Systems Engineering: Risk Impact Assessment and Prioritization   

Risk impact assessment is the process of assessing the probabilities and consequences of risk events if they are realized.

The critical third step in the risk management process is risk management assessment and prioritization. Other steps include:

Read an introduction to risk management to learn more about this collection of resources originally published in MITRE’s Systems Engineering Guide.

Risk Management Assessment and Prioritization: Context

Risk impact assessment and prioritization are the second and third steps of the risk management process.

MITRE SE Roles & Expectations: MITRE systems engineers (SEs) working on government programs are expected to analyze risks with respect to impact, probability, dependencies, and timeframes and to prioritize risks to facilitate decision making by the sponsor or customers.

Risk Impact Assessment in the Systems Engineering Program

In this step, the impact each risk event could have on the project is assessed. Typically, this assessment considers how the event could impact cost, schedule, or technical performance objectives. Impacts are not limited to these criteria, however; political or economic consequences may also need to be considered. The probability (chance) each risk event will occur is also assessed. This often involves the use of subjective probability assessment techniques, particularly if circumstances preclude a direct evaluation of the probability by objective methods (i.e., engineering analysis, modeling, and simulation). 

As part of the risk assessment, risk dependencies, interdependencies, and the timeframe of the potential impact (near-, mid-, or far-term) must be identified. 

When assessing risk, it is important to match the assessment impact to the decision framework. For program management, risks are typically assessed against cost, schedule, and technical performance targets. Some programs may also include oversight and compliance, or political impacts. Paul Garvey provides an extensive set of rating scales for making these multicriteria assessments, as well as ways to combine them into an overall measure of impact or consequence.

These scales provide a consistent basis for determining risk impact levels across cost, schedule, performance, and other criteria considered important to the project. Performing POET (Political, Operational, Economic, Technical) and/or SWOT (Strengths, Weaknesses, Opportunities, and Threats) assessments can help determine the drivers of the risks. 

For some programs or projects, the impacts of risk on enterprise or organizational goals and objectives are more meaningful to the managing organization. Risks are assessed against the potential negative impact on enterprise goals. Using risk management tools for the enterprise and its components can help with the consistency of risk determination. 

Depending on the criticality of a component to enterprise success (e.g., risk of using commercial communications to support a military operation and the impact of the enterprise to mission success, versus risk of using commercial communications for peacetime transportation of military equipment), the risks may be viewed differently at the enterprise level even when the solution sets are the same or similar.

One way management plans for engineering an enterprise is to create capability portfolios of technology programs and initiatives that, when synchronized, will deliver time-phased capabilities that advance enterprise goals and mission outcomes. A capability portfolio is a time-dynamic organizing construct to deliver capabilities across specified epochs; a capability can be defined as the ability to achieve an effect to a standard under specified conditions using multiple combinations of means and ways to perform a set of tasks.

With the introduction of capability management, defining the impact of risk on functional or capability objectives may provide valuable insights into what capability is at risk, and which risks could potentially significantly impact the ability to achieve a capability and/or impact multiple capability areas.

In portfolio management, a set of investments is administered based on an overall goal(s), timing, tolerance for risk, cost/price interdependencies, a budget, and changes in the relevant environment over time. These factors are generally applicable to the government acquisition environment. 

For portfolio risk assessment, investment decision, or analysis of alternatives tasks, using categories of risk area scales may be the most appropriate way to ensure each alternative or option has considered all areas of risk. Risk areas may include advocacy, funding, resources, schedule and cost estimate confidence, technical maturity, ability to meet technical performance, operational deployability, integration and interoperability, and complexity.

Scales are determined for each risk area, and each alternative is assessed against all categories. Risk assessment may also include operational consideration of threat and vulnerability. For cost-risk analysis, the determination of uncertainty bounds is the risk assessment.

When determining the appropriate risk assessment approach, it is important to consider the information need. 

Risk Prioritization in the Systems Engineering Program

In the risk prioritization step, the overall set of identified risk events, their impact assessments, and their probabilities of occurrences are "processed" to derive a most-to-least-critical rank-order of identified risks. A major purpose of prioritizing risks is to form a basis for allocating resources.

Multiple qualitative and quantitative techniques have been developed for risk impact assessment and prioritization. Qualitative techniques include analysis of probability and impact, developing a probability and impact matrix, risk categorization, risk frequency ranking (risks with multiple impacts), and risk urgency assessment. Quantitative techniques include weighting of cardinal risk assessments of consequence, probability, and timeframe; probability distributions; sensitivity analysis; expected monetary value analysis; and modeling and simulation.

MITRE has developed the min- and max-average approaches, which use a weighting scale that weights the max or min value more heavily. Expert judgment is involved in all of these techniques to identify potential impacts, define inputs, and interpret the data.
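The rank-ordering described in this section can be sketched in code. The following is an added example, not MITRE's published method or code from the original page: the 1-5 rating scale, the timeframe weights, the `max_weight` blend of worst-case and mean impact, and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed weights: nearer-term impacts rank higher at equal probability and impact.
TIMEFRAME_WEIGHT = {"near": 1.0, "mid": 0.8, "far": 0.6}

@dataclass
class Risk:
    name: str
    probability: float   # subjective or modeled chance of occurrence, 0..1
    impacts: dict        # criterion -> rating on an assumed 1..5 scale
    timeframe: str       # "near", "mid" or "far"

def combined_impact(impacts, max_weight):
    """Blend the worst rating with the mean rating across criteria.

    max_weight=0 is a plain average; values near 1 let one severe impact
    dominate. This blend is an illustrative assumption.
    """
    ratings = list(impacts.values())
    if not ratings or any(not 1 <= r <= 5 for r in ratings):
        raise ValueError("each risk needs ratings on the 1..5 scale")
    if not 0.0 <= max_weight <= 1.0:
        raise ValueError("max_weight must be in [0, 1]")
    mean = sum(ratings) / len(ratings)
    return max_weight * max(ratings) + (1.0 - max_weight) * mean

def risk_score(risk, max_weight=0.7):
    """Probability x combined impact x timeframe weight."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be in [0, 1]")
    return (risk.probability * combined_impact(risk.impacts, max_weight)
            * TIMEFRAME_WEIGHT[risk.timeframe])

def prioritize(risks, max_weight=0.7):
    """Most-to-least-critical order; ties broken by name for stable output."""
    return sorted(risks, key=lambda r: (-risk_score(r, max_weight), r.name))

# Constructed sample register (not from the original page).
REGISTER = [
    Risk("interface spec churn", 0.5, {"cost": 3, "schedule": 3, "technical": 3}, "near"),
    Risk("crypto module fails certification", 0.5, {"cost": 1, "schedule": 1, "technical": 5}, "near"),
    Risk("funding reduction", 0.4, {"cost": 4, "schedule": 4, "technical": 2}, "far"),
]

if __name__ == "__main__":
    for mw in (0.0, 0.7):
        print(mw, [(r.name, round(risk_score(r, mw), 2)) for r in prioritize(REGISTER, mw)])
```

With a plain average the uniformly moderate risk ranks first; weighting the maximum moves the risk with a single severe technical impact to the top, which is the effect a max-weighted scale is meant to capture.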

Best Practices and Lessons Learned

  • Tailor the assessment criteria to the decision or project. When assessing risks, recommend techniques and tools that are suitable for the analysis. For example, if the project is an enterprise management or organizational oversight project, then risk impact might be most suitably assessed against goals in lieu of technical performance, cost, and schedule. If the assessment is to determine the risk of investment options, the risk area scale approach might be best suited.  
  • Document the rationale for the assessment of impact and probability. It is important to document the justification or rationale for each risk impact assessment and probability of occurrence rating. If the conditions or environment change, the assessment might need to be revisited. The rationale helps to communicate the significance of the risk. When using the investment assessment scale approach, the statement of risk is typically captured in the rationale.
  • Recognize the role of systems engineering. Risk assessment and management are roles of systems engineering, especially as projects and programs become more complex and interdependent. The judgments that are involved require a breadth of knowledge of system characteristics and the constituent technologies beyond that of design specialists. In addition, the judgments of risk criticality are at the system and program levels. Risk cuts across the life cycle of systems engineering, and MITRE SEs should be prepared to address risk throughout concept and requirements satisfaction, architectural level risks, design and development risks, training risks, fielding, and environment risks. MITRE SEs are encouraged to advocate for SE involvement in risk assessment and management.
  • Tailor the prioritization approach to the decision or project. Match the prioritizing algorithm, techniques, and tools to the assessment need (e.g., needs could include time criticality as a prioritization factor, the ability to see capability at risk, the need for a single risk score for the portfolio, the ability to have insight into risks with multiple impacts, and more). Each risk area—threat, operations, programmatic, etc.—will have different priorities. Typically, there will be a priority to these areas themselves—a major threat risk could be totally unacceptable, and the effort may be abandoned. If the threat risks are acceptable but the operations cannot be effectively performed, then, again, the effort may be abandoned. Be sure to consider these various decisions and criticality to help the government assess the priorities of mitigating the risks that arise.
  • Consider Monte Carlo simulations. Monte Carlo simulations use probability distributions to assess the likelihood of achieving particular outcomes, such as cost or completion date. They have been used effectively on a number of MITRE government programs to help the project teams assess schedule risk.
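
A schedule-risk Monte Carlo run of the kind the last item describes, as an added example that is not from the original page or from a MITRE program: the task durations, the triangular distributions, the discrete risk event and the function names are all constructed assumptions.

```python
import random

# Constructed sample schedule: (task, optimistic, most likely, pessimistic) in days.
TASKS = [
    ("design review", 10, 12, 20),
    ("integration", 5, 6, 12),
    ("acceptance test", 8, 10, 18),
]
# Constructed discrete risk events: (name, probability of occurring, delay in days).
RISK_EVENTS = [("late hardware delivery", 0.3, 5)]

def simulate_schedule(tasks, risk_events, trials=5000, seed=1):
    """Return sorted total durations for tasks performed in sequence."""
    rng = random.Random(seed)  # fixed seed so a run can be reproduced
    totals = []
    for _ in range(trials):
        # Each task duration is drawn from a triangular distribution.
        total = sum(rng.triangular(lo, hi, mode) for _, lo, mode, hi in tasks)
        # Each risk event fires independently and adds its delay when it does.
        total += sum(delay for _, p, delay in risk_events if rng.random() < p)
        totals.append(total)
    totals.sort()
    return totals

def percentile(sorted_totals, pct):
    """Duration that pct percent of the simulated outcomes do not exceed."""
    idx = min(len(sorted_totals) - 1, int(len(sorted_totals) * pct / 100))
    return sorted_totals[idx]

def prob_on_time(sorted_totals, deadline):
    """Fraction of simulated outcomes finishing on or before the deadline."""
    return sum(t <= deadline for t in sorted_totals) / len(sorted_totals)

if __name__ == "__main__":
    totals = simulate_schedule(TASKS, RISK_EVENTS)
    plan = sum(mode for _, _, mode, _ in TASKS)  # sum of most-likely durations
    print(f"plan built from most-likely values: {plan} days")
    print(f"chance of meeting that plan: {prob_on_time(totals, plan):.1%}")
    print(f"50th / 80th percentile: {percentile(totals, 50):.1f} / {percentile(totals, 80):.1f} days")
```

Because the pessimistic tails are longer than the optimistic ones, a plan built from the most-likely durations is met in only a small share of trials; the percentile figures give a completion date with a stated confidence level instead.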

MITRE's Systems Engineering Guide

The legacy edition of MITRE's Systems Engineering Guide, originally published in 2013, is available as a PDF.

