MGB - part 1 Flashcards

for the January 2021 exam

1
Q

Risk Definition

A

Simple, everything can be a risk! It is an undesirable event or situation which has both a likelihood of occurrence and potentially negative consequence(s).

  • A risk can affect the successful achievement of objectives in terms such as Finance (costs and revenues), Time, Performance, Environment, or Health & Safety.
  • Every activity, even “doing nothing”, contains risk because the future is uncertain and we operate within constraints and targets.
  • It is always useful to distinguish between: Causes => Risks => Consequences
2
Q

Risk Management definition

A

Risk Management is a systematic and proactive approach to assess and control risks, performed according to an established (risk management) policy.

  • Risk Management is a part of the project and general management, it is therefore a continuous and integrated process.
  • Risk Management is not the activity to carry out when problems occur, that is crisis management.
  • It is not a policing system, but a management tool.
  • It has never, and will never, eradicate all risks. Zero risk does not exist.
3
Q

Scope of Risk Management in Space Project

A

See Failed Risk management: (Challenger 1986… L1-Part 1)

Risk Management should*:

  • be an integral part of organizational processes
  • be part of decision making
  • explicitly address uncertainty and assumptions
  • be systematic, structured, and timely
  • be based on the best available information
  • be tailorable
  • take into account human and cultural factors
  • be transparent and inclusive
  • be iterative and responsive to change
  • be continually or periodically re-assessed
  • be process based
  • contribute to lessons learned
  • have an added value
4
Q

Risk management Process Cycle

A

1. Establish the Context

Establishing the context includes planning the remainder of the process and mapping out the scope of the exercise, the identity and objectives of stakeholders, the basis upon which risks will be evaluated and defining a framework for the process, and agenda for identification and analysis.

2. Identification

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems.

Hence, risk identification can start with the source of problems, or with the problem itself.

Risk identification requires knowledge of the organization, the market in which it operates, the legal, social, economic, political, and climatic environment in which it does its business, its financial strengths and weaknesses, its vulnerability to unplanned losses, the manufacturing processes, and the management systems and business mechanism by which it operates.

Any failure at this stage to identify risk may cause a major loss for the organization.

Risk identification provides the foundation of risk management.

The identification methods are formed by templates or the development of templates for identifying source, problem or event. The various methods of risk identification methods are.

3. Assessment

Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence.

These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring.

Therefore;

In the assessment process, it is critical to make the best-educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents.

Furthermore;

Evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed.

Thus, best educated opinions and available statistics are the primary sources of information.

Nevertheless, a risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized.

Thus, there have been several theories and attempts to quantify risks.

Numerous risk formulas exist, but perhaps the most widely accepted formula for risk quantification is the rate of occurrence multiplied by the impact of the event.

In business, it is imperative to be able to present the findings of risk assessments in financial terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms.

The Courtney formula was accepted as the official risk analysis method of the US governmental agencies.

The formula proposes the calculation of ALE (Annualized Loss Expectancy) and compares the expected loss value to the security control implementation costs (Cost-Benefit Analysis).

4. Potential Risk Treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories;

  1. Risk Transfer

Risk Transfer means that the expected party transfers the whole or part of the losses consequential to risk exposure to another party for a cost. Insurance contracts fundamentally involve risk transfers.

Apart from the insurance device, there are certain other techniques by which the risk may be transferred.

  2. Risk Avoidance

Avoid the risk or the circumstances which may lead to losses in another way. This includes not performing an activity that could carry risk.

Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning the profits.

  3. Risk Retention

Risk-retention implies that the losses arising due to a risk exposure shall be retained or assumed by the party or the organization.

Risk-retention is generally a deliberate decision for business organizations inherited with the following characteristics. Self-insurance and Captive insurance are the two methods of retention.

  4. Risk Control

Risk can be controlled either by avoidance or by controlling losses. Avoidance implies that either a certain loss exposure is not acquired or an existing one is abandoned. Loss control can be exercised in two ways.

5. Create the Plan

Decide on the combination of methods to be used for each risk. Each risk management decision should be recorded and approved by the appropriate level of management.

For example,

A risk concerning the image of the organization should have a top management decision behind it, whereas IT management would have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for managing the risks.

A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.

The risk management concept is old but is still not very effectively measured. Example: An observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software.

6. Implementation

Follow all of the planned methods for mitigating the effect of the risks.

Purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity’s goals, reduce others, and retain the rest.

7. Review and Evaluation of the Plan

Initial risk management plans will never be perfect.

Practice, experience and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are two primary reasons for this;

  1. To evaluate whether the previously selected security controls are still applicable and effective, and,
  2. To evaluate the possible risk level changes in the business environment. For example, information risks are a good example of the rapidly changing business environment.
5
Q

Requirements & Severity Scoring Scheme

A

Scores can be attributed to represent each probability and severity

  • The probability score is then a measure of the likelihood of occurrence of the risk scenario
  • Severity score is a measure of the amount of damage or penalty to be expected
6
Q

Risk Index Scheme

A
7
Q

Limitations of RM in space projects & Documentation

A

Visible Risks : a lot of assumptions are made. The aim is to reduce the risks but there will always be some hidden risks remaining!

Risk Management Documentation
• Risk Management Policy
• Risk Management Plan
• Risk Assessments/Register
• Risk Trends
• Risk Status Report
• Risk Reduction Actions
• Ranked Risk Listing
• Risk Control Decision

8
Q

What is Product Assurance ?

A

Discipline devoted to the study, planning and implementation of activities intended to assure that the design, controls, methods and techniques in a project result in a satisfactory degree of quality in a product.

9
Q

Explain when and where Product Assurance is needed in a space project and where it fits in project teams

A

In Phase 0 => Mission Analysis (MDR => Mission Definition Review)
* In phases A and B it covers the assessment of plans and capabilities, the qualification of technologies, and the review of requirements. So Phase A leaves from the MDR and goes to the PRR (Preliminary Requirement Review) until Phase B with SRR (System Requirement Review) to arrive at the PDR (Preliminary Design Review).
* In phase C it covers the readiness for manufacture, selection of methods, design suitability.
CDR => Preliminary Critical Review
* In phase D it assesses operation readiness, manufacturing control and verification control with the QR (Qualification Review) until Phase E with the AR (Acceptance Review) and the ORR (Operational Readiness Review).
* In phase E it ensures approved plans are implemented, manages problems and gives feedback.
FRR => Flight Readiness Review
* In phase F => we have the Disposal with the ELR => End of Life Review, until the MCR (Mission Close-out Review). It covers also aspects of operations, quality of data, etc.

10
Q

Product Assurance Management

A

• PA programme planning involves the definition of a PA Plan:

o Tailors specific requirements to the project
o Identifies PA activities to be carried out (inputs/outputs)
o Defines the PA organization
o Identifies adequate resources: personnel and facilities
o Ensures requirements are cascaded to lower tier suppliers

• PA programme implementation addresses:

o Monitoring and control of PA disciplines
o Progress reporting of PA matters
o Management of audits & inspections, critical items, NCRs and alerts
o Support to risk management and configuration management
o Lower tier supplier control
o Demonstrates the fulfillment of requirements

11
Q

Nonconformance control ‐ classification

A

Major nonconformances – those with an impact on the customer’s requirements as follows
• safety of people or equipment
• operational, functional or any technical requirements
• reliability, maintainability, availability
• lifetime
• interchangeability (functional, dimensional)
• interfaces
• changes to or deviations from approved qualification or acceptance test procedures
• project specific items which are proposed to be scrapped

Minor nonconformances – those which by definition cannot be classified as major.
• If in doubt raise major NCR
• Note: New tailoring in PARD:

NCRs shall not be limited to nonconformances to a requirement but shall also be raised for unexpected occurrences during assembly, integration and testing. (Unexpected occurrences may impact the mission even if not against a requirement: they may be an indication for a defect or the start of degradation).

12
Q

Alert Management

A

Alerts need to be assessed to determine whether a particular risk exists in the project (i.e. if the item is within the perimeter of the alert)
• If the product is affected then alerts usually provide recommendations that depend on the state of development.
• Alerts can have major cost and schedule impacts. An example is to replace an EEE component after a H/W item has been built.
• Contractors have to maintain a listing of all alerts and the responses/status.

=> This is reviewed periodically and is recommended to be part of the project progress reporting

13
Q

Quality management systems

A

Management system – set of interrelated elements of an organization to establish policies and objectives, and processes to achieve those objectives (ISO 9000:2015)

• Quality Management System (QMS) – part of a management system with regard to quality

• Product quality depends on many variables.
=> Processes, organization, resources and procedures that manufacturers and suppliers use to control these variables to produce a product of consistent quality which meets defined specifications is usually called a QUALITY SYSTEM.

14
Q

Supply Chain Management

A

The production and even the design of space systems require the collaboration of many companies and organizations.

• The specification and procurement are major engineering and management activities (maybe not fully covered in engineering courses).

• Quality management with PA disciplines is a major activity in projects.

15
Q

The ECSS System

A

The European Cooperation for Space Standardisation (ECSS), established in 1993, is an organisation which works to improve standardisation within the European space sector. The ECSS frequently publishes standards, to which contractors working for ESA must adhere.

16
Q

Who are you dealing with ?

A

Understanding who you are doing business with is key for success. What drives them, what turns them off and more importantly, what are their needs.
Different people have different objectives, values, needs.

17
Q

“Dreamers”

A

Dreamers have their mind full of iconic space images and science fiction stories.
Drivers:
• Vision of a space future
• ‘Cool’ space ideas
• Technology
Turn offs:
• Boring details about reality
• Difficulties
Things to watch out for:
• Short attention span
• Unfocused
• Unrealistic
• Very enthusiastic

18
Q

“Money makers”

A

Money makers focus on the bottom line, how much money they will earn.
Drivers:
• Return on investment
• Low/no capital expenditure
• Things for free
Turn offs:
• Technical details
• “Non profitable” discussions
Things to watch out for:
• Win/lose negotiation tactics
• Tend to be experienced negotiators

19
Q

“Visionaries”

A

Visionaries are Dreamers with a plan. They are determined and have a specific target. The toughest to negotiate with.
Drivers:
• Their vision of a space future
• ‘Cool’ space ideas
• Technology
Turn offs:
• Things they perceive as obstacles to their vision
Things to watch out for:
• Tough negotiators
• You are a means to an end

20
Q

“Politicians”

A

Politicians are Visionaries where the target is not necessarily the stated one.
Drivers:
• Election periods
• Public image
• Good story
Turn offs:
• Things they perceive as obstacles to their vision
Things to watch out for:
• Things going on behind the scenes
• Best solution might not win

21
Q

“Bureaucrats”

A

The Uninterested are doing a job. Civil servants many times fall in this category.
Drivers:
• Doing their job
• Personal victory/glory to further their careers
Turn offs:
• Geeks… and details about technology/science
Things to watch out for:
• What drives them is usually a vision from someone else (a politician)

22
Q

Working with different cultures

A

Research carefully in each case
• Take the lead from others if you cannot
• Do’s and don’ts

  • Understanding of cultural aspects can help you gain respect
  • how to greet or address other people
  • “Rolex vs Casio” preference for lowest cost or best-in-class?
  • Language –> risk of misinterpretation
  • Communications, Language and colloquialisms
  • Saying “no” or openly disagreeing can be considered extremely impolite
  • Working ethics, public holidays and hours vary
  • E.g. timeliness

Colours, numbers and symbols can have meaning!

  • The importance of hierarchies
  • Decisions made by one person?
  • Are decisions by consensus?
  • Is the project/budget controller in charge?
  • How important is that elderly guy in the corner?
  • Working with an interpreter vs fluent domain expert
  • Dealing with silence in meetings
  • Your logic may not be their logic! Worldviews can be very different.
23
Q

Market and Business Intelligence

A

Why?
• To identify gaps in the market
• To improve your business plans
• To improve your market share / sales
• To understand your product positioning
- Pricing, schedule, specifications, etc.

How?
• Targeted visits, trade delegations
• Trade press / Internet research
- Space News
• Conferences, workshops, events
- International Astronautical Congress
• Through your website / email / social media
• Space Market reports
- Euroconsult, NSR, Bryce, etc
- Useful to get quick insights and to help validate
- Rarely detailed enough to support targeted business development
- Can have significant gaps in detail
- No substitute for your own assessment
• Through your potential customers

24
Q

Different types of IP

(Quick reminder, won’t be assessed, useful for InterQuestion M2, see L16)

A

• Copyright
– To exclude others from reproducing the work
• Patent
– To exclude others from making, using or selling the invention
• Trademark
– To prevent others from using the mark to identify (distinguish) goods and services