How to Perform Risk Management

Risk analysis and management are vital to the success of any project. As contractors who work on a myriad of projects, we see firsthand that different customers have different approaches towards risk. Here at SPEC Innovations, we seek to equip you with the tools to pursue your approach.

We use Innoslate, a model-based systems engineering and requirements management software. Using MBSE practices, you can use Innoslate to perform risk management. This article explains why we chose Innoslate for risk identification and management. It also provides guidance on completing the risk management process.

Risk Identification

One of the most difficult parts of this process is risk identification. Risk identification requires the technical and program staff to consider risk in their day-to-day work. They then report that risk along with any mitigation techniques to the risk managers.

Innoslate covers this with an explicit step in all of our processes for risk identification. This step reminds staff to consider risks at every stage of development. The figure below shows our functional analysis process with the Risk Checklist.

In the risk analysis step, the risk manager assesses the likelihood (probability) of a risk and the consequence. Once you have pinpointed the probability and consequence, you will need to also identify:

Risk Categories

• Technical
• Programmatic
• Business/External

Mitigation Techniques

The 2015 guide "Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs" has criteria for selecting a risk management tool:

• "Support Objectives: Does the tool aid in meeting program objectives?
• Recurrence: Will the risk management tool accommodate recurring updates to the risk management process?
• Helpfulness: Will the tool be useful during the decision-making process?
• Accessibility: Will the tool be accessible to all users, perhaps remotely, including certain tool-licensing requirements?
• Integration: Does the tool aid in the integration with other program management tools and processes?
• Requirements: Does the tool meet the requirements for the program office and contractor(s)?"

A tool that does these things must have at least three forms of risk capturing and display:

1. risk matrix
2. risk burndown chart
3. risk register

Risk Matrix

The figure below shows the interactive risk matrix from Innoslate. The probabilities (rows) range from Low to High, and the consequences range from negligible to critical.

Each risk item shown on the matrix has a number of attributes and related information (seen in the figure below). The left column contains information about who created/modified this risk and when. It also contains labels, which in this case include the category “Schedule.” Note there is a tab for comments in case you need some kind of help with this risk.

The middle panel shows the attributes associated with this risk. This includes the name, number, and description of the risk entity. You can also include the probability, consequence, and consequence description.

The far right panel shows various relationships, including the source of the risk (caused by) and mitigation (mitigated by). The risk decomposition shows risks at each stage of the development process. You can view these risks in the Risk Burndown chart shown below.

By selecting the Risk at SRR, you can see the actual probability and consequence of the risk at this stage. Note that the consequence stays the same, only the probability changes over time. If you apply risk mitigation, the risk probability should be lowered. However, the consequence (if the risk actually happens) does not change.

Finally, you can see a summary of these risks in the “risk register” shown below. You can create this table in the Innoslate Database View. Users can click into any cell in the table and add or change information in the cell. It shows the risk and mitigation technique, as well as other information.

Innoslate can also support risk analysis in modeling and simulation. With each step of the modeling process, you can associate the schedule, cost, resource usage, etc.

You can also apply distributions to this information that reflect uncertainty in any numerical value. Running the Monte Carlo simulation executes the models and identifies the potential risk in each factor. Below is an example of a Monte Carlo simulation’s results.

The Status Report shows the mean and standard deviation of the Duration and Cost of the process. The bar charts on the right side reflect the mean and standard deviation as well.

You can use these impacts to quantify the consequence, particularly the extreme tails. Although only a few simulations show the cost in the 10-month bin, you can assign a probability and consequence value using this information.

Innoslate goes beyond the tool selection criteria in the Defense Acquisition Programs' Guide. Integrating risk analysis results in Documents View helps manage project risks more effectively and comprehensively. You have now learned how to use a model-based systems engineering approach to identify and manage risk. Start developing your own requirements management process by signing up for a free account at cloud.innoslate.com/signup.

Learn how effective Risk Management can help you win federal contracts. ⬇️