oSIST prEN 9239:2023

SLOVENSKI STANDARD
oSIST prEN 9239:2023
01-april-2023
Nadomešča:
SIST EN 9239:2016
Aeronavtika - Vodenje programov - Priporočila za obvladovanje tveganja in
upravljanje priložnosti
Aerospace series - Programme Management - Recommendations to implement risk
management and opportunity management
Luft- und Raumfahrt - Programm-Management - Empfehlungen zur Umsetzung für
Risikomanagement und Gelegenheitsmanagement
Série aérospatiale - Management de Programme - Recommandations pour la mise en
œuvre du management des risques et du management des opportunités
Ta slovenski standard je istoveten z: prEN 9239
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
49.020 Letala in vesoljska vozila na Aircraft and space vehicles in
splošno general
oSIST prEN 9239:2023 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN 9239:2023

---------------------- Page: 2 ----------------------
oSIST prEN 9239:2023


DRAFT
EUROPEAN STANDARD
prEN 9239
NORME EUROPÉENNE

EUROPÄISCHE NORM

February 2023
ICS 49.020 Will supersede EN 9239:2016
English Version

Aerospace series - Programme Management -
Recommendations to implement risk management and
opportunity management
Série aérospatiale - Management de Programme - Luft- und Raumfahrt - Programm-Management -
Recommandations pour la mise en œuvre du Empfehlungen zur Umsetzung für Risikomanagement
management des risques et du management des und Gelegenheitsmanagement
opportunités
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee ASD-
STAN.

If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations
which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.


EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN All rights of exploitation in any form and by any means reserved Ref. No. prEN 9239:2023 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Principles . 11
4.1 Integral part of management of the entire programme . 11
4.2 Incorporation of risks and opportunities . 12
4.2.1 Apprehension of risks and opportunities . 12
4.2.2 Assessment of the risk or opportunity . 12
4.2.3 Treatment of the risk or opportunity . 12
4.2.4 Control and monitoring . 12
4.2.5 Capitalization . 12
4.2.6 Overall synopsis . 12
4.3 Transversality . 13
4.4 Communication . 13
5 Risk management . 13
5.1 Organizational framework for risk management in the programme . 13
5.1.1 General. 13
5.1.2 Leadership . 14
5.1.3 Risk management plan . 14
5.1.4 Context and customer requirements . 14
5.1.5 Roles and responsibilities . 14
5.1.6 Resources . 15
5.1.7 Improvement: maturity of programme risk control process . 17
5.2 Programme risk management process . 17
5.2.1 General. 17
5.2.2 Step 1: setting up the risk management framework . 19
5.2.3 Step 2: identifying . 20
5.2.4 Step 3: analysing . 21
5.2.5 Step 4: assessing . 21
5.2.6 Step 5: producing risk reduction scenarios . 23
5.2.7 Step 6: selecting the scenarios . 25
5.2.8 Step 7: implementing the risk treatment actions . 26
5.2.9 Step 8: controlling and monitoring . 27
5.2.10 Step 9: capitalizing . 28
5.2.11 Communicating . 29
6 Opportunity management . 30
6.1 Organizational framework for programme opportunity management . 30
6.1.1 General. 30
6.1.2 Leadership . 30
6.1.3 Strategic opportunity management plan . 30
6.1.4 Context and customer requirements . 31
6.1.5 Roles and responsibilities . 31
2

---------------------- Page: 4 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
6.1.6 Resources . 32
6.1.7 Improvement: maturity of programme opportunity control process . 34
6.2 Programme opportunity management process . 34
6.2.1 General . 34
6.2.2 Step 1: setting up the opportunity management framework . 36
6.2.3 Step 2: identifying . 37
6.2.4 Step 3: analysing . 38
6.2.5 Step 4: assessing . 38
6.2.6 Step 5: producing scenarios for undertaking opportunity control actions . 41
6.2.7 Step 6: selecting the scenarios . 42
6.2.8 Step 7: implementing the opportunity treatment actions . 43
6.2.9 Step 8: controlling and monitoring . 44
6.2.10 Step 9: capitalizing . 45
6.2.11 Communicating . 46
Annex A (informative) List of typical risks by category . 48
Annex B (informative) List of typical opportunities by category . 51
Annex C (informative) Example of risk sheet . 53
Annex D (informative) Example of opportunity sheet . 55
Annex E (informative) Example of qualitative and quantitative assessments . 57
Annex F (informative) Examples of registers . 59
F.1 Example of risk register . 59
F.2 Example of opportunity register . 60
Annex G (informative) Notable differences between the risk management process and the
opportunity management process . 61
G.1 Vocabulary differences . 61
G.2 Differences in the management process . 61
Bibliography . 68

3

---------------------- Page: 5 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
European foreword
This document (prEN 9239:2023) has been prepared by the Aerospace and Defence Industries
Association of Europe — Standardization (ASD-STAN).
After enquiries and votes carried out in accordance with the rules of this Association, this document has
received the approval of the National Associations and the Official Services of the member countries of
ASD, prior to its presentation to CEN.
This document is currently submitted to the CEN Enquiry.
This document will supersede EN 9239:2016.

4

---------------------- Page: 6 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
Introduction
Risk management and opportunity management form an integral part of programme management.
They are implemented right from the start of the project feasibility stage and continue until material
disposal. This document is to be used as a basis, for any given programme, for negotiating the
requirements and relationships between customers and suppliers for risk management and
opportunity management. EN 9239 complements EN 9200 on programme management.
This document describes the processes to be followed in order to:
— identify and manage risks and opportunities within the programmes;
— maximize benefits for the programme, and also for any associated transverse function;
— construct and implement appropriate action plans.
In this document, risks and opportunities are addressed separately in two different clauses. This is
because the contractual, organizational and financial impacts of risk management and of opportunity
management may be different. Separate documentation for risk management and opportunity
management is recommended, as the respective responsibilities may be entrusted to the same or
different people.
The ultimate goal of this document is to contribute to an appropriate definition of programme
objectives (including costs, schedules and performances) and to continuously ensure that they are met
or enhanced, despite or thanks to events likely to have a negative or positive impact on its progress.
The programme director can manage risks and opportunities through the application of methods.
From previous edition EN 9239:2016, the changes mainly concern:
— the separation of risk management and opportunity management and the explanation of this choice
in the introduction;
— the terms and definitions:
— addition of terms and definitions associated with opportunity management (including
"amplitude", "benefit", "opportunity", etc.);
— update of the list of defined terms with the addition of new terms (including "detectability",
"sheet", "list of typical risks", "matrix", "portfolio", "register", etc.);
— the modification of the overall structure of the document:
— Clause 4 – Principles added, common to risks and opportunities;
— description of the organizational framework and process for risk management in Clause 5, and
description of the organizational framework and process for opportunity management in
Clause 6 (which mirrors the risk management process);
— compared to the risk management process described in the previous edition:
— choice to describe the process steps with the following construction: input data / actors /
processes / output data;
— addition of a step 3 – analyzing (between identifying and assessing), a step 5 – producing
scenarios (risk reduction and undertaking opportunity control actions) and a step 6 – selecting
5

---------------------- Page: 7 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
the scenarios. Communication is no longer described as a step because it is meant to be
transverse at all steps;
— the addition / removal of some annexes:
— new Annex B – List of typical opportunities by category added;
— former Annex D – Example of 3 colour code criticality and acceptability matrix: general risk
mapping deleted (addressed in the body of the RG);
— new Annex C and Annex D – Example of risk / opportunity sheet added;
— former Annex F – Risk assessment report deleted;
— former Annex G – Maturity of programme risk management: assessment criteria deleted;
— the update of the references cited and in the bibliography.

6

---------------------- Page: 8 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
1 Scope
This document enables the specific needs of the aeronautical, space and defence fields to be met. It can
also apply to other fields.
However, the specificity of some fields can lead to the use of existing sectorial standards such as
EN 16601-80, Space project management — Risk management (derived from ECSS-M-80).
This document:
— proposes a framework for implementing organization of risk management and opportunity
management within programme management; this framework may serve as a basis for writing risk
management specifications and opportunity management specifications;
— describes a process for keeping programme risks within the defined limitations that are considered
tolerable; this standard process can be used as a methodological guide for writing the programme
risk control plan;
— describes a process for addressing and developing opportunities that have positive consequences
on the execution of a programme; this standard process can be used as a methodological guide for
writing the strategic programme opportunity control plan;
— recognizes the need for knowledge management in order to capitalize and to share lessons learned
with other programmes, as well as the maturity assessment of the risk management and
opportunity management processes;
— identifies useful documents for risk management and opportunity management;
— proposes an example of a typical list of risks and opportunities.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp/
— IEC Electropedia: available at https://www.electropedia.org/
3.1
amplitude
level of importance of the opportunity allowing prioritization
Note 1 to entry: The amplitude of an opportunity is often the combination of the consequence in terms of
expected benefit and the likelihood (or probability) of occurrence of the opportunity, and possibly other attributes
(defined in the opportunity management plan) such as detectability.
7

---------------------- Page: 9 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
3.2
target amplitude
level of importance of the opportunity after implementation of the proposed action plan
Note 1 to entry: The target amplitude is characterized by a target likelihood (probability), a target consequence
index, and possibly detectability or another target attribute.
3.3
benefit
significance of the impact of an opportunity
3.4
library of risks and opportunities
set of information documented by the risk management and opportunity management processes
(standard sheets, lessons learned, etc.)
3.5
mapping of risks and opportunities
summary of the register obtained by consolidation of risks or of opportunities with the aim of
presenting them to aid strategic decision-making
3.6
cause
set of events and situations that are at the origin of the risk or opportunity
3.7
criticality
level of importance of the risk allowing prioritization
Note 1 to entry: The criticality of a risk is often the combination of the severity and the likelihood (or
probability) of occurrence of the risk, and possibly other attributes (defined in the risk management plan) such as
detectability.
3.8
detectability
capacity to detect the direct manifestation of a risk or the appearance of one of the causes of a risk or
opportunity
Note 1 to entry: Detectability includes the capacity to provide an appropriate response to mitigate the risk or
seize the opportunity.
3.9
opportunity sheet
documentation of the characteristics and other parameters of an identified opportunity
Note 1 to entry: An example is available in Annex D.
8

---------------------- Page: 10 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
3.10
risk sheet
documentation of the characteristics and other parameters of an identified risk
Note 1 to entry: An example is available in Annex C.
3.11
severity
significance of the impact of a risk
3.12
impact
effect of a risk or opportunity when it occurs
3.13
list of typical opportunities
identification of generic opportunities to assist with construction of the opportunity register for a
programme
Note 1 to entry: The list of consolidated typical opportunities at the company level is based on feedback from
the company, from previous or current programs and on the best practices identified in the normative
repositories.
Note 2 to entry: See Annex B.
3.14
list of typical risks
identification of generic risks to assist with construction of the risk register for a programme
Note 1 to entry: The list of consolidated typical risks at the company level is based on feedback from the
company, from previous or current programs and on the best practices identified in the normative repositories.
Note 2 to entry: See Annex A.
3.15
programme opportunity management
coordinated activities in order to take advantage of the opportunities for a programme
3.16
programme risk management
coordinated activities in order to mitigate the risks for a programme
3.17
opportunity matrix
presentation of the mapping of opportunities characterized according to their amplitude
Note 1 to entry: The amplitude may be represented by a colour code with 3 or 4 values, see Figure 5 in 6.2.5.4.
3.18
risk matrix
presentation of the mapping of risks characterized according to their criticality
Note 1 to entry: The criticality is often represented by a colour code with 3 or 4 values, see Figure 3 in 5.2.5.4.
9

---------------------- Page: 11 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
3.19
level of risk tolerance
criticality value beyond which specific risk mitigation actions are implemented
3.20
opportunity consideration level
amplitude value beyond which specific actions for the opportunity are implemented
3.21
occurrence of a risk or of an opportunity
fact of a risk or of an opportunity occurring
3.22
opportunity
uncertain event or circumstance which can have a positive impact on the achievement of the objectives
of the programme
3.23
typical opportunity
generic set of characteristics of opportunities
Note 1 to entry: The definition of typical opportunities supports the identification of the opportunities of a
programme.
3.24
risk portfolio
set of identified risk sheets for the programme
3.25
opportunity portfolio
set of identified opportunity sheets for the programme
3.26
programme
coordinated set of technical, administrative and financial tasks, intended to design, develop,
manufacture and use a product or a system, satisfying a need under the best performance, cost and time
conditions as well as ensuring the support of it and finally the disposal
Note 1 to entry: All or part of a programme can be designated also in the industrial world and in some
normative texts by the words “project”, “contract”, etc.
Note 2 to entry: When the notion of programme is associated with an overall system, the notion of sub-
programme or project is frequently used when addressing the constituents of this system.
3.27
opportunity promoter
person or entity responsible for promoting an opportunity and with the authority to manage it
3.28
risk owner
person or entity responsible for a risk and with the authority to manage it
[SOURCE: ISO/IEC 27000]
10

---------------------- Page: 12 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
3.29
opportunity register
list of identified opportunities in the portfolio, accompanied by their associated key information
Note 1 to entry: An example register is available in F.2.
3.30
risk register
list of identified risks in the portfolio, accompanied by their associated key information
Note 1 to entry: An example register is available in F.1.
3.31
opportunity lessons learned
retrospective analysis of each opportunity managed during the programme, aiming to determine the
knowledge that is reusable for opportunity management for the current programme and/or other
programmes
3.32
risk lessons learned
retrospective analysis of each risk managed during the programme, aiming to determine the knowledge
that is reusable for risk management for the current programme and/or other programmes
3.33
risk
uncertain event or circumstance which can have a negative impact on the achievement of the objectives
of the programme
3.34
residual risk
risk remaining after implementation of mitigation actions
Note 1 to entry: The residual risk is characterized by a residual criticality determined by a residual likelihood
(probability), a residual severity, and possibly detectability or another residual attribute.
3.35
likelihood of a risk or of an opportunity
assessment of the probability or frequency of a risk or of an opportunity occurring
4 Principles
4.1 Integral part of management of the entire programme
Risk management and opportunity management are an integral part of programme management.
The risk management and opportunity management success criteria cannot be dissociated from the
programme and programme management success criteria.
Risk management and opportunity management require a risk culture and an opportunity culture
within the organization. They rely on the involvement of all personnel and the deployment of suitable
practices.
Risk management and opportunity management cover each stage of the programme and of the product
life cycle.
11

---------------------- Page: 13 ----------------------
oSIST prEN 9239:2023
prEN 9239:2023 (E)
4.2 Incorporation of risks and opportunities
4.2.1 Apprehension of risks and opportunities
The risks and opportunities can be apprehended by all stakeholders of the programme, organization or
their environments. This apprehension of a risk or opportunity is expressed in a statement.
Processes are to be implemented (monitoring and alert system, lessons learned, comparative studies of
the competition (“benchmarking”), etc.) to apprehend risks and opportunities. This apprehension may
be intuitive and based on listening, observation, critical thinking and openness.
The apprehended statement is then compared with risks and opportunities that have already been
identified. If it is new, it is reformulated as a risk or opportunity, and enters into the assessment
process.
4.2.2 Assessment of the risk or opportunity
This risk or opportunity is then assessed by the programme team’s risk and opportunity managers, in
three steps: identification, analysis and assessment.
As the managers and processes for risk management and for opportunity management are technically
different, risks and opportunities are addressed separately in this document.
NOTE See Clause 5 for risk management, Clause 6 for opportunity management and Annex G to compare risk
and opportunity terminologies and approaches.
4.2.3 Treatment of the risk or opportunity
The risk
...