ECSS-M-ST-80C 31 July 2008 Space project management Risk management  ECSS Secretariat ESA-ESTEC Requirements & Standards Division Noordwijk, The Netherlands ECSS‐M‐ST‐80C 31July2008 Foreword This Standard is one of the series of ECSS Standards intended to be applied together for the management, engineering and product assurance in space projects and applications. ECSS is a cooperative effort of the European Space Agency, national space agencies and European industry associationsforthepurposeofdevelopingandmaintainingcommonstandards.Requirementsinthis Standardaredefinedintermsofwhatshallbeaccomplished,ratherthanintermsofhowtoorganize and perform the necessary work. This allows existing organizational structures and methods to be appliedwhere they are effective, andforthe structures and methodsto evolve asnecessarywithout rewritingthestandards. This Standard has been prepared by the ECSS‐M‐ST‐80 Working Group, reviewed by the ECSS ExecutiveSecretariatandapprovedbytheECSSTechnicalAuthority. Disclaimer ECSSdoesnotprovideanywarrantywhatsoever,whetherexpressed,implied,orstatutory,including, butnotlimitedto,anywarrantyofmerchantabilityorfitnessforaparticularpurposeoranywarranty that the contents of the item are error‐free. In no respect shall ECSS incur any liability for any damages,including,butnotlimitedto, direct,indirect,special,orconsequentialdamagesarisingout of, resulting from, or in anyway connected to the use of this Standard, whether or not based upon warranty,business agreement, tort,orotherwise; whetheror not injurywassustained by personsor propertyorotherwise;andwhetherornotlosswassustainedfrom,oraroseoutof,theresultsof,the item,oranyservicesthatmaybeprovidedbyECSS. Publishedby: ESARequirementsandStandardsDivision ESTEC, P.O. Box 299, 2200 AG Noordwijk The Netherlands Copyright: 2008 © by the European Space Agency for the members of ECSS 2  ECSS‐M‐ST‐80C 31July2008 Change log ECSS‐M‐00‐03A 25April2000 Firstissue ECSS‐M‐00‐03B 16August2004 Secondissue ECSS‐M‐ST‐80C Thirdissue 31July2008 MaindifferencesbetweenECSS‐M‐00‐03B(16August2004)andthis versionare: • RenumberingfromECSS‐M‐00‐03toECSS‐M‐ST‐80. • Deletionofthedefinitionsfor:.risk,residualrisk,riskmanagement,risk managementpolicybecauseidenticallydefinedinECSS‐S‐ST‐00‐01 • Update of descriptive text in clause 4.4, 5.1, 5.2.1.2f, 5.2.1.2h, 5.2.2.1, 6.5c, • In clause 7, former text contained in “AIM” converted into notes and former text from “EXPECTED OUTPUT” deleted or converted into requirementswhennormative. 3  ECSS‐M‐ST‐80C 31July2008 Table of contents Change log 3 Introduction 6 1 Scope 7 2 Normative references 8 3 Terms, definitions and abbreviated terms 9 3.1 Terms from other standards 9 3.2 Terms specific to the present standard 9 3.3 Abbreviated terms 10 4 Principles of risk management 11 4.1 Risk management concept 11 4.2 Risk management process 11 4.3 Risk management implementation in a project 11 4.4 Risk management documentation 12 5 The risk management process 13 5.1 Overview of the risk management process 13 5.2 Risk management steps and tasks 15 5.2.1 Step 1: Define risk management implementation requirements 15 5.2.2 Step 2: Identify and assess the risks 18 5.2.3 Step 3: Decide and act 19 5.2.4 Step 4: Monitor, communicate, and accept risks 20 6 Risk management implementation 22 6.1 General considerations 22 6.2 Responsibilities 22 6.3 Project life cycle considerations 23 6.4 Risk visibility and decision making 23 6.5 Documentation of risk management 23 4  ECSS‐M‐ST‐80C 31July2008 7 Risk management requirements 25 7.1 General 25 7.2 Risk management process requirements 25 7.3 Risk management implementation requirements 28 Annex A (normative) Risk management policy document - DRD 30 Annex B (normative) Risk management plan - DRD 33 Annex C (normative) Risk assessment report - DRD 36 Annex D (informative) Risk register example and ranked risk log example 38 Annex E (informative) Contribution of ECSS Standards to the risk management process 41 Bibliography 43 Figures Figure 5-1: The steps and cycles in the risk management process 14 Figure 5-2: The tasks associated with the steps of the risk management process within the risk management cycle 14 Figure 5-3: Example of a severity–of–consequence scoring scheme 15 Figure 5-4: Example of a likelihood scoring scheme 16 Figure 5-5: Example of risk index and magnitude scheme 17 Figure 5-6: Example of risk magnitude designations and proposed actions for individual risks 17 Figure 5-7: Example of a risk trend 21  5  ECSS‐M‐ST‐80C 31July2008 Introduction Risks are a threat to project success because they have negative effects on the project cost, schedule and technical performance, but appropriate practices of controllingriskscanalsopresentnewopportunitieswithpositiveimpact. The objective of project risk management is to identify, assess,reduce, accept, and control space project risks in a systematic, proactive, comprehensive and cost effective manner, taking into account the project’s technical and programmaticconstraints.Riskisconsideredtradableagainsttheconventional known project resources within the management, programmatic (e.g. cost, schedule)andtechnical(e.g.mass,power, dependability,safety)domains. The overall risk management in a project is an iterative process throughout the project life cycle, with iterations being determined by the project progress throughthedifferentprojectphases,andbychangestoagivenprojectbaseline influencingprojectresources. Risk management is implemented at each level of the customer‐supplier network. Known project practices for dealing with project risks, such as system and engineering analyses, analyses of safety, critical items, dependability, critical path,andcost,areanintegralpartofprojectriskmanagement.Rankingofrisks accordingtotheircriticalityforprojectsuccess,allowingmanagementattention tobedirectedtotheessentialissues,isamajorobjectiveofriskmanagement. The project actors agree on the extent of the risk management to be implemented in a given project depending on the project definition and characterization. 6  ECSS‐M‐ST‐80C 31July2008 1 Scope This Standard defines the principles and requirements for integrated risk management on a space project; it explains what is needed to implement a project–integratedriskmanagementpolicybyanyprojectactor,atanylevel(i.e. customer,firstlevelsupplier,orlowerlevelsuppliers). This Standard contains a summary of the general risk management process, whichissubdividedintofour(4)basicstepsandnine(9)tasks. Theriskmanagementprocessrequiresinformationexchangeamongallproject domains, and provides visibility overrisks, with a ranking according to their criticalityfortheproject;theserisksaremonitoredandcontrolledaccordingto therulesdefinedforthedomainstowhichtheybelong. The fields of application of this Standard are all the activities of all the space projectphases.AdefinitionofprojectphasingisgiveninECSS‐M‐ST‐10. Thisstandardmaybetailoredforthespecificcharacteristicsandconstraintsofa spaceprojectinconformancewithECSS‐S‐ST‐00.  7  ECSS‐M‐ST‐80C 31July2008 2 Normative references The following normative documents contain provisions which, through reference in this text, constitute provisions of this ECSS Standard. For dated references,subsequentamendmentsto,orrevisionsofanyofthesepublications donotapply.However,partiestoagreementsbasedonthisECSSStandardare encouragedtoinvestigatethepossibilityofapplyingthemostrecenteditionsof the normative documents indicated below. For undated references the latest editionofthepublicationreferredtoapplies.  ECSS‐ST‐00‐01 ECSSsystem‐Glossaryofterms ECSS‐M‐ST‐10 Spaceprojectmanagement–Projectplanningand implementation 8  ECSS‐M‐ST‐80C 31July2008 3 Terms, definitions and abbreviated terms 3.1 Terms from other standards ForthepurposeofthisStandard,thetermsanddefinitionsfromECSS‐ST‐00‐01 apply,inparticularforthefollowingterms: risk residualrisk riskmanagement riskmanagementpolicy 3.2 Terms specific to the present standard 3.2.1 acceptance of (risk) decisiontocopewithconsequences,shouldariskscenariomaterialize NOTE1 Ariskcan be acceptedwhen itsmagnitude is less than a given threshold, defined in the risk managementpolicy. NOTE2 Inthecontextofriskmanagement,acceptancecan meanthateventhoughariskisnoteliminated,its existence and magnitude are acknowledged and tolerated. 3.2.2 (risk) communication all information and data necessary for risk management addressed to a decision–makerandtorelevantactorswithintheprojecthierarchy 3.2.3 (risk) index score used to measure the magnitude of the risk; it is a combination of the likelihoodofoccurrenceandtheseverityofconsequence,wherescoresareused tomeasurelikelihoodandseverity 3.2.4 individual (risk) riskidentified,assessed,andmitigatedasadistinctriskitemsinaproject 9  ECSS‐M‐ST‐80C 31July2008 3.2.5 (risk) management process consists of all the project activities related to the identification, assessment, reduction,acceptance,andfeedbackofrisks 3.2.6 overall (risk) risk resulting from the assessment of the combination of individual risks and theirimpactoneachother,inthecontextofthewholeproject NOTE Overall risk can be expressed as a combination of qualitativeandquantitativeassessment. 3.2.7 (risk) reduction implementationofmeasuresthatleadstoreductionofthelikelihoodorseverity ofrisk NOTE Preventive measures aim at eliminating the cause of a problem situation, and mitigation measures aim at preventing the propagation ofthe cause to the consequence or reducing the severity of the consequenceorthelikelihoodoftheoccurrence. 3.2.8 resolved (risk) riskthathasbeenrenderedacceptable 3.2.9 (risk) scenario sequence or combination of events leading from the initial cause to the unwantedconsequence NOTE The cause can be a single event or something activatingadormantproblem. 3.2.10 (risk) trend evolutionofrisksthroughoutthelifecycleofaproject 3.2.11 unresolved (risk) risk for which risk reduction attempts are not feasible, cannot be verified, or haveprovedunsuccessful:ariskremainingunacceptable 3.3 Abbreviated terms Forthepurposeofthisstandard,theabbreviatedtermsofECSS‐S‐ST‐00‐01and thefollowingapply: Abbreviation Meaning IEC InternationalElectrotechnicalCommission 10  [...]... Figure 5‐2: The tasks associated with the steps of the risk management process  within the risk management cycle  14    ECSS‐M‐ST‐80C  31 July 2008   5.2 Risk management steps and tasks 5.2.1 Step 1: Define risk management implementation requirements 5.2.1.1 Purpose To  initiate  the  risk management process  by  defining  the  project risk management policy and preparing the project risk management plan.  5.2.1.2 Task 1: Define the risk management. .. a The  risk management plan  shall  describe  the  risk management organization of the project   b The risk management plan shall list the responsibilities of each of the risk management participants.  33    ECSS‐M‐ST‐80C  31 July 2008   a Risk management policy  The  risk management plan  shall  contain  a  link  to  the  applicable  risk management policy document.  a Risk management documentation and follow‐up ... Project goals and resource constraints  The  risk management policy  document  shall  describe  the  project objectives  and  the  resource  constraints  of  the  project and  name  the  project s critical success factors.  Risk management strategy and approach  a The risk management policy document shall provide an overview of the  risk management approach, to include the status of the risk management ... Figure 5‐5: Example of risk index and magnitude scheme    Risk index  Risk magnitude  Proposed actions  E4, E5, D5  Very High risk Unacceptable risk:  implement new team process or change  baseline – seek project management attention at appropriate  high management level as defined in the risk management plan E3, D4, C5  High risk Unacceptable risk:  see above.  E2, D3, C4, B5  Medium risk Unacceptable risk:  aggressively manage, consider alternative ... Risk management documentation and follow‐up  The risk management plan shall describe the structure, the rules and the  procedures used to document the results of the risk management and the  follow‐up process.  a Project summary  The risk management plan shall contain a brief description of the project,   including the project management approach.  a Description of risk management implementation  The  risk management plan ... trend are used to optimize the tradable resources.  Within  the  risk management process,  available  risk information  is  produced  and  structured,  facilitating  risk communication  and  management decision  making. The results of risk assessment and reduction and the residual risks are  communicated to the project team for information and follow‐up.  4.3 Risk management implementation in a project Risk management requires  corporate ... follow‐up of risks.  Risk management draws on existing documentation as much as possible.  Responsibilities The  responsibilities  for  risk management matters  within  the  project organization are described in the risk management plan in accordance with the  risk management policy. The following approach applies:  a The  project manager  acts  as  the  integrator  of  the  risk management function ... of  the  prevailing  risk.   Risk information  is  presented  to  support  management decision  making,  including an alert system for new risks.  Information  about  all  identified  risks  and  their  disposition  is  kept  in  a  record.  Documentation of risk management a Risk management documents are maintained so that each step of the risk management process and the key risk management results and decisions ... are traceable and defensible.  b The  risk management process  draws  on  the  existing  project data  to  the  maximum extent possible, but documentation established specifically for  risk management includes  information  on  project specific  risk management policy; objectives and scope; the risk management plan; the  identified  scenarios;  likelihood  of  events;  risk results;  risk decisions;  records of risk reduction and verification actions; risk trend data; and risk ... rationale of all risk related decisions made during the life of the project.   The  risk management documentation  includes  the  risk management policy,  which:  • defines  the  organizationʹs  attitude  towards  risk management,   together  with the project specific categorization of risk management,  and  • provides  a  high‐level  outline  for  the  implementation  of  the  risk management process.  . of risk management 11 4.1 Risk management concept 11 4.2 Risk management process 11 4.3 Risk management implementation in a project 11 4.4 Risk management. ECSS-M-ST-80C 31 July 2008 Space project management Risk management  ECSS Secretariat ESA-ESTEC Requirements & Standards