About the ARMO

The ARMO leads Agency-wide efforts to advance risk management policy, culture, and capability. While there is currently no formal NASA Risk Management Program Office, the ARMO role was created to develop the foundations needed to better support NASA’s Mission Directorates, Centers, and Program/Project Managers in managing and communicating risk.

The ARMO is focused on building capabilities that:

  • Integrate risks from various boards and forums to provide a consolidated perspective on top enterprise risks.
  • Champion risk leadership initiatives to improve communication and clarify the Agency’s overall risk posture.
  • Develop and implement best practices for integrating Enterprise Risk Management (ERM) into day-to-day operations and decision-making.
  • Investigate and co-develop with stakeholders new methods to identify, monitor, and manage NASA’s highest-level risks.

ARMO Areas of Emphasis and Strategic Priorities

The ARMO’s work is organized around five interconnected emphasis areas:

  • Risk Framework: Strengthening Agency-wide structures, processes, and principles for consistent RM practice.
  • Risk Leadership: Building capacity and accountability for effective risk-informed leadership at all levels.
  • Tools: Identifying and advancing RM tools that support risk analysis, decision-making, and cross-level communication.
  • Training: Equipping NASA personnel with the knowledge and skills to practice effective RM, tailored to their roles and responsibilities.
  • Communication: Fostering timely, transparent, and meaningful risk dialogue across the enterprise.

Standard Risk Categories

Common risk types are frequently identified and managed across NASA’s activity domains. To support consistency and clarity in risk reporting, NASA has adopted a set of recommended standard risk categories. These categories provide a structured way to characterize risks based on the objectives they most significantly affect. Importantly, risks are categorized according to the objective at greatest risk even though a single risk may threaten multiple domains. These are intended for use in high, Agency-level risk discussions and are particularly relevant for enterprise and senior leadership contexts.

Domain | Category | Description
Enterprise | Strategic | Risks that may hinder NASA’s long-term goals or strategic direction (e.g., policy changes, geopolitical shifts).
Enterprise | Financial | Budget instability, funding constraints or issues in financial oversight that could affect program continuity.
Enterprise | Reputational | Threats to public trust, stakeholder confidence or NASA’s image.
Enterprise | Compliance | Legal, regulatory or policy noncompliance with potential for broad impact.
Programmatic | Technical | Engineering, design or technology risks that could degrade mission performance.
Programmatic | Schedule | Delays caused by unforeseen challenges, resource limitations or process issues.
Programmatic | Cost | Budget overruns, inaccurate cost projections or scope changes.
Programmatic | Safety & Security | Risks to mission execution involving physical or data safety concerns.
Institutional | Operational | Workforce, infrastructure or support function issues affecting day-to-day operations.
Institutional | Compliance | Institutional adherence to applicable standards, laws or policies.
Institutional | Safety & Security | Threats to the protection of people, systems or data from harm or cyber-attack.
All Domains | Other | Unique or emerging risks not adequately represented in the standard taxonomy.

Note: While categorization aids communication and visibility, it is not intended to restrict risk thinking. Regular updates and flexibility are essential to accommodate emerging risks and evolving mission needs.

The Objectives-Driven Risk Management Framework (ODRMF)

NASA applies an Objectives-Driven Risk Management Framework (ODRMF) to guide how risks are identified, analyzed, communicated, and managed across the Agency. This framework emphasizes aligning risk decisions with clearly defined objectives at all levels—from mission design to strategic planning.

The ODRMF consists of two interrelated processes:

  • RIDM (Risk-Informed Decision Making): A structured process that uses risk analysis to inform decisions where uncertainty could affect mission or program success. RIDM supports evaluation of options and trade-offs by considering likelihood, consequence, and stakeholder priorities.
  • CRM (Continuous Risk Management): A repeatable process used to manage operational risks throughout the life of a mission, project, or activity. CRM helps teams identify, track, and mitigate risks proactively as part of day-to-day execution.

Together, RIDM and CRM ensure that risks are managed both strategically and tactically, providing an integrated approach that supports safe, successful, and sustainable outcomes.

People

Dr. Mary Skow

Agency Risk Management Officer

Dr. Mary R. Coan Skow, Ph.D., is the Agency Risk Management Officer. In this role, which she helped formulate and establish, Dr. Skow integrates risks from various boards and forums to achieve perspective on top enterprise risks.

Learning

SATERN Courses

Fundamentals of Risk Management SMA-OV-WBT-137

This course is designed to provide an overview of risk management, including key concepts and terminology, agency principles and practices, foundations of the Objectives-Driven Risk Management framework, and communication of risk information.

As an IACET Accredited Provider, the NSC offers IACET CEUs for its learning events that comply with the ANSI/IACET Continuing Education and Training Standard. Please refer to the CPE field below for the number of CEUs on this course.

Risk Leadership SMA-HQ-WBT-220

This course provides you with an overview of the definition of risk leadership as stated in the NASA Agency Risk Management Procedural Requirements, NPR 8000.4. It highlights important aspects such as risk culture, risk posture, decision velocity, and the importance of balancing risk versus benefits. Throughout, you'll hear from NASA's risk leaders from a variety of fields and expertise as they share their experiences and describe what risk leadership means to them. You’ll also learn the vital role that you play in risk leadership at NASA.

As an IACET Accredited Provider, the NSC offers IACET CEUs for its learning events that comply with the ANSI/IACET Continuing Education and Training Standard. Please refer to the CPE field below for the number of CEUs on this course.

APPEL-Understanding Risk Management: Exploration of Core Concepts APPEL-RMCC

This course provides detailed insight into NASA’s risk management principles and practices. It explores in greater detail the core concepts introduced in the required pre-requisite “Fundamentals of Risk Management at NASA” SATERN course. Recommended approaches and guidance for applying Risk Informed Decision Making (RIDM) and Continuous Risk Management (CRM) processes are introduced.

Required Pre-requisite: Fundamentals of Risk Management at NASA SMA-OV-WBT-137.

APPEL-Applying Risk Management: From Theory to Practice APPEL-RMTP

This course builds on the knowledge of NASA’s approach to managing risk provided in Understanding Risk Management: An Exploration of Core Concepts. The course provides an opportunity to evaluate and practice application of Risk Informed Decision Making (RIDM) and Continuous Risk Management (CRM) in the context of NASA projects and programs. Participants will collaborate on a threaded case study as described in the Risk Management Handbook.

Required Pre-requisite: Fundamentals of Risk Management at NASA SMA-OV-WBT-137.

Policy and Guidance

NASA

Policy | Title
NPD 1000.0 | NASA Governance and Strategic Management Handbook
NPD 1000.5 | Policy for NASA Acquisition
NPD 1200.1 | NASA Internal Control
NPD 7120.4 | NASA Engineering and Program/Project Management Policy
NPD 8700.1 | NASA Policy for Safety and Mission Success
NPR 8000.4 | Agency Risk Management Procedural Requirements
NASA/SP-2024-3422 | NASA Risk Management Handbook: Version 2.0, Part I
NASA/SP-2024-0014326 | NASA Risk Management Handbook: Version 2.0, Part II
NASA/SP-2014-615 | Organizational Risk and Opportunity Management Concepts and Processes for NASA's Consideration

Recommended Reading

Title | Author | Year | Document
Workshop Minutes | Enterprise Risk and Opportunity Management | 2014 | Minutes
NASA and the Importance of Risk | NASA Administrator Charlie Bolden | 2013 | Message
Preparation, Submission, and Execution of the Budget | Office of Management and Budget | 2014 | Circular A-11
Management's Responsibility for Enterprise Risk Management and Internal Control | Office of Management and Budget | 2016 | Circular A-123