The DoD risk management concept is based on the principles that risk management must be forward-looking, structured, informative, and continuous. The key to successful risk management is early planning and aggressive execution. Good planning enables an organized, comprehensive, and iterative approach for identifying and assessing the risk and handling options necessary to refine a program acquisition strategy. To support these efforts, assessments should be performed as early as possible in the life cycle to ensure that critical technical, schedule, and cost risks are addressed with mitigation actions incorporated into program planning and budget projections.
PMs should update program risk assessments and tailor their management strategies accordingly. Early information gives them data that helps when writing a Request for Proposal and assists in Source Selection planning. As a program progresses, new information improves insight into risk areas, thereby allowing the development of effective handling strategies. The net result promotes executable programs.
Effective risk management requires involvement of the entire program team and also requires help from outside experts knowledgeable in critical risk areas (e.g., threat, technology, design, manufacturing, logistics, schedule, and cost). In addition, the risk management process should cover hardware, software, the human element, and integration issues. Outside experts may include representatives from the user, laboratories, contract management, test, logistics, and sustainment communities, and industry. Users, essential participants in program trade analyses, should be part of the assessment process so that an acceptable balance among cost, schedule, performance, and risk can be reached. A close relationship between the Government and industry, and later with the selected contractor(s), promotes an understanding of program risks and assists in developing and executing the management efforts.
Successful risk management programs generally have the
Feasible, stable, and well-understood user requirements and threat;
A close relationship with user, industry, and other appropriate participants;
A planned and structured risk management process, integral to the acquisition process;
An acquisition strategy consistent with risk level and risk-handling strategies;
Continual reassessment of program and associated
A defined set of success criteria for all cost, schedule, and performance elements, e.g., Acquisition Program Baseline (APB)
Metrics to monitor effectiveness of risk-handling
Effective Test and Evaluation Program;
PMs should follow the guidelines below to ensure that a management program possesses the above characteristics.
Assess program risks, using a structured process, and develop strategies to manage these risks throughout each acquisition
Identify early and intensively manage those design parameters that critically affect cost, capability, or
Use technology demonstrations/modeling/simulation and aggressive prototyping to reduce risks.
Use test and evaluation as a means of quantifying the results of the risk-handling process.
Include industry and user participation in risk
Use Developmental Test and Evaluation (DT&E) and early operational assessments when appropriate.
Establish a series of "risk assessment reviews" to evaluate the effectiveness of risk handling against clearly defined success
Establish the means and format to communicate risk information and to train participants in risk management.
Prepare an assessment training package for members of the program office and others, as needed.
Acquire approval of accepted risks at the appropriate decision level.
In general, management of software risk is the same as management of other types of risk, and techniques that apply to hardware programs are equally applicable to software-intensive programs. However, some characteristics of software make this type of risk management different, primarily because it is difficult to:
Identify software risk.
Estimate the time and resources required to develop new software, resulting in potential risks in cost and
Test software completely because of the number of paths that can be followed in the logic of the software.
Develop new programs because of the rapid changes in information technology and an ever-increasing demand for quality software