2.6.2 Risk Assessment Process
Risk assessment is the problem definition stage of management that
identifies and analyzes (quantifies) prospective program events in terms of
probability and consequences/impacts. The results form the basis for most risk
management actions. It is probably the most difficult and time-consuming part
of the management process. There are no quick answers or shortcuts. Tools are
available to assist evaluators in assessing risk, but none are totally
suitable for any program and may be highly misleading if the user does not
understand how to apply them or interpret the results. Despite its complexity,
risk assessment is one of the most important phases of the risk process
because the caliber and quality of assessments determine the effectiveness of
a management program.
The components of assessment, identification and analysis, are performed
sequentially with identification being the first step.
Risk identification begins by compiling the program's risk events. PMOs
should examine and identify program events by reducing them to a level of
detail that permits an evaluator to understand the significance of any risk
and identify its causes, i.e., risk drivers. This is a practical way of
addressing the large and diverse number of potential risks that often occur in
acquisition programs. For example, a WBS level 4 or 5 element may generate
several risk events associated with a specification or function, e.g., failure
to meet turbine blade vibration requirements for an engine turbine design.
Risk events are best identified by examining each WBS product and process
element in terms of the sources or areas of risk, as previously described in
Risks are those events that evaluators (after examining scenarios, WBS, or
processes) determine would adversely affect the program. Evaluators may
initially rank events by probability and consequence/impact of occurrence
before beginning analysis to focus on those most critical.
Risk analysis is a technical and systematic process to examine identified
risks, isolate causes, determine the relationship to other risks, and express
the impact in terms of probability and consequences/impacts.
In practice, the distinction between risk identification and risk analysis
is often blurred because there is some risk analysis that occurs during the
identification process. For example, if, in the process of interviewing an
expert, a risk is identified, it is logical to pursue information on the
probability of it occurring, the consequences/impacts, the time associated
with the risk (i.e., when it might occur), and possible ways of dealing with
it. The latter actions are part of risk analysis and risk handling, but often
begin during risk identification.
Prioritization is the ranking of risk events to determine the order of
importance. It serves as the basis for risk-handling actions. Prioritization
is part of risk analysis.
Integrated Product Teams (IPTs) typically perform risk assessments in a
decentralized risk management organization as described in Paragraph
4.4. If necessary, the team may be augmented by people from other program
areas or outside experts. Paragraph 5.4, Risk
Assessment Techniques, elaborates on this for each of the described