
NPR 8000.4C
Effective Date: April 19, 2022
Expiration Date: April 19, 2027

Subject: Agency Risk Management Procedural Requirements

Responsible Office: Office of Safety and Mission Assurance


Chapter 2. Roles and Responsibilities

2.1 General

2.1.1 The implementation of the requirements of this NPR is the responsibility of Mission Directorates, Headquarters Mission Support Enterprise Offices, Center Directors, and program or project managers. They are responsible for determining which organizational units within their domains are subject to the risk management requirements in this NPR, including the staffing and execution of the risk management function.

2.1.2 Some requirements in this NPR are identified as applying only to organizational units of a particular type, such as Center support units or project units. Where the type of unit is not specified, requirements should be understood to apply to all types of organizational units.

2.1.3 Risks of all kinds are addressed in this NPR, but management of institutional risks is the focus of Headquarters and Center mission support and institutional organizations, while management of mission execution risks is the focus of project organizational units.

2.2 Organizational Roles and Responsibilities

2.2.1 Per NPD 1000.0, risk management at the Agency level is the responsibility of the Chairs of the Agency's Management Councils.

2.2.2 Establishment of the risk posture associated with human space flight is done by the Administrator. Establishment of the risk posture for science missions is done by the Associate Administrator for SMD. The risk posture affects risk-acceptance decision-making at all levels of the Agency.

2.2.3 Mission Directorate Associate Administrators:

a. specify organizational units within their Directorates responsible for the implementation of the requirements of this NPR;

b. designate organizational units that are authorized to acquire turnkey launch services based on fulfillment of requirements in 3.5.3, 3.5.4, and 3.5.5 of this NPR, accepting the risks as having been managed by the Provider, without assumption by the Acquirer of active management of the risks of launch services.

2.2.4 Project managers specify the organizational units and the hierarchy within their respective domains to which the requirements of this NPR apply.

2.2.5 Organizational unit managers coordinate the management of cross-cutting risks being managed within their units with other involved organizational units. More specifically, the MSD Associate Administrator and the Mission Support Enterprise Office heads:

a. Define institutional risk processes to ensure coordination across the Agency of institutional risk management activities efficiency and consistency;

b. In coordination with Center Directors, specify the organizational units and the hierarchy within their respective domains to which the requirements of this NPR apply.

Note: Refer to 3.7 for the detailed requirements concerning these areas of potentially shared responsibility.

2.2.6 The Technical and other Institutional Authorities (e.g., Institutional Safety Authorities) assure that risk management processes addressing their areas of responsibility are implemented in accordance with this NPR.

2.2.7 Per NPR 2810.1, the Chief Information Officer:

a. Develops and implements the Agency's cybersecurity policy and information system risk management framework for authorizing and operating information systems in accordance with Federal standards.

b. Evaluates and approves the appointment of all NASA information system Authorizing Officials, who are the primary authorities for acceptance of risk affecting, or resulting from, the operation of information systems.

2.2.8 Capability portfolio managers (e.g., the Manager for Rocket Propulsion Testing (RPT) Program), in collaboration with the stakeholders identified in NPD 1000.3, risk-inform the development and implementation of their respective asset and capability portfolios for the Agency.

2.3 Individual Accountabilities for Risk Acceptance

2.3.1 Programmatic authorities, e.g., project managers, have risk leadership responsibility and are accountable for risk acceptance decisions for their programs or projects, to be produced in a timely fashion and commensurate with their delegated authority and with the risk posture established for such activities or projects.

2.3.2 Center Directors are accountable for risk acceptance decisions for institutional activities at their Centers.

Note 1: Center Directors should proactively coordinate with MSD and its MSEO offices to make sure their risk-related decision processes are carried out consistently with the cross-agency infrastructure optimization strategies promoted by MSD.

Note 2: Center Directors should also proactively coordinate with other stakeholders across the Agency when they determine that their risk acceptance decisions may impact or affect such stakeholders and their institutional roles and responsibilities.

2.3.3 The Associate Administrator for the Mission Support Directorate (MSD) is separately accountable for risk acceptance decisions for those institutional activities across the Agency that are managed by his/her Office.

Note 1: The Associate Administrator for MSD should proactively coordinate with Center Directors across the Agency when he/she determines that MSD’s risk acceptance decisions may impact or affect institutional activities at a Center.

Note 2: In the event of disagreement between the Center Directors and the Associate Administrator for the MSD regarding a risk acceptance decision, the non-accepting party invokes the formal dissent process.

2.3.4 Formally delegated Technical Authorities are accountable for:

a. Concurrences in the soundness of the technical (safety, engineering, health and medical) cases relied upon by the organizational unit managers in acceptance of risk to safety or mission success;

b. Concurrences that risk acceptance decisions are within the authority of the organizational unit managers;

c. Concurrences that the risk is acceptable (per NPD 1000.0);

Note: The Technical Authority's (TA's) concurrence that the risk is acceptable includes agreement that the decision reflects the Agency’s risk posture: that it appropriately balances Agency priorities in the consideration of safety, mission success, cost, and schedule.

d. Nonconcurrences regarding a, b, or c, above, and elevation of the decision to the next higher level of management in accordance with the formal dissent process (NPD 1000.0).

Note: The TA role also includes framing safety and mission success issues of concern (potentially underappreciated risks) in terms of candidate risks for formal adjudication and disposition by the organizational unit managers.

2.3.5 When there is risk to humans, the actual Risk Taker[s]’ (e.g., astronauts’, pilots’) official spokesperson[s] and applicable supervisory chain must formally consent to assume the risk on behalf of the Risk Takers.

Note: The Administrator is the official Agency spokesperson to consent to any exposure to human safety or property risk on behalf of the general public.

2.3.6 When risk is produced by, or affecting, a specific information system, the Authorizing Official (AO) for that system is accountable for risk acceptance. If such a risk also affects a specific program, project, or activity, risk acceptance requires coordination between the responsible manager and the information system AO.



This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.