Software Engineering Institute Carnegie Mellon


Risk Management FAQ

What is risk management?
Why is there pressure to do risk management more systematically?
How do I learn about risk management?
What are the prerequisites? What do I have to do?
Who have been the SEI collaborators in developing risk management?
What does success look like?
What will risk management do for my business?
What are the consequences or negative results of not doing risk management?
How does software risk management relate to software process improvement?
If I implement risk management, does that guarantee success?
How do the SEI's products and services in risk management relate to the CMMI's Process Area on Risk Management (RSKM)?
What products/services/documents are available?
Do Software Risk Evaluation, Continuous Risk Management, and Team Risk Management work for non-government projects and organizations?
What size projects do Software Risk Evaluation, Continuous Risk Management, and Team Risk Management work on?
How often does the SEI update risk management products and services?
What are the opportunities for collaboration?
What is a Risk Process Check?
Are these products and practices stable?
What does the SEI mean by a "risk statement"?
What are some other good sources for information about risk management?

Other Questions

How can I get a copy of the CD-ROM that is an integral part of the SRE Method Description version 2.0 (CMU/SEI-99-TR-029)?
What is the cost for an SEI service?
How do I get more information?
How can I order bound copies of SEI reports?
Distribution Centers for SEI Reports
How can I order a copy of the Continuous Risk Management Guidebook?
How can I get electronic copies of SEI reports?

What is risk management?

Risk Management is a practice with processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision making to

Why is there pressure to do risk management more systematically?

Recent Congressional action, as well as DoD policy, emphasizes the need to improve acquisition practices and the management of risks.

In addition, the pressure to improve project performance and time-to-market, reduce costs, and improve management practices is driving organizations to avoid expensive problems, and hence to manage risk more effectively.

How do I learn about risk management?

See the risk bibliography of articles and books related to risk management, including the Continuous Risk Management Guidebook [Dorofee96]. We also recommend that you speak with an SEI customer relations representative to learn more about what the SEI offers. The Customer Service representative can discuss the steps necessary for various products and services or answer any of your questions. Please contact Customer Relations to be directed to the appropriate Customer Service representative.

What are the prerequisites? What do I have to do?

While there are no real prerequisites to performing risk management, it is more effectively practiced by organizations or projects that have acquired some degree of maturity (Level 2 on the SW-CMM®, for example). Risk management is a required Process Area (PA) at Level 3 of the Capability Maturity Model Integration (CMMI), so it is necessary to have effective risk management processes in place to qualify for Level 3 in the staged representation. Level 1 organizations can practice some rudimentary forms of risk management (e.g., identifying risks, using action items to manage them); however, be aware that any project which, for example, fails to adequately manage action items or problems is also likely to have difficulty managing risks.

To start managing risks, you need to understand risk management. See the bibliography as a starting place for reading material.

Who have been the SEI collaborators in developing risk management?

Customers include:

Computer Sciences Corporation
Federal Aviation Administration
Ford ACD
Hughes
Loral
National Reconnaissance Office
Sandia Labs
State of Pennsylvania
U.S. Air Force
U.S. Army
U.S. Marine Corps
U.S. Navy
U.S. Coast Guard
Unisys
Xerox Corporation

What does success look like?

A successful risk management practice is one in which risks are continuously identified and analyzed for relative importance. Risks are mitigated, tracked, and controlled to effectively use program resources. Problems are prevented before they occur and personnel consciously focus on what could affect product quality and schedules.

What will risk management do for my business?

There will be a cultural shift from "fire-fighting" and "crisis management" to proactive decision making that avoids problems before they arise. Anticipating what might go wrong will become a part of everyday business, and the management of risks will be as integral to program management as problem or configuration management.

What are the consequences or negative results of not doing risk management?

Management will not have insight into what could go wrong. As a consequence:

More resources will be spent correcting problems that could have been avoided or caught sooner.
Catastrophic problems (surprises) may occur without warning, and with no recovery possible.
Decisions will be made without complete information or adequate knowledge of their future consequences.
The overall probability of completing the program successfully is reduced.
The program will always be in a crisis.

How does software risk management relate to software process improvement?

Risk management is currently a key process area (KPA) in the Systems Engineering CMM® and the Software Acquisition CMM. It is a Process Area (PA) at Maturity Level 3 in the CMM Integration (CMMI) staged model. Risk management and process improvement are complementary.

Risk management focuses on building the right product, project performance, managing change, innovation, and uncertainty. Process improvement focuses on building the product right, activity improvement, managing variability, conformance, and control.

How do the SEI's products and services in risk management relate to the CMMI's Process Area on Risk Management (RSKM)?

The SEI's products for Continuous Risk Management are completely consistent with the requirements of RSKM. Continuous Risk Management, fully and effectively implemented, will satisfy all the requirements for an organization to be at Level 3 in RSKM.

The Risk Clinic provides a direct, hands-on workshop and follow-up consulting for an organization to fulfill the RSKM specific goal SG 1, "Prepare for Risk Management."

The Software Risk Evaluation provides a direct way of starting a project on RSKM goals SG 2, "Identify and Analyze Risks," and SG 3, "Mitigate Risks."

Team Risk Management takes the organization beyond the internal organizational focus of the CMMI to deal with customer-supplier risk management. TRM fits more comfortably into the world of the SA-CMM and of the CMMI augmented to include acquisition issues and process areas (CMMI-SE/SW/IPPD/A, currently in draft release).

Finally, the Risk Process Check is a diagnostic that can help an organization that has installed risk management but is unable to achieve Level 2 or Level 3 proficiency in RSKM to pinpoint the areas of weakness and define remedial activities.

If I implement risk management, does that guarantee success?

No. There are many aspects to achieving program success. Risk management is not a silver bullet. However, it can improve decision making, help avoid surprises, and improve your chances of succeeding.

What products, services, and documents are available?

Currently available: Software Risk Evaluation (SRE), Continuous Risk Management (CRM), and Team Risk Management (TRM).

An SRE establishes a snapshot, or baseline set, of risks and mitigation plans for a project. CRM is the continuous, life-cycle set of processes, methods, and tools for managing risks. TRM extends CRM to include all organizations in a program, such as customers and suppliers, in the joint management of the program's risks.

The CRM course has been a public offering since 1997. On-site training can be arranged through SEI Customer Relations. Executive-level training in risk management is also available; contact Customer Relations to arrange it or for up-to-date information about public offerings.

Do Software Risk Evaluation, Continuous Risk Management, and Team Risk Management work for non-government projects and organizations?

Absolutely. SREs have been used in purely commercial settings to identify risks, create mitigation plans, and help to meet the product's market window. CRM can be done by any organization or project trying to manage its risks, whether government or industry. The inter-organizational aspects of TRM are primarily focused on customer-supplier teams but these can be industry customer-supplier, prime-subcontractor, and contractor-vendor, as well as government-contractor.

What size projects do Software Risk Evaluation, Continuous Risk Management, and Team Risk Management work on?

Small to very large. On the smaller end, SREs apply to projects of at least five staff members and eight months in duration. Both CRM and TRM are applicable to any size project.

How often does the SEI update risk management products and services?

All SEI risk work is currently being funded through customer collaboration; therefore the risk management products and services are updated as needed by the individual customers. Most recently, for example, the National Reconnaissance Office provided the funding to create Software Risk Evaluation Method Description Version 2.0. As a customer/collaborator of the SEI in risk management, you can help determine which products and services receive priority.

What are the opportunities for collaboration?

Customers/collaborators are welcomed for work that will further refine the areas of Software Risk Evaluation, Continuous Risk Management (CRM), Team Risk Management, and Risk Process Checks. These products and services can only be refined through application to real software-intensive programs, so such programs will receive priority. Also of particular interest to the SEI are collaborations that will lead to publication of articles, conference presentations, technical reports, and definitive texts in any of these four topic areas. In addition, there are opportunities for individuals to be resident affiliate in the Process Improvement Team of the Software Engineering Process Management program, working in risk management and other process improvement disciplines. See the Affiliate Opportunities on our Web site, and follow the links to specific opportunities.

What is a Risk Process Check?

A Risk Process Check is the SEI's most recently developed risk management service. It is a combination of tutorial, survey instrument, interviews, and feedback session conducted on-site to determine how effective a project's or program's risk management process is. It is based on the SEI's Seven Principles of Risk Management, and, being principle-based rather than model-based, it can evaluate any risk management process, whether it follows the guidelines of the SEI's Continuous Risk Management course or some completely different model.

The Risk Process Check has been used on one major DoD program (DoD program office, prime contractor, and two subcontractors to the prime) and two contractor organizations to a non-DoD government agency. There are many areas of opportunity to refine and further define this service with the SEI.

Are these products and practices stable?

In general, yes; however, as best practice improves, we will include the useful methods and tools that are being developed by others as well as the SEI.

What does the SEI mean by a "risk statement"?

A risk statement is a concise articulation of a program condition leading to risk, together with one or more consequences foreseen from that condition. Each statement is accompanied by context: a richer textual explanation of the risk the statement points to, with indications of the sources of the underlying condition. The risk statement is the "basic data brick" on which the SRE, CRM, and TRM processes are built.
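As an added illustration (not part of the SEI's FAQ or its products), the following Python models a risk statement as defined above: one condition, one or more consequences, and context. The "condition; consequence" line format used for input, the consequence-merging behaviour, the sample lines, and all identifiers are assumptions of this example, not something the SEI text specifies.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Consequence:
    """One foreseen outcome of the condition, with its own explanatory context."""
    text: str
    context: str = ""


@dataclass
class RiskStatement:
    """Condition plus one or more consequences, as described in the FAQ answer above."""
    condition: str
    consequences: List[Consequence] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)  # where the condition comes from

    def validate(self) -> List[str]:
        """Return a list of defects; an empty list means the statement is well-formed."""
        problems: List[str] = []
        if not self.condition.strip():
            problems.append("condition is empty")
        if not self.consequences:
            problems.append("no consequence given")
        for i, c in enumerate(self.consequences):
            if not c.text.strip():
                problems.append(f"consequence {i} is empty")
        return problems

    def render(self) -> List[str]:
        """One 'condition; consequence' line per consequence (assumed separator)."""
        return [f"{self.condition.strip()}; {c.text.strip()}" for c in self.consequences]


def parse_risk_lines(lines: List[str]) -> Dict[str, RiskStatement]:
    """Parse 'condition; consequence' lines and merge those sharing a condition.

    The semicolon separator is an assumption of this example, not something the
    FAQ specifies. A line without a consequence is kept, so that validate()
    reports it rather than silently dropping it.
    """
    statements: Dict[str, RiskStatement] = {}
    for line in lines:
        cond, sep, cons = line.partition(";")
        cond = cond.strip()
        stmt = statements.setdefault(cond, RiskStatement(condition=cond))
        if sep and cons.strip():
            stmt.consequences.append(Consequence(text=cons.strip()))
    return statements


# Constructed sample input for this example; not taken from any real program.
SAMPLE_LINES = [
    "The authentication library we depend on is two major versions behind and "
    "no longer receives security fixes; a publicly known flaw could be exploited "
    "before we can patch",
    "The authentication library we depend on is two major versions behind and "
    "no longer receives security fixes; upgrading late will force an unplanned "
    "API migration close to release",
    "Only one engineer understands the build pipeline",  # condition with no consequence
]


if __name__ == "__main__":
    for cond, stmt in parse_risk_lines(SAMPLE_LINES).items():
        print("\n".join(stmt.render()) or cond)
        print("  defects:", stmt.validate() or "none")
```

Two input lines that share a condition are merged into a single statement with two consequences; the third line, which states a condition but no consequence, survives parsing and is flagged by validate(), which is the check a reviewer would want before a statement enters an SRE or CRM risk list.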

What are some other good sources for information about risk management?

Other good sources for information about project and program risk management would include independent consultants, the Software Program Managers' Network, the Defense Systems Management College (DSMC), and the Project Management Institute, a professional association for project managers.

The SEI's contribution to risk management is in the specific area of managing risks for software-dependent projects and programs. The SEI is focusing on how to manage risks both when developing and when acquiring software-dependent systems as part of such projects and programs.

Other Questions

How can I get a copy of the CD-ROM that is an integral part of the SRE Method Description version 2.0 (CMU/SEI-99-TR-029)?

While supplies last, you can contact Customer Relations and a copy of the CD-ROM will be mailed to you free of charge. Incidentally, the CD-ROM contains a portable document format (PDF) copy of CMU/SEI-99-TR-029, so you can either print it from the CD-ROM or download it from this Web site (see "How can I get electronic copies of SEI reports?" below). Once the SEI's supplies of the CD-ROM are exhausted, you can order complete bound copies of the Method Description (including the CD-ROM) through the normal distribution channels (see "How can I order bound copies of SEI reports?").

What is the cost for an SEI service?

Cost will vary depending upon the product or service selected. The least expensive is acquiring technical reports or guidebooks. The most expensive are long-term consulting and technical transition support services. See the individual product/service information descriptions for general cost descriptions. Please discuss the actual costs with your SEI Customer Service representative.

How do I get more information?

Contact SEI Customer Relations at customer-relations@sei.cmu.edu.

How can I order bound copies of SEI reports?

Bound copies of SEI technical reports, special reports, maturity models, and handbooks are available only from the National Technical Information Service (NTIS), or the Defense Technical Information Center (DTIC). Contact one of the listed distribution centers for details about how to order bound copies of reports.

Distribution Centers for SEI Reports

National Technical Information Service
U.S. Department of Commerce
Springfield, VA 22161-2103
Telephone: 703 / 487-4600
Web: http://www.ntis.gov

Defense Technical Information Center
ATTN: BRR
8725 John J. Kingman Road, Suite 0944
Ft. Belvoir, VA 22060-6218
Telephone: 1-800-225-3842 (toll free in the U.S.) or 703 / 767-8274
Web: http://www.dtic.mil

Note: DTIC distribution is limited to government contractors who have established a DTIC account. To order documents from DTIC, you must provide the DTIC accession number for the desired report; for example, ADA235641 is the DTIC number for the SEI report, Rate Monotonic Analysis for Real-Time Systems. Recent SEI reports may not have DTIC-assigned accession numbers as yet.

How can I order a copy of the Continuous Risk Management Guidebook?

To order a copy of the Continuous Risk Management Guidebook, contact SEI Customer Relations at 412-268-5800, or by email customer-relations@sei.cmu.edu or see our Web page.

How can I get electronic copies of SEI reports?

Many SEI documents are available in portable document format (PDF) or HTML files. Please visit the publications section of the SEI Web site for information about how to download electronic copies of SEI reports. See document listing for a complete list of SEI documents.

For More Information

Customer Relations
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
Phone: 412-268-5800

Send comments or questions to customer-relations@sei.cmu.edu
