AOF Risk Management

Policy, information and guidance on the Risk Management aspects of UK MOD Defence Acquisition

version 4.0.5 - July 2010

Content

Introduction to Risk Management

This content is about the project Risk Management process. The process comes from the Ministry of Defence’s (MOD’s) single Risk Management process. This process is defined in Joint Services Publication (JSP) 525 and incorporates national (and international) best practice.

There are variations from and additions to JSP 525 to support projects’ requirements. The variations address differing terminology that arises from subtle differences in approach. The principal addition is that of overall statistical analysis used by projects to predict outcomes for cost and time (captured in Confidence Figures).

With the introduction of Through Life Capability Management (TLCM), procedures specific to Programme Risk Management have become increasingly important. General guidance on programme risk management, which comes from the Office of Government Commerce Managing Successful Programmes publication, is set out within this site, as is information about TLCM Risk Management.

What is Risk Management?

Risk Management may be defined as:

"The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, planning and managing Risks in a way that will enable organisations to minimise threats and maximise opportunities in a cost-effective way."

For the purpose of this guide the definition of a risk is:

"The combination of the Probability of an Event occurring and its Consequences on objectives."

It allows an informed judgement to be made on the degree of risk in project proposals, and provides confirmation that the balance struck between performance, whole life cost, timescale, and risk represents value for money.

Applying risk management throughout the project lifecycle is essential to the aim of delivering on time, and to cost, equipment that meets its performance objectives. The process helps to make sure the output is value for money, reliable and easy to maintain throughout its in-service life.

Why do Risk Management?

The House of Commons Defence Committee concluded in 1987/88 that "The application of a more disciplined approach by MOD to risk assessment is clearly required".

The Jordan Lee Cawsey Report "Learning From Experience" places emphasis on the need for risk management in the areas of:

  • Technology availability.
  • Hardware and software demonstration.
  • MOD responsibilities such as Government Furnished Equipment (GFE) / Government Furnished Facilities (GFF) / Government Furnished Information (GFI).

This approach has the aim of making sure that managers apply explicit risk management techniques to all aspects of all projects. It exposes the risks to scrutiny in the Approvals Process, and enables their management in a logical and systematic way.

This is a joint policy between Chief of Defence Materiel (CDM) and Chief Scientific Advisor (CSA) recognising that Procurement practice and central scrutiny of technical and procurement aspects must be consistent.

Risk Management should be carried out in every stage of the CADMID or CADMIT lifecycle.

Who is Responsible for Risk Management?

All managers involved in the acquisition of Defence equipment, systems or support have to manage complex risks, and sometimes an extremely large number of them.

This guide applies to all staff involved in acquisition. This comprises managers in the Capability Sponsor, DE and DE&S, and includes:

  • Heads of Capability
  • Project Team Leaders
  • Finance Managers, Technical Managers
  • Contract Managers
  • Integrated Logistic Support Managers
  • Quality Managers
  • Reliability and Maintainability Managers.

Here the term ‘Project’ refers to any identifiable acquisition activity, including programmes, irrespective of whether it is a Capability Sponsor, Defence Estates or Defence Equipment and Support activity.

What are Issues, Uncertainties and Risks?

Figure 1 - Diagram illustrating Issues Uncertainties and Risks - A textual description of this image is contained in the following paragraphs.

Figure 1 differentiates between the terms ‘Issues’, ‘Uncertainties’, and ‘Risks’.

The first stage of the Risk Management process is about identifying risk. The starting point is to consider the Project’s overall context, its assumptions and objectives. The identification process will identify future events that may impact on the Project.

It is essential that these events are correctly classified so that the appropriate Project Management action can be carried out.

At the highest level, future events can be categorised as either Certain Occurrences or Uncertain Occurrences.

Certain Occurrences are events that will happen, and as such they must be accounted for in a Project’s baseline Planning and Schedule Management activities.

Whether the occurrence is considered significant or insignificant it must be addressed. The term ‘Issue’ is used to describe these types of event.

  • Insignificant certainties – The only likely action necessary is to add an entry in an assumptions register to log the fact that it has been taken into account.
  • Significant certainties – Management action may be necessary in order to avoid, minimise or absorb the effects.

Uncertain Occurrences are events that might or might not occur. The type of management action necessary to deal with them depends on their significance.

The term ‘Risk’ is used to describe significant uncertainties, either threats or opportunities, which must be addressed within the Risk Management process.

The term ‘Uncertainties’ is used to describe insignificant uncertainties, which may not warrant specific Risk Management action but should be addressed within a Project’s baseline Planning and Schedule.

Change History

1 November 2009
Minor amendments made for Plain English review.
1 October 2009
Update to incorporate Programme Risk Management.