How We Approach Risk

Everyone involved in software development, acquisition, operations, or management talks about "risk." The trouble is, everyone means something different by it. Many kinds of risk can affect your project, program, or business. Acquisition risk, development risk, operational risk, productivity risk, and reputation risk are but a few examples. You need to decide which types of risk to focus on. In addition, you cannot focus only on the negative aspects of risk. To assess and manage risk successfully, you need to view it within the context of the mission and objectives that you are pursuing. Viewing risk through the lens of your mission and objectives enables you to (1) determine which types of risks are of concern and (2) balance the risk you face against the opportunity you seek.

With so many questions and variables, how do you make sense of it all? You need to start by understanding that risk is multifaceted. On one hand, it is associated with the obstacles to success and with loss. On the other, it is linked to business or success drivers, opportunities, assurance, and security. In addition, risk is influenced by many organizational factors, including people, tools and techniques, technologies, and processes.

The types of risk you face may differ depending on your role in the software life cycle. Management risks—at the project, program, or organizational level—may be related to cost, schedule, quality, scope, capability, operational effectiveness, interoperability, integration, or technical readiness levels. Acquisition risks may relate to buying software (adopt-before-we-buy or buy-before-we-create situations) or buying services (distributed teams, virtual organizations, or supply chain risks). Development risks may relate to any point in the life cycle—new development, migration, evolution, or technology insertion—or to the type of system being engineered.

Development approaches also carry their own potential risks, which may be mitigated by using proven methods in architecture, reuse, systems of systems (SoS), or model-based engineering.

There are also a number of ways to focus your risk-management improvement efforts. One way is to define a risk practice by specifying risk-management activities (assess, plan, control) and by selecting tools, such as risk spreadsheets, stoplight charts, and dashboards. Another way is to foster a risk-aware culture through workforce development, policy, and governance.

By partnering with the SEI, you will have the opportunity to

  • Learn—through executive seminar, workforce awareness, or technical training
  • Pilot—by establishing baselines, proving concepts, or measuring impact
  • Apply on your own—in your own organizational context to establish or improve your risk management
  • Apply with our assistance—in your own organizational context, we can assist you in installing or improving risk management practices

 

Want more information?

Contact us to find out how the SEI can help.

Government Representative

Al Evans
Manager, Government Program Development
703-908-8225

aevans@sei.cmu.edu

Industry/International Representative

Jan Philpot
Manager, Industry Program Development
703-908-8208

philpot@sei.cmu.edu

