The Umbrella of Program Risk Management - A Guide for DoD Contractors
When I talk to DoD contractors about program risk management, I’m sometimes met with confusion. Many people think I am talking about the cybersecurity risk management framework (RMF), supply chain risk management, system safety, or if they are familiar with banking or insurance, financial risk.
From a DoD perspective (see the Department of Defense Risk, Issue, and Opportunity (RIO) Management Guide for Defense Acquisition Programs), those are actually subsets of the risks and risk categories that fall under program risk management.
A picture is worth a thousand words, so with that in mind, here is what falls under the umbrella of program risk management.
As the graphic shows, from a DoD perspective there are three main categories of program risk management (solid lines). The dashed lines are related functional areas that fall under one of those categories.
1. Technical – risks that might stop the product or service from doing what it is supposed to do, e.g. a risk that a drone cannot fly or that a missile cannot survive its thermal environment. There are three subsets of technical risk:
Technology – risks involving the transition of a technology from the lab to engineering
Engineering – risks related to using engineering to turn requirements into systems
Integration – risks related to getting a system to work with internal and external systems
From a use-case perspective it looks like this:
* Specific technical functional risks include cyber, system safety, environmental safety and occupational health, and electromagnetic spectrum supportability and compatibility (these are covered by a variety of DoD Instructions and MIL-STDs listed in the “light” reading list at the end of this article).
2. Programmatic – non-technical risks that can be controlled by the program manager or program management office. These tend to include estimates (budget, schedule, people needed, facilities, material), program plans, execution of the program, and type of contract.
3. Business – non-technical risks that are outside the control of the program manager or program management office but still impact the program. Examples include impacts from other programs, world events, regulations, etc. These may need to be escalated outside of the program.
At the program level, the program manager is responsible for ensuring (either by doing it themselves or by having a program risk manager) that risk is managed across all of these categories. That doesn’t mean they need to be the SME in each area, but they do need to understand the impact of each area on their program.
____________________________________________________________________________________________________________________________________
Additional “light” reading:
Department of Defense Risk, Issue, and Opportunity (RIO) Management Guide for Defense Acquisition Programs
DoDI 8500.01 - Cybersecurity
DoDI 8510.01 - Risk Management Framework (RMF) for DoD Systems
DoDI 5000.83 - Technology and Program Protection to Maintain Technological Advantage
DoDI 5000.90 - Cybersecurity for Acquisition Decision Authorities and Program Managers
DoDI 5000.88 - Engineering of Defense Systems
MIL-STD-882 - Standard Practice for System Safety
DoDI 5000.95 - Human Systems Integration in Defense Acquisition
Human Systems Integration (HSI) Guidebook (2022)
DoDI 4650.01 - Policy and Procedures for Management and Use of the Electromagnetic Spectrum
DoDI 3222.03 - DoD Electromagnetic Environmental Effects (E3) Program