===Risk Planning===
Risk planning involves establishing and maintaining a strategy for identifying, analyzing, handling, and monitoring risks, and how the strategy will be implemented on the project.  The strategy, both the process and its implementation, is documented in a risk management plan (RMP).
The risk management process and its implementation should be tailored to each project, updated as appropriate throughout the life of the project, and the RMP transmitted in an appropriate means to the project team and key stakeholders.  
The RMP should contain key risk management information, including:  1) a project summary; 2) project acquisition and contracting strategies; 3) key definitions; 4) a list of key documents; 5) process steps; 6) inputs, tools and techniques, and outputs per process step; 7) linkages of risk management with other project processes, 8) key ground rules and assumptions; 9) risk categories, 10) seller and buyer roles and responsibilities, 11) organizational and personnel roles and responsibilities. (Conrow 2003).  The level of detail should be risk-driven: simple plans for low risk projects; detailed plans for high risk projects.

The purpose of risk management is to evaluate concerns and take action to reduce potential risks to an acceptable level before they occur throughout the life of the product or project. Risk management is a continuous, forward-looking process that is applied to anticipate and avert risks that may adversely impact the project. Risk management can be considered a project management or a systems engineering process. A balance must be achieved on each project in terms of overall risk management ownership, implementation, and day-to-day responsibility between by these two top-level processes.

Risk is a measure of the potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints. It has two components: 1) the probability (or likelihood) of failing to achieve a particular outcome, and 2) the consequences (or impact) of failing to achieve that outcome. (DAU, 2003a) (In the domain of catastrophic risk analysis, risk has three components: 1) threat, 2) vulnerability, and 3) consequence.) (Willis et al. 2005)

Risk management involves defining a risk management strategy, identifying and analyzing risks, handling selected risks, and monitoring the progress in reducing risks to an acceptable level. (SEI 2010; DoD 2006; DAU 2003a; DAU 2003b; PMI 2008) (Opportunity and opportunity management is briefly discussed in Subsection 3 below.)

Risk Management Process Overview

The SE risk management process includes the following activities:

  • Risk planning
  • Risk identification
  • Risk analysis
  • Risk handling
  • Risk monitoring

Risk Planning

Risk planning involves establishing and maintaining a strategy for identifying, analyzing, handling, and monitoring risks, and how the strategy will be implemented on the project. The strategy, both the process and its implementation, is documented in a risk management plan (RMP).

The risk management process and its implementation should be tailored to each project, updated as appropriate throughout the life of the project, and the RMP transmitted in an appropriate means to the project team and key stakeholders.

The RMP should contain key risk management information, including: 1) a project summary; 2) project acquisition and contracting strategies; 3) key definitions; 4) a list of key documents; 5) process steps; 6) inputs, tools and techniques, and outputs per process step; 7) linkages of risk management with other project processes, 8) key ground rules and assumptions; 9) risk categories, 10) seller and buyer roles and responsibilities, 11) organizational and personnel roles and responsibilities. (Conrow 2003). The level of detail should be risk-driven: simple plans for low risk projects; detailed plans for high risk projects.

Risk Identification

Risk identification is the process of examining the project products, processes, and requirements to identify and document candidate risks. Risk identification should be performed continuously at the individual-level as well as through formerly structured events at both regular intervals and following major program changes (e.g., project initiation, re-baselining, change in acquisition phase).

It should use one or more top-level approaches (e.g., Work Breakdown Structure, key processes evaluation, key requirements evaluation) and one or more lower-level approaches (e.g., affinity, brainstorming, checklists and taxonomies, examining critical path activities, expert judgment, fishbone diagrams). (Conrow 2009) For example, lower-level checklists and taxonomies exist for software risk identification (Conrow and Shishido 1997, 83-89, p. 84; Boehm 1989, 115-125, Carr et al. 1993, p. A-2) and operational risk identification (Gallagher et al. 2005, p. 4), and have been used on a wide variety of programs. Both the top and lower-level approaches are essential but there is no single acceptable method—all approaches should be examined and used as appropriate.

Candidate risk documentation should include the following items where possible: 1) risk title; 2) a structured risk description; 3) applicable risk categories; 4) potential root causes; 5) relevant historical information (e.g., actions to date); and 6) responsible individual and manager. (Conrow 2003, p. 198)

It’s important to use structured risk descriptions such as an If (an event occurs--trigger) Then (an outcome or affect occurs) Because (of the following reasons, or root cause) format. Another useful construct is a Condition (that exists) which leads to a potential Consequence (outcome). (Gluch 1994) These approaches help the analyst to better think through the potential nature of the risk.

Risk analysis and risk handling activities should only be performed on approved risks because of the scarcity of resources and opportunity costs in not efficiently focusing on the correct risks.

Risk Analysis

Risk analysis is the process of systematically evaluating each identified, approved risk to estimate the probability of occurrence (likelihood) and consequence of occurrence (impact), converting the results to a corresponding risk level or rating.

While there is no single “best” approach for a given risk category, risk scales and a corresponding matrix, simulations, and probabilistic risk assessments are often used for technical risks, while decision trees, simulations, and payoff matrices are used for cost risk, and simulations are used for schedule risk. Risk analysis approaches are sometimes grouped into qualitative and quantitative methods. A structured, repeatable methodology should be used in order to increase analysis accuracy and reduce uncertainty.

The most common qualitative method uses (typically) ordinal probability and consequence scales coupled with a risk matrix (also known as a risk cube or mapping matrix) to convert the resulting values to a risk level. Here, one or more probability of occurrence scales, coupled with three consequence of occurrence scales (cost, performance, schedule) are typically used. Mathematical operations should not be performed on ordinal scale values to prevent erroneous results. (Conrow 2003, pp. 187-364)

Once the risk level for each risk is determined, the risks need to be prioritized. Prioritization is typically performed by risk level (e.g., low, medium, high), risk score [the pair of max (probability), max (consequence) values], and other considerations such as time-frame, frequency of occurrence, and interrelationship with other risks. (Conrow 2003, pp. 187-364) An additional prioritization technique is to convert results into an estimated cost, performance, and schedule value (e.g., probability * dollar consequence). However, the result is only a point estimate and not a distribution of risk.

Widely used quantitative methods include decision trees and the associated expected monetary value analysis (Clemen and Reilly 2001), modeling and simulation (Law 2007; Mun 2010; Vose 2000), payoff matrices (Kerzner 2009, pp. 747-751), probabilistic risk assessments (Kumamoto and Henley 1996; NASA 2002), and other techniques. Risk prioritization can directly result from the quantitative methods employed.

For quantitative approaches, care is needed in developing the model structure, since the results will only be as good as the accuracy of the structure coupled with the characteristics of probability estimates or distributions (Law 2007; Evans, Hastings, and Peacock 2000) used to model risk that is present.

If multiple risk facets exist for a given item (e.g., cost risk, schedule risk, and technical risk), the different results should be integrated into a cohesive three-dimensional “picture” of risk. Sensitivity analyses can be applied to both qualitative and quantitative approaches in an attempt to understand how potential variability will affect results. Particular emphasis should be paid to compound risks (e.g., highly coupled technical risks with inadequate fixed budgets and schedules).

Risk Handling

Risk handling is the process that identifies and selects options and implements the desired option to reduce a risk to an acceptable level, given program constraints (budget, other resources) and objectives. (DAU 2003a, pp. 20-23, 70-78)

For a given system of interest, risk handling is primarily performed at two levels. At the system level, the overall ensemble of system risks is initially determined and prioritized, and second-level draft risk element plans (REPs) are prepared for handling the risks. For more complex systems, it is important that the REPs at the higher system-of-interest level are kept consistent with the system RMPs at the lower system-of-interest level, and that the top-level RMP preserves continuing risk traceability across the systems of interest.

The risk handling strategy selected is the combination of the most desirable risk handling option coupled with a suitable implementation approach for that option. (Conrow 2003) Risk handling options include assumption, avoidance, control (mitigation), and transfer. All four options should be evaluated and the best one chosen for each risk. An appropriate implementation approach is then chosen for that option. Hybrid strategies can be developed that include more than one risk handling option, but with a single implementation approach. Additional risk handling strategies can also be developed for a given risk and either implemented in parallel with the primary strategy or made a contingent and implemented if a particular trigger event occurs during the execution of the primary strategy. Often, option choice is difficult because of uncertainties in the risk probabilities and impacts. In such cases, buying information to reduce risk uncertainty via prototypes, benchmarking, surveying, modeling, etc. will clarify risk handling decisions (Boehm, 1981).

Risk Handling Plans

A risk handling plan (RHP, a REP at the system level), should be developed and implemented for all high and medium risks and selected low risks as warranted.

Each RHP should include : 1) a risk owner and management contacts, 2) selected option, 3) implementation approach, 4) estimated probability and consequence of occurrence levels at the start and conclusion of each activity, 5) specific measurable exit criteria for each activity, 6) appropriate metrics, and 7) resources needed to implement the RHP (e.g., personnel, funding, test equipment, etc.). (Conrow 2003, pp. 365-387)

Metrics included in each RHP should provide an objective means of determining whether the risk handling strategy is “on track,” and whether it needs to be updated. On larger projects these can include earned value, variation in schedule and technical performance measurements (TPMs), and changes in risk level vs. time.

The activities present in each RHP should be integrated into the project’s integrated master schedule or equivalent; otherwise there will be ineffective risk monitoring and control.

Risk Monitoring

Risk monitoring is used to evaluate the effectiveness of risk handling activities against established metrics and provide feedback to the other risk management process steps. Risk monitoring results may also provide a basis to update RHPs, develop additional risk handling options and approaches, and re-analyze risks. In some cases, monitoring results may also be used to identify new risks, revise an existing risk with a new facet, or revise some aspects of risk planning. (DAU 2003a, p. 20) Some risk monitoring approaches that can be applied include: 1) earned value, 2) program metrics, 3) TPMs, 4) schedule analysis, and 5) variations in risk level. Risk monitoring approaches should be updated and evaluated at the same time and WBS level; otherwise, the results may be inconsistent.

Opportunity and Opportunity Management

In principle, opportunity management is the dual of risk management, with two components: probability of achieving an improved outcome, and impact of achieving the outcome. Thus, both should be addressed in risk management planning and execution. In practice, however, a positive opportunity exposure will not match a negative risk exposure in utility space, since the positive utility magnitude of improving an expected outcome is considerably less than the negative utility magnitude of failing to meet an expected outcome [Canada, 1971; Kahneman-Tversky, 1979]. Further, since many opportunity-management initiatives have failed to anticipate serious side effects, all candidate opportunities should be thoroughly evaluated for potential risks to prevent unintended consequences from occurring.

Linkages to Other Systems Engineering Management Topics

The measurement process provides indicators for risk analysis. Project planning involves the identification of risk and planning for stakeholder involvement. Project Assessment and Control monitors project risks. Decision management evaluates alternatives for selection and handling of identified and analyzed risks.

Practical Considerations

Key pitfalls and good practices related to systems engineering risk management are described in the next two sections.


Some of the key pitfalls encountered in performing risk management are below.

Risk Management Pitfalls
Name Description
Process Over-reliance
  • Over-reliance on the process side of risk management without sufficient attention to human and organizational behavioral considerations.
Lack of Continuity
  • Failure to implement risk management as a continuous process. Risk management will be ineffective if it’s done just to satisfy project reviews or other discrete criteria. (Charette, Dwinnell, and McGarry 2004, 18-24 and Scheinin 2008).
Tool and Technique Over-reliance
  • Over-reliance on tools and techniques, with insufficient thought and resources expended on how the process will be implemented and run on a day-to-day basis.
Lack of Vigilance
  • A comprehensive risk identification will generally not capture all risks; some risks will always escape detection, which reinforces the need for risk identification to be performed continuously.
Automatic Mitigation Selection
  • Automatically select the risk handling mitigation option, rather than evaluating all four options in an unbiased fashion and choosing the “best” option.
Sea of Green
  • Tracking progress of the risk handling plan, while the plan itself may not adequately include steps to reduce the risk to an acceptable level. Progress indicators may appear “green” (acceptable) associated with the risk handling plan: budgeting, staffing, organizing, data gathering, model preparation, etc. But the risk itself may be largely unaffected if the handling strategy and the resulting plan is poorly developed, does not address potential root cause(s), and does not incorporate actions that will effectively resolve the risk.
Band-Aid Risk Handling
  • Handling risks (e.g., interoperability problems with changes in external systems) by patching each instance, rather than addressing the root cause(s) and reducing the likelihood of future instances.

Good Practices

Some good practices, gathered from the references are below.

Risk Management Good Practices
Name Description
Top Down and Bottom Up
  • Risk management should be both “top down” and “bottom up” in order to be effective. The project manager or deputy need to own the process at the top level. But risk management principles should be considered and used by all project personnel.
Early Planning
  • Include the planning process step in the risk management process. Failure to adequately perform risk planning early in the project phase, contributes to ineffective risk management.
Risk Analysis Limitations
  • Understand the limitations of risk analysis tools and techniques. Risk analysis results should be challenged because considerable input uncertainty and/or potential errors may exist.
Robust Risk Handling Strategy
  • The risk handling strategy should attempt to reduce both the probability and consequence of occurrence terms. It is also imperative that the resources needed to properly implement the chosen strategy be available in a timely manner, else the risk handling strategy, and the entire risk management process, will be viewed as a “paper tiger.”
Structured Risk Monitoring
  • Risk monitoring should be a structured approach to compare actual vs. anticipated cost, performance, schedule, and risk outcomes associated with implementing the RHP. When ad-hoc or unstructured approaches are used, or when risk level vs. time is the only metric tracked, the resulting risk monitoring usefulness can be greatly reduced.
Update Risk Database
  • The risk management database (registry) should be updated throughout the course of the program, striking a balance between excessive resources required and insufficient updates performed. Database updates should occur at both a tailored, regular interval and following major program changes.


control issue opportunity problem risk


Acronym Definition

AIAA American Institute of Aeronautics and Astronautics

REP Risk Element Plan

CDF Cumulative Distribution Function

EV Earned Value

IEC International Electronical Commission

IEEE Institute of Electrical and Electronics Engineers

INCOSE International Council on Systems Engineering

ISO International Organization for Standardization

PDF Probability Density Function

RHP Risk Handling Plan

RMP Risk Management Plan

TPM Technical Performance Measurement


Issue—(1) An area of concern that may impact the achievement of program/organizational objectives – a problem (existing), a risk (future uncertainty), or lack of information (existing). (ISO/IEC 15939, PSM) (2) A concern that has a probability of occurrence equal to one, a consequence of occurrence greater than zero, and a time-frame in the future. An issue will occur and have a negative impact to the project, but it will not immediately occur. (Conrow, 2008)

Problem—A problem is a concern that has a probability of occurrence equal to one, a consequence of occurrence greater than zero, and a time-frame that is current (now). A problem is a concern that has occurred and has a negative impact to the project. (Conrow, 2008)

Risk-1) Risk is a measure of the potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints and has two components: 1.The probability (or likelihood) of failing to achieve a particular outcome and 2.The consequences (or impact) of failing to achieve that outcome. (DAU, 2003a) A risk has a probability of occurrence that is greater than zero but less than one, a consequence of occurrence greater than zero, and a time-frame in the future. (Conrow 2008) (2) In the domain of catastrophic risk analysis, such as for terrorist attacks or natural disasters, risk has three components: 1.Threat (the probability that a specific target is attacked in a specific way during a specified period) 2.Vulnerability (the probability that damage occurs given a threat), and 3.Consequence (the magnitude and type of damage resulting from an attack or disaster). (Willis et al. 2005)

Risk management—Risk management is the act or practice of dealing with risk. It includes risk management planning, identification, analysis, responses (handling), and monitoring and control and associated documentation. Given that risk emergence and risk management are continuous processes, these activities will be performed concurrently rather than sequentially.

Opportunity-The likelihood and impact of a beneficial outcome. In risk management a variety of different classes of outcomes can be termed an opportunity, which may not be uniquely specified. Risk can be defined in terms of specific bounds on probability (0 < P < 1), consequence (> 0), and time-frame (future), as can issue [P = 1, C > 0, and time-frame (future)] and problem [P = 1, C > 0, and time-frame (present)]. However, similar definitions are unavailable for opportunity because of the inability to uniquely specify whether the case of P = 1 is included or excluded, consequence (can be positive or negative) and time-frame (present, future, with no analog to issue and problem). (Conrow 2008)



