2.6.2 Risk Assessment Process
Risk assessment is the problem definition stage of management that identifies and analyzes (quantifies) prospective program events in terms of probability and consequences/impacts. The results form the basis for most risk management actions. It is probably the most difficult and time-consuming part of the management process. There are no quick answers or shortcuts. Tools are available to assist evaluators in assessing risk, but none are totally suitable for any program and may be highly misleading if the user does not understand how to apply them or interpret the results. Despite its complexity, risk assessment is one of the most important phases of the risk process because the caliber and quality of assessments determine the effectiveness of a management program.
The components of assessment, identification and analysis, are performed sequentially with identification being the first step.
Risk identification begins by compiling the program's risk events. PMOs should examine and identify program events by reducing them to a level of detail that permits an evaluator to understand the significance of any risk and identify its causes, i.e., risk drivers. This is a practical way of addressing the large and diverse number of potential risks that often occur in acquisition programs. For example, a WBS level 4 or 5 element may generate several risk events associated with a specification or function, e.g., failure to meet turbine blade vibration requirements for an engine turbine design.
Risk events are best identified by examining each WBS product and process element in terms of the sources or areas of risk, as previously described in Paragraph
Risks are those events that evaluators (after examining scenarios, WBS, or processes) determine would adversely affect the program. Evaluators may initially rank events by probability and consequence/impact of occurrence before beginning analysis to focus on those most critical.
Risk analysis is a technical and systematic process to examine identified risks, isolate causes, determine the relationship to other risks, and express the impact in terms of probability and consequences/impacts.
In practice, the distinction between risk identification and risk analysis is often blurred because there is some risk analysis that occurs during the identification process. For example, if, in the process of interviewing an expert, a risk is identified, it is logical to pursue information on the probability of it occurring, the consequences/impacts, the time associated with the risk (i.e., when it might occur), and possible ways of dealing with it. The latter actions are part of risk analysis and risk handling, but often begin during risk identification.
Prioritization is the ranking of risk events to determine the order of importance. It serves as the basis for risk-handling actions. Prioritization is part of risk analysis.
Integrated Product Teams (IPTs) typically perform risk assessments in a decentralized risk management organization as described in Paragraph 4.4. If necessary, the team may be augmented by people from other program areas or outside experts. Paragraph 5.4, Risk Assessment Techniques, elaborates on this for each of the described assessment