In this post, we’ll examine how NASA assesses risk and how you might use their approach at your financial institution to evaluate risks better and understand their consequences. Are you ready to manage risk like an astronaut?
When the ink dried on the recent $1.4 billion deal between SpaceX and NASA, the relationship between America’s space agency and commercial space travel companies was solidified.
In extending its 2014 contract with SpaceX, NASA solved its problem of maintaining a reliable schedule of crew missions to the International Space Station (ISS) until 2030. Rising geopolitical tensions with Russia, NASA’s leading partner on the ISS, and the agency’s inability to launch the necessary number of crew missions independently drove this updated partnership.
NASA modified its contract with SpaceX again in 2022, awarding the California startup another $1.15 billion to develop its Starship human landing system for a return moon landing and eventual human-crewed mission to Mars.
The space agency’s collaboration with SpaceX and other private space companies has not been without controversy. Between legal fights with other billionaires trying to claim a piece of NASA’s budget and concerns over SpaceX’s satellite deployments, the marriage between public and private space travel has been far from perfect.
When Crew-1, SpaceX’s first manned ISS mission, splashed down in the Gulf of Mexico in April 2021, it was the first nighttime splashdown since 1968.
NASA considers nighttime splashdowns risky. SpaceX argued that daytime weather conditions made a nighttime splashdown necessary. Communication between the space agency and its private contractor broke down, which led to the last-minute decision by NASA to approve a nighttime splashdown.
The 2021 Aerospace Safety Advisory Panel (ASAP) report addresses the risk of outsourcing space travel to private companies such as SpaceX.
“For NASA to continue its trajectory of success in the decades ahead, it must proactively plan for and manage its work in the presence of the numerous challenges, constraints, and risks inherent in the changing environment of the aerospace community,” reads the report.
As a government agency, NASA has more robust processes for managing risk than its private partners. NASA’s risk scorecard evaluates risk along two axes – the likelihood that a negative event will occur and the consequences if it does.
The dark blue tiles represent the lowest risk, while the red tiles indicate the highest risk.
Organizations such as NASA use a risk matrix to help identify potential risks and develop mitigation strategies. As we can see from the example above, even if a negative situation has a higher potential of occurring if the consequence isn’t that great, it’s not worth losing sleep over.
On the other hand, assessments must address the potential risks if a situation is highly likely and has severe consequences. NASA writes risk assessment statements based on four criteria:
Using SpaceX’s nighttime splashdown as the basis for writing a risk assessment, NASA might construct the following:
Because nighttime splashdowns can make a spacecraft more challenging to locate [Condition], there is a possibility of leaving astronauts on the spacecraft for an extended period [Departure] that puts the astronauts [Asset] at increased risk of dehydration and a worse response time to address medical emergencies [Consequence].
Read also: Key Risk Indicators for Banks, Credit Unions and Other Financial Institutions
There are two things to consider for any potential risk: the likelihood of the possible negative event occurring – a “departure” from the original plan – and the consequence of this departure. Referring to the risk assessment chart above, the likelihood of a departure from the original plan breaks down into five tiers.
NASA represents these tiers as percentages (the lowest likelihood has a 20% chance of occurring, while the highest likelihood has a 100% chance).
Business organizations can leverage NASA’s risk assessment matrix to manage risk. Let’s look at how this might work for your typical financial institution managing operational risk.
Operational risk is the broadest category of risk. It covers aspects such as an organization’s potential financial losses, the speed and timeliness of delivery impacting its reputation among customers, and its expected return on investments in falling short, among others.
These operational risks are present because people, procedures, and systems fail.
Creating a reliable risk assessment means evaluating real-world risks and assigning a value to their likelihood of occurrence.
Once you have determined whether an event is likely to occur, you can create a consequence scorecard. Consequence scorecards describe the negative impact that can occur based on the likelihood of departure from your original plan.
The chart below shows an example of the escalating consequences of an operational failure at a financial institution. (Note: A chart like this is only an effective risk management tool when there are clearly defined ranges and/or thresholds. Defining these levels is up to each individual organization.)
You need to examine your internal controls to determine whether a departure from a desired outcome is likely. Inherent risk is the risk that naturally occurs if you have no controls in place.
We can take cyber risk as an example because it has severe consequences. If your financial institution didn’t set up firewalls, intrusion detection software, or antivirus software, you would likely fall victim to a cyberattack.
Obviously, financial institutions have cybersecurity protocols in place to lower the likelihood of attack. Let’s say a bank has a cybersecurity system that reduces the risk of a breach from 100% with no internal controls to 40% with some controls in place.
Is this enough protection?
It’s important to note that no organization – NASA nor a financial institution – can achieve a 0% likelihood of a departure unless their risk response avoids the risk altogether. (The only way to 100% eliminate cyber risk is to not engage in any activities connected to the Internet.)
It all depends on your risk tolerance. Residual risk is the risk that remains after deterrence measures and a risk response are put into place.
Residual risk can be determined by the following formula: Residual risk = Inherent risk X Control Effectiveness. The less effective your controls, the more your residual risk will approach inherent risk (or the complete absence of controls).
How much residual risk you tolerate depends on your risk appetite. Using NASA’s risk mitigation formula, how much risk you tolerate depends on the acceptable degree of taking these risks.
In the case of a cyberattack with no controls, this could very well mean the end of your financial institution. When the consequences are highest, you want to take all reasonable measures to prevent the likelihood of an event occurring.
Cyberattacks fall into the category of wanting to reduce the likelihood of a departure because of their high negative consequences.
Being too averse to risk can be just as damaging as excessive risk-taking. While some banks take on excessive risk, other banks miss out on opportunities because they are allergic to risk.
Determining your risk appetite as an organization is critical to success. One might argue that NASA is too risk-averse. Daytime splashdowns also pose risks: the likelihood of more boats in the water during the day presents its own difficulties in retrieving space crews.
The key takeaway from the relationship between NASA and its private partners in space travel is that they need to consider how to measure risk and what they can reasonably do to avoid or minimize it.
Similar to how financial institutions and other organizations manage the risks associated with their third-party vendors, NASA requires more oversight in determining how SpaceX manages risk.
Managing risk like an astronaut means that organizations need to balance the likelihood of a departure from their original plan while also determining the severity of the consequences of this departure.
Only then can they effectively know their risk appetite and decide whether to pursue a venture.
For more risk assessment insights, download our webinar Reliable Risk Assessments.