
Practical Risk Management: Principles and Methods

Although most programs and organizations implement some type of risk management approach, preventable failures continue to occur. Many of these approaches tend to be bureaucratic and time-intensive, which can consume valuable program resources. Most programs would benefit by improving, or in some cases replacing, their current risk management practices.

This course introduces a suite of practical and innovative methods that can be used to systemically manage risk across the life cycle and supply chain. It builds on older, more traditional approaches to risk management such as CRM and OCTAVE. It will enable decision makers to more efficiently engage in the risk management process, navigating through a broad tradeoff space (including performance, reliability, safety, and security considerations, among others) and strategically allocating their limited resources when and where they are needed the most.

This two-day course provides the foundation for a more practical approach to risk management that builds from a straightforward, broad-view method to a complex array of techniques needed for in-depth analyses of complex risks. Through an interactive learning environment using discussion, examples, worksheets, and exercises, participants will be able to grasp the essentials of the practical, easy-to-use techniques.

The course progresses as follows.

  • Introduction to a small set of success and failure drivers used to evaluate the current state of a software-intensive program. This driver foundation is the central theme of the practical approach to managing risks.
  • Description and application of a framework[1] and methods for managing risk, including risk identification and mitigation as well as preparing for and sustaining good risk management practice.
  • Description and application of a technique for evaluating an existing risk management practice from two points of view:
    • Outputs: are the appropriate activities and required results of risk management present?
    • Success: is the risk management practice effective?
  • A review of some of the more common standards and guidelines for how to perform risk management, and how this practical approach aligns with those standards.
  • Examination of several alternative means of implementing this practical approach to risk management.

[1] Note: This is the SEI Risk Management Framework, which focuses primarily on program/project risk management, and not the NIST RMF, which is now being used for system certification/accreditation.

Audience

  • project managers, lead engineers, software engineers
  • risk managers and others performing risk management activities
  • those involved in process improvement such as EPG and SEPG members and change or technology transition agents
  • those from related disciplines such as quality assurance, acquisition, security, IT


This course will help participants to

  • Understand core risk management concepts
  • Understand how to apply the success and failure drivers
  • Adapt and tailor the Mosaic risk management methodology to their program's needs and constraints
  • Be able to apply Mosaic risk management methods
  • Be able to evaluate an existing risk management practice for completeness and effectiveness

Topics

  • Drivers of success and failure
  • Risk management framework
  • Mosaic: Practical risk management activities
    • assessing risks
    • planning for risk mitigation
    • implementing mitigation plans
  • Preparing for risk management
  • Sustaining risk management
  • Evaluating your risk management practice
  • Alignment with risk management standards
  • Implementing practical risk management


Students will receive the complete set of slides; a course workbook of templates, examples, and exercises; and handouts of related papers and reference materials.


This course has no prerequisites. It is recommended that participants have a minimum of 2-3 years of experience in the development or acquisition of software-intensive systems, or in project management.

Course Fees [USD]

  • U.S. Industry: $1,400.00
  • U.S. Govt/Academic: $1,100.00
  • International: $2,100.00


This two-day course meets at the following times:

Days 1-2, 8:30 a.m. - 5:00 p.m. (U.S. Locations)

This course may be offered by special arrangement at customer sites. For details, please email us or telephone +1 412-268-1817.

Course Questions?

Phone: 412-268-7388
FAX: 412-268-7401

Related Courses

  • Assessing Information Security Risk Using the OCTAVE Approach

    3-Day Course

    In this three-day course, participants learn to perform information security risk assessments using the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro method. The OCTAVE Allegro approach provides organizations a comprehensive methodology that focuses on information assets in their operational context. Risks...

  • Introduction to the CERT Resilience Management Model

    2-Day Course

    This two-day course introduces a model-based process improvement approach to managing operational resilience using the CERT® Resilience Management Model (CERT-RMM) v1.2. CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help...


Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.