The NASA Continuous Risk Management Process

As an intern this summer in the GRC Risk Management Office, I have become familiar with the NASA Continuous Risk Management Process. In this process, risk is considered in terms of the probability that an undesired event will occur and the impact of the event, should it occur (ref., NASA-NPG: 7120.5). Risk management belongs in every part of every project and should be ongoing from start to finish. Another key point is that a risk is not a problem until it has happened. With that in mind, there is a six step cycle for continuous risk management that prevents risks from becoming problems. The steps are: identify, analyze, plan, track, control, and communicate & document. Incorporated in the first step are several methods to identify risks such as brainstorming and using lessons learned. Once a risk is identified, a risk statement is made on a risk information sheet consisting of a single condition and one or more consequences. There can also be a context section where the risk is explained in more detail. Additionally there are three main goals of analyzing a risk, which are evaluate, classify, and prioritize. Here is where a value is given to the attributes of a risk &e., probability, impact, and timeframe) based on a multi-level classification system (e.g., low, medium, high). It is important to keep in mind that the definitions of these levels are probably different for each project. Furthermore the risks can be combined into groups. Then, the risks are prioritized to see what risk is necessary to mitigate first. After the risks are analyzed, a plan is made to mitigate as many risks as feasible. Each risk should be assigned to someone in the project with knowledge in the area of the risk. Then the possible approaches to choose from are: research, accept, watch, or mitigate. Next, all risks, mitigated or not, are tracked either individually or in groups. As the plan is executed, risks are re-evaluated, and the attribute values are adjusted as necessary. Metrics are established and monitored as tools for risk tracking. Also a trigger or threshold should be set on the metric data that indicates when an action is needed. Results of this tracking are usually evaluated and reported in a relevant format at weekly or monthly meetings. Choosing controls is the subsequent step, which involves the effects of the tracking. The three basic controls are: close, continue tracking, and re- plan. Finally communicate & document is the last step, but occurs throughout the process. It is vital that main risks, plans, changes, and progress are known by everyone in the project. A good way to keep everyone updated and inform other projects of common issues is by thoroughly documenting project risks. NASA sees value in risk management and believes that projects have greater probability or success by using the NASA Continuous Risk Management Process.