Risk Management

NASA Risk Management Program

NASA’s mission success depends on informed decision-making under uncertainty. Risk Management (RM) is a core competency that supports this effort across the Agency. In 2023, NASA established the Agency Risk Management Officer (ARMO) within the Office of Safety and Mission Assurance (OSMA) to strengthen and coordinate the Agency’s RM framework.

About the ARMO

The ARMO leads Agency-wide efforts to advance risk management policy, culture, and capability. While there is currently no formal NASA Risk Management Program Office, the ARMO role was created to develop the foundations needed to better support NASA’s Mission Directorates, Centers, and Program/Project Managers in managing and communicating risk.

The ARMO is focused on building capabilities that:

- Integrate risks from various boards and forums to provide a consolidated perspective on top enterprise risks.
- Champion risk leadership initiatives to improve communication and clarify the Agency’s overall risk posture.
- Develop and implement best practices for integrating Enterprise Risk Management (ERM) into day-to-day operations and decision-making.
- Investigate and co-develop with stakeholders new methods to identify, monitor, and manage NASA’s highest-level risks.

ARMO Areas of Emphasis and Strategic Priorities

The ARMO’s work is organized around five interconnected emphasis areas:

- Risk Framework: Strengthening Agency-wide structures, processes, and principles for consistent RM practice.
- Risk Leadership: Building capacity and accountability for effective risk-informed leadership at all levels.
- Tools: Identifying and advancing RM tools that support risk analysis, decision-making, and cross-level communication.
- Training: Equipping NASA personnel with the knowledge and skills to practice effective RM, tailored to their roles and responsibilities.
- Communication: Fostering timely, transparent, and meaningful risk dialogue across the enterprise.

Standard Risk Categories

Common risk types are frequently identified and managed across NASA’s activity domains. To support consistency and clarity in risk reporting, NASA has adopted a set of recommended standard risk categories. These categories provide a structured way to characterize risks based on the objectives they most significantly affect. Importantly, risks are categorized according to the objective at greatest risk even though a single risk may threaten multiple domains. These are intended for use in high, Agency-level risk discussions and are particularly relevant for enterprise and senior leadership contexts.

Domain | Category | Description
Enterprise | Strategic | Risks that may hinder NASA’s long-term goals or strategic direction (e.g., policy changes, geopolitical shifts).
Enterprise | Financial | Budget instability, funding constraints or issues in financial oversight that could affect program continuity.
Enterprise | Reputational | Threats to public trust, stakeholder confidence or NASA’s image.
Enterprise | Compliance | Legal, regulatory or policy noncompliance with potential for broad impact.
Programmatic | Technical | Engineering, design or technology risks that could degrade mission performance.
Programmatic | Schedule | Delays caused by unforeseen challenges, resource limitations or process issues.
Programmatic | Cost | Budget overruns, inaccurate cost projections or scope changes.
Programmatic | Safety & Security | Risks to mission execution involving physical or data safety concerns.
Institutional | Operational | Workforce, infrastructure or support function issues affecting day-to-day operations.
Institutional | Compliance | Institutional adherence to applicable standards, laws or policies.
Institutional | Safety & Security | Threats to the protection of people, systems or data from harm or cyber-attack.
All Domains | Other | Unique or emerging risks not adequately represented in the standard taxonomy.

Note: While categorization aids communication and visibility, it is not intended to restrict risk thinking. Regular updates and flexibility are essential to accommodate emerging risks and evolving mission needs.

The Objectives-Driven Risk Management Framework (ODRMF)

NASA applies an Objectives-Driven Risk Management Framework (ODRMF) to guide how risks are identified, analyzed, communicated, and managed across the Agency. This framework emphasizes aligning risk decisions with clearly defined objectives at all levels—from mission design to strategic planning.

The ODRMF consists of two interrelated processes:

- RIDM (Risk-Informed Decision Making): A structured process that uses risk analysis to inform decisions where uncertainty could affect mission or program success. RIDM supports evaluation of options and trade-offs by considering likelihood, consequence, and stakeholder priorities.
- CRM (Continuous Risk Management): A repeatable process used to manage operational risks throughout the life of a mission, project, or activity. CRM helps teams identify, track, and mitigate risks proactively as part of day-to-day execution.

Together, RIDM and CRM ensure that risks are managed both strategically and tactically, providing an integrated approach that supports safe, successful, and sustainable outcomes.

Risk Management News

OSMA Hosts Risk Management Summit to Address Key Challenges and Opportunities
December 12, 2014 | Events, Risk Management
The Office of Safety and Mission Assurance hosted a Risk Management (RM) summit to address key RM challenges and opportunities for the agency.

People

Dr. Mary Skow
Agency Risk Management Officer
Dr. Mary R. Coan Skow, Ph.D., is the Agency Risk Management Officer. In this role, which she helped formulate and establish, Dr. Skow integrates risks from various boards and forums to achieve perspective on top-enterprise risks.

Learning

SATERN Courses

Fundamentals of Risk Management (SMA-OV-WBT-137)
This course is designed to provide an overview of risk management, including key concepts and terminology, agency principles and practices, foundations of the Objectives-Driven Risk Management framework, and communication of risk information. As an IACET Accredited Provider, the NSC offers IACET CEUs for its learning events that comply with the ANSI/IACET Continuing Education and Training Standard. Please refer to the CPE field below for the number of CEUs on this course.

Risk Leadership (SMA-HQ-WBT-220)
This course provides you with an overview of the definition of risk leadership as stated in the NASA Agency Risk Management Procedural Requirements, NPR 8000.4. It highlights important aspects such as risk culture, risk posture, decision velocity, and the importance of balancing risk versus benefits. Throughout, you'll hear from NASA's risk leaders from a variety of fields and expertise as they share their experiences and describe what risk leadership means to them. You’ll also learn the vital role that you play in risk leadership at NASA. As an IACET Accredited Provider, the NSC offers IACET CEUs for its learning events that comply with the ANSI/IACET Continuing Education and Training Standard. Please refer to the CPE field below for the number of CEUs on this course.

APPEL-Understanding Risk Management: Exploration of Core Concepts (APPEL-RMCC)
This course provides detailed insight into NASA’s risk management principles and practices. The course takes up and explores in greater detail core concepts introduced in the required pre-requisite “Fundamentals of Risk Management at NASA” SATERN course. Recommended approaches and guidance for applying Risk Informed Decision Making (RIDM) and Continuous Risk Management (CRM) processes are introduced.
Required Pre-requisite: Fundamentals of Risk Management at NASA SMA-OV-WBT-137.

APPEL-Applying Risk Management: From Theory to Practice (APPEL-RMTP)
This course builds on the knowledge of NASA’s approach to managing risk provided in Understanding Risk Management: An Exploration of Core Concepts. The course provides an opportunity to evaluate and practice application of the Risk Informed Decision Making (RIDM) and Continuous Risk Management (CRM) processes in the context of NASA projects and programs. Participants will collaborate on a threaded case study as described in the Risk Management Handbook.
Required Pre-requisite: Fundamentals of Risk Management at NASA SMA-OV-WBT-137.

Policy and Guidance

NASA Policy | Title
NPD 1000.0 | NASA Governance and Strategic Management Handbook
NPD 1000.5 | Policy for NASA Acquisition
NPD 1200.1 | NASA Internal Control
NPD 7120.4 | NASA Engineering and Program/Project Management Policy
NPD 8700.1 | NASA Policy for Safety and Mission Success
NPR 8000.4 | Agency Risk Management Procedural Requirements
NASA/SP-2024-3422 | NASA Risk Management Handbook: Version 2.0, Part I
NASA/SP-2024-0014326 | NASA Risk Management Handbook: Version 2.0, Part II
NASA/SP-2014-615 | Organizational Risk and Opportunity Management Concepts and Processes for NASA's Consideration

Recommended Reading

- Workshop Minutes Enterprise Risk and Opportunity Management, 2014 (Minutes)
- NASA and the Importance of Risk, NASA Administrator Charlie Bolden, 2013 (Message)
- Preparation, Submission, and Execution of the Budget, Office of Management and Budget, 2014 (Circular A-11)
- Management's Responsibility for Enterprise Risk Management and Internal Control, Office of Management and Budget, 2016 (Circular A-123)