||DSMC RMG 4th: Risk Management Guide 4th
2.9 RISK DOCUMENTATION
A primary criteria for successful management is
formally documenting the ongoing risk management process. This is important
- It provides the basis for program assessments and updates as the program
- Formal documentation tends to ensure more comprehensive risk assessments
than if it is not documented.
- It provides a basis for monitoring risk-handling actions and verifying
- It provides program background material for new personnel.
- It is a management tool for the execution of the program.
- It provides the rationale for program decisions.
The documentation should be done by those responsible for planning and
collecting and analyzing data, i.e., IPT level in most cases.
Risk management reports vary depending on the size, nature, and phase of
the program. Examples of some risk management documents and reports that may
be useful to a PM are:
- Risk Management Plan,
- Risk information form,
- Risk assessment report,
- Risk handling priority list,
- Risk handling plan of action,
- Aggregated risk list,
- Risk monitoring documentation:
- Program metrics,
- Technical reports,
- Earned value reports,
- Watch list,
- Schedule performance report,
- Critical risk processes reports.
Most PMOs can devise a list of standard reports that will satisfy their needs most of the time; however, since there will always be a need for ad hoc reports and briefing and assessments, it is advisable to store risk information in a management information system (MIS). This allows you to derive standard reports and create of ad hoc reports, as needed. Paragraphs
4.8 and 5.8 discuss an MIS to support a risk management program.
Acquisition reform discourages Government oversight; therefore, formal contractor-produced risk documentation may not be available for most programs. However, program insight is encouraged, and PMOs can obtain information about program risk from contractor internal documentation such as:
- Risk Management Policy and Procedures. This is a description of the contractor's corporate
policy for the management of risk. The procedures describe the methods for
risk identification, analysis, handling, monitoring, and documentation. It
should provide the baseline planning document for the contractor's approach
to risk management.
- Corporate Policy and Procedures Documents. Corporations have policy and procedures documents that
address the functional areas that are critical to the design, engineering,
manufacture, test and evaluation, quality, configuration control,
manufacture, etc., of a system. These documents are based on what the
company perceives as best practices, and although they may not specifically
address risk, deviation from these policies represents risk to a program.
Internal company reports that address how well programs comply with policy
may be required and will provide valuable information.
- Risk Monitoring Report.
Contractors should have internal tracking metrics and reports for each
moderate - or high-risk item. These metrics may be used to determine the
status of risk reduction programs.