Whether you are working in a systems-of-systems, multi-program, or single-program environment, our tools and methods can help you make a paradigm shift to a systemic approach to risk management. Or, we can also help you improve your current tactical approach.

Integrated Risk and Opportunity Management

Every program or organization conducts risk management on some level, no matter how large or small they are. Whether you are acquiring, developing and operating software-intensive systems or systems of systems, the risk management approach you use is integral to success. Even though most programs and organizations implement some type of risk management approach preventable failures continue to occur because of:

• Uneven and inconsistent application of risk-management practice
• Significant gaps in risk-management practice
• Ineffective integration of risk-management practice
• Increasingly complex management environment

While traditional risk management approaches are still useful and relevant, today's distributed environments demand an approach that effectively coordinates risk and opportunity management activities among all program groups, which may or may not be within the same organization, geographic location, or supply chain. Such an approach requires a shift in the risk management paradigm.

Mosaic—A New Approach

Mosaic is a suite of practical and innovative methods that can be used to systemically manage risk across the life cycle and supply chain. Apart from giving you an across the board view of risk, these methods have several other unique features.

• Straightforward and easy to apply
• Fully scalable
• Easily incorporates into existing management structures
• Success-oriented approach to risk management
• Employs top-down analysis

The Mosaic courses, workshops, and evaluation services enable decision makers to more efficiently engage in the risk management process, navigating through a broad tradeoff space (including performance, reliability, safety, and security considerations, among others) and strategically allocating their limited resources when and where they are needed the most.

Traditional Risk Management

If you are familiar with the SEI, then you are familiar with our traditional risk management approach known as Continuous Risk Management (CRM). CRM takes a tactical approach to managing risk by focusing on individual risk statements. This bottom-up approach has been around for nearly 15 years, and continues to be an effective risk management solution for software projects.

The functions of Continuous Risk Management are continuous activities throughout the life cycle of a project:

• Identify—search for and locate risks before they become problems.
• Analyze—transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks.
• Plan—translate risk information into decisions and actions (both present and future) and implement those actions.
• Track—monitor risk indicators and mitigation actions.
• Control—correct for deviations from the risk mitigation plans.
• Communicate—provide information and feedback internal and external to the project on the risk activities, current risks, and emerging risks. (Communication happens throughout all the functions of risk management.)

Each risk nominally goes through these functions sequentially, but the activity occurs continuously, concurrently (e.g., risks are tracked in parallel while new risks are identified and analyzed), and iteratively (e.g., the mitigation plan for one risk may yield another risk) throughout the project life cycle.