Risk Management Tools
Definition: Risk management tools support the implementation and execution of program risk management in systems engineering programs.
Keywords: risk analysis tools, risk management tools, risk tools
MITRE SE Roles & Expectations: MITRE systems engineers (SEs) working on government programs are expected to use risk analysis and management tools to support risk management efforts. MITRE systems engineers also are expected to understand the purpose, outputs, strengths, and limitations of the risk tool being used.
Risk analysis and management tools serve multiple purposes and come in many shapes and sizes. Some risk analysis and management tools include those used for:
- Strategic and Capability Risk Analysis—Focuses on identifying, analyzing, and prioritizing risks to achieve strategic goals, objectives, and capabilities.
- Threat Analysis—Focuses on identifying, analyzing, and prioritizing threats to minimize their impact on national security.
- Investment and Portfolio Risk Analysis—Focuses on identifying, analyzing, and prioritizing investments and possible alternatives based on risk.
- Program Risk Management—Focuses on identifying, analyzing, prioritizing, and managing risks to eliminate or minimize their impact on a program's objectives and probability of success.
- Cost Risk Analysis—Focuses on quantifying how technological and economic risks may affect a system's cost. Applies probability methods to model, measure, and manage risk in the cost of engineering advanced systems.
Each specialized risk analysis and management area has developed tools to support its objectives with various levels of maturity. This article focuses on tools that support the implementation and execution of program risk management.
Selecting the Right Tool
It is important that the organization defines the risk analysis and management process before selecting a tool. Ultimately, the tool must support the process. Below are criteria to consider when selecting a risk analysis and management tool:
- Aligned to risk analysis objectives—Does the tool support the analysis that the organization is trying to accomplish? Is the organization attempting to implement an ongoing risk management process or conduct a one-time risk analysis?
- Supports decision making—Does the tool provide the necessary information to support decision making?
- Accessibility—Is the tool accessible to all users and key stakeholders? Can the tool be located/hosted where all necessary personnel can access it?
- Availability of data—Is data available for the tool's analysis?
- Level of detail—Is the tool detailed enough to support decision making?
- Integration with other program management/system engineering processes—Does the tool support integration with other program management/system engineering processes?
Program Risk Management Tools
In program risk management, it is important to select a tool that supports the risk management process steps outlined in Figure 1. Refer to the other articles in the Risk Management topic area of this guide for additional information on each of the process steps. Many tools are available that support the implementation of program risk management. Many tools also can be used to support the management of project, enterprise, and system-of-systems risks.
MITRE Developed Tools
RiskNAV® is a well-tested tool developed by MITRE to facilitate the risk process and help program managers handle their risk space. RiskNav lets you collect, analyze, prioritize, monitor, and visualize risk information in a collaborative fashion. This tool provides three dimensions of information graphicallyrisk priority, probability, and mitigation/management status.
RiskNav, originally produced for the U.S. government, is designed to capture, analyze, and display risks at a project or enterprise level. RiskNav is currently deployed throughout numerous and MITRE sponsors or clients.
Since January 2005, the Technology Transfer Office at MITRE has licensed RiskNav technology to commercial companies. Current licensees include KEYW Corporation (Risk Mitigation Tool) and NMR Consulting. The Technology Transfer Office will support the tool for contractor and other government acquisition, and will ensure that proper licensing forms are obtained and signed by new users. There is no cost for government usage. This formal procedure is not needed if MITRE is hosting a risk management effort.
RiskNav presents the risk space in tabular and graphical form. The tabular form, shown below, presents key information for each risk, and allows the risk space to be filtered and sorted to focus on the most important risks. The information in the tables and figures is artificial and for illustrative purposes only. It does not represent real programs, past or present.
RiskNav uses a weighted average model that computes an overall score for each identified risk. The risk priority is a weighted average of the timeframe (how soon the risk will occur), probability of occurrence, and impact (cost, schedule, technical). This score provides a rank order of the risks from most critical to least critical. Formally, this scoring model originates from the concept of linear utility, where more important risks get higher numbers, and the gaps between the numbers correspond to the relative strengths of the differences.
In graphical form, RiskNav represents three key aspects of each risk in the risk spacerisk priority, probability, and the mitigation/management status. The data points represent risks, and the color of a box indicates the status of the mitigation action (White: no plan; Red: plan not working; Yellow: may not work; Green: most likely successful; Blue: completed successfully; Black: actions will start at a later date). Data points can be selected to show detailed risk information about the analysis, who is working the management actions, the status, and other information.
RiskNav also displays a 5x5 frequency chart showing the number of risks in each square of a 5x5 matrix of probability versus consequence ranges. The Red cells contain the highest priority risks. The Yellow and Green cells contain medium and low priority risks, respectively. RiskNav incorporates an administrative capability that allows the chart's probability and consequence ranges to be customized. Clicking on a cell provides a detailed list of the risks in that cell. The All Red, All Yellow, and All Green icons at the top of the chart can be used to list risks in all cells of a particular color.
Acquiring and Installing RiskNav
RiskNav is a Web application that runs on a personal computer (PC) server, which can concurrently be used as a client. Once installed, it is intended to run using Internet Explorer as the browser.
Because RiskNav is a Web application, its installation requires more experience than simply installing a normal executable. A detailed installation guide is available to assist in the installation process. However, it is assumed that the installer has expertise installing and configuring Windows Web-based software. To obtain more information about RiskNav, please email firstname.lastname@example.org.
Risk Matrix is a software application that can help identify, prioritize, and manage key risks on a program. MITRE created it a few years ago to support a risk assessment process developed by a MITRE DoD client. MITRE and the client have expanded and improved the original process, creating the Baseline Risk Assessment Process. Although the process and application were developed for use by a specific client, these principles can be applied to most government acquisition projects.
Risk Matrix (as well as more information on RiskNav and Risk Radar) is available in the Systems Engineering Practice Office (SEPO) Risk Management Toolkit. Although Risk Matrix is available for public release, support is limited to downloadable online documentation.
Many commercial tools are available to support program risk management efforts. Risk management tools most commonly used by the government are:
Both tools are Web-based applications that support all steps in the risk management process.
Government programs sometimes implement a combined government/contractor risk management process that utilizes tools provided by the contractor. Multiple major government contractors have developed in-house risk management applications. Many applications are comparable to MITRE and commercial tools available, and effectively support program risk management.
Many smaller programs utilize Microsoft Excel or Access customized risk management tools. Some customized solutions meet the tool selection criteria outlined above. This is important when considering a customized solution that meets the need of the program being supported.
Best Practices and Lessons Learned
- Fit the tool to the process or assessment needed.
There are many types of risk analysis and management tools available, including ones for financial analysis, cost-risk uncertainty, and traditional program management. Understand the need of the program, reporting, analysis (e.g., ability to modify risk impact scales to reflect the need), and accessibility (e.g., multiple user environment), before selecting a tool. Do not let the tool drive the process.
- Change the tool if it does not support decision-making and the process.
As the risk process matures and reporting needs evolve, it is important to change the risk management tool used to support this changed environment.
The following could warrant a change in the risk management tool:
- New reporting requirements—It is best to use a tool that matches reporting requirements.
- Increase in level of mitigation detail needed—Some tools capture only high-level mitigation plans, whereas others capture detailed plans with action steps and statuses.
- Team capacity unable to support tool—If the tool is too burdensome, it is important to examine ways to streamline its use or change to another tool that better supports the program's environment.
- Maximize access to the tool.
It is important that the widest cross-section of the team has access to the tool and is responsible for updates. This ensures distribution of workload and ownership, and prevents bottlenecks in the process.
References & Resources
- Garvey, P.R., 2008, Analytical Methods for Risk Management: A Systems Engineering Perspective, Chapman-Hall/CRC-Press, Taylor & Francis Group (UK), Boca Raton, London, New York, ISBN: 1584886374.
Additional References & Resources
MITRE E520 Risk Analysis and Management Technical Team, "Risk Analysis and Management Tools."
Garvey, P.R., January 2000, Probability Methods for Cost Uncertainty Analysis: A Systems Engineering Perspective, Chapman-Hall/CRC Press, Taylor & Francis Group (UK), Boca Raton, London, New York, ISBN: 0824789660.
"Risk Process Guidance," SEPO Risk Management Toolkit.
1 RiskNav is a registered trademark of The MITRE Corporation.