INTRODUCTION. This section should address
the purpose and objective of the plan, and provide a brief summary of the
program, to include the approach being used to manage the program, and the
PROGRAM SUMMARY. This section
contains a brief description of the program, including the acquisition
strategy and the program management approach. The acquisition strategy
should address its linkage to the risk management strategy.
DEFINITIONS. Definitions used by
the program office should be consistent with DoD definitions for ease of
understanding and consistency. However, the DoD definitions allow program
managers flexibility in constructing their risk management programs.
Therefore, each program's risk management plan may include definitions
that expand the DoD definitions to fit its particular needs. For example,
each plan should include, among other things, definitions for the ratings
used for technical, schedule, and cost risk. (Discussion of risk rating is
contained in Acquisition Deskbook, Section 220.127.116.11.)
RISK MANAGEMENT STRATEGY AND APPROACH.
Provide an overview of the
risk management approach, to include the status of the risk management
effort to date, and a description of the program risk management strategy.
See Acquisition Deskbook, Sections 18.104.22.168 and 22.214.171.124.
Describe the risk management organization of
the program office and list the responsibilities of each of the risk
management participants. See Acquisition Deskbook, Section 126.96.36.199.
RISK MANAGEMENT PROCESS AND PROCEDURES. Describe the program risk management
process to be employed, i.e., risk planning, assessment, handling,
monitoring and documentation, and a basic explanation of these components.
See Acquisition Deskbook, Section 188.8.131.52. Also provide application
guidance for each of the risk management functions in the process. If possible, the guidance should be as general
as possible to allow the program's risk management organization (e.g., IPTs)
flexibility in managing the program risk, yet specific enough
to ensure a common and coordinated approach to risk management.
It should address how the information associated with each element of the
risk management process will be documented and made available to all
participants in the process, and how risks will be tracked, to include
the identification of specific metrics if possible.
describes the risk planning process and provides guidance on how
it will be accomplished, and the relationship between continuous risk planning and
this RMP. Guidance on updates of the RMP and the approval
process to be followed should also be included. See Section 184.108.40.206 of
the Deskbook for information on risk planning.
RISK ASSESSMENT. This section of the plan describes the assessment
(identification and analysis) process. It includes procedures for
examining the critical risk areas and processes to identify and document
the associated risks. It also summarizes the analyses process for each of
the risk areas leading to the determination of a risk rating. This rating
is a reflection of the potential impact of the risk in terms of its
variance from known Best Practices or probability of occurrence, its
consequence, and its relationship to other risk areas or processes. This
section may include:
Overview and scope of the assessment
Sources of information
Information to be reported and
Description of how risk information is
Assessment techniques and tools (see Section
220.127.116.11.2 of the Deskbook).
describes the risk handling options, and identifies tools that can assist in implementing the
risk handling process. It also provides guidance on the use of
the various handling options for specific risks.
This section describes
the process and procedures that will be followed to monitor the status of the
various risk events identified. It should provide criteria for the selection of risks to
be reported on, and the frequency of reporting. Guidance on the
selection of metrics should also be included.
RISK MANAGEMENT INFORMATION SYSTEM, DOCUMENTATION AND
REPORTS. This section
describes the MIS structure, rules, and procedures that will be used to
document the results of the risk management process. It also identifies
the risk management documentation and reports that will be prepared;
specifies the format and frequency of the reports; and assigns
responsibility for their preparation.