The term risk management is applied in a number of diverse
disciplines. People in the fields of statistics, economics,
psychology, social sciences, biology, engineering, toxicology, systems
analysis, operations research, and decision theory, to name a few,
have been addressing the field of risk management.
the meaning of risk management in the context of a number of different
disciplines in an article for Risk Analysis:
"What is risk management? To many social analysts, politicians, and
academics it is the management of environmental and nuclear risks,
those technology-generated macro-risks that appear to threaten our
existence. To bankers and financial officers it is the sophisticated
use of such techniques as currency hedging and interest rate swaps. To
insurance buyers and sellers it is coordination of insurable risks and
the reduction of insurance costs. To hospital administrators it may
mean 'quality assurance.' To safety professionals it is reducing
accidents and injuries."
SEI Risk Statement
For a risk to be understandable, it must be expressed clearly.
Such a statement must include
- a description of the current conditions that may lead to the loss
- a description of the loss
An Example of Risk
A company has introduced object-oriented (OO) technology into its organization
by selecting a well-defined project "X" with hard schedule constraints to
pilot the use of the technology. Although many "X" project personnel were
familiar with the OO concept, it had not been part of their development
process, and they have had very little experience and training in the
technology's application. It is taking project personnel longer than expected
to climb the learning curve. Some personnel are concerned, for example, that
the modules implemented to date might be too inefficient to satisfy project
"X" performance requirements.
The risk is: Given the lack of OO technology experience and
training, there is a possibility that the product will not meet
performance or functionality requirements within the defined schedule.
- Non-Risk Example
Another company is developing a flight control system. During
system integration testing the flight control system becomes unstable
because processing of the control function is not quick enough during
a specific maneuver sequence.
The instability of the system is not a risk since the event is
a certainty - it is a problem.
- Continuous Risk Management Example
When using Continuous Risk Management, risks are assessed
continuously and used for decision-making in all phases of a project.
Risks are carried forward and dealt with until they are resolved or
they turn into problems and are handled as such.
- Non-Continuous Risk Management Example
In some projects, risks are assessed only once during initial
project planning. Major risks are identified and mitigated, but risks
are never explicitly looked at again.
This is not an example of
Continuous Risk Management because risks are not continuously assessed
and new risks are not continuously identified.
Software Risk Evaluation
The SEI Software Risk Evaluation (SRE) Service is a diagnostic and
decision-making tool that enables the identification, analysis, tracking,
mitigation, and communication of risks in software-intensive programs. An SRE
is used to identify and categorize specific program risks emanating from
product, process, management, resources, and constraints. The program's own
personnel participate in the identification, analysis, and mitigation of risks
facing their own development effort.
An SRE provides a program manager with a mechanism to anticipate and address
program risks. The SRE introduces a set of activities that, when initiated,
begin the process of managing risk. These activities can be integrated with
existing methods and tools to enhance program management practices.
Risk Process Check
A Risk Process Check is the SEI's most recently developed risk management
service. It is combination of tutorial, survey instrument, interviews,
and feedback session conducted on-site to determine how effective the
project or program's risk management process is. It is based on the
SEI's Seven Principles of Risk Management, and,
being principle-based rather than model-based, it can evaluate any risk
management process, whether it follows the guidelines of the SEI's Continuous
Risk Management course or some completely different model.
The Risk Process Check has been used on one major DoD program (DoD program
office, prime contractor, and two subcontractors to the prime) and two
contractor organizations to a non-DoD government agency. There are many areas
of opportunity to refine and further define this service with the SEI.
Continuous Risk Management Guidebook
The Continuous Risk Management Guidebook was written with professionals in mind who are directly involved in
software-intensive projects (program managers, lead engineers, software
engineers, etc.). It may also be of interest to professionals from other
disciplines (e.g., quality assurance, hardware engineering, testing) involved
in software-intensive projects, and sponsors, change agents, technology
transition agents, and software engineering process group members in
organizations that want to improve.
The Continuous Risk Management Guidebook describes the underlying
principles, concepts, and functions of risk management and
provides guidance on how to implement it as a continuous
practice in your projects and organization. Risk management can be
used to continuously assess what can go wrong in projects
(i.e., what the risks are), determine which of these risks are most
important, and implement strategies to deal with these risks. The
guidebook is based on proven practices confirmed through research, field
testing, and direct work with clients.
The Continuous Risk Management Guidebook was developed to help a
project or organization establish continuous risk management as a routine
practice and then continue to improve this process. It is organized so that
different users can read different parts of the book and get different
benefits. For example, technical managers and lead engineers can read the
book to learn how to build a risk management process that is tailored to their
specific project or organization; software engineers can use it to understand
how to perform the risk management methods and use the tools described
in the guidebook; and change agents (such as members of software engineering
process groups) can read it to understand why continuous risk management
should be used and how to get projects to tailor it and start using it.
In addition, all users of this guidebook will gain a greater understanding
of continuous risk management.
Although the Guidebook deals primarily with performing continuous risk
management in a software development environment, it can easily address
systems, hardware, and other domains.
For detailed information, visit the Guidebook web page.
Risk and Mission Success
Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)
The SEI Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)
provides a suite of advanced risk analysis tools for assessing complex processes and
programs. With this toolset, you can determine the potential for success based
on an analysis of current conditions. Using SEI MOSAIC approach you can:
- determine objectives
- define what constitutes success
- forecast the potential for success
- measure health status at any given point in time
- develop strategies to keep from failing
These tools are designed to analyze complex organizational and
technological issues that are well beyond the capabilities of most
traditional risk analysis approaches. Thus, SEI MOSAIC is well-suited for
use in a variety of complex environments, such as
- large, distributed software development programs
- organizations in dynamic, rapidly changing business environments
- organizations with strict reliability, security, and safety
- large, distributed supply chains
- processes supporting critical infrastructures
- distributed information-technology (IT) processes
In contrast to most traditional process and risk analysis approaches,
the SEI MOSAIC considers a broad range of conditions and events that can
affect the potential for success. By considering such a diverse set of
factors, it becomes easier to strategically allocate limited resources
where and when they are needed the most.
For detailed information, visit the Mission Success in Complex Environments website.