AFMC Pamphlet 63-101
9 July 1997
Certified By: HQ AFMC/ENP (Louis Hari) Supersedes: AFMCPAM 63-101, 15 Sep 93
OPR: HQ AFMC/ENPI (Maj Paul Loughnane) Distribution: F
By Order of the Commander Air Force Materiel Command
This pamphlet does not apply to the Air National Guard or US Air Force Reserve units and members. This pamphlet is intended to provide program managers and their program management team a basic understanding of the terms, definitions and processes associated with effective risk management.
Current acquisition reform initiatives embrace closer government/industry relationships and greater reliance on commercial technologies -- both designed to provide reliable, lower cost weapon systems. Hand-in-hand with these initiatives is an accompanying focus on risk management.
The risk management concepts and ideas presented in this pamphlet are focused on encouraging the use of risk-based management practices and suggesting ways to address the program risk without prescribing the use of specific methods or tools. Rather, this pamphlet was prepared as a guide, with the expectation that program risk management processes will be developed to meet the intent of this document.
The terms and definitions in this guide have been standardized with the current DoD terminology as a result of the activities of the 1996 DoD Risk Management Working Group. Additionally, this document served as a primary source of the DoD level risk management material for the December 96 version of the DoD online acquisition model, “Deskbook.”
Summary of Revisions
This pamphlet was rewritten in its entirety.
1.1. -- Pamphlet Roadmap.
This risk management pamphlet applies to acquisition risks and is organized into three general segments. Chapters 1 and 2 provide an executive-level overview of risk management. Chapters 3 and 4 provide high level concepts related to application of risk management on new programs and to implementation of sample approaches and techniques. Chapter 5 contains a selected list of references for additional information.
1.2. -- Overview.
Risk management is an integral part of the overall acquisition process. When a disciplined, comprehensive risk management program is implemented throughout a program’s life cycle, critical program risks are properly identified and suitable handling plans are developed and implemented. A well-managed risk management program is an invaluable tool for balancing cost, schedule, and performance goals, especially on programs with designs which approach or exceed the state-of-the-art.
1.2.1. Risk management is not a separate program function but an integral part of the overall program planning and management process. In order to be effective, the risk management process must be recognized as a program management activity, and not something limited to the engineering function. Any program element associated with cost, schedule, and performance has a direct interface with the risk management process.
1.2.2. It is important to remember that risk management is employed throughout the program’s life cycle. A risk management strategy should be developed early in the program (as early as Phase 0) and addressed continually throughout the program. This process does not change fundamentally as the program progresses, although refinement will occur as program unknowns become knowns and its design matures.
1.2.3. Recent emphasis on risk management coincides with overall DoD efforts to reduce life-cycle costs (LCC) of system acquisitions. New processes, reforms, and initiatives are being implemented within the acquisition communities with risk management as a key component. It is essential that programs define and implement appropriate risk management and contingency plans. Risk management should be designed to enhance program management effectiveness and provide program managers a key tool to reduce LCCs.
1.2.4. An effective risk management process requires a commitment on the part of the program manager and the program office to be successful. Many impediments exist to risk management implementation. One good example is the natural reluctance to identify real program risks early for fear of jeopardizing the program’s support or even continuation. Another example is the lack of sufficient funds to properly implement the risk handling process. However, when properly implemented, the risk management program supports setting realistic cost, schedule, and performance objectives and identifies areas that require special attention.
1.2.5. Planning a good risk management program integral to the management process ensures that risks are handled at the appropriate management level.
1.3. -- Major DoD References:
1.3.1. DoD Directive 5000.1, Defense Acquisition.
1.3.2. DoD 5000.2-R, Mandatory Procedures for Major Defense Acquisition Programs and Major Automated Information System Acquisition Programs.
1.3.3. DoD 4245.7-M, Transition from Development to Production.
1.3.4. DoD Directive 5000.4, OSD Cost Analysis Improvement Group (CAIG).
1.4. -- Purpose.
• Provides guidance to help establish a risk management framework for planning, assessing, handling and monitoring risks for all acquisition programs.
• Serves as a source of general guidance which can be tailored to fit within the program and statutory requirements.
• Includes discretionary acquisition guidance and information, expert wisdom, best practices and lessons learned.
• Applies to all elements of a program (system, subsystem, hardware and software).
• Should be used in conjunction with related directives, instructions, policy memoranda, or regulations issued to implement the mandatory procedures contained in DoD directives and instructions.
• Can be tailored into a single management process to provide an efficient, integrated acquisition process supporting the orderly flow of program decisions, milestones, and other essential activities.
• Discusses performance within the context of the following areas of technical risks: threat; requirements; technology; engineering; manufacturing; environmental, safety, and health; logistics and supportability; test and evaluation; operational support; demilitarization and disposal.
Note: This pamphlet uses the term “acquisition” generically to apply to all programs, regardless of life-cycle phase -- from laboratory research programs to major weapon or information system development programs -- through sustainment and disposal.
1.5. -- Risk Management Definitions:
1.5.1. Risk. Risk is a measure of the inability to achieve program objectives within defined cost and schedule constraints. Risk has two components:
• The probability (or likelihood) of failing to achieve particular performance, schedule, or cost objectives, and
• The consequence of failing to achieve those objectives.
1.5.2. Failure to account for the severity of the consequences means that risks may be misstated. For example, if a particular event has a high probability of failure (PF), but only a small impact, then it is unrealistic to call it a high risk. On the other hand, a number of risks can have a low probability of occurrence but have consequences so serious that they are treated as significant risks. A classic case is safety issues, which typically have been handled as moderate or high risks, despite their relatively low probability of occurrence.
1.5.3. Risk Management Process:
1.5.3.1. Risk management is the act or practice of controlling risk. This process includes identifying and tracking risk areas, developing risk mitigation plans as part of risk handling, monitoring risks and performing risk assessments to determine how risks have changed. Risk management process activities fall into the following four broad elements and are performed with many iterative feedback loops.
1.5.3.2. Risk planning is the process of developing and documenting organized, comprehensive and interactive strategy and methods for identifying and tracking risk areas, developing risk mitigation plans, performing risk assessments to determine how risks have changed, and planning adequate resources.
1.5.3.3. Risk Assessment is the process of identifying and analyzing program area and critical technical process risks to increase the likelihood of meeting performance, schedule and cost objectives. It includes risk identification and risk analysis. Risk identification is the process of examining the program and each critical technical process to identify and document risk areas. Risk analysis is the process of examining each identified program and process risk, isolating the cause, and determining the impact. Risk impact is defined in terms of its probability of occurrence, its consequences, and its relationship to other risk areas or processes.
1.5.3.4. Risk handling is the process that identifies, evaluates, selects and implements options in order to set risk at acceptable levels given program constraints and objectives. This includes the specifics on what should be done, when it should be accomplished, who is responsible, and the cost impact. The most appropriate strategy is selected from these handling options and documented in a risk handling plan.
1.5.3.5. Risk monitoring is the process that systematically tracks and evaluates the performance of risk handling actions against established metrics throughout the acquisition process and develops further risk handling options or executes risk mitigation plans, as appropriate.
1.6. -- The Risk Management Participants:
1.6.1. Involve Everyone In Risk Management. Effective risk management requires early and continual involvement of all of the program team as well as outside help from subject-matter experts, as appropriate. Participants include the customer, laboratories, acquisition, contract management, test, logistics, and sustainment communities and, above all, industry.
1.6.2. Develop Close Partnership With Industry. Effective management of a program’s risk requires a close partnership between the government, industry, and later, the selected contractor(s). The program manager should understand the differences in the government’s view of risk versus industry’s view and ensure all risk management approaches are consistent with program objectives. Both the government and industry need to understand their respective roles and authority while developing and executing the risk management effort.
1.7. -- Effective Risk Management.
Acquisition programs run the gamut from simple, straightforward procurements of mature technologies which cost a few thousand dollars to state-of-the-art and beyond programs valued in the multibillions of dollars. Effective risk management programs generally follow consistent characteristics and guidelines across all programs despite these vast differences in program size and technologies. Some characteristics of effective risk management programs follow.
1.7.1. Characteristics Of Successful Risk Management. Successful programs will have the following risk management characteristics:
• Feasible, stable, and well-understood user requirements.
• A close partnership with user, industry, and other appropriate participants.
• A planned risk management process integral to the acquisition process.
• A program assessment performed early to help define a program which satisfies the user’s needs within acceptable risk.
• Identification of risk areas, risk analysis and development of risk handling strategies.
• Acquisition strategy consistent with risk level and risk handling strategies.
• Continuous reassessment of program and associated risks.
• A defined set of success criteria that covers all performance, schedule, and cost elements.
• Metrics used to monitor effectiveness of risk handling strategies.
• Formally documented.
1.7.2. Top-Level Guidelines for Effective Risk Management:
• Assess program risks and develop strategies to manage these risks during
- Identify early and intensively manage those design parameters which critically affect capability, readiness, design cost, or LCC.
- Use technology demonstrations/modeling/simulation and aggressive prototyping to reduce risks.
- Include test and evaluation as part of the risk management process.
• Include industry participation in risk management. Offerors must identify risks and develop plans to manage those risks as part of their proposals.
• Use proactive, structured risk assessment and analysis process to identify and analyze risks.
- Identify, assess and track technical, schedule, and cost risk areas.
- Establish risk mitigation plans.
- Provide for periodic risk assessments throughout each program phase.
• Establish a series of “risk assessment events,” where the effectiveness of risk reduction conducted to date is reviewed. These events are to be tied to the integrated master plan (IMP) at each level and have clearly defined entry and
• Include processes as part of risk assessment. This would include the contractor’s managerial, development, and manufacturing processes.
• Clearly define a set of evaluation criteria for assigning risk ratings (low, moderate, high) for identified risk areas.