Risk Mitigation Planning, Implementation, and Progress ...

Definition: Risk mitigation planning is the process of developing options and actions to enhance opportunities and reduce threats to project objectives [1]. MITRE RiskMitigationPlanning,Implementation,andProgressMonitoring Print Definition:Riskmitigationplanningistheprocessofdevelopingoptionsandactionstoenhanceopportunitiesandreducethreatstoprojectobjectives[1].Riskmitigationimplementationistheprocessofexecutingriskmitigationactions.Riskmitigationprogressmonitoringincludestrackingidentifiedrisks,identifyingnewrisks,andevaluatingriskprocesseffectivenessthroughouttheproject[1]. Keywords:risk,riskmanagement,riskmitigation,riskmitigationimplementation,riskmitigationplanning,riskmitigationprogressmonitoring MITRESERoles&Expectations:MITREsystemsengineers(SEs)workingongovernmentprogramsdevelopactionableriskmitigationstrategiesandmonitoringmetrics,monitorimplementationofriskmitigationplanstoensuresuccessfulprojectandprogramcompletion,collaboratewiththegovernmentteaminconductingriskreviewsacrossprojectsandprograms,andanalyzemetricstodetermineongoingriskstatusandidentifyseriousriskstoelevatetothesponsororcustomer[2]. Background Riskmitigationplanning,implementation,andprogressmonitoringaredepictedinFigure1.Aspartofaniterativeprocess,therisktrackingtoolisusedtorecordtheresultsofriskprioritizationanalysis(step3)thatprovidesinputtobothriskmitigation(step4)andriskimpactassessment(step2). Figure1.RiskManagement:FundamentalSteps[3]Theriskmitigationstepinvolvesdevelopmentofmitigationplansdesignedtomanage,eliminate,orreducerisktoanacceptablelevel.Onceaplanisimplemented,itiscontinuallymonitoredtoassessitsefficacywiththeintentofrevisingthecourse-of-actionifneeded. RiskMitigationStrategies GeneralguidelinesforapplyingriskmitigationhandlingoptionsareshowninFigure2.Theseoptionsarebasedontheassessedcombinationoftheprobabilityofoccurrenceandseverityoftheconsequenceforanidentifiedrisk.Theseguidelinesareappropriateformany,butnotall,projectsandprograms. Figure2.RiskMitigationHandlingOptions[3]Riskmitigationhandlingoptionsinclude: Assume/Accept:Acknowledgetheexistenceofaparticularrisk,andmakeadeliberatedecisiontoacceptitwithoutengaginginspecialeffortstocontrolit.Approvalofprojectorprogramleadersisrequired. Avoid:Adjustprogramrequirementsorconstraintstoeliminateorreducetherisk.Thisadjustmentcouldbeaccommodatedbyachangeinfunding,schedule,ortechnicalrequirements. Control:Implementactionstominimizetheimpactorlikelihoodoftherisk. Transfer:Reassignorganizationalaccountability,responsibility,andauthoritytoanotherstakeholderwillingtoaccepttherisk. Watch/Monitor:Monitortheenvironmentforchangesthataffectthenatureand/ortheimpactoftherisk. Eachoftheseoptionsrequiresdevelopingaplanthatisimplementedandmonitoredforeffectiveness.Moreinformationonhandlingoptionsisdiscussedunderbestpracticesandlessonslearnedbelow. Fromasystemsengineeringperspective,commonmethodsofriskreductionormitigationwithidentifiedprogramrisksincludethefollowing,listedinorderofincreasingseriousnessoftherisk[4]: Intensifiedtechnicalandmanagementreviewsoftheengineeringprocess Specialoversightofdesignatedcomponentengineering Specialanalysisandtestingofcriticaldesignitems Rapidprototypingandtestfeedback Considerationofrelievingcriticaldesignrequirements Initiationoffallbackparalleldevelopments Whendeterminingthemethodforriskmitigation,theMITRESEcanhelpthecustomerassesstheperformance,schedule,andcostimpactsofonemitigationstrategyoveranother.Forsomethinglike"parallel"developmentmitigation,MITRESEscouldhelpthegovernmentdeterminewhetherthecostcouldmorethandouble,whiletimemightnotbeextendedbymuch(e.g.,doublethecostforparalleleffort,butalsoaddedcostforadditionalprogramofficeanduserengagement).Forconductingrapidprototypingorchangingoperationalrequirements,MITRESEscanuseknowledgeincreatingprototypesandusingprototypingandexperimenting(seeSEGuidearticleonSpecialConsiderationsforConditionsofUncertainty:PrototypingandExperimentationandtheRequirementsEngineeringtopic)forprojectingthecostandtimetoconductaprototypetohelpmitigateparticularrisks(e.g.,requirements).Implementingmoreengineeringreviewsandspecialoversightandtestingmayrequirechangestocontractualagreements.MITREsystemsengineerscanhelpthegovernmentassessthese(scheduleandcost)byhelpingdeterminethebasisofestimatesforadditionalcontractoreffortsandprovidingarealitycheckfortheseestimates.MITRE'sCASA[CenterforAcquisitionandSystemsAnalysis]andtheCCG[CenterforConnectedGovernment]InvestmentManagementpracticedepartmenthaveexperienceandaknowledgebaseinmanydevelopmentactivitiesacrossawidespectrumofmethodsandcanhelpwithrealisticassessmentsofmitigationalternatives. Forrelatedinformation,refertotheotherarticlesinthisRiskManagementtopicareaoftheSEGuide. BestPracticesandLessonsLearned Whatactionsareneeded? Whenmustactionsbecompleted? HandlingOptions Assume/Accept.Collaboratewiththeoperationaluserstocreateacollectiveunderstandingofrisksandtheirimplications.Riskscanbecharacterizedasimpactingtraditionalcost,schedule,andperformanceparameters.Risksshouldalsobecharacterizedasimpacttomissionperformanceresultingfromreducedtechnicalperformanceorcapability.Developanunderstandingofalltheseimpacts.Bringingusersintothemissionimpactcharacterizationisparticularlyimportanttoselectingwhich"assume/accept"optionisultimatelychosen.Userswilldecidewhetheracceptingtheconsequencesofariskisacceptable.Providetheuserswiththevulnerabilitiesaffectingarisk,countermeasuresthatcanbeperformed,andresidualriskthatmayoccur.Helptheusersunderstandthecostsintermsoftimeandmoney. Avoid.Again,workwithuserstoachieveacollectiveunderstandingoftheimplicationsofrisks.Provideuserswithprojectionsofscheduleadjustmentsneededtoreduceriskassociatedwithtechnologymaturityoradditionaldevelopmenttoimproveperformance.Identifycapabilitiesthatwillbedelayedandanyimpactsresultingfromdependenciesonotherefforts.Thisinformationbetterenablesuserstointerprettheoperationalimplicationsofan"avoid"option. Control.Helpcontrolrisksbyperforminganalysesofvariousmitigationoptions.Forexample,oneoptionistouseacommerciallyavailablecapabilityinsteadofacontractordevelopedone.Indevelopingoptionsforcontrollingriskinyourprogram,seekoutpotentialsolutionsfromsimilarrisksituationsofotherMITREcustomers,industry,andacademia.Whenconsideringasolutionfromanotherorganization,takespecialcareinassessinganyarchitecturalchangesneededandtheirimplications. Transfer.Reassigningaccountability,responsibility,orauthorityforariskareatoanotherorganizationcanbeadouble-edgedsword.Itmaymakesensewhentheriskinvolvesanarrowspecializedareaofexpertisenotnormallyfoundinprogramoffices.But,transferringarisktoanotherorganizationcanresultindependenciesandlossofcontrolthatmayhavetheirowncomplications.Positionyourselfandyourcustomertoconsideratransferoptionbyacquiringandmaintainingawarenessoforganizationswithinyourcustomerspacethatfocusonspecializedneedsandtheirsolutions.Acquirethisawarenessasearlyintheprogramacquisitioncycleaspossible,whentransferoptionsaremoreeasilyimplemented. Watch/Monitor.Onceariskhasbeenidentifiedandaplanputinplacetomanageit,therecanbeatendencytoadopta"headsdown"attitude,particularlyiftheexecutionofthemitigationappearstobeoperatingon"cruisecontrol."Resistthatinclination.Periodicallyrevisitthebasicassumptionsandpremisesoftherisk.Scantheenvironmenttoseewhetherthesituationhaschangedinawaythataffectsthenatureorimpactoftherisk.Theriskmayhavechangedsufficientlysothatthecurrentmitigationisineffectiveandneedstobescrappedinfavorofadifferentone.Ontheotherhand,theriskmayhavediminishedinawaythatallowsresourcesdevotedtoittoberedirected. DeterminingMitigationPlans Understandtheusersandtheirneeds.Theusers/operationaldecisionmakerswillbethedecisionauthorityforacceptingandavoidingrisks.Maintainacloserelationshipwiththeusercommunitythroughoutthesystemengineeringlifecycle.Realizethatmissionaccomplishmentisparamounttotheusercommunityandacceptanceofresidualriskshouldbefirmlyrootedinamissiondecision. Seekouttheexpertsandusethem.SeekouttheexpertswithinandoutsideMITRE.MITRE'stechnicalcentersexisttoprovidesupportintheirspecialtyareas.Theyunderstandwhat'sfeasible,what'sworkedandbeenimplemented,what'seasy,andwhat'shard.Theyhavetheknowledgeandexperienceessentialtoriskassessmentintheirareaofexpertise.Knowourinternalcentersofexcellence,cultivaterelationshipswiththem,andknowwhenandhowtousethem. Recognizerisksthatrecur.Identifyandmaintainawarenessoftherisksthatare"alwaysthere"—interfaces,dependencies,changesinneeds,environmentandrequirements,informationsecurity,andgapsorholesincontractorandprogramofficeskillsets.Helpcreateanacceptancebythegovernmentthattheseriskswilloccurandrecurandthatplansformitigationareneededupfront.Recommendvariousmitigationapproaches—includingadoptionofanevolutionstrategy,prototyping,experimentation,engagementwithbroaderstakeholdercommunity,andthelike. Encouragerisktaking.Givenallthathasbeensaidinthisarticleanditscompanions,thismayappeartobeanoddpieceofadvice.Thepointisthatthereareconsequencesofnottakingrisks,someofwhichmaybenegative.Helpthecustomerandusersunderstandthatrealityandthepotentialconsequencesofbeingoverlytimidandnottakingcertainrisksinyourprogram.Anexampleofanegativeconsequencefornottakingariskwhendeliveringafullcapabilityisthatanadversarymightrealizeagainagainstouroperationalusers.Risksarenotdefeats,butsimplybumpsintheroadthatneedtobeanticipatedanddealtwith. Recognizeopportunities.Helpthegovernmentunderstandandseeopportunitiesthatmayarisefromarisk.Whenconsideringalternativesformanagingaparticularrisk,besuretoassesswhethertheyprovideanopportunisticadvantagebyimprovingperformance,capacity,flexibility,ordesirableattributesinotherareasnotdirectlyassociatedwiththerisk. Encouragedeliberateconsiderationofmitigationoptions.Thispieceofadviceisgoodanytime,butparticularlywhensupportingafast-paced,quickreactiongovernmentprogramthatisjugglingmanycompetingpriorities.Carefullyanalyzemitigationoptionsandencouragethoroughdiscussionbytheprogramteam.Thisistheformofthewisdom"goslowtogofast." Notallrisksrequiremitigationplans.Riskeventsassessedasmediumorhighcriticalityshouldgointoriskmitigationplanningandimplementation.Ontheotherhand,considerwhethersomelowcriticalityrisksmightjustbetrackedandmonitoredonawatchlist.Husbandyourrisk-relatedresources. MitigationPlanContent Determinetheappropriateriskmanager.Theriskmanagerisresponsibleforidentifyingandimplementingtheriskmitigationplan.Heorshemusthavetheknowledge,authority,andresourcestoimplementtheplan.Riskmitigationactivitieswillnotbeeffectivewithoutanengagedriskmanager.Itmaybenecessarytoengagehigherlevelsinthecustomerorganizationtoensuretheneedfortheriskmanagerisaddressed.ThiscanbedifficultandusuallyinvolvesengagingmoreseniorlevelsoftheMITREteamaswell. Developahigh-levelmitigationstrategy.Thisisanoverallapproachtoreducetheriskimpactseverityand/orprobabilityofoccurrence.Itcouldaffectanumberofrisksandinclude,forexample,increasingstaffingorreducingscope. Identifyactionsandstepsneededtoimplementthemitigationstrategy.Askthesekeyquestions: Whatactionsareneeded? Makesureyouhavetherightexitcriteriaforeach.Forexample,appropriatedecisions,agreements,andactionsresultingfromameetingwouldberequiredforexit,notmerelythefactthatthemeetingwasheld. Lookforevaluation,proof,andvalidationofmetcriteria.Consider,forexample,metricsortestevents. Includeonlyandallstakeholdersrelevanttothestep,action,ordecisions. Whenmustactionsbecompleted? BackwardPlanning:Evaluatetheriskimpactandscheduleofneedforthesuccessfulcompletionoftheprogramandevaluatetestevents,designconsiderations,andmore. ForwardPlanning:Determinethetimeneededtocompleteeachactionstepandwhentheexpectedcompletiondateshouldbe. Evaluatekeydecisionpointsanddeterminewhenamovetoacontingencyplanshouldbetaken. Whoistheresponsibleactionowner? Whatresourcesarerequired?Consider,forexample,additionalfundingorcollaboration. Howwillthisactionreducetheprobabilityorseverityofimpact? Developacontingencyplan("fallback,planB")foranyhighrisk. Arecuesandtriggersidentifiedtoactivatecontingencyplansandriskreviews? Includedecisionpointdatestomovetofallbackplans.Thedatetomovemustallowtimeto executethecontingencyplan. Evaluatethestatusofeachaction.Determinewheneachactionisexpectedtobecompletedsuccessfully. IntegrateplansintoIMSandprogrammanagementbaselines.Riskplansareintegraltotheprogram,notsomethingapartfromit. MonitoringRisk Includeriskmonitoringaspartoftheprogramreviewandmanagecontinuously.Monitoringrisksshouldbeastandardpartofprogramreviews.Atthesametime,risksshouldbemanagedcontinuouslyratherthanjustbeforeaprogramreview.Routinelyreviewplansinmanagementmeetings. Reviewandtrackriskmitigationactionsforprogress.Determinewheneachactionisexpectedtobecompletedsuccessfully. Refineandredefinestrategiesandactionstepsasneeded. Revisitriskanalysisasplansandactionsaresuccessfullycompleted.Aretherisksburningdown?Evaluateimpacttoprogramcriticalpath. Routinelyreassesstheprogram'sriskexposure.Evaluatethecurrentenvironmentfornewrisksormodificationtoexistingrisks. References&Resources ProjectManagementInstitute,AGuidetotheProjectManagementBodyofKnowledge,(PMBOKGuide),FourthEdition,ANSI/PMI99-001-2008,pp.273-312. TheMITREInstitute,September1,2007,MITRESystemsEngineering(SE)CompetencyModel,Version1,pp.10,40-41. Garvey,P.R.,2008,AnalyticalMethodsforRiskManagement:ASystemsEngineeringPerspective,Chapman-Hall/CRC-Press,Taylor&FrancisGroup(UK),BocaRaton,London,NewYork,ISBN:1584886374. Kossiakoff,A.andW.N.Sweet,2003,SystemsEngineeringPrinciplesandPractice,JohnWileyandSons,Inc.,pp.98-106. AdditionalReferences&Resources InternationalCouncilonSystemsEngineering(INCOSE),January2010,INCOSESystemsEngineeringHandbook,Version3.2,INCOSE-TP-2003-002-03.2,pp.213-225. DownloadtheSEG MITRE'sSystemsEngineeringGuide DownloadforEPUBDownloadforAmazonKindleDownloadaPDF Questions? ContacttheSEGTeam MITREisproudtobeanequalopportunityemployer.MITRErecruits,employs,trains,compensates,andpromotesregardlessofage;ancestry;color;familymedicalorgeneticinformation;genderidentityandexpression;marital,military,orveteranstatus;nationalandethnicorigin;physicalormentaldisability;politicalaffiliation;pregnancy;race;religion;sex;sexualorientation;andanyotherprotectedcharacteristics. MITREintendstomaintainawebsitethatisfullyaccessibletoallindividuals.IfyouareunabletosearchorapplyforjobsandwouldliketorequestareasonableaccommodationforanypartofMITRE’semploymentprocess,pleasecontactMITRE’sRecruitingHelpLineat703-983-8226oremailatrecruitinghelp@mitre.org Copyright©1997-2021,TheMITRECorporation.Allrightsreserved. MITREisaregisteredtrademarkofTheMITRECorporation.Materialonthissitemaybecopiedanddistributedwithpermissiononly.