5.8.2 Risk Management Reports
The following are examples of basic reports that a PMO may use to manage its risk program. Each office should tailor and amplify them, if necessary, to meet specific needs.
Risk Information Form. The PMO needs a document that serves the dual purpose of a source of data entry information and a report of basic information for the IPTs. The RIF serves this purpose. It gives members of the project team, both Government and contractors, a format for reporting risk-related information. The RIF should be used when a potential risk event is identified and updated over time as information becomes available and the status changes. As a source of data entry, the RIF allows the database administrator to control entries. To construct the database and ensure the integrity of data, the PMO should design a standard format for a RIF.
Risk Assessment Report. Risk assessments form the basis for many program decisions, and the PM will probably need a detailed report of any assessment of a risk event. A Risk Assessment Report (RAR) is prepared by the team that assessed a risk event and amplifies the information in the RIF. It documents the identification and analysis process and results. The RAR provides information for the summary contained in the RIF, is the basis for developing risk-handling plans, and serves as a historical recording of program risk assessment. Since RARs may be large documents, they may be stored as files. RARs should include information that links it to the appropriate RIF.
Risk-Handling Documentation. Risk-handling documentation may be used to provide the PM with the information he needs to choose the preferred mitigation option and is the basis for the handling plan summary that is contained in the RIF. This document describes the examination process for the risk-handling options and gives the basis for the selection of the recommended choice. After the PM chooses an option, the rationale for that choice may be included. There should be a plan for each risk-mitigation task. Risk-handling plans are based on results of the risk assessment. This document should include information that links it to the appropriate RIF.
Risk Monitoring Documentation. The PM needs a summary document that tracks the status of high and moderate risks. He can produce a risk-tracking list, for example, that uses information that has been entered from the RIF. Each PMO should tailor the tracking list to suit its needs. If elements of needed information are not included in the RIF, they should be added to that document to ensure entry into the database.
Database Management System (DBMS). The DBMS that the PM chooses may be commercial, Government-owned, or contractor-developed.
It should provide the means to enter and access data, control access, and create reports. Many options are available to users.
Key to the MIS are the data elements that reside in
the database. The items listed in Table 5-7 are examples of risk information
that might be included in a database that supports risk management. They are a
compilation of several risk reporting forms used in current DoD programs and
other risk document sources. "Element" is the title of the database field;
"Description" is a summary of the field contents. PMs should tailor the list
to suit their needs.
||Identifies the risk and is a
critical element of information, assuming that a relational database will
be used by the PMO. (Construct the ID number to identify the organization
responsible for oversight.)|
||States the risk event and
identifies it with a descriptive name. The statement and risk
identification number will always be associated in any report.|
||Reflects the importance of
this risk priority assigned by the PMO compared to all other risks, e.g.,
a one (1) indicates the highest priority.|
||Gives the date that
the RIF was submitted.|
major system/component based on the WBS.|
pertinent subsystem or component based on the WBS.|
||Identifies the risk
as technical/performance cost or schedule or combination of these.|
||Gives a concise
statement (one or two sentences) or the risk.|
the risk. Lists the key processes that are involved in the design,
development, and production of the particular system or subsystem. If
technical/performance, includes how it is manifested (e.g., design and
engineering, manufacturing, etc.).|
||Identifies the key
parameter, minimum acceptable value, and goal value, if appropriate.
Identifies associated subsystem values required to meet the minimum
acceptable value and describes the principal events planned to demonstrate
that the minimum value has been met.|
||States if an
assessment has been done. Cites the Risk Assessment Report, if
the analysis done to assess the risk. Includes rationale and basis for
likelihood of the event occurring, based on definitions in the program's
Risk Management Plan.|
consequence of the event, if it occurs, based on definitions in the
program's Risk Management Plan.|
relative urgency for implementing the risk-handling option.|
identifies any other subsystem or process that this risk affects.|
plans to mitigate the risk. Refers to any detailed plans that may exist,
metrics for tracking progress in implementing risk-handling plans and
achieving planned results for risk reduction.|
||Briefly reports the
status of the risk-handling activities and outcomes relevant to any risk
||Lists date of the
assigned responsibility for mitigation activities.|
||Records name and
phone number of individual who reported the risk.|