66 DAFPAM63-123 14 APRIL 2022
the combination of these two factors determines which risks are the highest threats to a particular
COA. For example, a provider of spare parts may be in poor financial state resulting in a credible
risk of going out of business. However, if the part is also available from several other vendors,
the potential impact is minimal since other sources are available. On the other hand, if a part is
rare, is sensitive to damage in shipping, is a long-lead item and has few sources, the risk of losing
an asset could be assessed as high, as could the impact due to the inability to replace it. The bottom
line for risk analysis is that the process should critically examine both the probability and impact of
each risk so that sufficient planning can take place to reduce either the exposure or the impact.
7.7.1. Risk Matrix. A common approach for assessing both the probability and impact of risk
is the use of the risk matrix. The risk matrix prioritizes uncertainties that could negatively
impact program cost, schedule and performance. SMEs, typically engineers, PMs, logisticians
and others familiar with the program, define the risk factors, probabilities, and resulting impact
to cost, schedule, performance or a combination thereof.
7.7.2. Best Practice: Continuously monitor risks to ensure awareness of events that may
change either the risk likelihood or risk impact. Additionally, mitigation plans should be
reviewed to ensure they are still valid.
7.8. Risk Handling Planning & Implementation. Risk Handling Planning & Implementation
is the fourth step in the risk management process. This step identifies, evaluates, and selects
options to set risk at acceptable levels given program constraints and objectives. Risk Handling
Planning & Implementation is intended to enable program success. It includes the specifics of
what should be done, when it should be accomplished, who is responsible, and the funding required
to implement the risk mitigation plan. The level of detail depends on the program life-cycle phase
and the nature of the need to be addressed. However, there should be enough detail to allow a
general estimate of the effort required and technological capabilities needed based on system
complexity.
7.8.1. Risk Mitigation. Risk handling planning & implementation focuses on reducing the
likelihood that a risk event will occur and/or reducing the impact should the risk be realized.
In many cases, the more cost-effective option is to reduce the likelihood of a risk
occurrence. In the example of the vendor with financial troubles, this may be mitigated by
setting up an indefinite-delivery indefinite-quantity type contract with multiple vendors, thus
reducing risk from sole source and adding opportunity for lower cost through competition.
Similarly, the choice to use open source software versus proprietary code would mitigate the
risk of depending on the original software manufacturer to provide follow-on support. In both
cases the likelihood of the risk event happening was reduced through planning and design
changes early in the system life cycle. However, not all risks can be addressed solely through
reducing the likelihood of occurrence, so risk mitigation plans should be developed to reduce
their impact. Developing risk mitigation plans is also a useful exercise in helping to identify
the root cause of a risk event. In the example of the item that is sensitive to shipping, has
limited sources and has a long lead time, the risk may be mitigated by improving packaging,
changing the shipping method or adding more robust materials in the design. Deciding which
mitigation approach is most appropriate depends on knowing the root cause of damage during
shipping. Is it packaging, shipping, poor quality parts or a combination of each? Knowing this
from the risk assessment phase helps with developing the most appropriate and cost-effective
risk mitigation plan.