ASD-STAN STANDARD
NORME ASD-STAN
ASD-STAN NORM

prEN 9239
Edition P 1
August 2014

PUBLISHED BY THE AEROSPACE AND DEFENCE INDUSTRIES ASSOCIATION OF EUROPE - STANDARDIZATION
Rue Montoyer 10 - 1000 Brussels - Tel. 32 2 775 8126 - Fax. 32 2 775 8131 - www.asd-stan.org

ICS:
Descriptors:

ENGLISH VERSION

Aerospace series
Programme Management
Guide for the risk management

Série aérospatiale
Management de programme
Recommandations pour la mise en œuvre du management des Risques

Luft- und Raumfahrt
Programme Management
Richtlinien zur Durchführung des Risikomanagement

This “Aerospace Series” Prestandard has been drawn up under the responsibility of ASD-STAN (The AeroSpace and Defence Industries Association of Europe - Standardization). It is published for the needs of the European Aerospace Industry. It has been technically approved by the experts of the concerned Domain following member comments.

Subsequent to the publication of this Prestandard, the technical content shall not be changed to an extent that interchangeability is affected, physically or functionally, without re-identification of the standard.

After examination and review by users and formal agreement of ASD-STAN, it will be submitted as a draft European Standard (prEN) to CEN (European Committee for Standardization) for formal vote and transformation to full European Standard (EN).

The CEN national members have then to implement the EN at national level by giving the EN the status of a national standard and by withdrawing any national standards conflicting with the EN.

Edition approved for publication 1st August 2014
Comments should be sent within six months after the date of publication to ASD-STAN Engineering Procedures Domain
Copyright 2014 by ASD-STAN
prEN 9239:2014 (E)

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Framework of Risk Management in the programme
4.1 General
4.2 Customer's requirements
4.3 Roles and Responsibilities
4.4 Multidisciplinary groups
5 Risk Management process
5.1 Steps of risk management
5.2 Process synoptic
5.3 Consolidation of risk
5.4 Maturity of programme Risk Management approach
6 Risk Management tools
7 Awareness and Training
8 Documentation
9 Opportunity management concept
9.1 Opportunity management process
9.2 Identification of opportunities
9.3 Assessment and prioritization of opportunities
9.4 Opportunity treatment
9.5 Secondary risks
Annex A (informative) List type per category
Annex B (informative) Example of risk sheet
Annex C (informative) Example of qualitative and quantitative assessments
Annex D (informative) Example of 3 colour code criticality and acceptability matrix: general risk mapping
Annex E (informative) Example of Risks Portfolio
Annex F (informative) Risk assessment report
Annex G (informative) Maturity of programme risk management: assessment criteria
Bibliography

Foreword

This standard was reviewed by the Domain Technical Coordinator of ASD-STAN's engineering procedure domain. After inquiries and votes carried out in accordance with the rules of ASD-STAN defined in ASD-STAN's General Process Manual, this standard has received approval for Publication.

Introduction

Risk Management forms an integral part of programme management. It should be implemented right from the start of the project feasibility phase and continue until material disposal. The ultimate goal is to contribute to an appropriate definition of programme objectives (costs, schedules and performances) and to continuously ensure that they are met or enhanced, despite any events likely to affect the programme through its lifecycle. By implementing methods, the programme manager can manage risks other than through intuitive and non-formalised procedures.

The aim of this document is to describe the implementation of Risk Management within the Programme Management framework. It complements programme management guidelines EN 9200.

This document is to be used as a basis, for any given programme, for negotiating the requirements and relationships between customers and suppliers with which they should comply to ensure Management of Risk.

1 Scope

This document addresses specific needs in the field of Aeronautics, although it has no sector-specific characteristics and may therefore apply to the needs of other areas. However, the specificity of some areas can lead to the use of existing sectorial standards such as EN ISO 17666, Space systems - Risk management (ISO 17666:2003).

This document:
- proposes the main steps for setting up a Risk Management framework within programme management. This guideline may serve as a basis for writing a Risk Management specification;
- describes a process for controlling programme risks within the defined boundaries that are considered tolerable. This standard process can be used as a methodological guide for writing the programme Risk Management Plan;
- recognises the need for knowledge management related to Risk Management, in order to capitalize and to share lessons learnt with other programmes, as well as the maturity assessment of the Risk Management;
- identifies useful documents for Risk Management;
- proposes an example of a typical checklist of risks related to a programme.

In addition, this document addresses
opportunities. An opportunity is an uncertain event with positive consequences on the programme.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN 9200, Aerospace series - Programme management - Guidelines for project management specification

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 risk
uncertain event or circumstance which could have a negative impact on the objectives of the programme

3.2 cause
event which is at the origin of a potential risk

3.3 severity
assessment of the significance of a risk impact with respect to the potential consequences on a programme

3.4 impact
effects of a risk on the programme should it occur

3.5 criticality / level of risk
characteristic of the risk significance. It enables prioritization of the risks
Note 1 to entry: It is generally the combination of the severity and the probability of the risk.

3.6 detectability
ability or capacity to detect the direct trace of a risk or the triggering point of one of its causes

3.7 level of risk tolerance
criticality value beyond which specific actions to treat the risk are required

3.8 likelihood / probability / occurrence of the risk
assessment of the probability / likelihood or frequency of a risk to occur

3.9 risk portfolio
represented set of identified risks intended to be treated

3.10 lessons learnt - experience feedback
collection and exploitation, by all the stakeholders, of information concerning the events which have occurred throughout the programme, relating to risk management

3.11 residual risk
risk remaining after mitigating actions (protection, prevention, ...)

3.12 opportunity
uncertain event or circumstance with potentially positive effects on the objectives (improvement) of a programme

4 Framework of Risk Management in the programme

4.1 General

The framework of Risk Management in the programme should be set up right from the feasibility phase through to the disposal phase. It covers the whole life cycle of the programme, all its components and activities.

It is led by the programme manager, who is responsible for defining
the conditions within which it is organised and operated. It is based on multidisciplinary skills (law, technical, finance, logistics, ...) in order to identify the various aspects of risks and take into account the different points of view.

All programme stakeholders have a role, and should take an active part in Risk Management.

The Risk Management framework is described in a document (a specific chapter of the Programme Management Plan or a dedicated Risk Management Plan) established by the programme manager.

4.2 Customer's requirements

The customer should express in the programme management specification his requirements concerning the implementation by his supplier, if necessary, of a risk management framework, as well as the rules related to risk information exchanged between customers and suppliers.

The supplier should comply with these requirements in one chapter of his Programme Management Plan. The supplier will detail in this chapter:
- programme framework in terms of Risk Management, in particular the roles and responsibilities of each stakeholder in the programme,
- rules for cascading and/or distributing these requirements to sub-contractor level,
- Risk Management process and associated deliverables (documentation, status reports, ...),
- assessment, prioritization and definition criteria of risk criticality level,
- rules for sharing risk information with the customer.

4.3 Roles and Responsibilities

Programme manager: is responsible for managing the programme risks, and therefore is the risks owner. He validates the process to be implemented as well as the assessment criteria for risk prioritization and criticality. He ensures regular reviews of risk, validates the action plan for treating the major risks, selects the risks treated at his level among the most critical ones, communicates with the relevant stakeholders internal or external to the company (customers and suppliers especially), and appoints the risk manager, if necessary.

NOTE Risk decision and acceptance should be addressed at the appropriate level specific to each organisation.

Risk manager: defines and implements the Risk Management process under the authority of the Programme manager, runs it in the programme, ensures a global visualisation of all risks identified in the programme, ensures quality of data and manages communication to all those who have a stake in the programme.

Risk owner: proposes the risk assessment. He leads the actions defined for risk treatment, ensures that each person in charge of an action is informed of what has to be done and conducts his action.

Action owner: carries out the assigned action.

The above mentioned organisation is
to be adapted according to the size and configuration of each programme. Other actors can be involved as “watchmen” who have to detect the weak signals coming from the environment (economic, technical, ...) of the programme(s).

4.4 Multidisciplinary groups

As risks are varied by nature, one individual person cannot ensure their complete management. Therefore, using all the employees' skills within the company is required during all the phases of the process, for instance by forming multidisciplinary groups.

Resorting to internal skills requires overall monitoring to avoid dispersion or ineffectiveness, and also the setting up of well defined rules.

Different group working methods can be involved when appropriate, which include interviews, subject matter experts (SME), and brainstorming.

5 Risk Management process

5.1 Steps of risk management

The main stages of risk management are (see Figure 1):

Stage 1 Setting up the framework of risk management
Stage 2 Identifying
Stage 3 Assessing
Stage 4 Treating
Stage 6 Capitalizing
Communicating
Stage 7 Monitoring

helping to set up the most appropriate treatment actions.

For each risk, it is recommended to assess a scoring level (for probability of occurrence and for impact on cost and/or profitability, schedule, performance) ranging from “very low” to “very high”. Each level corresponds to a scale of value to be adjusted according to the company (see example of tables in Annex C).

2) Quantitative assessment: frequency and severity scale defined quantitatively

This approach makes the qualitative assessment more accurate and allows:
- a more accurate prioritization of risks,
- an assessment of the overall programme risk exposure.

See tables in Annex C.

It is better to define a scale with an even number of levels, which prevents the tendency to select the middle one.

c) How to prioritize the risks: determination of their criticality?

The criticality of each risk can be determined by combining the level of occurrence probability with the highest impact level among costs, schedule, and performances.

A collegial strengthening, made by a multidisciplinary group, of the listed risks is necessary at the end of stage 3 “Assessment” to take into account the high number of risks, processes, stakeholders and associated organisations which are concerned
(cf. paragraph 5.3). The general purpose of strengthening is to obtain a synthetic view of the “risk portfolio” (see Annex E) and to facilitate decision making at programme management level.

Criticality scale: See Annex D.

d) Difficulty of the evaluation

Concerning the occurrence assessment, the main difficulties are:
- few off-the-shelf quantitative metrics are available. To overcome this difficulty, the use of a conventional scale such as those presented in Annexes C, D and E is encouraged. In any case, there must be a common scale for all parties involved in the process. Where appropriate, rules can be defined for transforming one scale to another.
- a common scale/rating depends on the domain and on the nature of the impact considered. It is necessary to adapt the scales for each type of impact analysis. Annex C provides a mapping between the qualitative and quantitative approach for different types of impact.

Concerning the assessment of severity, the main difficulties are:
- the risk rating in terms of severity depends on the level of responsibility in the organisation, which can lead to a lack of coherence between the different rating scales.
- it is necessary to adjust the levels of severity depending on the relative level of the programme and its place in the organisational system in order to prioritize risks.

Concerning the criticality assessment: particular care is needed in evaluating criticality, and in exploiting it in terms of action plan, where severity is very high and frequency of occurrence very low, or vice versa.

EXAMPLE Very low frequency of occurrence and major impact, financial or in terms of safety (of people and goods).

e) The concept of proximity and manageability

Proximity and manageability of a risk may be considered in weighing its criticality (combination of the probability of the risk occurring and its impact on cost, schedule, performance; see paragraph c). The concept of prox