The SEI has had a long relationship with risk management. For nearly 20 years, we have been conducting research and development in various aspects of managing risks for software-intensive systems. In the early years, we developed and conducted Software Risk Evaluations (SREs), using the Risk Taxonomy. The Continuous Risk Management (CRM) approach to managing project risk followed, which is still in use today— nearly 15 years after it was released. Other applications of risk management principles have been developed, including CURE, ATAM®, and OCTAVE®. But the work at the SEI hasn't stopped because, despite the plethora of risk management approaches, methods, tools, and techniques, programs continue to fail from risks that turn into preventable catastrophes.

In 2006, the SEI Mission Success in Complex Environments (MSCE) project was chartered to develop practical and innovative methods, tools, and techniques for measuring, assessing, and managing program risks. The MSCE team developed Mosaic—a suite of methods that can be used to manage risk and opportunity during acquisition, development, and operations, and across the supply chain. Mosaic enables decision makers to more efficiently engage in the risk management process, navigating through a broad tradeoff space (including performance, reliability, safety, and security considerations, among others) and strategically allocating their limited resources when and where they are needed the most.

Rather than begin with a traditional, tactical focus on all the things that could go wrong (i.e., all risks), Mosaic analyzes risk from the top down. Starting with a program's key objectives, you derive a small set of key drivers of program success and failure. This set of drivers is the heart of Mosaic's methods and techniques, and  provides a multi-purpose foundation for easy-to-use, practical risk management; yet, when needed, more complex, in-depth analysis techniques are available. Because of its dynamic nature, Mosaic can be used to either improve or replace more traditional risk management approaches.

The intent of Mosaic is to start simple, with an overall view into the current state of the program, and extend that view in-depth where needed. By using a consistent set of success drivers to define and organize a program's risks, the number of "weak areas" the program manager must focus on stays  small and manageable, and addresses the full breadth of the program and its life cycle, avoiding the blind spots of more tactical approaches. The view of risk can be broadened to include opportunity when appropriate.