ECSS-M-ST-80C
31 July 2008

Space project
management
Risk management

ECSS Secretariat
ESA-ESTEC
Requirements & Standards Division
Noordwijk, The Netherlands
ECSS‐M‐ST‐80C
31July2008
Foreword
This Standard is one of the series of ECSS Standards intended to be applied together for the
management, engineering and product assurance in space projects and applications. ECSS is a
cooperative effort of the European Space Agency, national space agencies and European industry
associationsforthepurposeofdevelopingandmaintainingcommonstandards.Requirementsinthis
Standardaredefinedintermsofwhatshallbeaccomplished,ratherthanintermsofhowtoorganize
and perform the necessary work. This allows existing organizational structures and methods to be
appliedwhere they are effective, andforthe structures and methodsto evolve asnecessarywithout
rewritingthestandards.
This Standard has been prepared by the ECSS‐M‐ST‐80 Working Group, reviewed by the ECSS
ExecutiveSecretariatandapprovedbytheECSSTechnicalAuthority.
Disclaimer
ECSSdoesnotprovideanywarrantywhatsoever,whetherexpressed,implied,orstatutory,including,
butnotlimitedto,anywarrantyofmerchantabilityorfitnessforaparticularpurposeoranywarranty
that the contents of the item are error‐free. In no respect shall ECSS incur any liability for any
damages,including,butnotlimitedto, direct,indirect,special,orconsequentialdamagesarisingout
of, resulting from, or in anyway connected to the use of this Standard, whether or not based upon
warranty,business agreement, tort,orotherwise; whetheror not injurywassustained by personsor

propertyorotherwise;andwhetherornotlosswassustainedfrom,oraroseoutof,theresultsof,the
item,oranyservicesthatmaybeprovidedbyECSS.
Publishedby: ESARequirementsandStandardsDivision
ESTEC, P.O. Box 299,
2200 AG Noordwijk
The Netherlands
Copyright: 2008 © by the European Space Agency for the members of ECSS
2

ECSS‐M‐ST‐80C
31July2008
Change log
ECSS‐M‐00‐03A
25April2000
Firstissue
ECSS‐M‐00‐03B
16August2004
Secondissue
ECSS‐M‐ST‐80C Thirdissue
31July2008 MaindifferencesbetweenECSS‐M‐00‐03B(16August2004)andthis
versionare:
• RenumberingfromECSS‐M‐00‐03toECSS‐M‐ST‐80.
• Deletionofthedefinitionsfor:.risk,residualrisk,riskmanagement,risk
managementpolicybecauseidenticallydefinedinECSS‐S‐ST‐00‐01
• Update of descriptive text in clause
4.4, 5.1, 5.2.1.2f, 5.2.1.2h, 5.2.2.1,
6.5c,
• In clause
7, former text contained in “AIM” converted into notes and
former text from “EXPECTED OUTPUT” deleted or converted into

requirementswhennormative.
3

ECSS‐M‐ST‐80C
31July2008
Table of contents
Change log 3
Introduction 6
1 Scope 7
2 Normative references 8
3 Terms, definitions and abbreviated terms 9
3.1 Terms from other standards 9
3.2 Terms specific to the present standard 9
3.3 Abbreviated terms 10
4 Principles of risk management 11
4.1 Risk management concept 11
4.2 Risk management process 11
4.3 Risk management implementation in a project 11
4.4 Risk management documentation 12
5 The risk management process 13
5.1 Overview of the risk management process 13
5.2 Risk management steps and tasks 15
5.2.1 Step 1: Define risk management implementation requirements 15
5.2.2 Step 2: Identify and assess the risks 18
5.2.3 Step 3: Decide and act 19
5.2.4 Step 4: Monitor, communicate, and accept risks 20
6 Risk management implementation 22
6.1 General considerations 22
6.2 Responsibilities 22
6.3 Project life cycle considerations 23

6.4 Risk visibility and decision making 23
6.5 Documentation of risk management 23
4

ECSS‐M‐ST‐80C
31July2008
7 Risk management requirements 25
7.1 General 25
7.2 Risk management process requirements 25
7.3 Risk management implementation requirements 28
Annex A (normative) Risk management policy document - DRD 30
Annex B (normative) Risk management plan - DRD 33
Annex C (normative) Risk assessment report - DRD 36
Annex D (informative) Risk register example and ranked risk log example 38
Annex E (informative) Contribution of ECSS Standards to the risk
management process 41
Bibliography 43

Figures
Figure 5-1: The steps and cycles in the risk management process 14
Figure 5-2: The tasks associated with the steps of the risk management process within
the risk management cycle 14

Figure 5-3: Example of a severity–of–consequence scoring scheme 15
Figure 5-4: Example of a likelihood scoring scheme 16
Figure 5-5: Example of risk index and magnitude scheme 17
Figure 5-6: Example of risk magnitude designations and proposed actions for individual
risks 17

Figure 5-7: Example of a risk trend 21


5

ECSS‐M‐ST‐80C
31July2008
Introduction
Risks are a threat to project success because they have negative effects on the
project cost, schedule and technical performance, but appropriate practices of
controllingriskscanalsopresentnewopportunitieswithpositiveimpact.
The objective of project risk management is to identify, assess,reduce, accept,
and control space project risks in a systematic, proactive, comprehensive and
cost effective manner, taking into account the project’s technical and
programmaticconstraints.Riskisconsideredtradableagainsttheconventional
known project resources within the management, programmatic (e.g. cost,
schedule)andtechnical(e.g.mass,power, dependability,safety)domains. The
overall risk management in a project is an iterative process throughout the
project life cycle, with iterations being determined by the project progress
throughthedifferentprojectphases,andbychangestoagivenprojectbaseline
influencingprojectresources.
Risk management is implemented at each level of the customer‐supplier
network.
Known project practices for dealing with project risks, such as system and
engineering analyses, analyses of safety, critical items, dependability, critical
path,andcost,areanintegralpartofprojectriskmanagement.Rankingofrisks
accordingtotheircriticalityforprojectsuccess,allowingmanagementattention
tobedirectedtotheessentialissues,isamajorobjectiveofriskmanagement.
The project actors agree on the extent of the risk management to be
implemented in a given project depending on the project definition and
characterization.
6


ECSS‐M‐ST‐80C
31July2008
1
Scope
This Standard defines the principles and requirements for integrated risk
management on a space project; it explains what is needed to implement a
project–integratedriskmanagementpolicybyanyprojectactor,atanylevel(i.e.
customer,firstlevelsupplier,orlowerlevelsuppliers).
This Standard contains a summary of the general risk management process,
whichissubdividedintofour(4)basicstepsandnine(9)tasks.
Theriskmanagementprocessrequiresinformationexchangeamongallproject
domains, and provides visibility overrisks, with a ranking according to their
criticalityfortheproject;theserisksaremonitoredandcontrolledaccordingto
therulesdefinedforthedomainstowhichtheybelong.
The fields of application of this Standard are all the activities of all the space
projectphases.AdefinitionofprojectphasingisgiveninECSS‐M‐ST‐10.
Thisstandardmaybetailoredforthespecificcharacteristicsandconstraintsofa
spaceprojectinconformancewithECSS‐S‐ST‐00.

7

ECSS‐M‐ST‐80C
31July2008
2
Normative references
The following normative documents contain provisions which, through
reference in this text, constitute provisions of this ECSS Standard. For dated
references,subsequentamendmentsto,orrevisionsofanyofthesepublications
donotapply.However,partiestoagreementsbasedonthisECSSStandardare

encouragedtoinvestigatethepossibilityofapplyingthemostrecenteditionsof
the normative documents indicated below. For undated references the latest
editionofthepublicationreferredtoapplies.

ECSS‐ST‐00‐01 ECSSsystem‐Glossaryofterms
ECSS‐M‐ST‐10 Spaceprojectmanagement–Projectplanningand
implementation
8

ECSS‐M‐ST‐80C
31July2008
3
Terms, definitions and abbreviated terms
3.1 Terms from other standards
ForthepurposeofthisStandard,thetermsanddefinitionsfromECSS‐ST‐00‐01
apply,inparticularforthefollowingterms:
risk
residualrisk
riskmanagement
riskmanagementpolicy
3.2 Terms specific to the present standard
3.2.1 acceptance of (risk)
decisiontocopewithconsequences,shouldariskscenariomaterialize
NOTE1 Ariskcan be acceptedwhen itsmagnitude is less
than a given threshold, defined in the risk
managementpolicy.
NOTE2 Inthecontextofriskmanagement,acceptancecan
meanthateventhoughariskisnoteliminated,its
existence and magnitude are acknowledged and
tolerated.

3.2.2 (risk) communication
all information and data necessary for risk management addressed to a
decision–makerandtorelevantactorswithintheprojecthierarchy
3.2.3 (risk) index
score used to measure the magnitude of the risk; it is a combination of the
likelihoodofoccurrenceandtheseverityofconsequence,wherescoresareused
tomeasurelikelihoodandseverity
3.2.4 individual (risk)
riskidentified,assessed,andmitigatedasadistinctriskitemsinaproject
9

ECSS‐M‐ST‐80C
31July2008
3.2.5 (risk) management process
consists of all the project activities related to the identification, assessment,
reduction,acceptance,andfeedbackofrisks
3.2.6 overall (risk)
risk resulting from the assessment of the combination of individual risks and
theirimpactoneachother,inthecontextofthewholeproject
NOTE Overall risk can be expressed as a combination of
qualitativeandquantitativeassessment.
3.2.7 (risk) reduction
implementationofmeasuresthatleadstoreductionofthelikelihoodorseverity
ofrisk
NOTE Preventive measures aim at eliminating the cause
of a problem situation, and mitigation measures
aim at preventing the propagation ofthe cause to
the consequence or reducing the severity of the
consequenceorthelikelihoodoftheoccurrence.
3.2.8 resolved (risk)

riskthathasbeenrenderedacceptable
3.2.9 (risk) scenario
sequence or combination of events leading from the initial cause to the
unwantedconsequence
NOTE The cause can be a single event or something
activatingadormantproblem.
3.2.10 (risk) trend
evolutionofrisksthroughoutthelifecycleofaproject
3.2.11 unresolved (risk)
risk for which risk reduction attempts are not feasible, cannot be verified, or
haveprovedunsuccessful:ariskremainingunacceptable
3.3 Abbreviated terms
Forthepurposeofthisstandard,theabbreviatedtermsofECSS‐S‐ST‐00‐01and
thefollowingapply:
Abbreviation Meaning
IEC
InternationalElectrotechnicalCommission
10

ECSS‐M‐ST‐80C
31July2008
4
Principles of risk management
4.1 Risk management concept
Riskmanagementisasystematicanditerativeprocessforoptimizingresources
in accordance with the project’s risk management policy.  It is integrated
through defined roles and responsibilities into the day–to–day activities in all
project domains and at all project levels. Risk management assists managers
and engineers by including risk aspects in management and engineering
practices and judgements throughout the project life cycle, including the

preparation of project requirements documents. It is performed in an
integrated,holisticway,maximizingtheoverallbenefitsinareassuchas:
• design, manufacturing, testing, operation, maintenance, and disposal,
togetherwiththeirinterfaces;
• controloverriskconsequences;
• management,cost,andschedule.
4.2 Risk management process
The entire spectrumof risks isassessed.Trade‐offsare madeamongdifferent,
and often competing, goals. Undesired events are assessed for their severity
andlikelihoodofoccurrence.Theassessmentsofthealternativesformitigating
therisksareiterated,andthe resultingmeasurementsofperformanceandrisk
trendareusedtooptimizethetradableresources.
Within the risk management process, available risk information is produced
and structured, facilitating risk communication and management decision
making.Theresultsofriskassessmentandreductionandtheresidualrisksare
communicatedtotheprojectteamforinformationandfollow‐up.
4.3 Risk management implementation in a project
Risk management requires corporate commitment in each actor’s organization
and the establishment of clear lines of responsibility and accountability from
the top corporate level downwards. Project management has the overall
responsibility for the implementation of risk management, ensuring an
integrated,coherentapproachforallprojectdomains.
11

ECSS‐M‐ST‐80C
31July2008
Independent validation of data ensures the objectiveness of risk assessment,
performedaspartoftheriskmanagementprocess.
Risk management is a continuous, iterative process. It constitutes an integral
part of normal project activity and is embedded within the existing

management processes. It utilizes the existing elements of the project
managementprocessestothemaximumpossibleextent.
4.4 Risk management documentation
The risk management process is documented to ensure that the risk
management policies (see
Annex A) are well established, understood,
implemented and maintained, and that they are traceable to the origin and
rationaleofallrisk–relateddecisionsmadeduringthelifeoftheproject.
The risk management documentation includes the risk management policy,
which:
• defines the organizationʹs attitude towards risk management, together
withtheprojectspecificcategorizationofriskmanagement,and
• provides a high‐level outline for the implementation of the risk
managementprocess.
In addition to the risk management policy document, two key documents are
established:
• risk management plan describing the implementation of the risk
managementprocess(see
AnnexB),and
• risk assessment report for communicating the  identified and assessed
risks as well as the subsequent follow‐up actions and their results (see
AnnexC).
12

ECSS‐M‐ST‐80C
31July2008
5
The risk management process
5.1 Overview of the risk management process
The iterative four–step risk ma nagement process of a project is illustrated in

Figure 5‐1. Thetasks tobe performedwithin eachof these stepsare shownin
Figure5‐2.
Step1comprisestheestablishmentoftheriskmanagementpolicy(Task1)and
risk management plan (Task 2) in coordination with other project disciplines,
suchassystemengineering,productassurance,production, and operations, to
ensure coherent approach to risk management across the programme/project.
Theriskmanagementprocessincludesfullcoordinationbetweenthedisciplines
oftheprogramme/project.
NOTE E.g. System Engineering coordination, all
engineeringdisciplines.
Product Assurance coordination, Quality
Assurance,SafetyandDependabilitydisciplines.
Management is responsible for overall
coordination of all disciplines, including
administrationofbusiness agreements and project
control.
These tasks (1 and 2) are performed at the beginning of a project. The
implementation of the risk management process consists of a number of “risk
management cycles” over the project duration comprising the Steps 2 to 4,
subdividedintothesevenTasks3to9.
The period  designated in the illustration with “Risk management process”
comprises all the project phases of the project concerned. The frequency and
projecteventsatwhichcyclesarerequiredinaproject(onlythreeareshownin
Figure5‐1forillustrationpurposes)dependontheneedsandcomplexityofthe
project, and need to be defined during Step 1. Unforeseen cycles are required
when changes to, for example, the schedule, technologies, techniques, and
performanceoftheprojectbaselineoccur.
Risks at any stage of the project are controlled as part of the project
managementactivities.
13


ECSS‐M‐ST‐80C
31July2008

Projectphases0toFperECSS‐M‐ST‐10
Step1
Defineriskmanagement
implementation
requirements
Step2
Identifyandassessthe
risks
Step4
Monitor,communicate
andacceptrisks
Riskmanagementprocess
Step3
Decideandact
Step2
Identifyandassessthe
risks
Step4
Monitor,communicate
andacceptrisks
Step3
Decideandact
Step2
Identifyandassess
therisks
Step4

Monitor,communicate
andacceptrisks
Step3
Decideandact

Figure5‐1:Thestepsandcyclesintheriskmanagementprocess

Task5:Decideiftherisksmaybeaccepted
Step4
Monitor,communicateand
acceptrisks
Step3
Decideandact
Step2
Identifyandassesstherisks

Step1
Defineriskmanagement
implementationrequirements

Task1:Definetheriskmanagementpolicy
Task2:Preparetheriskmanagementplan
Task3:Identifyriskscenarios
Task4:Assesstherisks
Task6:Reducetherisks
Task7:Recommendacceptance
Task8:Monitorandcommunicatetherisks
Task9:Submitrisksforacceptance.(Return
toTask6forrisksnotaccepted)
R

I
S
K

M
A
N
A
G
E
M
E
N
T

C
Y
C
L
E

Figure5‐2:Thetasksassociatedwiththestepsoftheriskmanagementprocess
withintheriskmanagementcycle
14

ECSS‐M‐ST‐80C
31July2008
5.2 Risk management steps and tasks
5.2.1 Step 1: Define risk management
implementation requirements

5.2.1.1 Purpose
To initiate the risk management process by defining the project risk
managementpolicyandpreparingtheprojectriskmanagementplan.
5.2.1.2 Task 1: Define the risk management policy
Thefollowingactivitiesareincludedinthistask:
a. Identificationofthesetofresourceswithimpactonrisks.
b. Identificationoftheprojectgoalsandresourceconstraints.
c. Description of the project strategy for dealing with risks, such as the
definition of margins and the apportionment of risk between customer
andsupplier.
d. Definition of scheme for ranking the risk goals according to the
requirementsoftheproject.
e. Establishment of scoring schemes for the severity of consequences and
likelihoodof occurrencefor the relevant tradable resources asshown in
theexamplesgivenin
Figure5‐3andFigure5‐4.
NOTE In the examples, five categories are used for
illustration only; more or fewer categories or
designationsarealsopossible.
f. Establishment of a risk index scheme to denote the magnitudes of the
risksofthevariousriskscenariosasshown,forexamplein
Figure5‐5.
NOTE1 Establishmentofscoringandriskindexschemasis
performed with the full coordination between the
differentprojectdisciplinestoensurecompleteand
consistentinterpretation.
NOTE2 In the example, risk magnitude categorization
(“Red”,“Yellow”,“Green”)is usedforillustration
only.Differentdesignationsarealsopossible
Score Severity Severityofconsequence:impacton(forexample)cost

5 Catastrophic Leadstoterminationoftheproject
4 Critical Projectcostincrease>tbd%
3 Major Projectcostincrease>tbd%
2 Significant Projectcostincrease<tbd%
1 Negligible Minimalornoimpact
Figure5‐3:Exampleofaseverity–of–consequencescoringscheme

15

ECSS‐M‐ST‐80C
31July2008
Score Likelihood Likelihoodofoccurrence
E Maximum Certaintooccur,willoccuroneormoretimesperproject
D High
Willoccurfrequently,about1in10projects
C Medium
Willoccursometimes,about1in100projects
B Low
Willseldomoccur,about1in1000projects
A Minimum
Willalmostneveroccur,1of10000ormoreprojects
Figure5‐4:Exampleofalikelihoodscoringscheme
g. Establishmentofcriteriato determine the actionsto be takenonrisksof
various risk magnitudes and the associated risk decision levels in the
projectstructure(asintheexamplein
Figure5‐6).
NOTE In the example, risk magnitude designation,
acceptability, and proposed actions are used for
illustration only. Project‐specific policydefinitions
canbedifferent.

h. Definitionofriskacceptancecriteriaforindividualrisks.
NOTE The acceptability of likelihood of occurrence and
severity of consequence are both programme
dependent. For example, when a programme is
advancing new research, technology development
or management, a high probability of a
consequence that quickly increase the cost can be
acceptable.
i. Establishmentofamethodfortherankingandcomparisonofrisks.
j. Establishmentofamethodtomeasuretheoverallrisk.
k. Establishmentofacceptancecriteriafortheoverallrisk.
l. Definitionof thestrategy for monitoring the risksand the formatsto be
usedforcommunicatingriskdatatothedecision–makersandallrelevant
actorsintheprojecthierarchy.
m. Descriptionofthe review,decision,andimplementationflowwithinthe
projectconcerningallriskmanagementmatters.

16

ECSS‐M‐ST‐80C
31July2008
Likelihood

RiskIndex:
Combinationof
SeverityandLikelihood
E Low Medium High VeryHigh VeryHigh 
D Low Low Medium High VeryHigh 
C VeryLow Low Low Medium High
B VeryLow VeryLow Low Low Medium

A VeryLow VeryLow VeryLow VeryLow Low
 1 2 3 4 5 Severity

  “Red”  “Yellow”  “Green”

Figure5‐5:Exampleofriskindexandmagnitudescheme

Riskindex Riskmagnitude Proposedactions
E4,E5,D5 VeryHighrisk Unacceptablerisk:implementnewteamprocessorchange
baseline–seekprojectmanagementattentionatappropriate
highmanagementlevelasdefinedintheriskmanagementplan.
E3,D4,C5 Highrisk Unacceptablerisk:seeabove.
E2,D3,C4,B5 Mediumrisk Unacceptablerisk:aggressivelymanage,consideralternative
teamprocessorbaseline–seekattentionatappropriate
managementlevelasdefinedintheriskmanagementplan.
E1,D1,D2,C2,
C3,B3,B4,A5
Lowrisk Acceptablerisk:control,monitor–seekresponsiblework
packagemanagementattention.
C1,B1,A1,B2,
A2,A3,A4
VeryLowrisk Acceptablerisk:seeabove.
Figure5‐6:Exampleofriskmagnitudedesignationsandproposedactionsfor
individualrisks
5.2.1.3 Task 2: Prepare the risk management plan
Theriskmanagementplantypicallycontainsthefollowingdata:
a. Description of the project risk management organization including its
roleandresponsibility.
b. Summaryoftheriskmanagementpolicy.
c. Theriskmanagement–relateddocumentationandfollow–upconcept.

d. Thescopeofriskmanagementovertheprojectduration.
17

ECSS‐M‐ST‐80C
31July2008
5.2.2 Step 2: Identify and assess the risks
5.2.2.1 Purpose
Toidentify eachof the riskscenarios,to determine then,basedon theoutputs
from Step 1, the magnitude of the individual risks and, finally, to rank them.
Datafromallprojectdomainsareused(managerial,programmatic,technical).
NOTE Listofexamplesofpossibleriskitems:
• Technical: Technology maturity; definition
status of requirements, internal/external
interfaces, payloads, operations; availability of
margins,supportteam,projectteam;etc.
• Cost:Overallprojectcost definition status; cost
margins; insurance costs; availability of
funding, independent cost assessment,
industrialoffers;humanresourcesaspects;etc.
• Schedule: Procurement planning; availability
of planningof phases andactivitiesinterfacing
withthirdparties;etc.
• Others: Internal or ganisational aspects; public
image; political constraints; risk sharing
betweenactors;etc.
5.2.2.2 Task 3: Identify risk scenarios
Thefollowingactivitiesareincludedinthistask:
a. Identification of the risk scenarios, including causes and consequences,
accordingtotheriskmanagementpolicy.
b. Identification of the means of early warning (detection) for the

occurrence of an undesirable event, to prevent propagation of
consequences.
c. Identificationoftheprojectobjectivesatrisk.
5.2.2.3 Task 4: Assess the risks
Thefollowingactivitiesareincludedinthistask:
a. Determinationoftheseverityofconsequencesofeachriskscenario.
b. Determinationofthelikelihoodofeachriskscenario.
c. Determinationoftheriskindexforeachriskscenario.
d. Utilisation of available information sources and application of suitable
methodstosupporttheassessmentprocess.
e. Determinationofthemagnitudeofriskofeachriskscenario.
f. Determination of the overall project risk through an evaluation of
identified individual risks, their magnitudes and interactions, and
resultantimpactontheproject.
18

ECSS‐M‐ST‐80C
31July2008
5.2.3 Step 3: Decide and act
5.2.3.1 Purpose
Toanalysetheacceptabilityofrisksandriskreductionoptionsaccordingtothe
risk management policy, and to determine the appropriate risk reduction
strategy.
5.2.3.2 Task 5: Decide if the risks may be accepted
Thefollowingactivitiesareincludedinthistask:
a. Applicationoftheriskacceptancecriteriatotherisks.
b. Identification of acceptable risks, the risks that will be subjected to risk
reduction,anddeterminationofthemanagementdecisionlevel.
c. For accepted risks proceed directly to Step 4; for unacceptable risks
proceedtoTask6.

5.2.3.3 Task 6: Reduce the risks
Thefollowingactivitiesareincludedinthistask:
a. Determinationofpreventative andmitigationmeasures/options foreach
unacceptablerisk.
b. Determinationofriskreductionsuccess,failure,andverificationcriteria.
c. Determination of the risk reduction potential of each measure in
conjunctionwiththeoptimizationoftradableresources.
d. Selection of the best risk reduction measures and decision on priorities
for implementation, at the appropriate decision making level in the
projectaccordingtotheriskmanagementplan.
e. Verificationofriskreduction.
f. Identification of the risks that cannot be reduced to an acceptable level
andpresentationtotheappropriatemanagementlevelfordisposition.
g. Identification of the reduced risks for which risk reduction cannot be
verified.
h. Identification of the risk reduction potential of all risk reduction efforts
withrespecttotheoverallrisk.
i. Documentation of the successfully reduced risks ina resolved risks list;
and the unsuccessfullyreduced risks in an unresolvedriskslist: present
thelattertotheappropriatemanagementlevel fordisposition.
5.2.3.4 Task 7: Recommend acceptance
Thefollowingactivitiesareincludedinthistask:
a. Decisionoptionsforacceptanceofrisks.
b. Approvalofacceptableandresolvedrisks.
c. Presentationofunresolvedrisksforfurtheraction.
19

ECSS‐M‐ST‐80C
31July2008
5.2.4 Step 4: Monitor, communicate, and accept

risks
5.2.4.1 Purpose
To track, monitor, update, iterate, and communicate, and finally accept the
risks.
5.2.4.2 Task 8: Monitor and communicate the risks
Thefollowingactivitiesareincludedinthistask:
a. Periodicalassessmentand review of allidentified risks andupdating of
theresultsaftereachiterationoftheriskmanagementprocess.
b. Identification of changes to existing risks and initiation of new risk
analysisneededinordertodecreaseuncertainties.
c. Verification of the  performance and effect of corresponding risk
reduction.
d. Illustrationoftherisktrendovertheprojectevolutionbyidentifyinghow
themagnitudesofriskhavechangedoverprojecttime.
e. An example of a risk trend for technical risks, which are main risk
contributorsatthefirstprojectmilestone,isprovidedin
Figure5‐7.S1,S2
andS3arethreeriskscenarios.
NOTE In theexample, the evolution of S1 showsthat, in
spite of risk reduction efforts, risk trend can
worsenbeforeimprovement.
f. Communicationoftherisksandtherisktrendtotheappropriatelevelof
management.
g. Implementationofanalertsystemfornewrisks.
20

ECSS‐M‐ST‐80C
31July2008

Riskmagnitude Risktrendduringprojectphases

VeryHigh
S1
High
S2
Medium

Low
S3
VeryLow




Phase1 Phase2 Phase3
Figure5‐7:Exampleofarisktrend
5.2.4.3 Task 9: Submit risks for acceptance
Thefollowingactivitiesareincludedinthistask:
a. Submission of the risks for formal risk acceptance by the appropriate
levelofmanagement.
b. ReturntoTask6forrisksnotaccepted.
21

ECSS‐M‐ST‐80C
31July2008
6
Risk management implementation
6.1 General considerations
a. Risk management is performed within the normal project management
structure, ensuring a systematic risk identification, assessment and
follow‐upofrisks.

b. Risk management is implemented as a team effort, with tasks and
responsibilities being assigned to the functions and individuals within
the project organization with the most relevant expertise in the areas
concernedby a givenrisk.Itis a collaborativeeffortof all projectactors
fromthedifferentdisciplines.
c. The results of risk management are considered in the routine project
management process and in the decisions relative to the baseline
evolution.
d. Riskmanagementdrawsonexistingdocumentationasmuchaspossible.
6.2 Responsibilities
The responsibilities for risk management matters within the project
organizationaredescribedintheriskmanagementplaninaccordancewiththe
riskmanagementpolicy.Thefollowingapproachapplies:
a. The project manager acts as the integrator of the risk management
function across all concerned project domains. The project manager has
overall responsibility for integrated risk management within a project
and reports the results of the risk management task to the next higher
levelinthecustomer/supplierchain.Theprojectmanagerdefineswhoin
the project is responsible for the control of the risks in their respective
domains, and what their communication, information and reporting
lines,andresponsibilitiesareforriskmanagementmatters.
b. Each project domain (such as engineering, software, verification, and
schedulecontrol)managestherisksemanatingfromitsdomainorbeing
assignedtoitsdomainfortreatment,underthesupervisionoftheproject
manager.
c. Risksareformallyacceptedbythenexthigherlevelresponsibilitywithin
thecustomer/supplierchain.
22

ECSS‐M‐ST‐80C

31July2008
6.3 Project life cycle considerations
Riskmanagementactivitiestakeplaceduringallprojectphases.Thefollowing
projectactivitiesareconcernedwithriskmanagement:
a. Project feasibility studies, trades, and analyses (such as design,
production,safety,dependability,andoperations).
b. The allocation of tasks, manpower, and resources according to the
rankingofrisks.
c. Theevolutionofthetechnicalconceptthroughiterativeriskassessment.
d. Evaluationofchangesforriskimpact.
e. Thedevelopment,qualification,acceptance,andrunningoftheprojectby
using risk assessment as a diagnostictool and for identifying corrective
actions.
f. Assessment of the overall risk status of projects as part of all formal
projectreviews.
6.4 Risk visibility and decision making
a. Management processes and information flow within the project
organization ensure a high visibility of the prevailing risk. Risk
information is presented to support management decision making,
includinganalertsystemfornewrisks.
b. Action plans are prepared covering all outstanding risk items whose
magnitudesareabovethelevelspecifiedintheprojectriskmanagement
policytoincreasetheirvisibility,topermitrapiddecisionmaking,andto
ensurethattheirstatusisregularlyreportedtotherelevantmanagement
level,andtoallactorsimpactedbytheriskconsequences.
c. Information about all identified risks and their disposition is kept in a
record.
6.5 Documentation of risk management
a. Riskmanagementdocumentsaremaintainedsothateachstepoftherisk
managementprocessandthekeyriskmanagementresultsanddecisions

aretraceableanddefensible.
b. The risk management process draws on the existing project data to the
maximumextentpossible,butdocumentationestablishedspecificallyfor
risk management includes information on project–specific risk
managementpolicy;objectivesandscope;theriskmanagementplan;the
identified scenarios; likelihood of events; risk results; risk decisions;
recordsofriskreductionandverificationactions;risktrenddata;andrisk
acceptancedata.
c. The data emanating from risk management activities are recorded in a
riskmanagementdatabasecontainingalldatanecessarytomanagerisks
and document the evolution of risks over the whole duration of the
23

ECSS‐M‐ST‐80C
31July2008
project. The database is a living document, and is maintained current.
Extractsfromthedatabasearepresentedatprojectmeetings,reviewsand
milestones as required by the risk management plan. Items to be
candidatesfor“lessonslearned”areidentified.Thedatabaseisaccessible
toactorsasappropriate.
NOTE For example: the risk management database
should support the efficient and effective
management of critical areas of a program/project
by:
• demonstrating that the risk management
process is conducted in accordance with the
definedprocessforprojectriskmanagement;
• providingevidenceofasystematicapproachto
riskidentificationandassessment;
• providingarecordofrisks;

• providing the decision makers with sufficient
plansforapproval;
• facilitating continuing monitoring and review
ofriskstatus;
• providingtraceability;
• sharing and communicating required
informationwithinprojectactors;
• It includes all technical assessment by the
various disciplines, as well as programmatic
data.
• Example forms for the registration and
ranking/logging of risk items are presented in
AnnexDtothisStandard.
24

ECSS‐M‐ST‐80C
31July2008
7
Risk management requirements
7.1 General
The requirements in this section are identified. Each identified requirement is
composed of the wording of the requirement proper, and accompanied by an
explanatorynoteattachedtothegeneralrequirement.
7.2 Risk management process requirements
7.2.1
a. The basis for risk management shall be the four–step process and nine
tasks illustrated in
Figure 5‐1 and Figure 5‐2 of this document. The
starting point for risk management shall be the formulation of the risk
management policyatthe beginningof theproject inconformance with

theDRDin
AnnexA.
NOTE The aim is to establish a risk management policy
fortheprojectconcerned:
• meetingcustomerrequirements;
• covering all project domains such as
management, engineering, performance,
schedule,andcost;
• taking into account the project resources such
as margins inschedule, cost,performance, and
power;
• establishing scoring and risk ranking criteria
allowingactionsanddecisionsonthetreatment
ofindividualandoverallrisks;
• definingrequirementsforriskmanagement.
7.2.2
a. A risk management plan shall be established by each supplier in
conformancewiththeDRDin
AnnexB.
NOTE The aim is to assemble in a single document all
elements necessary to ensure implementation of a
25
