Risk Management Tools

Definition: Risk management tools support the implementation and execution of program risk management in systems engineering programs.

Keywords: risk analysis tools, risk management tools, risk tools

MITRE SE Roles and Expectations: MITRE systems engineers (SEs) working on government programs are expected to use risk analysis and management tools to support risk management efforts. MITRE SEs also are expected to understand the purpose, outputs, strengths, and limitations of the risk tool being used.


Risk analysis and management tools serve multiple purposes and come in many shapes and sizes. Some risk analysis and management tools include those used for:

  • Strategic and Capability Risk Analysis: Focuses on identifying, analyzing, and prioritizing risks to achieve strategic goals, objectives, and capabilities.
  • Threat Analysis: Focuses on identifying, analyzing, and prioritizing threats to minimize their impact on national security.
  • Investment and Portfolio Risk Analysis: Focuses on identifying, analyzing, and prioritizing investments and possible alternatives based on risk.
  • Program Risk Management: Focuses on identifying, analyzing, prioritizing, and managing risks to eliminate or minimize their impact on a program's objectives and probability of success.
  • Cost Risk Analysis: Focuses on quantifying how technological and economic risks may affect a system's cost. Applies probability methods to model, measure, and manage risk in the cost of engineering advanced systems.

Each specialized risk analysis and management area has developed tools to support its objectives with various levels of maturity. This article focuses on tools that support the implementation and execution of program risk management.

Selecting the Right Tool

It is important that the organization define the risk analysis and management process before selecting a tool. Ultimately, the tool must support the process. When selecting a risk analysis and management tool, consider these criteria:

  • Aligned to risk analysis objectives: Does the tool support the analysis that the organization is trying to accomplish? Is the organization attempting to implement an ongoing risk management process or conduct a one-time risk analysis?
  • Supports decision making: Does the tool provide the necessary information to support decision making?
  • Accessibility: Is the tool accessible to all users and key stakeholders? Can the tool be located/hosted where all necessary personnel can access it?
  • Availability of data: Is data available for the tool's analysis?
  • Level of detail: Is the tool detailed enough to support decision making?
  • Integration with other program management / systems engineering processes: Does the tool support integration with other program management / systems engineering processes?

Program Risk Management Tools

In program risk management, it is important to select a tool that supports the risk management process steps outlined in Figure 1 in the SEG's Risk Management topic article. The other articles in this topic area provide additional information on each of the process steps. Many tools that support the implementation of program risk management are available. Many tools also can be used to support the management of project, enterprise, and system-of-systems risks.

MITRE-Developed Tools


RiskNAV® (RiskNav is a registered trademark of The MITRE Corporation) is a well-tested tool developed by MITRE to facilitate the risk process and help program managers handle their risk space. RiskNav lets you collect, analyze, prioritize, monitor, and visualize risk information in a collaborative fashion. This tool provides three dimensions of information graphically: risk priority, probability, and mitigation/management status.

RiskNav, originally produced for the U.S. government, is designed to capture, analyze, and display risks at a project or enterprise level. RiskNav is currently deployed throughout numerous and MITRE sponsors.

Since January 2005, the Technology Transfer Office at MITRE has licensed RiskNav technology to commercial companies. Current licensees include KEYW Corporation (Risk Mitigation Tool) and NMR Consulting. The Technology Transfer Office will support the tool for contractor and other government acquisition and will ensure that proper licensing forms are obtained and signed by new users. There is no cost for government usage. This formal procedure is not needed if MITRE is hosting a risk management effort.

RiskNav presents the risk space in tabular and graphical form. The tabular form, shown in Table 1, presents key information for each risk and allows the risk space to be filtered and sorted to focus on the most important risks. The information in the tables and figures is artificial and for illustrative purposes only. It does not represent real programs, past or present.

Risk Space:   <All Risks>

Risk List | Reports

Risk Space Filters:      Edit  |  Defaults         Default Filters     Sort Field: Priority

Show Details   |   Hide Categories

Risk ID




5X5 color


Mitigation status

Impact date

Risk manager

MGT.001 Description


Organizational interfaces



High/0.89 Analysis

White (No plan) Mitigation

16 Sep 2008


OOPS.003 Description


Ground sampling collection and analysis

Operational; subsystem; technical


Issue/0.84 Analysis

Green Mitigation

19 Jul 2008

Landes, Maxine

SE.016 Description

Proposed or pending review

Technology readiness for science payload Cis

Programmatic; technical


High/0.81 Analysis

Red Mitigation

16 Nov 2008

Landes, Maxine

PROG.001 Description

Open or needs review

Stakeholder and mission partner complexity



High/0.79 Analysis

Red Mitigation

02 Oct 2008

Landes, Maxine

OPS.006 Description


Balloon inflation

Operational; subsystem


High/0.75 Analysis

Yellow Mitigation

07 Jul 2008

Ramirez, Diego

MGT.002 Description





High/0.74 Analysis

White (No status) Mitigation

28 Aug 2008

Santos, Andrea

MGT.003 Description






White (No plan) Mitigation

27 Jul 2008


Table 1. RiskNav Summaries of Key Risk Information

RiskNav uses a weighted average model (Table 2) that computes an overall score for each identified risk. The risk priority is a weighted average of the timeframe (how soon the risk will occur), probability of occurrence, and impact (cost, schedule, technical). This score provides a rank order of the risks from most critical to least critical. Formally, this scoring model originates from the concept of linear utility, where more important risks get higher numbers, and the gaps between the numbers correspond to the relative strengths of the differences.

Risk Analysis Inputs

Computed Risk Scores

Impact Date:

16 Sep 2008

Risk Timeframe:

Short-term / 0.99


High / 0.90

Overall Risk Impact:

High / 0.79

Cost Impact Rating:

High / 0.83

Risk Consequence:

High / 0.89

Schedule Impact Rating:

High / 0.83

Risk Priority:

High / 0.89

Technical Impact Rating:

High / 0.65

Risk Ranking: (Ranks “open” risks with priority > 0)

Compliance & Oversight Impact Rating:

High / 0.83

Rank in Program:

1 of 17



Rank in Organization:

1 of 4



Rank in Project:

1 of 2

Table 2. RiskNav Uses a Scoring Model to Prioritize Risks

In graphical form (Figure 1), RiskNav represents three key aspects of each risk in the risk space—risk priority, probability, and the mitigation/management status. The data points represent risks, and the color of a box indicates the status of the mitigation action (White: no plan; Red: plan not working; Yellow: may not work; Green: most likely successful; Blue: completed successfully; Black: actions will start at a later date). Data points can be selected to show detailed risk information about the analysis, who is working the management actions, the status, and other information.

Figure 1. RiskNav Visualizes the Risk Space Showing Risk Priority and Mitigation Status

RiskNav also displays a 5x5 frequency chart (Figure 2) showing the number of risks in each square of a 5x5 matrix of probability versus consequence ranges. The Red cells contain the highest priority risks. The Yellow and Green cells contain medium and low priority risks, respectively. RiskNav incorporates an administrative capability that allows the chart's probability and consequence ranges to be customized. Clicking on a cell provides a detailed list of the risks in that cell. The All Red, All Yellow, and All Green icons at the top of the chart can be used to list risks in all cells of a particular color.

Figure 2. 5x5 Frequency Chart to Identify High-Priority Risks

MITRE transferred the RiskNav technology to two licensee companies: NMR Consulting, Inc. and KEYW (formerly Sycamore US). Each company has a commercial product based on RiskNav available (Highwire and RMT, respectively).

You can find information on their products at:

Risk Matrix

Risk Matrix is a software application that can help identify, prioritize, and manage key risks on a program. MITRE created it to support a risk assessment process developed by a MITRE DoD sponsor. MITRE and the sponsor have expanded and improved the original process, creating the Baseline Risk Assessment Process. Although the process and application were developed for use by a specific sponsor, these principles can be applied to most government acquisition projects. (See Figure 3.)

Figure 3. Screenshot of Risk Matrix

Risk Matrix (as well as more information on RiskNav and Risk Radar) is available in the Systems Engineering Practice Office (SEPO) Risk Management Toolkit. Although Risk Matrix is available for public release, support is limited to downloadable online documentation.

Commercial Tools

Many commercial tools are available to support program risk management efforts. The government most commonly uses these risk management tools:

Both tools are web-based applications that support all steps in the risk management process.

Contractor Tools

Government programs sometimes implement a combined government/contractor risk management process that uses tools provided by the contractor. Multiple major government contractors have developed in-house risk management applications. Many applications are comparable to available MITRE and commercial tools and effectively support program risk management.

Customized Tools

Many smaller programs use Microsoft Excel or Access customized risk management tools. Some customized solutions meet the tool selection criteria outlined earlier. This is important when considering a customized solution that meets the needs of the program being supported.

Best Practices and Lessons Learned

Fit the tool to the process or assessment needed. Many types of risk analysis and management tools are available, including ones for financial analysis, cost-risk uncertainty, and traditional program management. Understand the need of the program, reporting, analysis (e.g., ability to modify risk impact scales to reflect the need), and accessibility (e.g., multiple user environment) before selecting a tool. Do not let the tool drive the process.

Change the tool if it does not support decision making and the process. As the risk process matures and reporting needs evolve, it is important to change the risk management tool used to support the changed environment. The following circumstances could warrant a change in the risk management tool:

  • New reporting requirements. It is best to use a tool that matches reporting requirements.
  • Increase in level of mitigation detail needed. Some tools capture only high-level mitigation plans, whereas others capture detailed plans with action steps and statuses.
  • Team capacity unable to support tool. If the tool is too burdensome, it is important to examine ways to streamline its use or change to another tool that better supports the program's environment.

Maximize access to the tool. It is important that the widest cross-section of the team have access to the tool and is responsible for updates. This ensures distribution of workload and ownership and prevents bottlenecks in the process.

References and Resources

  1. Garvey, P. R., 2008, Analytical Methods for Risk Management: A Systems Engineering Perspective, Chapman-Hall/CRC-Press, Taylor & Francis Group (UK), Boca Raton, London, New York, ISBN: 1584886374.

Additional References and Resources

Garvey, P. R., January 2000, Probability Methods for Cost Uncertainty Analysis: A Systems Engineering Perspective, Chapman-Hall/CRC Press, Taylor & Francis Group (UK), Boca Raton, London, New York, ISBN: 0824789660.

"Risk Process Guidance," SEPO Risk Management Toolkit.


Download the SEG

MITRE's Systems Engineering Guide

Download for EPUB
Download for Amazon Kindle
Download a PDF

Contact the SEG Team