ATTACHMENT 3



The Risk Mitigation Plan provides direction and control for the identification, documentation, correction methodology, and closure of risks on the program. Risk Management is an organized, systematic decision-making process designed to identify, analyze, plan, track, control, and document each and all risks to increase the probability of achieving project goals. Risks are events that may or may not impact the cost, schedule, or technical quality of the project and


Risk management is the responsibility of everyone on the team. It implies control of possible future events and is proactive rather than reactive. There are four elements of the risk management process.

1. Risk Identification. Potential risks must be identified and managed. Once identified, risks are entered into a Risk Mitigation Form as in Figure A3-1 and then into a Risk List as in Table A3-1. Risk identification is an element of the process that continues throughout the lifetime of the project.

Figure A3-1 — Risk Mitigation Form

Risk No.        Priority        Date Opened        Date Closed
Risk Description
Source of Risk (i.e., SOW, Para X.X)
Mitigation Plan
Cost Exposure
Cost of Mitigation
Expected Date of Occurrence
Application of Mitigation Funds (dates & amounts)
Closure Authority:
Program Manager        System Manager

M-M Form F-04028-1

2. Risk Assessment. Each risk must be characterized as to the likelihood (probability) of its occurrence (Po) and the severity of the potential consequences (So). When the assessments are made, the characteristics of the risk are documented in the Risk List.

3. Risk Disposition. Each risk must be assigned to an individual designated as the risk manager for that risk (this will likely involve a number of different people). Once a risk has been assessed, the project team must consider how to handle it. Alternatives include:

Avoidance. Avoidance is best accomplished during the bid or negotiation process. Once the project has started, avoidance is difficult to accomplish. Because this is the best method of risk mitigation, it should not be summarily dismissed, however. Consider alternative architecture, design, or project approaches that would avoid the incidence of this risk altogether.

Table A3-1 — Risk List

Risk No.   Risk             Resp     Po*   So*   Priority (Po × So)   Status
P-001      System Weight    Smith    .6    .8    .48                  In Proc
P-002      Deceleration     Jones    .5    .5    .25                  In Proc
P-003      Rxo BER          Nacker   .3    .4    .12                  In Proc

Transfer. It may be possible to transfer a risk to a subcontractor or to a third party such as an insurance agency. In the final analysis, however, the program team is still ultimately responsible for the risk.

Sharing. When the risk cannot be appropriately transferred—and when it is not in the best interest of the program team to assume the risk—the risk may be shared with the customer, a subcontractor, or a third party. Such shared risks require extensive monitoring. Risk sharing with the customer is quite common in Research and Development (R&D) contracts. Sharing is implemented through both cost sharing, such as cost plus contracts or arrangements, and profit sharing, such as award fee or incentive fee provisions. Risk sharing with the subcontractor is accomplished in the same way. Risk sharing with a third party such as an insurance or bonding company is simply sharing of the cost outcome. These share situations are rare.

Assumption. When all the other alternatives have not been successful, the only option left is to assume the risk. Once the risk has been directly assumed, the issue of mitigation becomes your full responsibility. This statement means that the intensity of mitigation will increase significantly. The assumption of the entire risk will require a full plan to approach and neutralize or at least mitigate the risk.

4. Risk Tracking. Once a risk has been identified, as stated in Step 1, it must be entered into the Risk List. Every risk in the Risk List must be documented in a Risk Mitigation Form.

The size, content, and intensity of Risk Mitigation will increase as you progress further down the process steps and as the Priority (Po × So) increases. Constant vigilance and status reporting must be maintained on each risk throughout its lifetime. Some risks will require monthly attention while others will require daily or even hourly attention.

Additional references that may contribute to developing your plan are:


DoD Directive Dir 5000.2R, paragraph 3.3.3.