Risk is a measure of the potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints and has two components: (1) the probability/likelihood of failing to achieve a particular outcome, and (2) the consequences/impacts of failing to achieve that outcome.
Risk events, i.e., things that could go wrong for a program or system, are elements of an acquisition program that should be assessed to determine the level of risk. The events should be defined to a level that an individual can comprehend the potential impact and its causes. For example, a potential risk event for a turbine engine could be turbine blade vibration. There could be a series of potential risk events that should be selected, examined, and assessed by subject-matter experts.
The relationship between the two components of risk - probability and consequence/impact - is complex. To avoid obscuring the results of an assessment, the risk associated with an event should be characterized in terms of its two components. As part of the assessment there is also a need for backup documentation containing the supporting data and assessment rationale.
Risk management is the act or practice of dealing with risk. It includes planning for risk, assessing (identifying and analyzing) risk areas, developing risk-handling options, monitoring risks to determine how risks have changed, and documenting the overall risk management program.
Risk planning is the process of developing and documenting an organized, comprehensive, and interactive strategy and methods for identifying and tracking risk areas, developing risk-handling plans, performing continuous risk assessments to determine how risks have changed, and assigning adequate resources.
Risk assessment is the process of identifying and analyzing program areas and critical technical process risks to increase the probability/likelihood of meeting cost, schedule, and performance objectives. Risk identification is the process of examining the program areas and each critical technical process to identify and document the associated risk. Risk analysis is the process of examining each identified risk area or process to refine the description of the risk, isolating the cause, and determining the effects. It includes risk rating and prioritization in which risk events are defined in terms of their probability of occurrence, severity of consequence/impact, and relationship to other risk areas or processes.
Risk handling is the process that identifies, evaluates, selects, and implements options in order to set risk at acceptable levels given program constraints and objectives. This includes the specifics on what should be done, when it should be accomplished, who is responsible, and associated cost and schedule. The most appropriate strategy is selected from these handling options. For purposes of the Guide, risk handling is an all-encompassing term whereas risk mitigation is one subset of risk handling.
Risk monitoring is the process that systematically tracks and evaluates the performance of risk-handling actions against established metrics throughout the acquisition process and develops further risk-handling options, as appropriate. It feeds information back into the other risk management activities of planning, assessment, and handling as shown in Figure 2-1.
Risk documentation is recording, maintaining, and reporting assessments, handling analysis and plans, and monitoring results. It includes all plans, reports for the PM and decision authorities, and reporting forms that may be internal to the PMO.
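The process described above (assessment, rating and prioritization, handling, monitoring, and documentation) can be made concrete as a small risk register. The following is an added example, not text or code from the Guide: the 1-to-5 rating scales, the banding rule, the prioritization order, and all sample risk events other than the Guide's own "turbine blade vibration" illustration are assumptions constructed for the example. It deliberately keeps probability and consequence as two separate components rather than collapsing them into one multiplied score, as the text recommends.

```python
"""Added example of a risk register for the process described in the Guide.
Rating scales, banding, and ordering rules are assumptions; sample events
other than 'turbine blade vibration' are constructed."""
from dataclasses import dataclass, field

LEVELS = range(1, 6)  # assumed scale: 1 = lowest, 5 = highest, for both components


@dataclass
class RiskEvent:
    """One risk event: something that could go wrong, defined to a level
    where its cause and potential impact can be understood."""
    name: str
    cause: str
    effect: str
    likelihood: int          # probability of failing to achieve the outcome
    consequence: int         # impact of failing to achieve the outcome
    rationale: str           # backup documentation supporting the assessment
    related: list = field(default_factory=list)   # links to other risk areas
    handling: str = "none selected"               # selected handling option
    history: list = field(default_factory=list)   # (likelihood, consequence) trail

    def __post_init__(self):
        for value in (self.likelihood, self.consequence):
            if value not in LEVELS:
                raise ValueError(f"{self.name}: rating {value} outside 1-5")
        self.history.append((self.likelihood, self.consequence))


def band(event):
    """Assumed banding rule: derive the band from the worse of the two
    components so that neither component hides the other."""
    worst = max(event.likelihood, event.consequence)
    if worst >= 4:
        return "high"
    if worst == 3:
        return "moderate"
    return "low"


def prioritize(register):
    """Assumed prioritization: band first, then consequence, then likelihood."""
    order = {"high": 0, "moderate": 1, "low": 2}
    return sorted(register, key=lambda e: (order[band(e)], -e.consequence,
                                           -e.likelihood, e.name))


def reassess(event, likelihood, consequence, rationale):
    """Monitoring step: record a new assessment after a handling action,
    keeping the earlier ratings so the change over time stays documented."""
    if likelihood not in LEVELS or consequence not in LEVELS:
        raise ValueError("ratings must be within 1-5")
    event.likelihood, event.consequence = likelihood, consequence
    event.rationale = rationale
    event.history.append((likelihood, consequence))
    return band(event)


def report(register):
    """Documentation step: one line per event, both components shown separately."""
    return [f"{band(e):8} L={e.likelihood} C={e.consequence} {e.name} "
            f"(cause: {e.cause}; handling: {e.handling})"
            for e in prioritize(register)]


# Constructed sample register for a turbine engine program.
SAMPLE = [
    RiskEvent("turbine blade vibration", "resonance in the first-stage blades",
              "blade fatigue failure during qualification", 3, 5,
              "finite-element model shows a mode near operating speed",
              handling="mitigate: add damping feature, retest"),
    RiskEvent("compressor supplier slip", "single-source supplier behind schedule",
              "engine test start delayed two months", 4, 2,
              "supplier missed the last two milestone reviews",
              handling="mitigate: qualify second source"),
    RiskEvent("test cell availability", "shared facility over-booked",
              "endurance test slips one month", 2, 3,
              "facility schedule shows one open slot", related=["compressor supplier slip"]),
    RiskEvent("tool license lapse", "renewal paperwork late",
              "one week without analysis software", 1, 1,
              "renewal already in procurement"),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The `history` list and `rationale` field carry the backup documentation the Guide asks for, and `reassess` is the monitoring feedback loop: rerunning `report` after a handling action shows how the ranking changed and why.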