
OCCAR – Risk Management

CONTACT

Godesberger Allee 150-154
53175 Bonn, Germany
Phone: +49 (0) 228 5502-167
Mail: A007@occar.int
Web: www.occar.int

RESPONSIBILITIES IN THE RISK MANAGEMENT PROCESS

Programme Manager / Head of Division:

- Leads the Risk Management (RM) activities: planning for RM, risk identification, risk analysis, risk response planning and risk monitoring / control.
- Ensures compliance with IP 111.
- Embeds the risk management process in Programme/Division processes.
- Approves the Risk Management Plan (RMP).
- Assigns the Risk Owners.
- Coordinates communication with internal and external Stakeholders.
- Reports the Programme/Division Top N risks in the Director’s Risk Review.
- Approves the Programme/Division Risk Management Maturity Model (RM3) self-assessment and KPI I7.2.
- Is ultimately responsible to the OCCAR-EA Director for the final decisions on risk actions.

Risk Owner:

- Approves the risk (if it’s delegated by the PM).
- Manages all the activities related to the risks.
- Leads the qualitative analysis.
- Assesses the need to perform quantitative analysis.
- Assigns the Risk Response Plan Owner.
- Reviews the risk regularly.

Risk Response Plan Owner:

- Defines the risk response strategy.
- Defines the actions in accordance with the strategy.
- Assigns the Action Owner.
- Follows up risk responses.
- Assesses risk response effectiveness (together with the Action Owner).
- Reviews and assesses plan effectiveness.
- Adjusts/modifies the plan if necessary.
- Populates the ARM tool accordingly.

Action Owner:

- Undertakes the action.
- Assesses the effectiveness of the action (together with the Risk Response Plan Owner).
- Reports on the effectiveness of the action.
- Populates ARM accordingly.

Risk Officer:

- Develops and maintains the Risk Management Plan.
- Supports the Programme Manager/Head of Division in terms of RM.
- Supports the Risk Owners, Risk Response Plan Owners and Action Owners in terms of RM.
- Monitors the RM process.
- Supervises the quality of the information recorded in ARM.
- Sponsors risk identification activities.
- Facilitates the communication throughout the risk process.
- Conducts risk workshops when required (internal and external).
- Reports on risk (formal and informal reports) to Corporate, Programme Level and External.
- Updates, monitors and controls ARM activities.
- Verifies the consistency of the data.
- Conducts the self-assessment with regard to the RM3 and the KPI I7.2.
- Represents the Programme in the risk CoPs and other risk-related meetings/events.
- Reviews/manages shared external Risk Registers (e.g. Contractor) together with the relevant stakeholders.

RISK MANAGEMENT PHILOSOPHY

- A core business.
- Top down led.
- Actively managed.
- Where Heads of Division and Programme Managers own the risks and are held to account to deliver mitigation actions by due dates.

RISK MANAGEMENT ACTIVITIES

- Risk Identification
- Risk Management Planning
- Response Planning
- Response Implementation
- Risk Analysis
- Risk Monitoring and Control
- Risk Communication

RISK MANAGEMENT DOCUMENTATION

- IP 111 Risk Management Procedure
- IG 111-1 Risk Management Guide

RISK MANAGEMENT IN THE INTRANET

RISK: [Uncertain event that, if it occurs, may have a positive (Opportunity) or negative (Threat) impact on the achievement of corporate and programme objectives]


RISK IDENTIFICATION

[Diagram: RISK IDENTIFIED, made up of the following elements]

- Cause: the cause has to be a fact.
- Risk: uncertain event.
- Effects: impact on objectives.

Example: Because XYZ is the only vendor source for the transceiver circuit card (cause), and XYZ might discontinue production of the card making it unavailable during the radar system production (risk), deliveries of the radar system may be delayed (effect).

1. Risk Event Probability assessment

Risk Probability Ranking

| Ranking   | Probability of Risk Event |
|-----------|---------------------------|
| Very High | >75 AND <100%             |
| High      | >50 AND <=75%             |
| Medium    | >30 AND <=50%             |
| Low       | >10 AND <=30%             |
| Very Low  | >0 AND <=10%              |

2. Risk Event impact assessment *

Evaluating Impact of a Risk on Programme/Project Objectives

| Impact    | Objective: Time | Objective: Cost | Objective: Performance |
|-----------|-----------------|-----------------|------------------------|
| Very Low  | Insignificant schedule slippage. | Insignificant cost increase. | No direct impact on key performance requirements. |
| Low       | Delivery plan milestone delay within quarter. | < 5% cost increase. | Minor shortfalls in 1 or 2 KRs. |
| Medium    | Delivery plan milestone delay of one quarter. | 5-10% cost increase. | Minor shortfalls in 3 KRs, significant shortfalls in 1 or 2 KRs. |
| High      | Delivery plan milestone delay of more than one quarter. | 10-20% cost increase. | Major shortfalls in 1 or 2 KRs, significant shortfalls in more than 3 KRs. |
| Very High | Delivery plan milestone delay outside fiscal year. | > 20% cost increase. | Major shortfalls in more than 3 KRs. Likely to impede product acceptance by customer or qualification. Product is not fit for purpose. |

* Note: check the Risk Management Plan to verify the scoring scheme for your programme/division. At Corporate level a Risk Scoring Scheme is established to assess the risks against REPUTATION, COHESION and GROWTH.

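PROBABILITY IMPACT DIAGRAM (PID)

Based on the combination of the assessed probability and the assessed impact, the risk level is obtained.

Columns give the assessed impact: the first five are Opportunity (positive) impact, the last five are Threat (negative) impact. Rows give the assessed probability.

| Probability | Opp. Very High | Opp. High | Opp. Medium | Opp. Low | Opp. Very Low | Threat Very Low | Threat Low | Threat Medium | Threat High | Threat Very High |
|-------------|----------------|-----------|-------------|----------|---------------|-----------------|------------|---------------|-------------|------------------|
| Very High   | -25 | -21 | -16 | -11 | -6 | 6 | 11 | 16 | 21 | 25 |
| High        | -24 | -20 | -15 | -10 | -5 | 5 | 10 | 15 | 20 | 24 |
| Medium      | -23 | -19 | -14 | -9  | -4 | 4 | 9  | 14 | 19 | 23 |
| Low         | -22 | -17 | -12 | -7  | -2 | 2 | 7  | 12 | 17 | 22 |
| Very Low    | -18 | -13 | -8  | -3  | -1 | 1 | 3  | 8  | 13 | 18 |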

To ensure that risks are captured correctly, the following questions need to be answered:

- Is the context clearly understood by all?
- Is the risk linked to objectives?
- Is it a risk or is it an issue?
- Is the risk description adequate?

RISK RESPONSE STRATEGIES

| Threat   | Generic Strategy                  | Opportunity |
|----------|-----------------------------------|-------------|
| Avoid    | Eliminate uncertainty. Terminate. | Exploit     |
| Transfer | Involve others. Transfer.         | Share       |
| Reduce   | Change size. Treat.               | Enhance     |
| Accept   | Take a risk. Tolerate.            | Accept      |

[Figure: waterfall diagram of Risk Score against Time (6 weeks ago, today, in 3 weeks), showing the effect of Response 1, Response 2 and Response 3.]

Annotations in the figure:

- First Assessment (pre-mitigation)
- Score (after successful completion of response 1)
- Current Risk Management (response 2 was successfully completed today, no further mitigation considered during assessment)
- Post Mitigation Risk Assessment (response 3 applied, confidence level of successful completion taken into account)

RISK RESPONSE PLANNING

In accordance with the approved risk treatment strategy and with the resource constraints, a Mitigation Plan is developed. It contains a set of responses, each defined in terms of aim, ownership and deadline.

Type of Risk Responses

Actions are responses taken to reduce risk exposure to an acceptable level. If effective, they do not need to be continued or repeated.

Controls are responses, generally repetitive, which are taken to maintain risk at an acceptable level. Effectiveness of each performed control measure should be recorded.

During the development of the Mitigation Plan, the target risk level for each action should be determined.

When all risk actions are combined, the residual risk can be determined.

The waterfall diagram represents the plan graphically.

RISK ANALYSIS

The identified risks are individually assessed in terms of likelihood of occurrence (PROBABILITY) and magnitude of their effect (IMPACT) on objectives, so that they can be prioritised to support the decision-making process.

QUALITATIVE ASSESSMENT (Prioritisation of risks)