Systems Engineering Guide: An Introduction to Risk Management

About MITRE’s Systems Engineering Guide

Originally published in 2013, MITRE’s Systems Engineering Guide (SEG) was developed by systems engineers for systems engineers. It brought together the collective wisdom of some of the most highly regarded systems engineers at MITRE. It was designed to reflect MITRE's brand of systems engineering as a provider of federally funded research and development center (FFRDC) expertise to our government sponsors.

The text was written as if the author is speaking directly to a MITRE technical staff member involved in an FFRDC-related systems engineering activity on a government program.

Processes and technology have changed since 2013, particularly in the digital realm. We believe that our risk management guidance, as presented in the original Systems Engineering Guide, offers principles still useful today. The collection below consists of this introduction and five related articles.

Download Resources

Risk Management: Context

Risk management lies at the intersection of project functions performed by the systems engineer and the project manager. Historically, risk management focused more on management elements such as schedule and cost, and less on technical risks for well-defined or smaller projects. 

However, larger and more complex projects and environments have increased the uncertainty for the technical aspects of many projects. To increase the likelihood of successful project and program outcomes, the systems engineer and project manager must be actively involved in all aspects of risk management.

A substantial body of knowledge has developed around risk management. In general, risk management includes development of a risk management approach and plan, identification of components of the risk management process, and guidance on activities, effective practices, and tools for executing each component. 

View related articles below.

 

Risk Identification

Risk identification is the critical first step of the risk management process. Its objective is the early and continuous identification of risks, including those within and external to the engineering system project.

Risk Management Approach and Plan

The second step in risk management identifies and avoids the potential cost, schedule, and performance/technical risks to a system, takes a proactive and structured approach to manage negative outcomes, responds to them if they occur, and identifies potential opportunities that may be hidden in the situation.

Risk Impact Assessment and Prioritization

Risk impact assessment and prioritization involves the overall set of identified risk events, their impact assessments, and their occurrence probabilities, which are "processed" to derive a most critical to least critical rank-order of identified risks. A major purpose for prioritizing risks is to form a basis for allocating critical resources.

Risk Mitigation Planning, Implementation, and Progress Monitoring

These fourth and fifth steps involve the development of mitigation plans designed to manage, eliminate, or reduce risk to an acceptable level. Once a plan is implemented, it is continually monitored to assess its efficacy with the intent to revise the course-of-action, if needed.

Selecting Risk Management Tools

Risk management tools support the implementation and execution of program risk management in systems engineering programs. In selecting the appropriate tools, the project team considers factors such as program complexity and available resources.

Risk identification is the critical first step of the risk management process. Its objective is the early and continuous identification of risks, including those within and external to the engineering system project.

The second step in risk management identifies and avoids the potential cost, schedule, and performance/technical risks to a system, takes a proactive and structured approach to manage negative outcomes, responds to them if they occur, and identifies potential opportunities that may be hidden in the situation.

Risk impact assessment and prioritization involves the overall set of identified risk events, their impact assessments, and their occurrence probabilities, which are "processed" to derive a most critical to least critical rank-order of identified risks. A major purpose for prioritizing risks is to form a basis for allocating critical resources.

These fourth and fifth steps involve the development of mitigation plans designed to manage, eliminate, or reduce risk to an acceptable level. Once a plan is implemented, it is continually monitored to assess its efficacy with the intent to revise the course-of-action, if needed.

Risk management tools support the implementation and execution of program risk management in systems engineering programs. In selecting the appropriate tools, the project team considers factors such as program complexity and available resources.

MITRE Systems Engineering Roles & Expectations

MITRE systems engineers (SEs) working on engineering systems are expected to propose, influence, and often design the risk management approach that enables risk informed trade-offs and decisions to be made throughout a system's evolution. They are expected to identify, analyze, and prioritize risks based on impact, probabilities, dependencies, timeframes, and unknowns. They are expected to prepare and monitor risk mitigation plans and strategies, conduct reviews, and elevate important risks.

Risk Management Principles

MITRE systems engineers supporting government customers in risk management activities have observed the following elements common to the Department of Defense (DoD) and civilian environments.

Risk Management Is Fundamental

An event is uncertain if there is indefiniteness about its outcome. Risk management acknowledges the concept of uncertainty, which includes risks (unfavorable outcomes) and opportunities (favorable outcomes). Risk management is a formal and disciplined practice for addressing risk. In many ways, it is indistinguishable from program management. It includes identifying risks, assessing their probabilities and consequences, developing management strategies, and monitoring their state to maintain situational awareness of changes in potential threats.

Every Project Involves Risk

Every project is a temporary endeavor undertaken to provide a unique result; it is an undertaking that has not been done before. Therefore, all projects involve some level of risk, even if similar projects have been completed successfully.

Risk and Opportunity Must Be Balanced

Risk and opportunity management deal with uncertainty that is present throughout the systems' life cycle. The objective is to achieve a proper balance between them, while recognizing one is not the complement of the other.

Typically, more risk and opportunity are involved in decisions that are made early in the project life cycle because those decisions have a more significant impact on project scope, cost, and schedule than those made later in the life cycle.

Risk Is Present in Complicated Relationships

Risk affects all aspects of engineering a system and can be present in complicated relationships among project goals. A system may be intended for technical accomplishments near the limits of engineering or the maturity of technology, leading to technical risks. System development may be deployed too early to meet an imminent threat, thus resulting in schedule risks. 

All systems have funding challenges, which lead to cost risks. Risk can be introduced by external threats, due to changing social, political, or economic landscapes.
 

Publications

MITRE's Systems Engineering Guide

The legacy edition of MITRE's Systems Engineering Guide, originally published in 2013, is available as a PDF. 

MITRE Labs

Systems Engineering innovation Center