Systems Engineering: Selecting Risk Management Tools  

Selecting risk management tools is the critical final step in the risk management process, which also includes:

• Risk Identification
• Risk Management Approach and Plan
• Risk Impact Assessment and Prioritization
• Risk Mitigation Planning, Implementation, and Progress Monitoring
• Selecting Risk Management Tools

Read an introduction to risk management to learn more about this collection of resources originally published in MITRE’s Systems Engineering Guide.

Selecting Risk Management Tools: Context

Risk analysis and management tools serve multiple purposes and come in many shapes and sizes. Some risk analysis and management tools include those used for:

• Strategic and Capability Risk Analysis: Focuses on identifying, analyzing, and prioritizing risks to achieve strategic goals, objectives, and capabilities.
• Threat Analysis: Focuses on identifying, analyzing, and prioritizing threats to minimize their impact on national security.
• Investment and Portfolio Risk Analysis: Focuses on identifying, analyzing, and prioritizing investments and possible alternatives based on risk.
• Program Risk Management: Focuses on identifying, analyzing, prioritizing, and managing risks to eliminate or minimize their impact on a program's objectives and probability of success.
• Cost Risk Analysis: Focuses on quantifying how technological and economic risks may affect a system's cost. Applies probability methods to model, measure, and manage risk in the cost of engineering advanced systems.

Each specialized risk analysis and management area has developed tools to support its objectives with various levels of maturity. This article focuses on tools that support the implementation and execution of program risk management.

MITRE SE Roles and Expectations: MITRE systems engineers (SEs) working on government programs are expected to use risk analysis and management tools to support risk management efforts. MITRE SEs also are expected to understand the purpose, outputs, strengths, and limitations of the risk tool being used.

Selecting the Right Tool

It is important that the organization define the risk analysis and management process before selecting a tool. Ultimately, the tool must support the process. When selecting a risk analysis and management tool, consider these criteria:

• Aligned to risk analysis objectives: Does the tool support the analysis that the organization is trying to accomplish? Is the organization attempting to implement an ongoing risk management process or conduct a one-time risk analysis?
• Supports decision making: Does the tool provide the necessary information to support decision making?
• Accessibility: Is the tool accessible to all users and key stakeholders? Can the tool be located/hosted where all necessary personnel can access it?
• Availability of data: Is data available for the tool's analysis?
• Level of detail: Is the tool detailed enough to support decision making?
• Integration with other program management/systems engineering processes: Does the tool support integration with other program management/systems engineering processes?

In program risk management, it is important to select a tool that supports the risk management process steps outlined in these articles. The other articles in this topic area provide additional information on each of the process steps. Many tools that support the implementation of program risk management are available. Many tools also can be used to support the management of project, enterprise, and system-of-systems risks.

Best Practices and Lessons Learned

• Fit the tool to the process or assessment needed. Many types of risk analysis and management tools are available, including ones for financial analysis, cost-risk uncertainty, and traditional program management. Understand the need of the program, reporting, analysis (e.g., ability to modify risk impact scales to reflect the need), and accessibility (e.g., multiple user environment) before selecting a tool. Do not let the tool drive the process.
• Change the tool if it does not support decision making and the process. As the risk process matures and reporting needs evolve, it is important to change the risk management tool used to support the changed environment. The following circumstances could warrant a change in the risk management tool:
  • New reporting requirements. It is best to use a tool that matches reporting requirements.
  • Increase in level of mitigation detail needed. Some tools capture only high-level mitigation plans, whereas others capture detailed plans with action steps and statuses.
  • Team capacity unable to support the tool. If the tool is too burdensome, it is important to examine ways to streamline its use or change to another tool that better supports the program's environment.
• Maximize access to the tool. It is important that the widest cross-section of the team has access to the tool and is responsible for updates. This ensures distribution of workload and ownership and prevents bottlenecks in the process.