Acquisition Management Policy (Revised 11/2009)

4.13: Risk Management (Revised 11/2009)

Risk management is applied throughout the lifecycle management process to identify and mitigate risks associated with achieving FAA goals and objectives. Each line of business shall institute risk management processes that: (1) identify and assess risk areas; (2) develop and execute risk mitigation or elimination strategies; (3) track and evaluate mitigation efforts; and (4) continue mitigation activity until risk is eliminated or its consequences reduced to acceptable levels.

Figure 4.13-1 Risk Characterization

Risk management applies to all levels of FAA activity, from small projects to large programs. It applies to such risk areas as cost, schedule, technical, system safety, all security disciplines, human factors, operability, producibility, supportability, benefits, management, funding, and stakeholder satisfaction (e.g., Congressional and aviation community priorities; union concerns). The following examples illustrate key elements of risk management:

  • Service-level risk management. Risk management during service analysis identifies and characterizes risks to the FAA's ability to execute its legislated responsibilities and satisfy customer demands for service. Typically, these risks arise from changes in the operational environment and shortfalls in operational capability.
  • Investment analysis risk management. Risk management during investment analysis shall ensure primary risks associated with alternative solutions to mission need are identified and evaluated fully. Sufficient time and money must be included in the acquisition program baseline of a solution selected for implementation to mitigate risk and achieve program success.
  • Program risk management. Service organizations shall apply risk management throughout the lifecycle of their products and services. The focus is on early detection and reduction of risk to avoid the greatly increased cost of dealing with the consequences of risk later in the lifecycle. Risk management planning and risk-mitigation actions are documented in the OMB Exhibit 300 and the implementation strategy and planning document. Appropriate risk management requirements and activities are also included in any prime contract for products or services. Risk management continues throughout in-service management, with the assessment and adjustment of mitigation efforts to reduce the consequences of risk to an acceptable level.
  • Security risk management. Vulnerabilities and risks within FAA programs must be reduced to acceptable levels for all identified threats that could result in quantifiable injury to personnel, loss or destruction of critical assets, or disruption of FAA information systems, including mission-critical NAS operational systems and mission support and administrative systems. Offices sponsoring or executing programs shall implement and maintain lifecycle security risk management for each investment program. Lifecycle security risk management shall be an integral part of program concept, planning, engineering design, and implementation, and shall be maintained and modified throughout the lifecycle, as required. The methodology for quantifying and measuring asset criticality, along with identifying levels of vulnerability and risk, shall meet or exceed the lifecycle risk management process guidance in FAST.
  • Human factors risk management. Human factors risk management shall ensure effective human / system interaction and performance. Human issues such as usability, operational suitability, personnel and training costs, and user performance must be evaluated during concept and requirements definition and investment analysis as FAA needs are defined and alternative solutions are evaluated. During solution implementation, human factors must be fully integrated into planning and execution of the overall program to foster safe, effective human / product performance and ensure user acceptance of the final product.