www.nasa.gov
www.nasa.gov
2. Introduction
Implementing a formal risk management program into any
project can be challenging when most people only focus on
the costs and schedule of getting the job done.
Projects know risks exists, but have decided that they do not
need anything getting in the way of completing their tasks on
time or adding costs to their budget.
Projects need to understand that the risk management
process is a basis for decisions to mitigate threats not only to
their costs and schedule, but threats to the technical,
environmental, security, or safety aspects of the project.
1/31/2008 PMC 2008 Risk Management Program 2
3. Risk Management Defined
An organized, systematic decision-making
process that efficiently identifies, analyzes,
plans, tracks, controls, communicates, and
documents risk to increase the likelihood of
achieving program/project goals.
NPR 7120.5 NASA Program and Project
Management Requirements
1/31/2008 PMC 2008 Risk Management Program 3
4. NASA Risk Management Growth
NASA Risk
Develop
Reporting Governance
CRM
5 X 5 Matrix Model
Process
1998 1999 2002 2005 2006 2007
* SMA RBAM NPR NASA Update
8000.4 Exploration NPR
Kick-off
Risk Mgt Safety 8000.4
Formal
Reqts Study • Costs risks
Risk
• Schedule Risks
Mgt Pgm • EVM
per • Safety Risks (PRA)
NPR • Sys Eng and Integration
7120.5A
•Note—While Risk Management was not new to NASA, the Agency had never
required a structured risk management effort to be a standard element of all
programs and projects.
1/31/2008 PMC 2008 Risk Management Program 4
5. NASA Continuous Risk Management (CRM)
Identify—Search for and locate risks before
they become problems
Analyze—Convert risk data into useable
information for determining priorities and
making decisions
Plan—Translate risk information into planning
decisions and mitigating actions (both present
and future), and implement those actions
Track—Monitor risk indicators and mitigation
actions
Control—Correct risk mitigation plan
deviations and decide on future actions
Communicate and Document—Provide
information to project on risk activities and
current/future risks
1/31/2008 PMC 2008 Risk Management Program 5
6. Implement and Integrate Risk Management
A few examples on how a project can begin
implementing risk management methods and
techniques into every aspect of the project, and the
barriers and successes of integrating risk
management into day-to-day project activities will
be covered for the following actions:
Assign a risk facilitator
Conduct risk management training
Develop risk management plan
Execute risk management plan
Apply continuous improvement
1/31/2008 PMC 2008 Risk Management Program 6
7. Assign a Risk Facilitator
Ensure programs/projects utilize risk-based decision making
to continuously manage the acquisition, safety, technical,
and programmatic risks. This includes:
Provide CRM training and Risks Identification Workshops
Assist with developing, implementing, and updating risk
management plans.
Review risk statements for clarity and conciseness.
Provide guidance on estimating the likelihood, consequences,
and timeframe of the risks.
Review risk mitigations to ensure the mitigation will actually
reduce the likelihood and consequence of the risk occurring.
Assure risks are tracked and used to measure the progress of
the risk management program.
Monitoring risk closures and reporting.
1/31/2008 PMC 2008 Risk Management Program 7
8. Assign a Risk Facilitator (continued)
Assure their respective project/element risk information is
documented in the respective risk database and kept current.
Ensuring the project is adhering to a continuous risk
management process.
Research methods, tools, and techniques to enable and
improve the continuous risk management process.
Review and assess the effectiveness of the risk management
process and provide recommendations for improvement.
Stay abreast of developments, enhancements, and
assessments of Agency risk management related policies,
standards, and guidelines.
1/31/2008 PMC 2008 Risk Management Program 8
9. Assign a Risk Facilitator (continued)
Risk facilitator IS NOT responsible for implementing risk
management in the project; this is the PM’s responsibility.
Risk facilitator SHOULD NOT be looked upon or used as
the ONLY person performing risk management on the
project.
Depending on the size of the project, the risk facilitator
could perform a dual role.
For example, serve as the risk facilitator and perform
Systems Engineering, Quality Assurance, or Reliability
Engineering.
1/31/2008 PMC 2008 Risk Management Program 9
10. Conduct Risk Management Training
Tailor course language and exercises to the theme
of the Project.
Be consistent in terminology:
Risk Statements—“One condition per risk statement,”
“one consequence per risk statement,” “two or more
consequences per risk statement?”
Attributes—“Probability vs. Impact” or
“Likelihood vs. Consequence”
Risk Planning Approach—“Mitigate,” “Watch,” “Monitor,”
“Accept,” “Research?”
New Risks—“Candidate,” “New?”
Closed Risks—“Retire,” “Transfer,” “Close,” “Accept,”
“Escalated?”
Risk matrix colors and orientation
1/31/2008 PMC 2008 Risk Management Program 10
11. Conduct Risk Management Training (continued)
5
5 4 5 1 2
Tot: 32
L 5 Tot: 8
I 4 9 6 3
K 4 4
Likelihood
E
L 33 3
7 8
I
2 Tot: 18
H
10
O 22
O 1
D 1 2 3 4 5
11
Consequences
11 2
2 33 4
4 5
5
CONSEQUENCES
1/31/2008 PMC 2008 Risk Management Program 11
12. Conduct Risk Management Training (continued)
Ensure course content is consistent with Agency’s
requirements.
Require project to include a “Risk Identification Workshop”
as part of training.
Use project documentation to help identify threats to
goals and objectives, and to develop definitions for
likelihood, consequence, and timeframe risk attributes.
Walk through the whole CRM process for at least one risk.
1/31/2008 PMC 2008 Risk Management Program 12
13. Develop Risk Management Plan
Risk Management Plan should be project specific, configuration
controlled, and compliant with Agency requirements.
Overview of Risk Management (RM) process
Project organization and responsibilities
—Especially interfaces with the contractor; ensure Data
Requirements Document (DRD) specifies compliance with
Agency RM requirements.
Risk management activities in detail
Budget, resources, and milestones for risk management activities
Procedure for documenting risks
Assumptions and technical considerations
Constraints
Descope options
1/31/2008 PMC 2008 Risk Management Program 13
14. Execute Risk Management Plan
Use Engineering Review Board/Risk Board/Risk Panel as
gatekeeper to vet risks.
Focus facilitator on risk in project discussions.
Conduct Risk Identification Workshop against WBS elements
and prior to major milestones.
Include and track risk mitigations in project schedule.
Talk to other “-ility” disciplines.
Ensure consistent communication between interfaces.
Present/report high risks to senior management, especially
where technical challenges and resources for mitigations are
a concern.
1/31/2008 PMC 2008 Risk Management Program 14
15. Execute Risk Management Plan (continued)
Review risks in technical, cost, schedule, and safety
discussions.
Evaluate how well risk mitigations are working.
Perform trend analysis on risks; any areas of concern
starting to appear.
Adjust risk attributes (likelihood and consequence) levels.
Celebrate successes!
Positive impacts to schedule and costs
Technical challenges overcame
Track “what ifs”
Show concrete value and benefits
1/31/2008 PMC 2008 Risk Management Program 15
16. Continuous Improvement
Evaluate frequency of risk reporting for possible timesavers.
Remove burdensome tasks or activities that have no affect
on risk management process.
Audit risk management process for inefficiencies.
Solicit recommendations from project team members.
Share lessons learned with similar projects.
Tap into unused features of risk tool(s).
Attend risk management conferences and/or join risk
management working groups.
1/31/2008 PMC 2008 Risk Management Program 16
17. Summary
Projects can apply continuous risk management principles
as a decision-making tool by:
Identifying the threats to project objectives and mission
success, along with any project constraints.
Assessing the likelihood and consequences of these threats
against project criteria (e.g., schedule, budget, milestones, etc.).
Developing risk mitigation strategies and tasks to buy down the
threats and reduce the risks.
Integrating the risk mitigation strategies into the project schedule
and budget.
Reviewing the effectiveness of risk mitigation activities and
residual risks.
Documenting and communicating risks information throughout
the project’s life cycle.
1/31/2008 PMC 2008 Risk Management Program 17
18. Conclusion
It is very important that the risk management process:
Begin early in formulation.
Involve the project team to assess all identifiable risks up
front.
Be addressed in the Project Plan and detailed in the Risk
Management Plan.
Be continually reviewed for the disposition and tracking of
all identified risks throughout the implementation and
operations phases.
1/31/2008 PMC 2008 Risk Management Program 18