Risk Management Plan for the Ocean Observatories Initiative

Transcription

1 Risk Management Plan for the Ocean Observatories Initiative Version 1.0 Issued by the ORION Program Office July 2006 Joint Oceanographic Institutions, Inc New York Ave NW, Suite 400, Washington, D.C

2 Document Control Sheet Record of Issue Issue Date Document Status Version 1.0 July 2006 Initial Release Revisions Date Description of Change 2

3 TABLE OF CONTENTS SECTION PAGE TABLE OF CONTENTS...3 LIST OF FIGURES...4 LIST OF TABLES...4 LIST OF ACRONYMS AND ABBREVIATIONS OOI PROGRAM PROGRAM GOALS PROGRAM RISK MANAGEMENT OBJECTIVES APPROACH TO RISK MANAGEMENT RISK CATEGORIES Technical Risk Schedule Risk Cost Risk RISK MANAGEMENT STRUCTURE Risk Planning Risk Assessment Risk Handling Risk Monitoring ORGANIZATION MANAGEMENT OVERVIEW RISK MANAGER RISK MANAGEMENT DEFINITIONS RISK MANAGEMENT PROCESS RISK ASSESSMENT Risk Rating System RISK HANDLING Risk Control Risk Avoidance Risk Assumption Risk Transfer RISK MONITORING Watch List Reports RISK DOCUMENTATION...10 APPENDIX A RISK INFORMATION FORM INSTRUCTIONS FOR COMPLETING THE RISK INFORMATION FORM

4 LIST OF FIGURES FIGURE PAGE Figure 2-1. OOI Risk Management Structure...3 Figure 3-1. OOI Risk Management Organization...5 Figure 4-1. OOI Risk Management Process...10 Figure 4-2. Risk Rating Matrix...11 LIST OF TABLES TABLE PAGE Table 4-1. Likelihood Criteria Table 4-2. Consequence Criteria LIST OF ACRONYMS AND ABBREVIATIONS IO JOI NSF OOI WBS RMT Implementing Organization Joint Oceanographic Institutions National Science Foundation Ocean Observatories Initiative Work Breakdown Structure Risk Management Team 4

5 1. OOI PROGRAM The OOI program is responsible for implementing the U.S. scientific community's requirements for an a networked observatory for conducting basic oceanography using cabled, buoyed and mobile platforms and using funds from the National Science Foundation (NSF). The program is managed by the Joint Oceanographic Institutions (JOI) and a group of academic institutions called Implementing Organizations (IO's) The OOI will provide the infrastructure to allow a wide range of spatial scales, from local coastal phenomena to global scale. This observatory will allow transformational science to be conducted to better understand: (1) The deep biosphere and the seafloor ocean (2) Environmental change, processes, and effects (3) Solid Earth cycles and geodynamics 1.1 Program Goals The primary goal of the OOI program is to develop an ocean observatory meeting the science plan and within budgetary and schedule constraints. The budget has been fixed at $309.5M over six years. The OOI design relies heavily upon creative, efficient, and effective use of proven but relatively recent technologies. Mitigation of risk in this environment must be concerned with equipment development, cyberinfrastructure and program management. 1.2 Program Risk Management Objectives Risk management is defined as a systematic approach to identifying, analyzing, and controlling areas or events with a potential for causing unwanted change. It is through risk management that risks to the program are assessed and systematically managed to reduce risk to an acceptable level. The OOI program has established the following risk management objectives: a. To develop and implement a risk management process with risk assessment, handling, and monitoring functions; to define and generate risk watch lists; and to apply metrics to assess the implementation of alternative concepts. b. To establish quantified acceptable risk levels to be achieved and to define the risks and proposed risk mitigation steps to be addressed during design and construction. 1

6 2. APPROACH TO RISK MANAGEMENT Risk is an undesirable situation or circumstance, generally associated with uncertainties, that has both a likelihood of occurring and a potential consequence to the program. Risk management is an organized process to effectively reduce such risks to achieve program goals. The process includes identification, assessment and analysis of potential risks, implementation of risk-handling options, and a monitoring effort to track the effectiveness of the risk management program. The goal of risk management is to define methods or identify alternatives that mitigate or minimize risks to an acceptable level. 2.1 Risk Categories Four types of risk could affect the OOI Program: Technical Risk Schedule Risk Cost Risk Operational Risk? Programmatic Risk Technical Risk Technical risk is risk associated with a new design that provides an increased level of performance relative to existing system. This category also includes the supportability risks associated with fielding and maintaining new OOI subsystems Schedule Risk Schedule risks are risks whose occurrences could delay program schedules Cost Risk Cost risk is the risk to a program associated with overrunning program budget. As stated in section 1.1, the budget has been fixed at $309.5M over six years Operational Risk Operational risks are risks that may make the OOI more expensive to operate and maintain but have minimal or no risk to the OOI development program Programmatic Risk Programmatic risks are risks associated with circumstances outside the program management s control but which could affect the program s direction (e.g., budget cuts, labor disputes, concurrent development and manufacturing, etc) 2

7 2.2 Risk Management Structure Risk management consists of four separate but interrelated activities: Risk Planning Risk Assessment Risk Handling Risk Monitoring These are shown in perspective in Figure 2-1. To ensure success, all activities in the risk management process should be documented. Execution Phase Risk Planning Risk Assessment Risk Handling Risk Monitoring Requirements Responsibilities Definitions Resources Procedures Risk Events Analysis Update Assessments Document Findings Mitigation Tasks Metrics Report Metrics Track Status Report Documentation Figure 2-1. OOI Risk Management Structure Risk Planning The first stage of risk management is to plan the activity. Risk planning is the umbrella term for the systematic process of reducing or eliminating the undesirable occurrences inherent in programs. Effective risk planning ensures that risk is identified and minimized, alternatives are developed and time and/or money is identified to cover the risks that cannot be avoided. Risk planning is an integral part of the routine Program Office functions. It becomes especially important as major scheduled events approach. This Risk Management Plan is to be used to identify the risk management process and provide the framework for executing the process Risk Assessment Risk assessment consists of identification and quantification of program risks. Risk identification is the process of exposing the risks that have a realistic potential of harming the program. Risk identification is not intended to uncover every possible unfortunate incident that could happen. There are various techniques used to identify risk. In general, the OOI program will identify risk by analogy comparisons with prototype systems and by discussion at program documentation reviews. After the risks are identified, a quantification method is used to organize and stratify the risks. This process does not need to be complicated. The goal is to prioritize the list of risks and identify those that require the most management attention. Ratings of Low, Medium and High are sufficient. A risk 3

8 assessment (rating) mechanism is required to consistently apply a quantitative rating to risk items as they are identified. This rating system is discussed in detail in section Risk Handling Risk Handling is the action (or inaction) taken in response to an identified risk, after it has been identified and assessed. There are four basic actions that can be taken in response to handling a risk item. These actions are avoidance, control, assumption, and transfer. Avoidance is the act of not accepting an option because of the unfavorable aspects. Selecting a lower risk approach is an example of risk avoidance. Control is the process of applying management attention to a situation by continually monitoring and correcting a series of events or processes. Risk assumption is the conscious decision to accept the consequences of a particular risk. Simply stated, it s the I ll take the chance approach. Transfer is the process of sharing a risk with another party (normally the contractor) and may take the form of program compromises or cost sharing Risk Monitoring The last step in the risk management process is risk monitoring. The monitoring process systematically tracks and evaluates the effectiveness of risk handling actions against established metrics. Monitoring results also provide a basis for developing additional handling options and identifying new risks. The key to the monitoring process is to establish a cost, schedule, and performance management indicator system over the entire program. The JOI OOI Director uses this indicator system to evaluate the status of the program. The indicator system is designed to provide early warning of potential problems so that management can take action. Risk monitoring is not a problem-solving technique, but rather, a proactive technique to observe the results of risk handling and to identify new risks. Risk monitoring will be accomplished by periodic Risk Management Team (RMT) review of the risk register considering approved program documentation. The risks will be discussed in relation to the contractual capabilities desired by NSF and the program baseline. Results of monitoring activities will be captured in the watch list and cost/performance reports. 4

9 3. ORGANIZATION In one sense, everyone involved in the OOI conversion program contributes to risk management; i.e., all program participants are responsible for exposing risk items within their purview so that the negative impact of such risks can be minimized. But the organization that deals with risk on a regular basis is the Risk Management Team (RMT). (Figure 3-1) Risk Management Team Risk Manager CI IO JOI Acting Risk Director Risk Manager CSO IO SAC Rep Risk Manager RCO IO Risk Manager GSO IO Figure 3-1. OOI Risk Management Organization The RMT is comprised of the Risk Managers from each of the IO's and the lead for risk on the JOI Project Office Team. Also, there will be occasions when technical experts may be asked to attend RMT meetings to effectively evaluate or address risk issues. 3.1 Management Overview The JOI Director of OOI is ultimately accountable for execution of the OOI program and for managing the risks associated with delivering the modified OOI to the NSF. But the Director is responsible for many tasks in addition to risk management. Because of the broad demands of this position, the Director has delegated much of the OOI risk management functions to the Risk Manager. 3.2 Risk Manager The Risk Manager is responsible for all routine risk management activities and reports directly to the Director on significant risk issues. The Risk Manager generally adjudicates (i.e., approves or disapproves) risk handling and monitoring actions. In cases where high profile items are involved, the Risk Manager will defer approval to the Director, providing complete details and background information for the proposed action. Rosie Lunde, Senior Project Engineer for OOI has been designated as the acting Risk Manager. 5

10 4. RISK MANAGEMENT Risk management is a process whereby technical, schedule, cost, and programmatic risks to the program are identified, analyzed, and reduced or eliminated. For the OOI, the risk management process will engage all disciplines of the program and provide management with a systematic, decision-making tool for addressing potential risk issues. Through the risk management process, the OOI risk team: Identifies the risks to the program Analyzes the impact these risks could have should they materialize Prioritizes the risks so that program-threatening risks are given top management attention Makes adjustments to mitigate (eliminate or acceptably reduce) these risks Monitors actions to ensure adjustments were adequate Tracks the risk status of the program to determine if additional risk management procedures are needed This process enables the OOI Director to effectively manage risk and determine the potential effect risk will have on the program schedule and budget. 4.1 Definitions These definitions facilitate an understanding of OOI risk management. Risk the Likelihood of an undesirable event occurring and the significance of the consequence of the occurrence. Note that risk has two components Likelihood and consequence. Risk Management an organized, systematic, decision-making process that efficiently identifies risks, analyses risks, and effectively reduces or eliminates risks for the purpose of achieving program goals. Risk Event any event that has a realistic Likelihood of creating an undesirable effect on the technical, schedule, cost or programmatic aspects of the program. Risk Assessment the process of identifying and analyzing program risks. Risk Identification investigating all aspects of the program with the goal of identifying areas of risk and their corresponding potential impacts. Risk Analysis examining each identified risk event to refine the description of the risk, isolating the cause and determining effects should the risk event occur. Mitigation Analysis the process of examining the impact to the program of each individual risk and considering potential consequences if risk inputs are revised. Risk Handling the action (or inaction) taken in response to an identified risk after it has been quantified and analyzed. Risk Monitoring the process that systematically tracks and evaluates the performance of riskhandling actions against established metrics throughout the acquisition process and develops further riskhandling options, as appropriate. Program Risk the Likelihood of not achieving a defined goal in the following risk categories (see section 2.1 for further discussion): Technical Schedule Cost Operational 6

11 Programmatic 4.2 Risk Management Process The risk management process (Figure 4-1) is a closed-loop course of action used to identify, analyze, and manage risk items. The tools and techniques used within this process are described in the following sections. Risk items are maintained and tracked within the OOI risk database. The status of the risk program and active risk handling activities are presented as needed during RMT meetings and all program reviews. In addition, selected reports are available in the document management system. Analogy Comparison Program Documentation Review Identify Risk Issue Enter Risk Issue in Risk database Conduct Risk Assessment and Update database Update Risk Database No Is Risk Issue Data Complete? Yes Plan Mitigation High Moderate Calculate Risk Values for Likelihood and Consequence Publish periodic Watch List to Key Team Members Feedback Monitor Risk Mitigation Actions Address Risk Issues at Program Reviews/RMT Meetings Feedback Figure 4-1. OOI Risk Management Process 7

12 4.3 Risk Assessment Risk management begins with identification of a potential risk item. As described above, risk assessment has two components identification and analysis. All personnel can enter new risk items into the risk management process using the risk identification form (RIF), which is provided as Appendix A. The RMT will evaluate all new items and ensure the items are properly identified if further processing is warranted Risk Rating System In order to assess risk items in a meaningful way, a risk rating system is required. The RMT is comprised of experts familiar with each risk area (e.g., design, engineering, construction, science, cost, software, schedule and management). This team of experts determines risk ratings for the OOI program. The rating system establishes levels of Likelihood and consequences and provides a range of possibilities large enough to distinguish differences in risk ratings. At the program level, Consequences are expressed in terms of impact on cost, schedule and performance. Table 4-1 and Table 4-2 show the criteria for Likelihood and Consequence. Table 4-1. Likelihood Criteria Level What is the likelihood the risk event will happen? 1 Remote 2 Unlikely 3 Possible 4 Probable 5 Near Certainty Table 4-2. Consequence Criteria Level Technical Program Schedule Program End Cost Operational Programmatic 1 Minimal Impact Minimal impact Minimal impact Minimal Impact Minimal Impact 2 Acceptable with some reduction in capability Additional resources required; able to meet need dates < 1% Small increase in operational costs Small impact on cost, schedule or technical baselines 3 Acceptable with significant reduction in capability Moderate slip in key milestones; not able to meet need dates 1-5% Moderate increase in operational costs Moderate impact on cost, schedule or technical baselines 4 Marginally Acceptable, barely able to perform needed science Major slip in key milestone or critical path impacted 5-10% Significant increase in operational costs Significant impact on cost, schedule or technical baselines 5 Unacceptable Cannot achieve key team or major program milestone >10% Unacceptable increase in operational costs Unacceptable impact on cost, schedule or technical baselines Figure 4-2 shows the simple method that the OOI program uses for rating risk events. The matrix shows how the Risk Manager has defined levels as high, moderate, and low for the various combinations of likelihood and consequences. A high (H) rating means that a major disruption to the program is likely. A moderate (M) rating means that some disruption will likely occur. A low (L) rating means that the risk, if realized, will have a minimum impact on the program. 8

13 5 L M H H H Likelihood 4 L M M H H 3 L L M M H 2 L L L M M 1 L L L L M CONSEQUENCE Figure 4-2. Risk Rating Matrix. Based on the ratings determined by the RMT, the Risk Manager identifies risk items requiring priority management. The OOI program risk information is recorded in the risk database. 4.4 Risk Handling This section describes how the OOI program will deal with risk, when it should be accomplished, who is responsible, and the cost and schedule impact. As described in section 2, there are four risk-handling techniques, or options. Risk avoidance eliminates the sources of high risk and replaces them with lower-risk solutions. Risk transfer is the reallocation of risk from one part of the system to another or the reallocation of risks between the Government, the prime contractor or subcontractors. Risk control manages the risk in a manner that reduces the likelihood of its occurrence and/or minimizes the risk s effect on the program. Risk assumption is the acknowledgment of the existence of a particular risk situation and a conscious decision to accept the associated level of risk without engaging in any special efforts to control it. Many programs select control as the risk-handling option without seriously evaluating assumption, avoidance, and transfer. This is unwise, since control may not be the best option, or even appropriate option in some cases. The OOI program applies an unbiased assessment of risk-handling options to determine the most appropriate option. The RMT deliberate on each risk item to determine what risk-handling technique is appropriate for incorporation into the program baseline. As necessary, the Director forwards the action to the NSF Program Officer for approval Risk Control Using risk control, the RMT takes active steps to reduce the likelihood of a risk event occurring and to reduce the potential impact on the program. Most risk-control steps share two features: they require a commitment of program resources and they require additional time for accomplishment. Thus, the selection of risk-control actions undoubtedly requires some tradeoff between resources and the expected benefit of the actions Risk Avoidance Risk avoidance reduces risk through the modification or elimination of operational requirements, processes or activities that cause the risks. When risk avoidance is used, a risk-handling plan is developed to ensure a close coordination with the users so that the eliminated requirements do not adversely affect operations Risk Assumption The OOI will use risk assumption where appropriate, but will insure that the new technologies being employed must prove very reliable due to the inaccessibility of many of the components once they are installed on the seafloor. 9

14 4.4.4 Risk Transfer Risk transfer involves the reduction of risk exposure by the reallocation of risk from one part of the observatory to another or the reallocation of risks between the Government and the prime contractor, or between the prime contractor and its subcontractors. In reallocating risk, design requirements that are risk drivers are transferred to other system elements, with the intention of lowering system risk while still meeting system requirements. The effectiveness of reallocating requirements depends on good system engineering and design techniques. In fact, efficient allocation of those requirements that are risk drivers is an integral part of the systems engineering process. 4.5 Risk Monitoring Risk monitoring is a continuous process to systematically track and evaluate the performance of risk-handling actions against established metrics throughout the acquisition process. Risk monitoring includes results of periodic reassessments of program risk to evaluate both known and new risks to the program. When necessary, the risk manager re-examines the risk-handling approaches for effectiveness while conducting assessments. As the program progresses, the monitoring process will identify the need for additional risk-handling options. An effective monitoring effort will provide information to show if handling actions are not working and which risks are on their way to becoming actual problems. The information should be available in sufficient time for the Project Office to take corrective action. A key to risk monitoring is the establishment of a management indicator system that provides accurate, timely, and relevant risk information in a clear, easily understood manner Watch List A watch list is a straightforward listing of critical areas requiring special management attention during program execution. For the OOI program, the watch list is a subset of the top ten (or so) risks in the risk register which is published in the Monthly Reports to NSF. It includes the priority of the risk, how long it has been on the watch list, handling actions, planned and actual completion dates for the handling actions, and explanations for any differences Reports Reports are used to convey information to decision-makers and program participants on the status of risks and the effectiveness of risk-handling actions. The OOI risk database is a comprehensive reservoir of risk related information. Standard risk reports can be derived from this database. A report of mitigation options and actions will be a part of the risk package presented at all program management reviews. 4.6 Risk Documentation A primary criterion for successful risk management is formally documenting the ongoing risk management process. This is important because: It provides the basis for program assessments and updates as the program progresses. Formal documentation tends to ensure more comprehensive risk assessments than if it is not documented. It provides a basis for monitoring risk-handling actions and verifying the results. It provides program background material for new personnel. It is a management tool for the execution of the program. It provides the rationale for program decisions. 10

15 The JOI Risk Manager, with the cooperation of the RMT, ensures that risk documentation is complete and up-to-date. Examples of risk management documents and reports provided for the OOI program are: Risk Management Plan Risk Information Form Risk register Risk assessment report Risk monitoring documentation (program baseline, contract capabilities, watch list, cost/performance report) 11

16 APPENDIX A RISK INFORMATION FORM A - 12

17 Risk Information Form (RIF) Risk Submission Form for OOI Risk ID: Submitter of Risk Name: Title: Organization: Risk Title: Impact type: Description:. Phone: Submission Date: Estimated Cost: Consequence: Likelihood: Assessment: Mitigation Options: Risk Handling: Mitigation Action: Resolution: Closed Date: Comments: A - 13

18 INSTRUCTIONS FOR COMPLETING THE RISK INFORMATION FORM Risk Information Forms are to be downloaded from the JOI Program Office database, completed using the instructions that follow, and submitted electronically to Complete as much as possible of the form. 1. Risk ID No: To be assigned by the Risk Manager. 2. Submitter of Risk Item a. Name: Name of the individual submitting the risk. b. Title: The job title of the individual submitting the risk. c. Work Phone: Work phone of the individual creating the risk. d. Organization Name: Activity/company of the individual submitting the risk. e. The address of the individual submitting the risk. f. Submission Date: The date when the risk was submitted. 3. Risk Title: Denotes a short title to also uniquely identify each risk issue. 4. Impact: Identifies the impact of the risk as a technical/performance, cost or schedule or a combination of any or all these. 5. Estimated Cost: Best guess estimate of the actual cost to the program if the risk were to be realized. 6. Description of Risk: A complete and through description of the risk and its impacts should be entered in this block. If possible, make into an If.., Then statement. Identify the cause of the risk and its potential adverse cost, schedule, performance impacts. 7. Consequences Criteria: In each applicable category (performance, program schedule or procurement end cost) in Table RIF-1 (see page A-5), choose the block corresponding to the magnitude of the consequence should the risk be realized: level 1-5 for technical, cost, or schedule, whichever has the most potential impact. 8. Likelihood of Failure: Use Table RIF-2 (see page A-5), choose the block that best corresponds to the Likelihood that your risk will actually occur: level Assessment: Using Table RIF-3 (see page A-5) to determine the overall risk rating low, moderate or high by determining the intersection of the plotted consequence rating on the X axis and the Likelihood rating on the Y axis of the table. 10. Mitigation Options: Recommended actions that would allow the program to reduce or eliminate the risk you have identified. 11. Risk Handling: One of the four (4) handling options (Avoidance, Control/Mitigation, Assumption, or Transfer) should be identified that will be used on the risk. Avoidance eliminates the source of high risk and replaces it with a lower risk solution. For example, eliminating a requirement that is unachievable at cost. Control/Mitigation manages the risk in a manner that reduces the Likelihood/likelihood of its occurrence and/or minimizes and mitigates the risk s effect on the program. For example, using modeling to reduce the risk of a system. Assumption is the acknowledgement of the existence of a particular risk situation and a conscious decision to accept the associated level of risk without engaging in any special efforts to control it. This decision must always be accompanied by monitoring techniques, a fallback plan should the monitoring indicate a situation tending toward the risk occurring, and an allocation of resources/budget for the fall back plan. A - 14

19 Transfer is the reallocation of risk from one part of the system to another or the reallocation of risks between the Government, the prime contractor or subcontractors. For example, contract incentives for the contractor to reduce production time. 12. Mitigation Action: A list of mitigation actions to be taken by the Action Officer to attempt to avoid the risk. This section may also include a description of industry s fallback option, i.e., contingency plan, if applicable. Include cost, schedule, and performance impacts of the fallback option. Assess and if acceptable, provide a rationale statement and recommend possible program actions, i.e., risk handling options, as appropriate. 13. Resolution: An event or activity (such as testing) that effectively retired the risk. 14. Closed Date: The date the risk was closed. 15. Comments: Use this block to enter any additional comments you wish to provide to help the Risk Manager evaluate your risk. A - 15

20 Table RIF-1. Consequence Criteria Level Technical Program Schedule Program End Cost Operational Programmatic 1 Minimal Impact Minimal impact Minimal impact Minimal Impact Minimal Impact 2 Acceptable with some reduction in capability Additional resources required; able to meet need dates < 1% Small increase in operational costs Small impact on cost, schedule or technical baselines 3 Acceptable with significant reduction in capability Moderate slip in key milestones; not able to meet need dates 1-5% Moderate increase in operational costs Moderate impact on cost, schedule or technical baselines 4 Marginally Acceptable, barely able to perform needed science Major slip in key milestone or critical path impacted 5-10% Significant increase in operational costs Significant impact on cost, schedule or technical baselines 5 Unacceptable Cannot achieve key team or major program milestone >10% Unacceptable increase in operational costs Unacceptable impact on cost, schedule or technical baselines Table RIF-2. Likelihood Criteria TableRIF-3. Risk Rating Matrix Level Probability 5 L M H H H 1 Remote 4 L M M H H 2 Unlikely 3 L L M M H 3 Possible 2 L L L M M 4 Probable 1 L L L L M PROBABILITY 5 Near Certainty CONSEQUENCE A - 16