Risk Management (RM)

Slide 4

AGibson

• Risk sources and categories are predetermined by QA and are listed in QP 19  Risk Management Procedure.
• Risk Sources are the fundamental drivier that causes risk in our contracts. Risk Sources can be internal and external -- from changing cusotmer requirements; new work, contract work environment, inadequate funding; inadequate or highly specialize staff, sub or prime issues
• Risk categories - bins for collecting data -- DEPENDENCIES, FUNDING, PERFORMANCE, STAFFING

• Risk parameter for probability of occurrences and impact are predetermined in QP 19
• Risk Probability identifies the LIKELYHOOD of the RISK occurring. Risk Probability ratings --  scale is 1 -5 where  1 is VERY LOW THAT the RISK WOULD OCCUR and 5 VERY HIGH which means the RISK is highly likely to occur.
• The risk impact identifies the consequences of the risk if it would to occur. Goups the categories as mentioned above -- DEPEND/FUNDING/PERFORMANCE/STAFFING) and provides a range of descriptive consequences rated from 1 - 5 where 1 is very low and 5 is very high.
• For example AAAP, I identified the upcoming recompete as a risk as it is dependent on other groups (government) on how the recompete will be handled and release.  So under dependencies -- I rated the risk as a High - 4 as the government will have an impact.  Then I reated the propability as a 5 as it was very likely to happen.

Now I just explained how I arrive at the impact and probability rating for AAAP.  I determine the overall risk by mulitplying these two factors -- 4 * 5 = 20. .  Each category of Risk is rated with a  Risk Impact to ID the consequences of the risk occuring -- 1 being very low with 5 being Very High.

For example DEPENDENCIES for AAAP has a Option Year coming up for renewal is dependenton other groups such as the government on impact of the renewal of this contract.   Now you you then take the Risk probability rating as I mention before and you multiply the two scores to determine a Risk Score which will detemine the Threshold and resulting action.

Dependent on the score we can take NO ACTION/ACCEPT RISK, RISK MONITORING, RISK Mitigation PLAN

Risk are identified in for a project that would negatively affect the work of the project -- asking the questions of what could go wrong or what are the uncertainties.  With AAAP - the potential recompete and recruiting for a web programmer (Risk Categories of Dependencies and Staffing) are indenfitied risk.  

This risk is entered intothe Risk Log to be tracked.

1. Analyzing the risk involve identifying the possible consequences of risk using Table 1 to assign an impact score

2. determine the likelihood or probabiliy of the risk occuring using table 2 to assign a risk probability score

3. determine the overall risk score by mulitplying it impact score and probability score in Table 3

4. Compare risk score to threshold in table 3 and determine appropiate action in the relation to the risk.

Actions range from green No action/accept risk; yellow - monitor risk; and red - implement a risk mitigation plan

With AAAA our Risk score is 20 with would rate as a RED.

• Risk mitigation plans are established when the risk falls within the red threshold with a Risk score between 12-25.
• The purpose of the Risk Mitigation is to determine the best approach in resolve the issue.
• Risk Mitgation options are : Risk Avoidance (changing or lowering requirements to meet needs; Risk Control( actively trying to minimize risk);Risk transferr(reallocatinog requirements or resources to lower risks); Risk monitoring (watching and periodically re-evaluation the risk for changes; risk acceptance (acknowledging the possiblitiy of the risk and not taking action to avoid it

• Risk Mitigation plans are implemented when the PM presents a recommendation of a Risk Mitigation Plan to the President and CEO who will make the final decision to use and implement plan.  If the President and CEO does not implement the Risk Mitigation plan, then the risk will be monitored and updates/status  will be provide to President and CEO.
• If the Risk Migation plan is implemented, the PM will work with the appropriate parties to implement the plan.  PM will monitor risk mitigation activities and track to closure.  Risk Mitigation activities are listed in RISK LOG.