Program Risk Management

Definition

Program risk management is the risk management subactivity consisting of the cohesive collection of all tasks that are primarily performed to lower a program’s significant risks to acceptable levels.

Goals

The typical goals of program risk management are to:

• Reduce program risks to acceptable levels.

Objectives

The typical objectives of program risk management are to:

• Identify and understand the major risks to the program.
• Avoid the risks that can be avoided.
• Mitigate the impact of risks that cannot be avoided.

Examples

Typical examples of program risk management include the management of risks on a:

• Small, simple, low-criticality program.
• Large, complex, distributed, business-critical program.

Preconditions

Program risk management typically may begin when the following conditions hold:

• The program is started.
• The program team are:
  • Initially staffed.
  • Adequately trained in risk management.

Completion Criteria

Program risk management is typically complete when the following postconditions hold:

• The program is retired.

Tasks

Program risk management typically involves the following teams performing the following tasks in an iterative, incremental, parallel, and time-boxed manner:

• The program team, which performs:
  • Risk Analysis
  • Risk Control
  • Risk Identification
  • Risk Management Planning
  • Risk Monitoring

Environments

Program risk management is typically performed using the following environment(s) and associated tools:

• TBD
  • Risk management tool

Work Products

Program risk management typically results in the production of all or part of the following work products:

• Risk Management Plan
• Risk Analysis
• Risk Monitoring Report

Phases

Program risk management tasks are typically performed during the following phases:

Guidelines

• The importance of a risk is the product of its probability and its impact.
• It is typically better to avoid a risk that to mitigate its damage once it has occured.
• Risks can be divided into the following categories:
  • Business Risks:
    • Requirements Scope Creep
    • Changing Market Pressures
    • Loss of Market Share
    • Bad Public Relations
    • Loss of Life or Property
    • Litigation
  • Financial Risks:
    • Cost Overrun
    • Inadequate Cost Estimates
  • Resource Risks:
    • Inadequate Staffing
    • Inadequately Trained Staff
    • Inadequate Staff Productivity
    • Inadequate Development Tools
  • Schedule Risks:
    • Unrealistic Schedule
    • Inadequate Schedule Estimates
    • Upgrades to COTS components and tools not available when promised (vaporware)
    • Excessive Time To Market
  • Technical Risks:
    • The program will not provide all required functionality.
    • The program’s transactions will not be auditable.
    • The program will not adequately support internationalization.
    • The program will not provide personalization.
    • The program will contain excessive defects.
    • The program’s outputs will be inadequately accurate or precise.
  • This activity is documented using the typical configuration for large projects. It is intended to be configured (i.e., instantiated, extended, and tailored) to meet the needs of specific projects.
  • The preconditions of this activity should be the union of the preconditions of its constituent tasks.
  • The completion criteria for this activity should be the union of the postconditions of its constituent tasks.