DAU RMG 5th: Risk Management Guide for DoD Acquisition
2.9 RISK DOCUMENTATION
A primary criterion for successful management is formally documenting the
ongoing risk management process. This is important because:
- It provides the basis for program assessments and updates as the program
- Formal documentation tends to ensure more comprehensive risk assessments
than if it is not documented.
- It provides a basis for monitoring risk handling actions and verifying
- It provides program background material for new personnel.
- It is a management tool for the execution of the program.
- It provides the rationale for program decisions.
The documentation should be done by those responsible for planning,
collecting, and analyzing data, i.e., IPT level in most cases.
Risk management reports vary depending on the size, nature, and phase of
the program. Examples of some risk management documents and reports that may
be useful to a PM are:
- Risk management plan,
- Risk information form,
- Risk assessment report,
- Prioritized list of risks,
- Risk handling plan,
- Aggregated risk list,
- Risk monitoring documentation:
– Program metrics,
– Earned value reports,
– Watch list,
– Critical risk processes reports.
Most PMOs can devise a list of standard reports that will satisfy their
needs most of the time; however, since there will always be a need for ad hoc
reports, briefings, and assessments, it is advisable to store risk information
in a management information system (MIS). This allows the creation of both
standard and ad hoc reports, as needed. Paragraphs 4.8
discuss an MIS to support a risk management program.
Acquisition reform discourages Government oversight; therefore, formal
contractor-produced risk documentation may not be available for most programs.
However, program insight is encouraged, and PMOs can obtain information about
program risk from contractor internal documentation such as:
- Risk Management Policy and Procedures. This is a
description of the contractor’s corporate policy for the management of risk.
The procedures describe the methods for risk identification, analysis,
handling, monitoring, and documentation. It should provide the baseline
planning document for the contractor’s approach to risk management.
- Corporate Policy and Procedures Documents. Corporations
have policy and procedures documents that address the functional areas that are critical to
the design, engineering, manufacture, test and evaluation, quality,
configuration control, etc., of a system. These
documents are based on what the company perceives as best practices, and
although they may not specifically address risk, deviation from these
policies represents risk to a program. Internal company reports that address how
well programs comply with policy may be required and will provide valuable
- Risk Monitoring Report. Contractors should have
internal tracking metrics and reports for each moderate- or high-risk item.
These metrics may be used to determine the status of risk reduction