Abstract
Despite a migration of risk definitions towards alignment with ISO 31000, which defines risk as the effect of uncertainty on objectives, models for risk management continue to apply a failure-focused definition based upon Norman Rasmussen's probabilistic risk assessment: probability multiplied by consequence magnitude. This approach is counter to how people actually think about risk in decision making (in terms of achieving objectives) and makes it nearly impossible to model risks from diverse domains (e.g., technical, political, security) to develop a complete risk picture. As a result, individual risks and mitigations are "managed" rather than considered as elements of an integrated system of uncertainties. The Department of Defense recently published an update to its Risk Issues and Opportunities (RIO) Guide that restated its dichotomous definition of risk, the first half of the definition being objective-based and the second half being failure-based. The RIO guide goes on to apply only the second, failure-based portion of the definition to its recommendations for proper risk management. This paper proposes a conceptual methodology for applying a risk management model based upon risk as a measure of the nearness to one or more objectives, which allows for evaluation of risk as a networked system to inform decisions related to those objectives. Such a model also provides the ability to optimize mitigations to maximize effect while minimizing resources expended (i.e., cost or schedule) or changes in performance requirements.
Keywords
Risk, Risks, Management, Objective, FORM, Uncertainty
Introduction
In program management as in driving a car, we tend to steer where we are looking. In a well-managed program, clear intermediate objectives or milestones are defined to steer towards a common goal and gauge progress towards an ultimate objective, perhaps to deliver a new ship with certain capabilities on the intended date for an agreed-to cost. A good program manager (PM) understands the diverse hazards and sees the best path ahead when making decisions to navigate the program towards success. In fact, each of us mentally integrates future uncertainties (risks) in the making of every decision, so why is risk routinely managed from the perspective of hazard avoidance rather than achieving objectives? This is our first problem.
The standard model for risk is based upon Norman Rasmussen's Probabilistic Risk Assessment (PRA), developed in response...





