Risk and Modeling and Simulation 101 (M&S) basic concepts

RISK (from the Defense Acquisition Guidebook [DAG])

Definition of Risk… (yes, even Technical Risk)

…is, at its core, typically a neutral concept (like surprise). It neither cares for you nor anyone else, and it incorporates both positive instances and negative instances. Positive risks are commonly known as opportunities and negative risks are commonly known as threats.

The Dept of Defense convention (being the cautious types) is to assume that risk will generally be negative. From the DAG, a risk has three components:

  • A future (yet-to-happen) root cause that, if corrected or eliminated, would prevent its potential consequences from occurring
  • A probability (or likelihood), assessed at the present time, of that future root cause occurring
  • The consequence (or impact) of that future occurrence

A “Condition-If-Then” construct expresses risk as a function of its root cause, likelihood, and consequence.

This construct generally reveals opportunities to not only mitigate the potential consequences of the risk occurring but also eliminate its root cause(s).

As a best practice, risk mitigation plans should focus more on the causal factors that enable the risk’s existence rather than on consequence management. Eliminating the root cause of a risk avoids its consequences.


Now there are a few more definitions we should know and agree to hold in common usage when discussing risk:

Known Risks

Known risks are risks that have been identified and analyzed.

Unknown Risks

Unknown risks are, of course, unknown; they are not known until they happen. You cannot make a response plan for these risks, and you cannot manage them proactively, since they are not identified during the planning phase.

Risk Tolerance

Risk tolerance tells you how sensitive the organization or individuals are to risks. High tolerance means people are willing to take a high risk, and low tolerance means people are not willing to take a high risk unless the benefit of taking the risk outweighs the fear of the risk.

Tolerance is expressed as limits.

Risk Threshold

The risk threshold is an amount of risk that an organization or individual is willing to accept.

The risk threshold is usually a definitive figure.

The risk threshold is a further step in risk tolerance. In other words, you can say that it quantifies the risk tolerance with a more precise figure.

Residual Risks

Residual risks are those risks that are expected to remain after implementing the planned risk response, as well as those that have been deliberately accepted.

Secondary Risks

Secondary risks are those risks that arise as a direct outcome of implementing a risk response of an identified risk.

Risk Triggers

Risk triggers are indications that a risk has occurred or is about to occur. Risk triggers are sometimes called warning signs or risk symptoms.

Risk Owner

A risk owner is a project team member who is assigned the responsibility of ensuring that the risk response is effective, and to plan additional risk response if required.

The Program Manager and Systems Engineer should clearly define, assess, and consider technical and programmatic off-ramps if the program cannot be adequately advanced within the available schedule and budget.
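The definitions above can be tied together in a small risk register. The following is an added example, not from the DAG or any DoD tool; the 1..5 ordinal scales, the "likelihood x consequence" exposure score, and the flight-software sample risk are all assumptions made for illustration:

```python
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales for likelihood and consequence (not from the DAG).
SCALE = range(1, 6)

@dataclass
class Risk:
    condition: str            # root cause that exists today
    if_event: str             # future occurrence
    then_consequence: str     # impact if it occurs
    likelihood: int           # 1..5
    consequence: int          # 1..5
    owner: str = "unassigned" # team member accountable for the response
    triggers: list = field(default_factory=list)  # warning signs / symptoms
    accepted: bool = False    # deliberately accepted (still a residual risk)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError("likelihood and consequence must be 1..5")

    def exposure(self) -> int:
        """Risk score as likelihood x consequence (assumed scoring rule)."""
        return self.likelihood * self.consequence

def apply_response(risk, new_likelihood, new_consequence, secondary=()):
    """Residual risk keeps the same Condition-If-Then with reduced likelihood
    and/or consequence; secondary risks are new risks the response creates."""
    residual = Risk(risk.condition, risk.if_event, risk.then_consequence,
                    new_likelihood, new_consequence, risk.owner, list(risk.triggers))
    return residual, list(secondary)

def over_threshold(register, threshold):
    """The threshold is a definitive figure; accepted risks are excluded."""
    return [r for r in register if not r.accepted and r.exposure() > threshold]

def fired_triggers(risk, observed):
    """Which of the risk's warning signs appear among the observed signals."""
    return [t for t in risk.triggers if t in observed]

def example_register():
    # Constructed sample for a flight-software program; numbers are illustrative.
    r = Risk("Flight software depends on an unqualified vendor library",
             "the library fails its qualification tests",
             "three-month schedule slip and requalification cost",
             likelihood=4, consequence=4, owner="SW lead",
             triggers=["vendor test report overdue", "open defects rising"])
    second = Risk("Library is re-implemented in-house as the response",
                  "the in-house version introduces new defects",
                  "extra test cycles", likelihood=2, consequence=2, owner="SW lead")
    residual, secondary = apply_response(r, 2, 3, secondary=[second])
    return r, residual, secondary
```

Note that the response in `example_register` attacks the root cause (the unqualified dependency) rather than only the consequence, which is the DAG best practice stated above, and the register still records the secondary risk that the response itself introduces.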




The figure above shows the Earned-Value Management/Systems Engineering proposition that Risk is affected by all three factors. Also implicit in the figure is that the three factors affect each other. So not only is Risk related to Feasibility, but Feasibility is related to Cost, Schedule and Performance. The ecosystem of the product must be considered at the appropriate stage in its schedule to determine appropriate and accurate levels of risk.

Now, a product’s risk can be reasonably tied to its place in the Systems Engineering Schedule. For example, higher risk is often found at the very beginning of programs. Programs on the far left of their programmatic schedules are threatened by risk, but are benefited by the time and resources remaining to the right of them. A typical high-level Acquisitions Cycle Schedule (like those in Defense Acquisitions) can be seen below:


[DoD M&S] Models and simulations are SE tools used by multiple functional area disciplines during all life-cycle phases. Modeling is essential to aid in understanding complex systems and system interdependencies, and to communicate among team members and stakeholders. Simulation provides a means to explore concepts, system characteristics, and alternatives; open up the trade space; facilitate informed decisions and assess overall system performance.

Modeling and simulation provide:

  • Insight into program cost, schedule, performance, and supportability risk
  • Understanding of capabilities and the requirements set
  • Data to inform program and technical decisions
  • Efficient communication and shared understanding among stakeholders about relationships between system requirements and the system being developed, through precise engineering artifacts and traceability of designs to requirements
  • Better analysis and understanding of system designs (including system elements and enabling system elements), therefore providing a greater understanding of the reasons for defects and failures at all levels
  • Greater efficiencies in design and manufacturing by reducing the time and cost of iterative build/test/fix cycles
  • Timely understanding of program impacts of proposed changes


[WIKIPEDIA] Modeling and simulation (M&S) is using models, including emulators, prototypes and simulators, either statically or over time, to develop data as a basis for making managerial or technical decisions. The terms “modeling” and “simulation” are often used interchangeably.[1]

  • The use of M&S within engineering is well recognized. Simulation technology belongs to the tool set of engineers of all application domains and has been included in the body of knowledge of engineering management. M&S has already helped to reduce costs, increase the quality of products and systems, and document and archive lessons learned.

M&S is a discipline on its own. Its many application domains often lead to the assumption that M&S is pure application.

M&S is not a pure application and needs to be recognized by engineering management experts who want to use it. To ensure that the results of simulation are applicable to the real world, the engineering manager must understand the assumptions, conceptualizations, and implementation constraints of this emerging field.

  • In summary, three activities have to be conducted and orchestrated to ensure success:
  1. A model must be produced that captures formally the conceptualization.
  2. A simulation must implement this model.
  3. A management process must ensure that the model and the simulation remain interconnected and current (which normally means the model must be updated whenever the simulation is changed, and vice versa).
  • The military and defense domain, in particular within the United States, has been the main M&S champion, both in funding and in application of M&S. For example, M&S in modern military organizations is part of the acquisition/procurement strategy. Specifically, M&S is used to conduct events and experiments that influence requirements and training for military systems. As such, M&S is considered an integral part of systems engineering for military systems.

[MIT M&S below, really just co-opted them…it’s actually another DoD publication]



  • Spaceflight and aerospace disasters/successes compared to Hindenburg

An interesting anecdote in human flight development, as it relates to perceived risk and media sensationalism, is the history and aftermath of the Hindenburg airship crash. The story is quite famous (but never famous at a detailed level): most people, without an understanding of the politics, the engineering construction, the hugely impressive passenger and cargo safety record of the ship, and the actual loss-of-life figures, say that it seemed reckless to sustain an airship on hydrogen. And yet we routinely use highly combustible and dangerous fuels in both current jet travel and automobile transportation (i.e., gasoline and gasoline vapors are extremely flammable as well), we callously accept near-regular aircraft crashes, and we drive without much regard for the risk of dying in a car accident. With that said, of the 97 people on board the Hindenburg (36 passengers and 61 crewmen), there were 35 fatalities (13 passengers and 22 crewmen). One worker on the ground was also killed, making a total of 36 dead. A table comparison can clearly outline the survivability aspect of the Hindenburg versus commercial aircraft:

Fatalities per Accident Occurrence


For driving, one can use the US average automobile fatality rate of 1.5 per 100 million vehicle-miles for 2000 and then translate it into passenger-miles (to get a single-person risk exposure). The number of deaths per passenger-mile on commercial airlines in the US between 1995 and 2000 is about 3 deaths per 10 billion passenger-miles.


  • Why risk and risk perception are important to humans

With all this said with respect to judging risk, and despite how often we are expected to do it, humans are terrible judges of risk…and yet…living is a series of risk judgments and trade-offs. Aviation is one of the safest ways a human can travel; yet despite the low survivability rate in the unlikely event of an incident (or perhaps because of it), people commonly hold it to be more dangerous than other life activities. The point I wish to convey is this: do we, for example, pay an appropriate amount of attention to driving risk? If we tried re-engineering cars to make them as safe as planes, would the technical feasibility of automotive transportation suddenly change? This is why risk and feasibility are related.

Now, we may begin to discuss the Mars Society debate performance with a common language basis.