12619 - Fluency in Risk Management: DoD Acquisition Risk Management, MIL-STD-882D, ANSI-GEIA-STD-0010, and ISO 31000 - All the Same, Only Different?
Jeff Walker, Booz Allen Hamilton
Environment, Energy Security & Sustainability Symposium, May 2011
1 Fluency in Risk Management?
2 Introduction
- Documents
  - Risk Management Guide for DoD Acquisition
  - MIL-STD-882D, DoD Standard Practice for System Safety
  - ANSI-GEIA-STD-0010, Standard Best Practices for System Safety Program Development and Execution
  - ISO 31000, Risk management: Principles and guidelines
- Approaches
- Terminology
- Application
3 Risk Management Guide for DoD Acquisition: Background
- Responsibility of the Deputy Assistant Secretary of Defense, Systems Engineering (DASD(SE)), August 2006
- The purpose of addressing risk on programs is to help ensure program cost, schedule, and performance objectives are achieved at every stage in the life cycle
- The purpose of this guide is to assist DoD and contractor Program Managers (PMs) in effectively managing program risks during the entire acquisition process, including sustainment
- Refers the reader to MIL-STD-882D, Standard Practice for System Safety, for guidance regarding Environment, Safety, and Occupational Health (ESOH) hazards
- Risk management is a fundamental program management tool for effectively managing future uncertainties associated with system acquisition
4 Risk Management Guide for DoD Acquisition: Approach
- Risk Management Process
- Risk Reporting Matrix
5 Risk Management Guide for DoD Acquisition: Terminology
- Risk components:
  - A future root cause (yet to happen), which, if eliminated or corrected, would prevent a potential consequence from occurring
  - A probability (or likelihood), assessed at the present time, of that future root cause occurring
  - The consequence (or effect) of that future occurrence
- Application: Programmatic risk
- Once a root cause has occurred, it becomes an issue and is handled separately
6 MIL-STD-882D, DoD Standard Practice for System Safety: Background
- Air Force Materiel Command/System Safety Office is Preparing Activity, February 2000; currently being updated
- Delineates the minimum mandatory requirements for an acceptable system safety program for any DoD system
- Mandated by DoD Instruction 5000.02
- An approach useful in development, test, production, use, and disposal of DoD systems, subsystems, equipment, and facilities
- Consistent means of evaluating identified mishap risks
- Risk mitigations must consider total life cycle cost in any decision
- Residual mishap risk associated with an individual system must be reported to and accepted by the appropriate authority as defined in DoD
7 MIL-STD-882D, DoD Standard Practice for System Safety: Approach
- Risk Reporting Matrix
- Risk Management Process
  1. Documentation of the system safety approach
  2. Identification of hazards
  3. Assessment of mishap risk
  4. Identification of mishap risk mitigation measures
  5. Reduction of mishap risk to an acceptable level
  6. Verification of mishap risk reduction
  7. Review of hazards and acceptance of residual mishap risk by the appropriate authority
  8. Tracking of hazards and residual mishap risk
8 MIL-STD-882D, DoD Standard Practice for System Safety

Mishap Risk Assessment Value (columns: HAZARD SEVERITY CATEGORIES):

| PROBABILITY OF OCCURRENCE | 1 CATASTROPHIC | 2 CRITICAL | 3 MARGINAL | 4 NEGLIGIBLE |
|---|---|---|---|---|
| A - FREQUENT | 1 | 3 | 7 | 13 |
| B - PROBABLE | 2 | 5 | 9 | 16 |
| C - OCCASIONAL | 4 | 6 | 11 | 18 |
| D - REMOTE | 8 | 10 | 14 | 19 |
| E - IMPROBABLE | 12 | 15 | 17 | 20 |

Mishap Risk Category & Acceptance Authority:

| Mishap Risk Assessment Value | Mishap Risk Category | Acceptance Authority |
|---|---|---|
| 1-5 | HIGH | Acceptance of Risk by the Component Acquisition Executive |
| 6-9 | SERIOUS | Acceptance of Risk by the Program Executive Officer |
| 10-17 | MEDIUM | Acceptance of Risk Project Manager |
| 18-20 | LOW | Acceptance of Risk Project Manager |
9 MIL-STD-882D, DoD Standard Practice for System Safety: Terminology
- Risk components: Hazard? Mishap
- Application: Environment, safety, and occupational health risks
10 ANSI-GEIA-STD-0010, Standard Best Practices for System Safety Program Development and Execution: Background
- Developed by the G-48 (TechAmerica), February 2009
- Began as a draft update of MIL-STD-882D
- Intended enhancements
  - Clarify basic elements of system safety program and the process flow
  - Modernize the document and its tools to bring them abreast of contemporary best practice
  - Introduce the concept of risk summation
- Parallel path to prepare a non-military system safety standard independent of MIL-STD-882
- Demonstrates risk matrix tailoring through examples
11 ANSI-GEIA-STD-0010, Standard Best Practices for System Safety Program Development and Execution: Approach
- Risk Reporting Matrix
  - Appendix offers seven examples to demonstrate the spectrum of risk matrix options tailored to the system
- Risk Management Process
  - Program Initiation
  - Hazard Identification and Tracking
  - Risk Assessment
  - Risk Reduction
  - Risk Acceptance
12 ANSI-GEIA-STD-0010, Standard Best Practices for System Safety Program Development and Execution: Terminology
- Risk components:
  - Source
  - Mechanism
  - Outcome
- Application: System safety risk and ESOH risk
13 ISO 31000, Risk management: Principles and guidelines: Background
- Developed by the ISO Working Group on Risk Management, November 2009
- Companion document: ISO Guide 73, Risk Management Vocabulary
- Provides principles, framework and a process for managing any form of risk
- Can be applied to any public, private or community enterprise, association, group or individual
- Risk management framework as an integral component of management system
- Assists organizations in developing their own approach to management of risk, but is not a certification standard
- Provides an internationally recognized benchmark, providing sound principles for effective management
- ISO Guide 73 will further ensure that all organizations are on the same page when talking about risk
14 ISO 31000, Risk management: Principles and guidelines: Approach
- Risk Reporting Matrix
  - No matrix offered, but definition included in Guide 73
- Risk Management Process
  - Develop framework
  - Communication and Consultation
  - Establish the Context
  - Risk Assessment
  - Risk Treatment
  - Monitoring and review
  - Recording the Risk Management Process
15 ISO 31000, Risk management: Principles and guidelines: Terminology
- ISO Guide 73, Risk Management Vocabulary
- Risk components:
  - Sources
  - Causes
  - Events
- Application: Establishes principles, framework, and process for any system
16 Comparison

| | DoD Risk Guide | MIL-STD-882D | ANSI-GEIA-0010 | ISO 31000 |
|---|---|---|---|---|
| Public/Private | Public | Public | Private | Private |
| Risk Type | Programmatic | ESOH | System Safety & ESOH | Any |
| Process Elements | 5 | 8 | 5 | 7 |
| Risk Matrix | 5x5, 3 Levels | 4x5, 4 Levels | Multiple | None |
| Applicability to Environmental Issues | Yes | Yes | Yes | Yes |
17 Comparison: Risk Management Processes
- MIL-STD-882D: 1. Document approach; 2. Identify hazards; 3. Assess Risk; 4. Identify Mitigations; 5. Reduce Risk; 6. Verify Risk Reduction; 7. Risk Acceptance; 8. Track Residual Risk
- DoD Risk Guide: Risk Identification; Risk Analysis; Risk Mitigation Planning; Risk Mitigation Plan Implementation; Risk Tracking
- ANSI-GEIA-0010: Program Initiation; Hazard Ident & Tracking; Risk Assessment; Risk Reduction; Risk Acceptance; See Above
- ISO 31000: Establish Framework, Comm & Consultation, Establish Context; Risk Assessment; Risk Treatment; Monitoring & Review, Recording the Process
18 Comparison: Risk Model

| MIL-STD-882D | DoD Risk Guide | ANSI-GEIA-0010 | ISO 31000 |
|---|---|---|---|
| Hazard | Future root cause | Source | Sources |
| Causal Factor? | Probability of future root cause | Mechanism | Causes |
| Mishap | Consequence or effect | Outcome | Events |
19 Conclusion
- More is similar than different; all drive risk decisions
- Terminology, scope and order of presentation may vary, but all risk management models are essentially the same
  - Establish a repeatable, documented structure
  - Identify Risks
  - Evaluate Risks
  - Develop Mitigations
  - Verify Mitigations
  - Accept Risk
- Environmental engineer should be undaunted in translating findings between methodologies