Risk Management

Definition: Risk is an event that, if it occurs, adversely affects the ability of a project to achieve its outcome objectives [1]. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level [2].

Keywords: opportunity, risk, risk analysis, risk management, uncertainty, uncertainty analysis


Risk management lies at the intersection of project functions performed by the systems engineer and the project manager [3]. Historically, risk management focused more on management elements such as schedule and cost, and less on technical risks for well-defined or smaller projects. However, larger and more complex projects and environments have increased the uncertainty for the technical aspects of many projects. To increase the likelihood of successful project and program outcomes, the systems engineer and project manager must be actively involved in all aspects of risk management.

A substantial body of knowledge has developed around risk management. In general, risk management includes development of a risk management approach and plan, identification of components of the risk management process, and guidance on activities, effective practices, and tools for executing each component. One characterization of the risk management process is shown in Figure 1 [1].

Figure 1. Fundamental Steps of Risk Management

Step 1. Risk Identification
Risk identification is the critical first step of the risk management process. Its objective is the early and continuous identification of risks, including those within and external to the engineering system project.

Step 2. Risk Impact or Consequence Assessment
In this step, an assessment is made of the impact each risk event could have on the engineering system project. Typically, this includes how the event could impact cost, schedule, or technical performance objectives. Impacts are not limited to only these criteria. Additional criteria such as political or economic consequences may also require consideration. In addition, an assessment is made of the probability (chance) each risk event will occur.

Step 3. Risk Prioritization
At this step, the overall set of identified risk events, their impact assessments, and their occurrence probabilities are "processed" to derive a most critical to least critical rank-order of identified risks. A major purpose for prioritizing risks is to form a basis for allocating critical resources.

Step 4. Risk Mitigation Planning
This step involves the development of mitigation plans designed to manage, eliminate, or reduce risk to an acceptable level. Once a plan is implemented, it is continually monitored to assess its efficacy with the intent to revise the course-of-action, if needed.
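Worked example of the four steps above as a small risk register: identified risks are scored for probability and for impact on the cost, schedule and technical criteria named in Step 2, rank-ordered by exposure (Step 3), and checked after their planned mitigation to see whether residual exposure is at an acceptable level (Step 4). This is an added illustration, not a MITRE tool or method; the 1-to-5 scales, the criterion weights, the acceptance threshold and the four sample risks are all constructed assumptions.

```python
"""Risk register walk-through for the identify/assess/prioritize/mitigate steps.

Added example, not the guide's own tooling. Scales, weights, threshold and
the sample risks below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed ordinal scales: probability and each impact criterion are scored 1..5.
CRITERIA = ("cost", "schedule", "technical")
# Assumed weights for a project that values technical performance most.
WEIGHTS = {"cost": 0.3, "schedule": 0.3, "technical": 0.4}
# Assumed acceptance threshold for exposure (maximum possible score is 25).
ACCEPTABLE_EXPOSURE = 6.0


@dataclass
class Risk:
    rid: str
    description: str
    probability: int                 # 1..5, chance the event occurs (Step 2)
    impact: dict                     # criterion -> 1..5 (Step 2)
    mitigation: str = ""             # planned course of action (Step 4)
    residual_probability: Optional[int] = None
    residual_impact: dict = field(default_factory=dict)

    def weighted_impact(self, impact=None) -> float:
        impact = self.impact if impact is None else impact
        return sum(WEIGHTS[c] * impact[c] for c in CRITERIA)

    def exposure(self) -> float:
        """Step 3 score: probability times weighted impact (higher = more critical)."""
        return round(self.probability * self.weighted_impact(), 2)

    def residual_exposure(self) -> float:
        """Exposure expected after the planned mitigation; unchanged if none is planned."""
        if self.residual_probability is None:
            return self.exposure()
        impact = self.residual_impact or self.impact
        return round(self.residual_probability * self.weighted_impact(impact), 2)


def validate(risk: Risk) -> None:
    """Reject scores outside the 1..5 scales before they distort the ranking."""
    if not 1 <= risk.probability <= 5:
        raise ValueError(f"{risk.rid}: probability {risk.probability} not in 1..5")
    for c in CRITERIA:
        if c not in risk.impact or not 1 <= risk.impact[c] <= 5:
            raise ValueError(f"{risk.rid}: impact[{c}] missing or not in 1..5")


def is_valid(risk: Risk) -> bool:
    try:
        validate(risk)
        return True
    except ValueError:
        return False


def prioritize(register: list) -> list:
    """Step 3: most critical first; ties broken by probability, then by id."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: (-r.exposure(), -r.probability, r.rid))


def needs_action(register: list) -> list:
    """Step 4 monitoring check: risks whose residual exposure is still above threshold."""
    return [r.rid for r in register if r.residual_exposure() > ACCEPTABLE_EXPOSURE]


# Constructed sample register (the output of Step 1). All scores are illustrative.
SAMPLE_REGISTER = [
    Risk("R1", "Vendor authentication library reaches end of support mid-project",
         probability=4, impact={"cost": 3, "schedule": 4, "technical": 4},
         mitigation="Pin to a supported release and budget a migration sprint",
         residual_probability=2, residual_impact={"cost": 2, "schedule": 2, "technical": 2}),
    Risk("R2", "Hardware security module delivery slips past integration test",
         probability=3, impact={"cost": 2, "schedule": 5, "technical": 2},
         mitigation="Order early; stage integration against a software HSM emulator",
         residual_probability=2, residual_impact={"cost": 2, "schedule": 2, "technical": 2}),
    Risk("R3", "Required throughput exceeds what the selected crypto accelerator delivers",
         probability=2, impact={"cost": 3, "schedule": 3, "technical": 5},
         mitigation="Benchmark a prototype early; qualify a second accelerator",
         residual_probability=2, residual_impact={"cost": 3, "schedule": 3, "technical": 4}),
    Risk("R4", "Export-control review of the cryptographic module is delayed",
         probability=2, impact={"cost": 1, "schedule": 2, "technical": 1}),
]


def ranked_ids(register=SAMPLE_REGISTER) -> list:
    return [r.rid for r in prioritize(register)]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rid}: exposure {r.exposure():5.2f} -> residual "
              f"{r.residual_exposure():5.2f}  {r.description}")
    print("still above threshold, revise plan:", needs_action(SAMPLE_REGISTER))
```

The point of the residual check is the monitoring loop in Step 4: R3's planned mitigation lowers its technical impact but leaves its residual exposure above the assumed threshold, so it is flagged for a revised course of action rather than being closed.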

Two other steps are involved in executing risk management: developing the approach and plan, and selecting the risk management tools. The risk management approach determines the processes, techniques, tools, and team roles and responsibilities for a specific project. The risk management plan describes how risk management will be structured and performed on the project [3]. Risk management tools support the implementation and execution of program risk management in systems engineering programs. In selecting the appropriate tools, the project team considers factors such as program complexity and available resources.

These six steps are discussed in the five articles under this Risk Management topic of the MITRE SE Guide:

MITRE SE Roles & Expectations: MITRE systems engineers (SEs) working on engineering systems are expected to propose, influence, and often design the risk management approach that enables risk informed trade-offs and decisions to be made throughout a system's evolution. They are expected to identify, analyze, and prioritize risks based on impact, probabilities, dependencies, timeframes, and unknowns. They are expected to prepare and monitor risk mitigation plans and strategies, conduct reviews, and elevate important risks [4].

Risk Management Principles

MITRE systems engineers supporting government customers in risk management activities have observed the following elements common to the Department of Defense (DoD) and civilian environments.

Risk Management Is Fundamental

An event is uncertain if there is indefiniteness about its outcome [1]. Risk management acknowledges the concept of uncertainty, which includes risks (unfavorable outcomes) and opportunities (favorable outcomes). Risk management is a formal and disciplined practice for addressing risk. In many ways, it is indistinguishable from program management. It includes identifying risks, assessing their probabilities and consequences, developing management strategies, and monitoring their state to maintain situational awareness of changes in potential threats.

Every Project Involves Risk

Every project is a temporary endeavor undertaken to provide a unique result [3]; it is an undertaking that has not been done before. Therefore, all projects involve some level of risk, even if similar projects have been completed successfully.

Risk and Opportunity Must Be Balanced

Risk and opportunity management deal with uncertainty that is present throughout the system's life cycle. The objective is to achieve a proper balance between them, while recognizing that one is not the complement of the other.

Typically, more risk and opportunity are involved in decisions made early in the project life cycle, because those decisions have a more significant impact on project scope, cost, and schedule than those made later in the life cycle.

Risk Is Present in Complicated Relationships

Risk affects all aspects of engineering a system, and can be present in complicated relationships among project goals. A system may be intended for technical accomplishments near the limits of engineering or the maturity of technology, leading to technical risks. A system may have to be fielded early to meet an imminent threat, resulting in schedule risks. All systems have funding challenges, which lead to cost risks. Risk can also be introduced by external threats, due to changing social, political, or economic landscapes.

References & Resources

  1. Garvey, P.R., 2008, Analytical Methods for Risk Management: A Systems Engineering Perspective, Chapman-Hall/CRC-Press, Taylor & Francis Group (UK), Boca Raton, London, New York, ISBN: 1584886374.
  2. Stoneburner, G., A. Goguen, and A. Feringa, July 2002, Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, Special Publication 800-30, p. 1.
  3. Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK Guide), Fourth Edition, ANSI/PMI 99-001-2008, pp. 273–312.
  4. September 1, 2007, "MITRE Systems Engineering (SE) Competency Model, Version 1," The MITRE Institute, pp. 10, 40–41.

Additional References & Resources

"IEEE Standard for Software Life Cycle Processes - Risk Management," IEEE Std. 1540-2001.

International Council on Systems Engineering (INCOSE), January 2010, INCOSE Systems Engineering Handbook, Version 3.2, INCOSE-TP-2003-002-03.2, p. 213–225.

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC Guide 73, Risk Management – Vocabulary – Guidelines.

Kerzner, H., Ph. D., 2003, Project Management, Eighth Edition, John Wiley and Sons, Inc., pp. 651–710.

Kossiakoff, A. and W.N. Sweet, 2003, Systems Engineering Principles and Practice, John Wiley and Sons, Inc., pp. 98–106.

MITRE Systems Engineering Practice Office, Risk Management Toolkit

Moore, J.W., 2006, "The Road Map to Software Engineering, A Standards-Based Guide," IEEE Computer Society, 2006, pp. 171–172.

Mulcahy, R., 2003, Risk Management: Tricks of the Trade for Project Managers, RMC Publications.

OMB Circular A-11 E-300, "Part 7: Planning, Budgeting, Acquisition and Management of Capital Assets," June 2008.

Software Engineering Institute CMMI, "Risk and Opportunity Management."

Thayer, R.H., and M. Dorfman (eds.), 2005, Software Engineering Volume 2: The Supporting Processes, Third Edition, IEEE Computer Society.

The Institute of Risk Management, "The Risk Management Standard."

"Uncertainty Management," MITRE Project Leadership Handbook.

Woodward, D. and K. Buck, July 2007, "Office of Management and Budget (OMB) Uncertainty and Risk Assessment Requirements: A Preliminary MITRE Study (MP #070137)."
