Subsystem Title or Section within Subsystem
[In the first column, using short bullets, fill in “what can go wrong,” or a brief description of a potential benefit from a program or action. Add additional rows as necessary. Fill in the other columns using the rating guidelines in the attached reference pages.]
Gap Analysis of Existing Risks and Controls
[Identify all controls that currently exist, excluding controls developed within this subsystem. Add more categories as necessary.]
Risk Mitigation Techniques
[Use the risk mitigation techniques and guidance within the attached reference to fill out the chart below. List all risks that have been identified in the gap analysis. When examining the relative cost-benefit of a proposed control, be careful to notice situations where a risk-specific control may also (directly or indirectly) address a separate risk identified in the gap analysis.]
Risk Assessment for [Directive Number, Directive Title]

| Risk/Opportunity | Risk Level | Potential Cost/Benefit | External Control(s) | Proposed Mitigation Technique | Internal Control (if needed) |
|---|---|---|---|---|---|
References
Risk/Opportunity Categories
- People – Risks that affect individual well-being.
- Mission – Risks that impede the ability of the department or offices to accomplish their mission.
- Assets – Risks that impact federal land, buildings, facilities, equipment, etc.
- Financial – Risks that may incur costs or obligations outside of DOE’s control.
- Customer and Public Trust – Risks that affect the trust and political environment around DOE.
Probability Ratings
- Rare – even without controls in place, it is nearly certain that the event would not occur.
- Unlikely – without controls in place, it is unlikely the event would occur.
- Possible – without controls in place, there is an even (50/50) probability that the event will occur.
- Likely – without controls in place, the event is more likely than not to occur.
- Certain – without controls in place, the event will occur.
Impact Ratings
Risk Level Ratings
Risk Mitigation Options and Guidance
- Acceptance
- Monitoring
- Mitigation
- Avoidance
| Unmitigated Risk / Strategy | Extreme | Significant | Moderate | Minor |
|---|---|---|---|---|
| Acceptance | • Not appropriate | • Not appropriate | • Not appropriate | • Risks can be handled through performance feedback and accountability |
| Monitoring | • Mandatory contractor independent assessments • Federal oversight with a mandatory periodicity • Mandatory, periodic reporting | • Mandatory contractor self-assessments with a minimum periodicity • Federal oversight with a periodicity that is based on performance • Mandatory, periodic reporting | • Limited Federal oversight based on performance • Mandatory reporting of threshold events | • Federal oversight on a for-cause basis • Standard performance evaluation processes |
| Mitigation | • Federal approvals of individual transactions • Detailed performance or process requirements • Detailed design requirements | • Federal approvals of systems and programs • Detailed performance or process requirements • Detailed design requirements | • Detailed performance requirements | • General performance requirements |
| Avoidance | • Prohibition of activities or operations | • Prohibition of activities or operations | • Prohibition of activities or operations | • Guidance |