Risk Management Guide for DoD Acquisition - DTIC


RISK MANAGEMENT GUIDE FOR DOD ACQUISITION
Fifth Edition (Version 2.0)
June 2003
Department of Defense
Defense Acquisition University

Report Documentation Page (Standard Form 298, Rev. 8-98; Form Approved OMB No. 0704-0188)
Report date: June 2003
Report type: N/A
Title and subtitle: Risk Management Guide for DOD Acquisition, Fifth Edition (Version 2.0)
Performing organization name and address: Department of Defense, Defense Acquisition University, Ft. Belvoir, 22060-5565
Distribution/availability statement: Approved for public release, distribution unlimited
Security classification of report, abstract, and this page: unclassified
Limitation of abstract: UU
Number of pages: 188

Please e-mail comments or recommended changes to: Bill.Bahnmaier@dau.mil

PUBLISHED BY THE DEFENSE ACQUISITION UNIVERSITY PRESS
FORT BELVOIR, VIRGINIA 22060-5565

For sale by the U.S. Superintendent of Documents, Government Printing Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
Mail Stop: SSOP, Washington, DC 20402-0001

OFFICE OF THE UNDER SECRETARY OF DEFENSE
3000 DEFENSE PENTAGON
WASHINGTON, DC 20301-3000

RISK MANAGEMENT GUIDE

Acquisition excellence has changed the way the Department of Defense (DoD) designs, develops, manufactures, and supports systems. Our technical, business, and management approach for acquiring and operating systems has evolved, and continues to evolve. For example, we no longer can rely on military specifications and standards to define and control how our developers design, build, and support our new systems. Today we use commercial hardware and software, promote open systems architecture, and encourage streamlining processes, just to name a few of the initiatives that affect the way we do business. At the same time, the Office of the Secretary of Defense (OSD) has reduced the level of oversight and review of programs and manufacturers’ plants.

While the new acquisition model gives government program managers and their contractors broader control and more options than they have enjoyed in the past, it also exposes them to new risks. OSD recognizes that risk is inherent in any acquisition program and considers it essential that program managers take appropriate steps to manage and control risks.

This document is a product of a joint effort by the Under Secretary of Defense (Acquisition, Technology and Logistics) (USD (AT&L)) staff and the Defense Acquisition University. It is based on the material developed by the DoD Risk Management Working Group. Material in this Guide is also reflected in the Risk Management Focus Area of the Program Management Community of Practice (PMCOP) (http://www.pmcop.dau.mil), and in the Defense Acquisition Deskbook, which can be accessed via the AT&L Knowledge Sharing System (AKSS) Website (http://deskbook.dau.mil/jsp/default.jsp).

Frank J. Anderson, Jr.
President
Defense Acquisition University

PREFACE

In 1996, the USD (AT&L) established a Risk Management Working Group composed of members of the Office of the Secretary of Defense (OSD) staff, representatives of the Military Services, and members of other DoD agencies involved in systems acquisition. This group reviewed pertinent DoD directives (DoDD) and regulations, examined how the Services managed risk, studied various examples of risk management by industry, and looked at DoD training and education activity in risk management. Other sources of information were the Software Engineering Institute Risk Initiative, the Open Systems Initiative, and the safety and cost estimating communities. The findings and results of the Working Group investigation were presented to the USD (AT&L) and are summarized below:

Industry
– Focus of efforts is to get a product to market at a competitive price.
– Industry has either a structured or informal Risk Management process.
– Evolutionary approaches help avoid or minimize risk.
– Most approaches employ risk avoidance, early planning, continuous assessment, and problem-solving techniques.
– Structured approaches, when they exist, are similar to DoD’s approach to Risk Management.
The Working Group concluded that industry has no magic formula for Risk Management.

The Military Services
– The Services differ in their approaches to Risk Management. Each approach has its strengths but no one approach is comprehensive.
– Consolidation of the strengths of each approach could foster better Risk Management in DoD.
The Working Group recommended that the Defense Acquisition Deskbook contain a set of guidelines for sound risk management practices, and further, that it contain a set of risk management definitions that are comprehensive and useful to all the Components.

DoD Policy*
– The risk management policy contained in DoDD 5000.1 is not comprehensive.
The Working Group recommended that DoDD 5000.1 be amended to include a more comprehensive set of risk management policies that focuses on:
– The relationship between the Cost As an Independent Variable (CAIV) concept and Risk Management.
– Requirement that risk management be prospective (forward looking).
– Establishment of risk management as a primary management technique to be used by Program Managers (PMs).

*Note: The DoD 5000 policy documents referred to in the 1996 Report have since been superseded by a new set of DoD 5000 policy and guidance documents issued in the 2002–2003 time frame.

DoD Procedures
– Risk Management procedures in DoD 5000.2-R (Note: Later changed to Interim Defense Acquisition Guidebook) are inadequate to fully implement the risk management policy contained in DoDD 5000.1. Procedures are lacking regarding:
  – Scope of Risk Management
  – Purpose of Risk Management
  – Role of Milestone Decision Authorities
  – Risk Management’s support of CAIV
  – Risk assessment during early acquisition phases.
– Some key procedures may have been lost in the transition to DoD 5000.2-R, and need to be expanded upon in the Defense Acquisition Deskbook.

DoD Risk Management Training
– Risk management training for the DoD Acquisition Corps needs to be updated and expanded, and Integrated Product Team (IPT) and Overarching IPT (OIPT) personnel need to be educated on the new and expanding role of risk management in DoD systems acquisition.
– Risk Management knowledge level needs improvement. Education is a key to obtaining the support of OIPTs and PMs.
– The Defense Acquisition University (DAU) needs to include Risk Management training in all functional courses and develop a dedicated risk management course for acquisition corps personnel.

Working Group members then wrote the risk management portions of the Defense Acquisition Deskbook. The Defense Acquisition Deskbook (sometimes referred to as the “Legacy” Deskbook) is accessible from the AT&L Knowledge Sharing System (AKSS) Website.

The recommendations of the Risk Management Working Group have been fully implemented over the period 1996-2003. The Risk Management part of the Defense Acquisition Deskbook and material in the Risk Focus Area of the Program Management Community of Practice (PMCoP) (http://www.pmcop.dau.mil) form the basis for this Guide. The goal of the Risk Management Guide is to provide acquisition professionals and program management offices with a practical reference for dealing with system acquisition risks. It has also been designed to be used as an aid in DAU course offerings.

This Guide reflects the efforts of many people. Mr. Mark Schaeffer, former Deputy Director, Systems Engineering, who chaired the initial Risk Management Working Group, and Mr. Mike Zsak and Mr. Tom Parry, formerly from the AT&L Systems Engineering Support Office, were the original driving forces behind the risk management initiative. LtCol John Driessnack, USAF, from the DAU/DSMC faculty; Mr. Greg Caruth, Ms. Debbie Gonzalez, and Ms. Frances Battle from the DAU Press; and Ms. Patricia Bartlett from Bartlett Communications guided the composition of the Guide. Assistance was also provided by Mr. Jeff Turner of the DAU Publications Distribution Center. Special recognition goes to the Institute for Defense Analyses team composed of Mr. Louis Simpleman, Mr. Ken Evans, Mr. Jim Lloyd, Mr. Gerald Pike, and Mr. Richard Roemer, who compiled the data and wrote major portions of the text. Also special thanks to Ms. Margaret Adcock for her detailed comments and support, and to Dr. Edmund Conrow for his suggestions and recommendations that have vastly improved the Guide.

Charles B. Cochrane
Director
DAU Center for Program Management

William W. Bahnmaier
Editor

CONTENTS

Chapter 1 INTRODUCTION ... 1
1.1 Purpose and Scope ... 1
1.2 Organization of the Guide ... 1
1.3 Approach to Risk Management ... 2
1.4 DoD Risk Management Policies and Procedures ... 2

Chapter 2 RISK AND RISK MANAGEMENT ... 5
2.1 Introduction ... 5
2.2 Overview ... 5
2.3 Risk Management Structure and Definitions ... 7
2.4 Risk Discussion ... 8
2.4.1 Characteristics of Acquisition Risk ... 8
2.4.2 Program Products, Processes, Risk Areas, and Risk Events ... 9
2.5 Risk Planning ... 11
2.5.1 Purpose of Risk Plans ... 11
2.5.2 Risk Planning Process ... 11
2.6 Risk Assessment ... 13
2.6.1 Purpose of Risk Assessments ... 13
2.6.2 Risk Assessment Process ... 13
2.6.3 Timing of Risk Assessments ... 14
2.6.4 Conducting Risk Assessments ... 15
2.7 Risk Handling ... 20
2.7.1 Purpose of Risk Handling ... 20
2.7.2 Risk-Handling Process ... 20
2.8 Risk Monitoring ... 23
2.9 Risk Documentation ... 24

Chapter 3 RISK MANAGEMENT AND THE DOD ACQUISITION PROCESS ... 27
3.1 Introduction ... 27
3.2 Overview ... 27
3.3 DoD Acquisition Process ... 27
3.4 Characteristics of the Acquisition Process ... 28
3.4.1 Integrated Product and Process Development (IPPD) ... 28
3.4.2 Continuous Risk Management ... 28
3.4.3 Program Stability ... 29
3.4.4 Reduction of Life-Cycle Costs ... 29
3.4.5 Event-Oriented Management ... 29
3.4.6 Modeling and Simulation ... 29
3.5 Risk Management Activities during Acquisition Phases ... 29
3.5.1 Concept Refinement (CR) and Technology Development (TD) Phases ... 30
3.5.2 Subsequent Phases ... 31
3.6 Risk Management and Milestone Decisions ... 31
3.7 Risk Management and the Acquisition Strategy ... 31
3.8 Risk Management and CAIV ... 32

Chapter 4 RISK MANAGEMENT AND PROGRAM MANAGEMENT ... 35
4.1 Introduction ... 35
4.2 Overview ... 35
4.3 Program Manager and Risk Management ... 35
4.3.1 Risk Management Is a Program Management Tool ... 36
4.3.2 Risk Management Is a Formal Process ... 36
4.3.3 Risk Management Is Forward-Looking ... 36
4.3.4 Risk Management Is Integral to Integrated Product and Process Development (IPPD) ... 37
4.4 Risk Management Organization in the PMO ... 37
4.4.1 Risk Management Organizational Structure ... 37
4.4.2 Risk Management Responsibilities ... 39
4.5 Contractor Risk Management ... 41
4.5.1 Contractor View of Risk ... 41
4.5.2 Government/Contractor Relationship ... 41
4.6 Risk Management and the Contractual Process ... 42
4.6.1 Risk Management: Pre-Contract Award ... 42
4.6.2 Early Industry Involvement: Industrial Capabilities Review ... 42
4.6.3 Developing the Request for Proposal ... 43
4.6.4 The Offeror’s Proposal ... 46
4.6.5 Basis for Selection ... 46
4.6.6 Source Selection ... 46
4.7 Risk Management: Post-Contract Award ... 47
4.8 Risk Management Reporting and Information System ... 48
4.9 Risk Management Training ... 48

Chapter 5 RISK MANAGEMENT TECHNIQUES ... 53
5.1 Introduction ... 53
5.2 Overview ... 53
5.3 Risk Planning Techniques ... 53
5.3.1 Description ... 53
5.3.2 Procedures ... 54
5.4 Risk Assessment Techniques ... 55
5.4.1 Product (WBS) Risk Assessment ... 55
5.4.2 Process (DoD 4245.7-M) Risk Assessment ... 58
5.4.3 Program Documentation Evaluation Risk Identification ... 60
5.4.4 Threat and Requirements Risk Assessment ... 61
5.4.5 Cost Risk Assessment ... 63
5.4.6 Quantified Schedule Risk Assessment ... 64
5.4.7 Expert Interviews ... 66
5.4.8 Analogy Comparison/Lessons-Learned Studies ... 67
5.5 Risk Prioritization ... 68
5.5.1 Description ... 68
5.5.2 Procedures ... 68
5.6 Risk-Handling Techniques ... 70
5.6.1 General ... 70
5.6.2 Risk Control ... 72
5.6.3 Risk Avoidance ... 76
5.6.4 Risk Assumption ... 77
5.6.5 Risk Transfer ... 77
5.7 Risk Monitoring ... 78
5.7.1 General ... 78
5.7.2 Earned Value Management ... 79
5.7.3 Technical Performance Measurement ... 79
5.7.4 Integrated Planning and Scheduling ... 80
5.7.5 Watch List ... 80
5.7.6 Reports ... 80
5.7.7 Management Indicator System ... 82
5.8 Risk Management Information Systems and Documentation ... 85
5.8.1 Description ... 85
5.8.2 Risk Management Reports ... 85
5.9 Software Risk Management Methodologies ... 87
5.9.1 Software Risk Evaluation (SRE) ... 87
5.9.2 Boehm’s Software Risk Management Method ... 87
5.9.3 Best Practices Initiative Risk Management Method ... 90

APPENDIX A – DOD RISK MANAGEMENT POLICIES AND PROCEDURES ... A-1
DoD Directive 5000.1. The Defense Acquisition System, 12 May 2003 ... A-1
DoD Instruction 5000.2. Operation of the Defense Acquisition System, 12 May 2003 ... A-1
Interim Defense Acquisition Guidebook (IDAG), 30 October 2002 ... A-4
DoD Directive 5000.4. OSD Cost Analysis Improvement Group (CAIG), 24 November 1992 ... A-12
DoD 5000.4-M. Cost Analysis Guidance and Procedures, December 1992 ... A-13

APPENDIX B – GENERIC RISK MANAGEMENT PLAN ... B-1
Sample Risk Management Plan ... B-1
Preface ... B-1
Sample Format for Risk Management Plan ... B-2
Sample Risk Management Plan for the XYZ Program (ACAT I, II) ... B-4
1.0 Introduction ... B-4
1.1 Purpose ... B-4
1.2 Program Summary ... B-4
1.2.1 System Description ... B-5
1.2.2 Acquisition Strategy ... B-5
1.2.3 Program Management Approach ... B-5
1.3 Definitions ... B-5
1.3.1 Risk ... B-5
1.3.2 Risk Event ... B-5
1.3.3 Technical Risk ... B-6
1.3.4 Cost Risk ... B-6
1.3.5 Schedule Risk ... B-6
1.3.6 Risk Ratings ... B-6
1.3.7 Independent Risk Assessor ... B-6
1.3.8 Templates and Best Practices ... B-6
1.3.9 Metrics ... B-7
1.3.10 Critical Program Attributes ... B-7
2.0 Risk Management Approach ... B-7
2.1 General Approach and Status ... B-7
2.2 Risk Management Strategy ... B-8
2.3 Organization ... B-8
2.3.1 Risk Management Coordinator ... B-8
2.3.2 Program Level Integrated Product Team (PLIPT) ... B-9
2.3.3 PIPTs ... B-9
2.3.4 XYZ Independent Risk Assessors ... B-9
2.3.5 Other Risk Assessment Responsibilities ... B-10
2.3.6 User Participation ... B-10
2.3.7 Risk Training ... B-10
3.0 Risk Management Process and Procedures ... B-10
3.1 Overview ... B-10
3.2 Risk Planning ... B-11
3.2.1 Process ... B-11
3.2.2 Procedures ... B-11
3.3 Risk Assessment ... B-12
3.3.1 Process ... B-12
3.3.2 Procedures ... B-13
3.4 Risk Handling ... B-17
3.4.1 Process ... B-17
3.4.2 Procedures ... B-18
3.5 Risk Monitoring ... B-18
3.5.1 Process ... B-18
3.5.2 Procedures ... B-18
4.0 Risk Management Information System (RMIS) and Documentation ... B-19
4.1 Risk Management Information System ... B-19
4.2 Risk Documentation ... B-20
4.2.1 Risk Assessment Documentation ... B-20
4.2.2 Risk-Handling Documentation ... B-20
4.2.3 Risk Monitoring Documentation ... B-20
4.3 Reports ... B-20
4.3.1 Standard Reports ... B-20
4.3.2 Ad Hoc Reports ... B-20
Annex A to XYZ Risk Management Plan – Critical Program Attributes ... B-21
Annex B to XYZ Risk Management Plan – Program Risk Reduction Schedule ... B-22
Annex C to XYZ Risk Management Plan – Program Metric Examples ... B-23
Annex D to XYZ Risk Management Plan – Management Information System and Documentation ... B-25
1.0 Description ... B-25
2.0 Risk Management Reports – XYZ Program ... B-25
2.1 Risk Information Form ... B-25
2.2 Risk Assessment Report ... B-26
2.3 Risk Handling Documentation ... B-26
2.4 Risk Monitoring Documentation ... B-26
