Risk Management Framework

Risk Management Framework
Christopher J. Alberts
Audrey J. Dorofee
August 2010
TECHNICAL REPORT
CMU/SEI-2010-TR-017
ESC-TR-2010-017
Acquisition Support Program

Unlimited distribution subject to the copyright.
http://www.sei.cmu.edu
This report was prepared for the
SEI Administrative Agent

ESC/XPK
5 Eglin Street
Hanscom AFB, MA 01731-2100
The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of
scientific and technical information exchange.
This work is sponsored by the U.S. Department of Defense. The Software Engineering Institute is a federally funded
research and development center sponsored by the U.S. Department of Defense.
Copyright 2010 Carnegie Mellon University.
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS

FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO,
WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED
FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.
Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use
is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative
works.
External use. This document may be reproduced in its entirety, without modification, and freely distributed in written or
electronic form without requesting formal permission. Permission is required for any other external and/or commercial
use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie
Mellon University for the operation of the Software Engineering Institute, a federally funded research and development
center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose
the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant
to the copyright license under the clause at 252.227-7013.
For information about SEI publications, please visit the library on the SEI website (www.sei.cmu.edu/library).
Table of Contents
Acknowledgments v
Abstract vii
1 Introduction 1
2 Risk Management Concepts 5
3 Framework Overview 9
4 Prepare for Risk Management (Phase 1) 15
5 Perform Risk Management Activities (Phase 2) 19

5.1 Assess Risk (Activity 2.1) 24
5.2 Plan for Risk Mitigation (Activity 2.2) 27
5.3 Mitigate Risk (Activity 2.3) 31
6 Sustain and Improve Risk Management (Phase 3) 35
7 Framework Requirements 39
Appendix: Evaluating a Risk Management Practice 45
References/Bibliography 59
i | CMU/SEI-2010-TR-017
ii | CMU/SEI-2010-TR-017
List of Figures
Figure 1: Components of Risk 6
Figure 2: Risk Management Activities 7
Figure 3: Framework Structure 9
Figure 4: Structure of Dataflow Diagrams 11
Figure 5: Dataflow for Phase 1 15
Figure 7: Dataflow for Activity 2.1 24
iii | CMU/SEI-2010-TR-017
iv | CMU/SEI-2010-TR-017
Acknowledgments
The authors would like to thank the Army Strategic Software Improvement Program (ASSIP) for pilot-
ing a workshop that resulted in significant improvements to the framework. The authors also wish to
acknowledge the contributions of the reviewers, Carol Woody, Julie Cohen, and Tricia Oberndorf, and
the editor of this technical report, Barbara White.
v | CMU/SEI-2010-TR-017
vi | CMU/SEI-2010-TR-017
Abstract
Although most programs and organizations use risk management when developing and operating soft-
ware-reliant systems, preventable failures continue to occur at an alarming rate. In many instances, the
root causes of these preventable failures can be traced to weaknesses in the risk management practices
employed by those programs and organizations. To help improve existing risk management practices,
Carnegie Mellon University Software Engineering Institute (SEI) researchers undertook a project to
define what constitutes best practice for risk management. The SEI has conducted research and devel-
opment in the area of risk management since the early 1990s. Past SEI research has applied risk man-
agement methods, tools, and techniques across the life cycle (including acquisition, development, and
operations) and has examined various types of risk, including software development risk, system acqui-
sition risk, operational risk, mission risk, and information security risk, among others.
In this technical report, SEI researchers have codified this experience and expertise by specifying (1) a
Risk Management Framework that documents accepted best practice for risk management and (2) an
approach for evaluating a program’s or organization’s risk management practice in relation to the
framework.
vii | CMU/SEI-2010-TR-017
viii | CMU/SEI-2010-TR-017
1 Introduction
Occurrence of Although most programs and organizations use risk management when
Preventable Failures developing and operating software-reliant systems, preventable failures
continue to occur at an alarming rate. Several reasons contribute to the oc-
currence of these failures, including
significant gaps in the risk management practices employed by programs

and organizations
uneven and inconsistent application of risk management practices within
and across organizations
ineffective integration of risk management with program and organiza-
tional management
increasingly complex management environment
To help improve existing risk management practices, Carnegie Mellon

Software Engineering Institute (SEI) researchers undertook a project to
define what constitutes best practice for risk management. This technical
report provides the results of that research project by specifying the follow-
ing:
a Risk Management Framework that documents accepted best practice

for risk management
an approach for evaluating a program’s or organization’s risk manage-
ment practice in relation to the requirements specified in the framework
SEI Background in Since the early 1990s, the SEI has conducted research and development in
Risk Management the area of risk management and has applied risk management methods,
tools, and techniques across the life cycle (including acquisition, develop-
ment, and operations). In addition, past SEI research examined various
types of risk, including software development risk [Dorofee 1996, Williams
1999, Alberts 2009], system acquisition risk [Gallagher 1999], operational
risk [Gallagher 2005], mission risk [Alberts 2009] and information securi-
ty risk [Alberts 2002], among others. In this technical report, SEI research-
ers have codified this experience in the form of a Risk Management
Framework.
Carnegie Mellon is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
1 | CMU/SEI-2010-TR-017
Risk Management The Risk Management Framework specifies accepted best practice for the
Framework discipline of risk management. The framework is implementation indepen-
dent—it defines key risk management activities, but does not specify how
to perform those activities. In particular, the framework helps provide a
foundation for a comprehensive risk management methodology

basis for evaluating and improving a program’s risk management prac-
tice
The Risk Management Framework can be applied in all phases of the sys-
tem development life cycle (e.g., acquisition, development, operations). In
addition, the framework can be used to guide the management of many
different types of risk (e.g., acquisition program risk, software development
risk, operational risk, information security risk).
Purpose of this The purpose of this technical report is to present the Risk Management
Document Framework, which defines the core set of activities and outputs required to
manage risk effectively. However, this document does not provide step-by-
step procedures for conducting the risk management activities. Other SEI
documents and courses provide specific methods, tools, and techniques for
managing different types of risk.
Intended Audience The primary audience for this technical report is people who are responsi-
ble for assessing and managing risk in development and operational set-
tings. People who are interested in the following topics might also find this
document useful:
learning about what constitutes best practice in risk management

evaluating and improving an existing risk management practice
2 | CMU/SEI-2010-TR-017
Structure of This This technical report is divided into the following parts:
Document
Section 1: Introduction—provides a brief overview of the motivation
for developing the Risk Management Framework and defines the au-
dience for this document
Section 2: Risk Management Concepts—presents background infor-
mation about risk management
Section 3: Framework Overview—describes how the Risk Manage-
ment Framework is structured
Section 4: Prepare for Risk Management (Phase 1)—presents activi-
ties that are required to prepare for risk management
Section 5: Perform Risk Management Activities (Phase 2)—
describes activities that are required to manage risk effectively
Section 6: Sustain and Improve Risk Management (Phase 3)—
presents activities that are required to sustain and improve a risk man-
agement practice over time
Section 7: Framework Requirements—defines the criteria that are
used to establish conformance with the Risk Management Framework
Appendix: Evaluating a Risk Management Practice—presents a set
of worksheets that can be used to evaluate a program’s or organization’s
risk management practice and establish consistency with the Risk Man-
agement Framework
3 | CMU/SEI-2010-TR-017
4 | CMU/SEI-2010-TR-017
2 Risk Management Concepts
Multiple Contexts of The term risk is used universally, but different audiences often attach dif-
Risk Management ferent meanings to it [Kloman 1990]. In fact, the details about risk and how
it supports decision making depend upon the context in which it is applied
[Charette 1990]. For example, safety professionals view risk management
in terms of reducing the number of accidents and injuries. A hospital ad-
ministrator views risk as part of the organization’s quality assurance pro-
gram, while the insurance industry relies on risk management techniques
when setting insurance rates. Each industry thus uses a definition that is
uniquely tailored to its context. No universally accepted definition of risk
exists.
Three Conditions Whereas specific definitions of risk might vary, a few characteristics are
of Risk common to all definitions. For risk to exist in any circumstance, the follow-
ing three conditions must be satisfied [Charette 1990]:
1. The potential for loss must exist.

2. Uncertainty with respect to the eventual outcome must be present.1
3. Some choice or decision is required to deal with the uncertainty and
potential for loss.
Basic Definition of These three characteristics can be used to forge a very basic definition of
Risk the word risk. Most definitions focus on the first two conditions—loss and
uncertainty—because they are the two measurable aspects of risk. Thus, the
essence of risk, no matter what the domain, can be succinctly captured by
the following definition: Risk is the possibility of suffering loss [Dorofee
1996].
1
Some researchers separate the concepts of certainty (the absence of doubt), risk (where the probabilities of alternative
outcomes are known), and uncertainty (where the probabilities of possible outcomes are unknown). However, because
uncertainty is a fundamental attribute of risk, we do not differentiate between decision making under risk and decision
making under uncertainty in this technical report.
5 | CMU/SEI-2010-TR-017
Components of Risk As illustrated in Figure 1, a risk can be thought of as a cause-and-effect
pair, where the threat is the cause and the resulting consequence is the ef-
fect. In this context, a threat is defined as a circumstance with the potential
to produce loss, while a consequence is defined as the loss that will occur
when a threat is realized [Alberts 2009].
Cause Effect
Threat Consequence
Probability Impact
Figure 1: Components of Risk
Risk Measures Three measures are associated with a risk: (1) probability, (2) impact, and
(3) risk exposure. The relationships between probability and impact and the
components of risk are shown in Figure 1. In this context, probability is
defined as a measure of the likelihood that a threat will occur, while impact
is defined as a measure of the loss that will occur if the threat is realized.
Risk exposure provides a measure of the magnitude of a risk based on cur-
rent values of probability and impact.
Risk Management Risk management is a systematic approach for minimizing exposure to po-
tential losses. It provides a disciplined environment for
continuously assessing what could go wrong (i.e., assessing risks)

determining which risks to address (i.e., setting mitigation priorities)
implementing actions to address high-priority risks and bring those risks
within tolerance
6 | CMU/SEI-2010-TR-017
Risk Management Figure 2 illustrates the three core risk management activities:
Activities
assess risk—transform the concerns people have into distinct, tangible
risks that are explicitly documented and analyzed
plan for risk mitigation—determine an approach for addressing or mi-
tigating each risk; produce a plan for implementing the approach2
mitigate risk—deal with each risk by implementing its defined mitiga-
tion plan and tracking the plan to completion
These three activities form the foundation of the Risk Management Frame-
work.
Assess
Mi
tig
n
Pla
a te
Figure 2: Risk Management Activities
2
No universal definition for the term mitigation exits. In fact, various risk management standards and guidelines use this
term quite differently. In this report, we define mitigation broadly as any action taken to address a risk.
7 | CMU/SEI-2010-TR-017
Issue/Problem One of the fundamental conditions of risk is uncertainty regarding its oc-
currence. A risk, by definition, might or might not occur. In contrast, an
issue3 (also referred to as a problem in many contexts) is a loss or adverse
consequence that has occurred or is certain to occur. With an issue, no un-
certainty exists—the loss or adverse consequence has taken place or is cer-
tain to take place.4 Issues can also lead to (or contribute to) other risks by
creating a circumstance that produces a new threat

making an existing threat more likely to occur
aggravating the consequences of existing risks
Opportunity Risk is focused on the potential for loss; it does not address the potential for
gain. The concept of opportunity is used to address the potential for gain.
An opportunity is the likelihood of realizing a gain from an allocation or
reallocation of resources. Opportunity defines a set of circumstances that
provides the potential for a desired gain and requires an investment or ac-
tion to realize that gain (i.e., to take advantage of the opportunity). Pursuit
of an opportunity can produce new risks or issues, and it can also change
existing risks or issues.
Focus of the Risk The Risk Management Framework (hereafter also referred to as “the
Management framework”) defines activities that are required to manage risk effectively.
Framework Activities for managing issues and opportunities are not explicitly specified
in the Risk Management Framework. While risk management can be inte-
grated with issue and opportunity management [Alberts 2009], the details
for achieving an integrated approach for managing risks, issues, and oppor-
tunities is beyond the scope of this report.
3
People do not always find it easy to distinguish between an issue and the future risk posed by that issue (if left uncor-
rected). This confusion can result in issues being documented in a risk database and being treated like risks (and vice
versa). Management must take great care to ensure that their approaches for managing issues and risks are integrated
appropriately and understood by both management and staff.
4
Many of the same tools and techniques can be applied to both issue and risk management.
8 | CMU/SEI-2010-TR-017
3 Framework Overview
Introduction This section presents an overview of the Risk Management Framework. Figure
3 shows the three phases of the framework. The main goal of the framework is
to specify the core sequence of activities that must be executed when perform-
ing risk management (Phase 2). However, because risk management must be
conducted within a broader context or environment, the framework also speci-
fies activities to prepare for risk management (Phase 1) as well as to sustain
and improve the risk management practice over time (Phase 3).
Phase 1 Phase 2 Phase 3

Prepare for Risk Perform Risk Sustain and Improve
Management Management Activities Risk Management
Figure 3: Framework Structure
Risk Management Phase 1 (“Prepare for Risk Management”) is used to get ready for the other two
Framework: Three phases. Phase 1 activities should be complete before activities in the other
Phases phases are executed. Phase 2 (“Perform Risk Management Activities”) defines
a set of activities for managing risk. Phase 2 activities are continually per-
formed to ensure that the overall risk to key objectives is effectively managed
over time. The activities of Phase 3 (“Sustain and Improve Risk Management”)
are normally performed on a periodic basis to ensure that the risk management
practice remains effective over time. Phase 3 activities are used to identify im-
provements to a risk management practice. While Phase 1 is generally com-
pleted prior to beginning the other two, Phases 2 and 3 are typically executed
concurrently.
9 | CMU/SEI-2010-TR-017
Specifying The following common elements are used to specify each phase of the
Framework Phases framework:
description of the phase

key questions answered by the phase
dataflow for the phase that highlights the phase’s inputs, constraints,
resources, and outputs
description of each input required by the activities performed in the
phase
description of each constraint affecting activities performed in the phase
description of each resource required by activities performed in the
phase
description of each output produced by the activities performed in the
phase
description of each activity that must be performed in the phase
Specifying Phase 2 Phase 2 is described in more detail than the other phases because it speci-
Activities fies the distinct sequence of activities that uniquely defines a risk manage-
ment practice. Phase 2 of the framework comprises the following three ac-
tivities:
Activity 2.1: Assess Risk

Activity 2.2: Plan for Risk Mitigation
Activity 2.3: Mitigate Risk
The following common elements are used to specify each Phase 2 activity:
description of the activity

key questions answered by the activity
dataflow of inputs and outputs for the activity
descriptions of each input to the activity
descriptions of each output produced by the activity
circumstances that trigger execution of the activity
description of each sub-activity that must be performed when conducting
the activity
10 | CMU/SEI-2010-TR-017
Dataflow Diagrams Dataflow diagrams are used to document phases and activities in the Risk
Management Framework. Figure 4 shows the structures of the dataflow
diagrams for a phase and an activity.
Constraints
Inputs Framework Phase Outputs Inputs Framework Activity Outputs
Note: Activity diagrams are

Resources provided for Phase 2 only.
Figure 4: Structure of Dataflow Diagrams
Note that dataflow diagrams include the following four elements:
inputs—items that are used by a phase or activity to produce an output or

result
outputs—the results that are produced by a phase or activity
constraints—items that restrict the execution of a phase and its activities
resources—items that can be used during the execution of a phase and its
activities
In the Risk Management Framework, dataflow diagrams for activities are

documented only for Phase 2. Because Phase 2 defines the core risk man-
agement activities, additional details are provided for that phase of the
framework. Dataflow diagrams are not provided for the activities of Phases
1 and 3.
Notice that the dataflow structure for a Phase 2 activity does not include
constraints and resources. (Refer to Figure 4.) Phase 2 constraints and re-
sources influence all activities that are performed during that phase. For
simplicity, Phase 2 constraints and resources are documented in the Phase 2
diagram only; they are not replicated in each activity diagram for Phase 2.
11 | CMU/SEI-2010-TR-017
Dataflow Identifiers Each input, output, constraint, and resource included in a dataflow is
represented by an identifier, which includes a prefix and a number. The
prefix is based on the type of data and the number represents a specific data
element of that type. For example:
C1 is the first risk management constraint (affects all phases).

R3 is the third risk management resource (affects Phases 1 and 3).
PI1 is the first input to Phase 1 (preparation).
O4 is the fourth output of Phase 2 (conduct risk management).
SO2 is the second output of Phase 3 (sustainment and improvement).
The prefixes used in the dataflow diagrams are listed in Table 1.
Table 1: Prefixes Used in the Dataflow Diagrams

Assessment Phase Prefixes
Phase 1 PI is an input to preparation activities.
PO is an output that is produced when preparation activities are

performed.
C is a constraint.
R is a resource.
Phase 2 I is an input to the core risk management activities of Phase 2.
O is an output produced when the core risk management

activities of Phase 2 are performed.
C is a constraint.
PO is an output of Phase 1 that either acts as a constraint or is

used as a resource during Phase 2.
Phase 3 SI is an input to sustainment and improvement activities.
SO is an output that is produced when sustainment and

improvement activities are performed.
C is a constraint.
R is a resource.
12 | CMU/SEI-2010-TR-017
Specifying One of the objectives of the framework is to provide a basis for evaluating
Framework and improving risk management practice for a program or organization.
Requirements Requirements have been specified for each output in the framework. These
requirements provide the basis for evaluating a risk management practice.
Requirements are presented for the following phases and activities:
Phase 1: Prepare for Risk Management

Phase 2: Perform Risk Management Activities,
Phase 3: Sustain and Improve Risk Management
A set of worksheets that can be used to evaluate a risk management prac-

tice and establish conformance with the Risk Management Framework is
provided in the appendix of this report.
Framework The basic structure of the Risk Management Framework is defined as:
Specification:
Structure Phase 1: Prepare for Risk Management
Phase 2: Perform Risk Management Activities
— Activity 2.1: Assess Risk
— Activity 2.2: Plan for Risk Mitigation
— Activity 2.3: Mitigate Risk
Framework Requirements
This structure forms the basis for the remainder of this report.
13 | CMU/SEI-2010-TR-017
14 | CMU/SEI-2010-TR-017
4 Prepare for Risk Management (Phase 1)
Description In this phase, preparation activities for risk management are performed.
Key Questions This phase answers the following questions:
Who is sponsoring risk management?

How can stakeholder sponsorship be attained?
What is the plan for conducting risk management?
What resources are required to effectively conduct risk management?
Dataflow The following dataflow describes the inputs and outputs of this phase.
Constraint
C1 Risk Management Constraints
Outputs
PO1 Stakeholder Sponsorship
Input Phase 1 PO2 Risk Management Plan
PI1 Stakeholder Requirements Prepare for risk PO3 Risk Sources
management PO4 Risk Management Criteria
PO5 Tailored Methods and Tools
PO6 Trained Personnel
Resources
R1 Policies, Standards, Laws, and Regulations
R2 Standard Risk Management Practice
R3 Experienced Personnel
Figure 5: Dataflow for Phase 1
Input The following is the input to this phase.
Input Description
PI1 Stakeholder The needs of the key stakeholders regarding risk management
Requirements
15 | CMU/SEI-2010-TR-017
Constraint The following is the constraint for this phase.
Constraint Description
C1 Risk Management Any circumstances, including logistics, standards, laws, regulations, personnel,
Constraints schedule, and cost issues that could affect risk management activities
Resources The following are the resources required by this phase.
Resource Description
R1 Policies, Standards, Any informative policies, standards, laws, and regulations that guide the
Laws, and Regulations implementation of the risk management practice
R2 Standard Risk The accepted practice for implementing risk management, including methods, tools,
Management Practice procedures, criteria, worksheets, automated support tools, and databases. The
standard risk management practice must be tailored for each specific application of
risk management (e.g., program, organization, technology).
R3 Experienced Personnel5 A core group of people who are collectively experienced in all phases of risk
management. Risk management roles and responsibilities for these people are
defined, and they have received training that is appropriate for their roles and
responsibilities.
5
This core group of experienced personnel is responsible for setting up and sustaining an effective risk management
practice. Other personnel who will also be performing risk management activities will be trained as needed.
16 | CMU/SEI-2010-TR-017
Outputs The following are the outputs of this phase.
Output Description
PO1 Stakeholder Active and visible support of risk management by key stakeholders and decision
Sponsorship makers
PO2 Risk Management Plan The activities a program intends to perform when conducting risk management.
Examples of items commonly found in a risk management plan include
 the objectives of the risk management effort
 the scope of the risk management effort (e.g., actively participating groups and
teams, support groups, interfaces)
 resources (e.g., personnel, funding, technology, facilities, and equipment)
needed to conduct risk management
 roles and responsibilities for conducting risk management
 description of the risk management method being employed
 relationships and dependencies with other management practices (e.g., project,
problem/issue, or opportunity management)
 pointers to the procedures, artifacts, and tools used in each risk management
activity
 the sources of risk being assessed
 all relevant criteria for conducting risk management activities, including the
criteria for probability, impact, and risk exposure
 a communication framework that describes formal paths for sharing risk
information among key stakeholders
 time intervals and other triggers for establishing risk baselines
 effectiveness measures used to evaluate the risk management practice
PO3 Risk Sources The causes of risk that will be assessed (this should be kept current)
PO4 Risk Management The parameters used when managing risks, including
Criteria  probability, impact, and risk exposure criteria
 decision-making criteria (e.g., for prioritizing risks during mitigation or deciding
when to escalate risks within a program or organization)
 criteria that establish risk tolerance
 criteria for communicating with collaborators and partners as well as with senior
management
PO5 Tailored Methods and The methods and tools that will be used when conducting risk management,
Tools including procedures, criteria, worksheets, automated support tools, and databases.
Methods and tools are usually tailored from a standard set for a specific application
of risk management (e.g., program, organization, technology).
PO6 Trained Personnel6 The people who are tasked with performing risk management activities and are
prepared to conduct them
6
The majority of personnel in a program typically receive awareness training to enable them to effectively identify risks
or bring them to the attention of those responsible for risk management activities. Other people can receive more spe-
cialized training based on their roles in the risk management process.
17 | CMU/SEI-2010-TR-017
Activities The following activities are performed in this phase.
Activity Description
1.1 Develop stakeholder Meet with key stakeholders and decision makers to foster their active, visible, and
sponsorship continuous support of risk management and gather their requirements.
1.2 Develop risk Create the plan for conducting risk management based on requirements and
management plan constraints (e.g., schedule, funding, logistics, and contractual restrictions).
Note: The risk management plan needs to be consistent with applicable policies,
standards, laws, and regulations.
1.3 Tailor methods and tools Adapt the risk management methods and tools (e.g., procedures, criteria,
worksheets, automated support tools, databases) for the specific application of risk
management (e.g., program, organization, technology).
1.4 Train personnel Ensure that all of the people who will participate in risk management are able to
effectively perform their assigned roles and responsibilities.
18 | CMU/SEI-2010-TR-017
5 Perform Risk Management Activities (Phase 2)
Description In this phase, risk management activities are performed as planned.
What risks could affect the achievement of key program objectives?

How will each risk be addressed?
What needs to be done to ensure that each risk is maintained within an
acceptable tolerance over time?
Is each mitigation plan having its intended effect?
Constraints
PO1 Stakeholder Sponsorship
PO2 Risk Management Plan
Outputs
O1 Risk Statement
O2 Context
Phase 2 O3 Probability
Input Perform risk O4 Impact
I1 Concerns management O5 Risk Exposure
activities O6 Risk Profile
O7 Mitigation Approach
O8 Mitigation Plan
O9 Executed Mitigation Plan
Resources O10 Tracking Data
PO3 Risk Sources O11 Tracking Decision
PO4 Risk Management Criteria
PO5 Tailored Methods and Tools
PO6 Trained Personnel
19 | CMU/SEI-2010-TR-017
Input The following is the input to this phase.
Input Description
I1 Concerns Doubts, worries, and unease about how current conditions and potential events
might adversely affect the ability to achieve key objectives
Constraints The following are the constraints for this phase.7
PO1 Stakeholder Active and visible support of risk management by key stakeholders and decision
Sponsorship makers.
activity
7
Constraints affect all activities performed during Phase 2. Similarly, resources are used to aid the completion of all
activities performed during Phase 2. The definitions for all Phase 2 constraints and resources are provided in this sec-
tion only. They are not replicated in the sections for individual Phase 2 activities.
20 | CMU/SEI-2010-TR-017
PO3 Risk Sources The causes of risk that will be assessed (this should be kept current)
PO4 Risk Management The parameters used when managing risks, including
Criteria  probability, impact, and risk exposure criteria
 decision-making criteria (e.g., for prioritizing risks during mitigation or deciding
when to escalate risks within a program or organization)
 criteria that establish risk tolerance
 criteria for communicating with collaborators and partners as well as with senior
management
PO5 Tailored Methods and The methods and tools that will be used when conducting risk management,
Tools including procedures, criteria, worksheets, automated support tools, and databases.
Methods and tools are usually tailored from a standard set for a specific application
of risk management (e.g., program, organization, technology).
PO6 Trained Personnel The people who are tasked with performing risk management activities and are
prepared to conduct them
Outputs The following are the outputs of this phase.8
Output Description
O1 Risk Statement A succinct and unique description of a risk. Risk statements typically describe (1) a
circumstance with the potential to produce loss (i.e., threat) and (2) the loss that will
occur if that circumstance is realized (i.e., consequence).
Note: A risk statement does not have to be documented using text. For example, a
graphical expression or model can also be used to provide a succinct and unique
description of a risk.
O2 Context Additional information essential for characterizing a risk, including any relevant
background information about the risk, elaborations about the threat and
consequence, any aggravating or mitigating conditions, and relationships and
dependencies with other risks
O3 Probability A measure of the likelihood that a risk will occur
O4 Impact A measure of the severity of a risk’s consequence if the risk were to occur
O5 Risk Exposure A measure of the magnitude of a risk based on current values of probability and
impact
8
Outputs O1 through O5 will exist for each risk that is identified. Output O6 provides a snapshot of all risks that are
identified. Output O7 will exist for each risk that is identified. Finally, outputs O8 through O11 will exit for each risk that
is being actively mitigated.
21 | CMU/SEI-2010-TR-017
Output Description
06 Risk Profile A snapshot or summary of all risks relevant to the specific application of risk
management (e.g., program, organization, technology)
O7 Mitigation Approach A strategy for addressing a risk. Examples of common mitigation approaches include
 accept—If a risk occurs, its consequences will be tolerated; no proactive action
to address the risk will be taken. When a risk is accepted, the rationale for
doing so is documented.
 transfer—A risk is shifted to another party (e.g., through insurance or
outsourcing).
 avoid—Activities are restructured to eliminate the possibility of a risk occurring.
 control—Actions are implemented in an attempt to reduce or contain a risk.
O8 Mitigation Plan A set of actions for implementing the selected mitigation approach. Examples of
items commonly found in a mitigation plan include
 objectives of the plan
 resources allocated to the plan
 responsibility for completing each action in the plan
 a schedule for completing all actions in the plan
 the funding allocated to performing the plan’s actions
 measures for tracking the execution of the plan (in relation to the schedule and
cost) and the effectiveness of the plan
 a contingency plan and triggers when appropriate
Note: Changes in probability, impact, and risk exposure (i.e., residual risk) are often
used to track a plan’s effectiveness.
O9 Executed Mitigation Plan A set of completed actions (as outlined in a mitigation plan)
O10 Tracking Data Specific data that are gathered when monitoring the progress of a mitigation plan
O11 Tracking Decision Reaching a conclusion or determination about what action(s) to take related to a
mitigation plan. Examples of common tracking decisions include
 continue implementing the mitigation plan as intended
 modify the mitigation approach and develop a new plan as appropriate
 modify the mitigation plan
 implement the contingency plan (if one exists)
 close the risk
22 | CMU/SEI-2010-TR-017
Importance of Open Effective communication among all stakeholders ensures that information,
Communication plans, actions, concerns, and progress are known. Risk communication is
not a separate activity; it is embedded in all other risk management activi-
ties. The importance of communication is highlighted by its emphasis in the
risk management plan, where a communication framework for sharing risk
information among key stakeholders is documented.
Success cannot be achieved if risk information is not communicated to and

understood by the organization’s decision makers and stakeholders. Open
communication requires
risk management activities that are built upon collaborative approaches

encouraging exchanges of risk information among all levels of an or-
ganization
using consensus-based processes that value the individual voice
2.1 Assess risk Transform concerns into distinct, tangible risks that are explicitly documented and
measured
2.2 Plan for risk mitigation Determine an approach for addressing or mitigating each risk, and produce a plan
for implementing the approach
2.3 Mitigate risk Deal with each risk by implementing its defined mitigation plan and tracking it to
completion
23 | CMU/SEI-2010-TR-017
5.1 Assess Risk (Activity 2.1)
Description This activity transforms concerns into distinct, tangible risks that are expli-
citly documented and measured. Assessing risk is an activity that is per-
formed continually.
Key Questions This activity answers the following questions:
What is the statement of risk?

What additional information is important for understanding this risk?
— What are the root causes of the risk?
— What conditions aggravate or mitigate the risk?
— What are the relationships and dependencies with other risks?
What is the likelihood that the risk will occur?
What is the severity of the impact if the risk were to occur?
What is the magnitude of a risk exposure based on current values of
probability and impact?
What is the current snapshot or profile of all risks?
Dataflow The following dataflow describes the inputs and outputs of this activity.
Outputs
O1 Risk Statement
Input O2 Context
Activity 2.1 O3 Probability
I1 Concerns Assess risk O4 Impact
O5 Risk Exposure
O6 Risk Profile
Figure 7: Dataflow for Activity 2.1
24 | CMU/SEI-2010-TR-017
Input The following is the input to this activity.
Input Description
I1 Concerns Doubts, worries, and unease about how current conditions and potential events
might adversely affect the ability to achieve key objectives
Outputs The following are the outputs of this activity.
Output Description
impact
Activity Triggers The following situations will trigger this activity:
A risk evaluation, appraisal, or audit is scheduled to be performed.

Someone raises a new concern that could affect the ability to achieve key
objectives.
Conditions indicate a potential change in the current risk profile.
A tracking decision requires a risk to be reassessed.
25 | CMU/SEI-2010-TR-017
Sub-Activities The following table describes the sub-activities performed when conduct-
ing this activity.
Sub-Activity Description Outputs
2.1.1 Identify risk A concern is transformed into a distinct, tangible risk that O1 Risk Statement
can be described and measured.
O2 Context
Note: Risks that are related can be grouped to provide an
aggregate view of risk to objectives. A risk statement for
the group is documented, and the statement for the group
is carried forward in the rest of the risk management
activities.9 Aggregating risks in this manner helps keep the
total number of risks to a manageable level without losing
the broader view.
2.1.2 Analyze risk The risk is evaluated in relation to predefined criteria to O3 Probability
determine its probability, impact, and risk exposure. O4 Impact
Note: Measures for existing risks must be re-evaluated on
O5 Risk Exposure
a periodic basis.
Note: Some risk management methods include timeframe
as a risk measure. Timeframe is the period when action is
required in order to mitigate a risk. However, timeframe is
not a standard risk measure; many methods do not use it.
For this reason, it is not included as a standard output in
the framework.
2.1.3 Develop risk profile A snapshot or summary of all risks relevant to the specific O6 Risk Profile
application of risk management (e.g., program,
organization, or technology) is developed and
documented. The risk profile should be shared with all
relevant stakeholders as appropriate.
9
When multiple risks are grouped into an aggregate risk, a new risk statement is documented for the aggregate risk.
The aggregate risk is handled the same as other risks from this point forward in the process.
26 | CMU/SEI-2010-TR-017
5.2 Plan for Risk Mitigation (Activity 2.2)
Description This activity determines an approach for addressing or mitigating a risk,

and produces a plan for implementing the approach.
Key Questions This activity answers the following questions for each risk:
How will the risk be addressed?

What is the plan for mitigating the risk?
— What are the objectives of the mitigation plan?
— Who is responsible for completing each action in the plan?
— When will each action be completed?
— How much funding is allocated to executing the plan?
— What are the requirements for tracking the risk mitigating plan’s ex-
ecution and effectiveness?
— Is a contingency plan needed for the risk? If so, what it the contin-
gency plan?
Inputs
O1 Risk Statement
O2 Context Activity 2.2 Outputs
O3 Probability Plan for risk O7 Mitigation Approach
O4 Impact mitigation O8 Mitigation Plan
O5 Risk Exposure
O6 Risk Profile
27 | CMU/SEI-2010-TR-017
Inputs The following are the inputs to this activity.
Input Description
impact
Output Description
outsourcing).
28 | CMU/SEI-2010-TR-017
Output Description
Activity Triggers The following situations will trigger this activity:
A risk has been assessed (or reassessed).

A tracking decision
— changes the mitigation approach
— calls for a new or modified mitigation plan
ing this activity.
2.2.1 Determine mitigation The strategy for addressing a risk is based on the current O7 Mitigation
approach measures for the risk (i.e., probability, impact, and risk Approach
exposure). Decision-making criteria (e.g., for prioritizing
risks during mitigation or deciding when to escalate risks
within a program or organization) may also be used to help
determine the appropriate strategy for addressing a risk.
Common mitigation approaches include
 accept—If a risk occurs, its consequences will be
tolerated; no proactive action to address the risk will
be taken. When a risk is accepted, the rationale for
 transfer—A risk is shifted to another party (e.g.,
through insurance or outsourcing).
 avoid—Activities are restructured to eliminate the
possibility of a risk occurring.
 control—Actions are implemented in an attempt to
reduce or contain a risk.
Mitigation approaches should be shared with all relevant
stakeholders as appropriate.
29 | CMU/SEI-2010-TR-017
2.2.2 Develop mitigation plan A mitigation plan is defined and documented. Mitigation O8 Mitigation Plan
plans should be shared with all relevant stakeholders as
appropriate.
Note: More than one risk might share a common root
cause. Relationships between risks (including those within
an aggregate risk or between the smaller risks in different
aggregate groups) can point to more effective mitigation
actions. Mitigation actions should maximize the return on
investment for resources.
30 | CMU/SEI-2010-TR-017
5.3 Mitigate Risk (Activity 2.3)
Description This activity deals with the risk by implementing the defined mitigation
plan and tracking it to completion.
Key Questions This activity answers the following questions for each mitigation plan:
Is the mitigation plan being implemented as planned?

Is the mitigation plan having its intended effect?
Based on tracking data, do any corrective actions need to be taken?
Inputs
O1 Risk Statement
O2 Context Outputs
O3 Probability O9 Executed Mitigation Plan
Activity 2.3
O4 Impact O10 Tracking Data
Mitigate risk
O5 Risk Exposure O11 Tracking Decision
O6 Risk Profile
O7 Mitigation Approach
O8 Mitigation Plan
Inputs The following are the inputs to this activity.
Input Description
31 | CMU/SEI-2010-TR-017
Input Description
impact
outsourcing).
Output Description
O9 Executed Mitigation Plan A set of completed actions (as outlined in a mitigation plan)
O10 Tracking Data Specific data that are gathered when monitoring the progress of a mitigation plan
O11 Tracking Decision Reaching a conclusion or determination about what action(s) to take related to a
mitigation plan. Examples of common tracking decisions include
 continue implementing the mitigation plan as intended
 modify the mitigation approach and develop a new plan as appropriate
 modify the mitigation plan
 implement the contingency plan (if one exists)
 close the risk
32 | CMU/SEI-2010-TR-017
Activity Trigger The following situation will trigger this activity: a mitigation plan has been
developed or modified.
ing this activity.
2.3.1 Implement mitigation The mitigation plan (or the contingency plan) is executed O9 Executed
plan as intended. Mitigation Plan
2.3.2 Track mitigation plan The measures for tracking the action plan’s execution are O10 Tracking Data
collected and analyzed as specified in the mitigation plan.
Tracking data should be shared with all relevant
stakeholders as appropriate.
2.3.3 Make tracking decision A decision about whether to take corrective action(s) O11 Tracking
related to a risk or it’s mitigation plan is made. Tracking Decisions
decisions should be shared with all relevant stakeholders
as appropriate.
33 | CMU/SEI-2010-TR-017
34 | CMU/SEI-2010-TR-017
6 Sustain and Improve Risk Management (Phase 3)
Description In this phase, activities are performed to sustain and improve risk manage-
ment effort over time.
Which risk management assets (e.g., methods, tools) and work products
(e.g., risk profile, mitigation plans) need to be under configuration con-
trol?
What lessons were learned when preparing for risk management?
What lessons were learned when conducting risk management?
How does the risk management practice (e.g., plan, methods, tools, re-
sources, training) need to be updated or improved?
Constraint
Inputs
PI1 Stakeholder Requirements Outputs
Phase 3 SO1 Controlled Risk Management Assets and Work Products
SI1 Risk Management Results Sustain and improve
SI2 Risk Management Effectiveness Data SO2 Lessons Learned
risk management SO3 Updates to Risk Management Practice
SI3 Risk Management Practice
Resources
R1 Policies, Standards, Laws, and Regulations
R2 Standard Risk Management Practice
R3 Experienced Personnel
R4 Sustainment/Improvement Procedures
R5 Sustainment/Improvement Artifacts and Tools
PO2 Risk Management Plan
35 | CMU/SEI-2010-TR-017
Inputs The following are the inputs to this phase.
Input Description
PI1 Stakeholder The needs of the key stakeholders regarding risk management
Requirements
SI1 Risk Management All outputs and data produced when preparing for and conducting risk management,
Results including the risk management plan, risks, mitigation plans, and risk tracking data
SI2 Risk Management Specific data that are gathered to evaluate the effectiveness of the risk management
Effectiveness Data practice
SI3 Risk Management The accepted approach for performing risk management activities, including the risk
Practice management plan, methods, tools, resources, and training
Constraint The following is the constraint for this phase.
R1 Policies, Standards, Any informative policies, standards, laws, and regulations that guide the
Laws, and Regulations implementation of the risk management practice
R2 Standard Risk The accepted practice for implementing risk management, including methods, tools,
Management Practice procedures, criteria, worksheets, automated support tools, and databases. The
standard risk management practice must be tailored for each specific application of
risk management (e.g., program, organization, technology).
R3 Experienced Personnel A core group of people who are collectively experienced in all phases of risk
management. Risk management roles and responsibilities for these people are
defined, and they have received training that is appropriate for their roles and
responsibilities.
R4 Sustainment/ Documentation that describes how to conduct sustainment and improvement

Improvement Procedures activities
R5 Sustainment/ Basic items that can be used when conducting sustainment and improvement
Improvement Artifacts and activities, including templates, worksheets, standard presentations, automated tools,
Tools and databases
36 | CMU/SEI-2010-TR-017
activity
Outputs The following are the outputs of this phase.
Output Description
SO1 Controlled Risk Selected risk management assets (e.g., methods, tools) and work products (e.g., risk
Management Assets and profile, mitigation plans) that are under configuration control
Work Products
SO2 Lessons Learned Knowledge gained by preparing for and conducting risk management activities that
can be used to modify and improve the risk management practice
SO3 Updates to Risk Any changes to the risk management practice (e.g., changes to the risk
Management Practice management plan, methods, tools, resources, training ) to improve the efficiency and
effectiveness of its application
37 | CMU/SEI-2010-TR-017
3.1 Manage risk Place designated assets (e.g., methods, tools) and work products (e.g., risk profile,
management assets and mitigation plans) of the risk management practice under appropriate levels of
work products control.
3.2 Evaluate effectiveness of Analyze risk management results and effectiveness measures (as specified in the
risk management practice risk management plan) to identify and document lessons learned regarding the
strengths and weaknesses of the risk management practice (e.g., risk management
plan, methods, tools, resources, training).
3.3 Implement improvements Make identified changes to the risk management practice (e.g., changes to the risk
to risk management practice management plan, methods, tools, resources, training) based on lessons learned.
38 | CMU/SEI-2010-TR-017
7 Framework Requirements
Framework Framework requirements define criteria that are used to establish confor-
Requirements mance with the Risk Management Framework. A requirement is specified
for each output in the framework. Requirements are presented for the fol-
lowing phases and activities:
Phase 1: Prepare for Risk Management

The appendix of this document provides a set of worksheets for evaluating

a risk management practice against the framework requirements.
Phase 1 The following are the framework requirements for Phase 1: Prepare for
Requirements Risk Management.
Requirement Related Output
REQ 1 Support of risk management by key stakeholders is tangible, active, and PO1 Stakeholder
visible. Sponsorship
Examples of sponsorship
Organizational policies; memos from senior management; resources;
funding; risks discussed at management meetings
REQ 2 A risk management plan is defined, documented, and approved. PO2 Risk Management
Plan
Examples of plan content
Objectives; scope; resources; descriptions of methods and tools;
sources of risk; risk management criteria; communication framework;
schedule and triggers for conducting evaluations; effectiveness
measures
39 | CMU/SEI-2010-TR-017
REQ 3 Risk sources are defined, documented, and kept current. PO3 Risk Sources
Examples of documents containing risk sources
Publicly available lists and taxonomies; domain-specific lists and
taxonomies; organizational lists and taxonomies
Examples of risk categories
Program management, technical, organizational, infrastructure, support
services, and product
REQ 4 Risk management criteria are defined and documented. PO4 Risk Management
Criteria
Examples of risk management criteria
Probability, impact, and risk exposure criteria; decision-making criteria
(e.g., for escalation or prioritization); criteria that establish risk tolerance;
criteria for communicating with collaborators, partners, subcontractors,
suppliers, customers, and other stakeholders
REQ 5 Methods and tools used to support risk management activities have PO5 Tailored Methods
been appropriately tailored for use. and Tools
Examples of methods and tools
Procedures for conducting risk management activities; risk
management criteria; risk sources; worksheets; automated support
tools; report generators; databases
REQ 6 People who perform risk management activities are prepared to conduct PO6 Trained Personnel
them.
Examples of people who need training
Managers, technical leads, and staff who participate in risk
management activities; risk manager; risk database administrator
Examples of types of training
Awareness training; method training; tool training
Phase 2, Activity 2.1 The following are the framework requirements for Phase 2: Perform Risk
Requirements Management Activities, Activity 2.1: Assess Risk.
REQ 7 A risk statement is documented for each risk using a standard format. O1 Risk Statement
Examples of items that influence the format and use of risk statements
Organizational guidance for communicating, documenting, and updating
risks; requirements of methods and tools; needs of decision makers,
collaborators, partners, subcontractors, suppliers, customers, and other
stakeholders
40 | CMU/SEI-2010-TR-017
REQ 8 Context is documented for each risk. O2 Context

Examples of items that influence the format and use of context
stakeholders
Examples of context
Root causes; aggravating conditions; mitigating conditions; relationships
and dependencies with other risks
REQ 9 Probability is evaluated and documented for each risk. O3 Probability

Examples of items that influence the use of probability
Probability criteria; organizational guidance for assessing probability;
requirements of methods and tools; needs of decision makers,
stakeholders
REQ 10 Impact is evaluated and documented for each risk. O4 Impact

Examples of items that influence the use of impact
Impact criteria; organizational guidance for assessing impact;
stakeholders
REQ 11 Risk exposure is evaluated and documented for each risk. O5 Risk Exposure
Examples of items that influence the use of risk exposure
Risk exposure criteria; organizational guidance for assessing risk
exposure; requirements of methods and tools; needs of decision
makers, collaborators, partners, subcontractors, suppliers, customers,
and other stakeholders
REQ 12 A profile of all risks is developed, documented, and kept current. O6 Risk Profile
Examples of items that influence the development of a risk profile
the risk profile; requirements of methods and tools; format of risk
statements; risk profile format; needs of decision makers, collaborators,
partners, subcontractors, suppliers, customers, and other stakeholders
41 | CMU/SEI-2010-TR-017
Requirements Management Activities, Activity 2.2: Plan for Risk Mitigation.
REQ 13 A mitigation approach is established and documented for each risk. O7 Mitigation Approach
Examples of items that influence selection of a mitigation approach
a mitigation approach; requirements of methods and tools; needs of
decision makers, collaborators, partners, subcontractors, suppliers,
customers, and other stakeholders; risk tolerance; decision-making
criteria
Examples of common mitigation approaches
Accept a risk and take no action; transfer a risk to another party;
restructure activities to avoid a risk by eliminating the possibility of it
occurring; take action to reduce or contain a risk
REQ 14 A mitigation plan is defined and documented for each risk that is O8 Mitigation Plan
actively being addressed.
Examples of items that influence development of a mitigation plan
a mitigation plan; requirements of methods and tools; needs of decision
and other stakeholders; risk tolerance
Examples of a mitigation plan’s content
Objectives for the plan; resources responsible for completing each
action; schedule for completing all actions; funding allocated to
performing the plan’s actions; measures for tracking the execution of
the plan (in relation to the schedule and cost); measures for tracking the
effectiveness of the plan; a contingency plan and triggers when
appropriate
Requirements Management Activities, Activity 2.3: Mitigate Risk.
REQ 15 Mitigation plans are implemented as intended (unless circumstances O9 Executed Mitigation
force a change in direction). Plan
Examples of items that influence plan execution
Resources available for plan execution; funding allocated to the plan;
responsibility for implementing the plan; authority for implementing plan;
verification of completion; visible support of management
Examples of data that can be used to evaluate plan implementation
Tracking measures for effectiveness and efficiency of mitigation plan
execution; tracking measures for verifying plan completion; triggers for
contingency or alternate plans
42 | CMU/SEI-2010-TR-017
REQ 16 Data for tracking mitigation plans are collected, analyzed, documented, O10 Tracking Data
and reported.
Examples of items that influence collection of tracking data
Organizational guidance for selecting tracking measures; organizational
guidance for communicating, documenting, and updating tracking data;
stakeholders; approach for collecting measurement data; approach for
analyzing measurement data; frequency requirements for collecting
tracking data
Examples of types of tracking measures
REQ 17 Tracking decisions for mitigation plans are documented appropriately. O11 Tracking Decisions
Examples of items that influence tracking decisions
tracking decisions; requirements for approving tracking decisions;
stakeholders; decision-making criteria
Examples of common tracking decisions
Modify the mitigation approach and develop a new plan; modify an
existing mitigation plan; implement a contingency plan; close a risk
Phase 3 The following are the framework requirements for Phase 3: Sustain and
Requirements Improve Risk Management.
REQ 18 Selected risk management assets and work products are under SO1 Controlled Risk
configuration control. Management Assets
Examples of assets under configuration control and Work Products
Risk management plan; methods and tools; risk sources, risk criteria
Examples of work products under configuration control
Risk profile; mitigation plans; tracking decisions; status reports
REQ 19 Lessons learned are collected and documented for the risk SO3 Lessons Learned
management practice.
Examples of items that influence lessons learned
Requirements for developing lessons learned; needs of decision
and other stakeholders; types of effectiveness measures collected for
the risk management practice; strengths of the risk management
practice; weaknesses of the risk management practice; changes in best
practices; new standards or changes to existing standards or
regulations; new methods and tools or changes to existing methods and
tools
43 | CMU/SEI-2010-TR-017
REQ 20 The risk management practice is updated as appropriate based on SO3 Updates to Risk
lessons learned. Management
Examples of items that influence how lessons are incorporated Practice
Change management process; organizational guidance for managing
change; needs of decision makers, collaborators, partners,
subcontractors, suppliers, customers, and other stakeholders
Examples of items that could be updated or changed
Risk management plan; funding for risk management; methods; tools;
resources; training
44 | CMU/SEI-2010-TR-017
Appendix: Evaluating a Risk Management Practice
This appendix provides a set of worksheets that can be used to evaluate a risk management practice and
establish conformance with the Risk Management Framework. Conformance is established through sa-
tisfaction of the framework requirements. Non-conformance to any requirement generally indicates a
less effective and potentially inadequate risk management practice.
Directions:
You must complete the following two steps when evaluating each requirement.
1. Evaluate each requirement in the checklist by checking the most appropriate box. The
following table defines the range of responses for each requirement.
Response Definition
Satisfied The requirement is met by the risk management practice.
The requirement is partially met by the risk management practice. Some aspects of the
Partially Satisfied
requirement are not met satisfactorily.
Unsatisfied The requirement is not met by the risk management practice.
Don’t Know More information is needed to evaluate the requirement.
2. After you evaluate each requirement, document the rationale for your response in
the space provided. Note where your response is based on objective data and where
it is based on more subjective data, such as opinions.
45 | CMU/SEI-2010-TR-017
Evaluation: Framework Requirements
Requirement Response
Stakeholder Sponsorship
1. Support of risk management by key stakeholders is tangible,  Satisfied
active, and visible.
 Partially Satisfied
Examples of sponsorship
Organizational policies; memos from senior management; resources;  Unsatisfied
funding; risks discussed at management meetings
 Don’t Know
Risk Management Plan

2. A risk management plan is defined, documented, and approved.  Satisfied
Examples of plan content  Partially Satisfied

Objectives; scope; resources; descriptions of methods and tools;
sources of risk; risk management criteria; communication framework;  Unsatisfied
schedule and triggers for conducting evaluations; effectiveness
measures
 Don’t Know
Risk Sources
3. Risk sources are defined, documented, and kept current.  Satisfied
Examples of documents containing risk sources  Unsatisfied

Publicly available lists and taxonomies; domain-specific lists and
taxonomies; organizational lists and taxonomies  Partially Satisfied
Examples of risk categories
Program management, technical, organizational, infrastructure, support  Don’t Know
services, and product
Risk Management Criteria

4. Risk management criteria are defined and documented.  Satisfied
Examples of risk management criteria  Unsatisfied

Probability, impact, and risk exposure criteria; decision-making criteria
(e.g., for escalation or prioritization); criteria that establish risk tolerance;  Partially Satisfied
criteria for communicating with collaborators, partners, subcontractors,
suppliers, customers, and other stakeholders  Don’t Know
46 | CMU/SEI-2010-TR-017
Evaluation: Framework Requirements
Rationale
Stakeholder Sponsorship
1.
Risk Management Plan

2.
Risk Sources
3.
Risk Management Criteria

4.
47 | CMU/SEI-2010-TR-017
Evaluation: Framework Requirements (continued)
Tailored Methods and Tools

5. Methods and tools used to support risk management activities  Satisfied
have been appropriately tailored for use.
Examples of methods and tools
Procedures for conducting risk management activities; risk management  Unsatisfied
criteria; risk sources; worksheets; automated support tools; report
generators; databases  Don’t Know
Trained Personnel
6. People who perform risk management activities are prepared to  Satisfied
conduct them.
Examples of people who need training
Managers, technical leads, and staff who participate in risk management  Unsatisfied
activities; risk manager; risk database administrator
Examples of types of training  Don’t Know
Awareness training; method training; tool training
Risk Statement
7. A risk statement is documented for each risk using a standard  Satisfied
format.
 Unsatisfied
Examples of items that influence the format and use of risk statements
Organizational guidance for communicating, documenting, and updating  Partially Satisfied
collaborators, partners, subcontractors, suppliers, customers, and other  Don’t Know
stakeholders
Context
8. Context is documented for each risk.  Satisfied
Examples of items that influence the format and use of context  Unsatisfied
risks; requirements of methods and tools; needs of decision makers,  Partially Satisfied
stakeholders  Don’t Know
Examples of context
Root causes; aggravating conditions; mitigating conditions; relationships
and dependencies with other risks
48 | CMU/SEI-2010-TR-017
Rationale
Tailored Methods and Tools

5.
Trained Personnel
6.
Risk Statement
7.
Context
8.
49 | CMU/SEI-2010-TR-017
Probability
9. Probability is evaluated and documented for each risk.  Satisfied
Examples of items that influence the use of probability  Partially Satisfied

Probability criteria; organizational guidance for assessing probability;
requirements of methods and tools; needs of decision makers,  Unsatisfied
stakeholders
 Don’t Know
Impact
10. Impact is evaluated and documented for each risk.  Satisfied
Examples of items that influence the use of impact  Partially Satisfied

Impact criteria; organizational guidance for assessing impact;
requirements of methods and tools; needs of decision makers,  Unsatisfied
stakeholders
 Don’t Know
Risk Exposure
11. Risk exposure is evaluated and documented for each risk.  Satisfied
Examples of items that influence the use of risk exposure  Unsatisfied

Risk exposure criteria; organizational guidance for assessing risk
exposure; requirements of methods and tools; needs of decision  Partially Satisfied
and other stakeholders  Don’t Know
Risk Profile
12. A profile of all risks is developed, documented, and kept current.  Satisfied
Examples of items that influence the development of a risk profile  Unsatisfied

the risk profile; requirements of methods and tools; format of risk  Partially Satisfied
statements; risk profile format; needs of decision makers, collaborators,
partners, subcontractors, suppliers, customers, and other stakeholders  Don’t Know
50 | CMU/SEI-2010-TR-017
Rationale
Probability
9.
Impact
10.
Risk Exposure
11.
Risk Profile
12.
51 | CMU/SEI-2010-TR-017
Mitigation Approach
13. A mitigation approach is established and documented for each  Satisfied
risk.
Examples of items that influence selection of a mitigation approach
Organizational guidance for communicating, documenting, and updating  Unsatisfied
a mitigation approach; requirements of methods and tools; needs of
decision makers, collaborators, partners, subcontractors, suppliers,  Don’t Know
customers, and other stakeholders; risk tolerance; decision-making
criteria
Examples of common mitigation approaches
Accept a risk and take no action; transfer a risk to another party;
restructure activities to avoid a risk by eliminating the possibility of it
occurring; take action to reduce or contain a risk
Mitigation Plan
14. A mitigation plan is defined and documented for each risk that is  Satisfied
actively being addressed.
Examples of items that influence development of a mitigation plan
a mitigation plan; requirements of methods and tools; needs of decision
makers, collaborators, partners, subcontractors, suppliers, customers,  Don’t Know
and other stakeholders; risk tolerance
Examples of a mitigation plan’s content
Objectives for the plan; resources responsible for completing each
action; schedule for completing all actions; funding allocated to
performing the plan’s actions; measures for tracking the execution of the
plan (in relation to the schedule and cost); measures for tracking the
effectiveness of the plan; a contingency plan and triggers when
appropriate
Executed Mitigation Plan

15. Mitigation plans are implemented as intended (unless  Satisfied
circumstances force a change in direction).
 Unsatisfied
Examples of items that influence plan execution
Resources available for plan execution; funding allocated to the plan;  Partially Satisfied
responsibility for implementing the plan; authority for implementing plan;
verification of completion; visible support of management  Don’t Know
Examples of data that can be used to evaluate plan implementation
52 | CMU/SEI-2010-TR-017
Rationale
Mitigation Approach
13.
Mitigation Plan
14.
Executed Mitigation Plan

15.
53 | CMU/SEI-2010-TR-017
Tracking Data
16. Data for tracking mitigation plans are collected, analyzed,  Satisfied
documented, and reported.
Examples of items that influence collection of tracking data
Organizational guidance for selecting tracking measures; organizational  Unsatisfied
guidance for communicating, documenting, and updating tracking data;
requirements of methods and tools; needs of decision makers,  Don’t Know
stakeholders; approach for collecting measurement data; approach for
analyzing measurement data; frequency requirements for collecting
tracking data
Examples of tracking measures
Tracking Decision
17. Tracking decisions for mitigation plans are documented  Satisfied
appropriately.
Examples of items that influence tracking decisions
tracking decisions; requirements for approving tracking decisions;
requirements of methods and tools; needs of decision makers,  Don’t Know
stakeholders; decision-making criteria
Examples of common tracking decisions
Modify the mitigation approach and develop a new plan; modify an
existing mitigation plan; implement a contingency plan; close a risk
Controlled Risk Management Assets and Work Products

18. Selected risk management assets and work products are under  Satisfied
configuration control.
 Unsatisfied
Examples of assets under configuration control
Risk management plan; methods and tools; risk sources; risk criteria  Partially Satisfied
Examples of work products under configuration control
Risk profile; mitigation plans; tracking decisions; status reports
 Don’t Know
54 | CMU/SEI-2010-TR-017
Rationale
Tracking Data
16.
Tracking Decision
17.
Controlled Risk Management Assets and Work Products

18.
55 | CMU/SEI-2010-TR-017
Lessons Learned
19. Lessons learned are collected and documented for the risk  Satisfied
management practice.
Examples of items that influence lessons learned
Requirements for developing lessons learned; needs of decision  Unsatisfied
and other stakeholders; types of effectiveness measures collected for  Don’t Know
the risk management practice; strengths of the risk management
practice; weaknesses of the risk management practice; changes in best
practices; new standards or changes to existing standards or
regulations; new methods and tools or changes to existing methods and
tools
Updates to Risk Management Practice

20. The risk management practice is updated as appropriate based  Satisfied
on lessons learned.
 Unsatisfied
Examples of items that influence how lessons are incorporated
Change management process; organizational guidance for managing  Partially Satisfied
change; needs of decision makers, collaborators, partners,
subcontractors, suppliers, customers, and other stakeholders  Don’t Know
Examples of items that could be updated or changed
Risk management plan; funding for risk management; methods; tools;
resources; training
56 | CMU/SEI-2010-TR-017
Rationale
Lessons Learned
19.
Updates to Risk Management Practice

20.
57 | CMU/SEI-2010-TR-017
58 | CMU/SEI-2010-TR-017
References/Bibliography
URLs are valid as of the publication date of this document.
[Alberts 2002]
Alberts, Christopher & Dorofee, Audrey. Managing Information Security Risks: The OCTAVESM Ap-
proach. Boston, MA: Addison-Wesley, 2002 (ISBN 0-321-11886-3).
www.sei.cmu.edu/library/abstracts/books/0321118863.cfm
[Alberts 2009]
Alberts, Christopher & Dorofee, Audrey. A Framework for Categorizing Key Drivers of Risk
(CMU/SEI-2009-TR-007). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University,
2009. www.sei.cmu.edu/library/abstracts/books/09tr007.cfmw
[Charette 1990]
Charette, Robert N. Application Strategies for Risk Analysis. New York, NY: McGraw-Hill Book Com-
pany, 1990.
[Dorofee 1996]
Dorofee, A.; Walker, J.; Alberts, C.; Higuera, R.; Murphy, R.; & Williams, R. Continuous Risk Man-
agement Guidebook. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1996.
www.sei.cmu.edu/library/abstracts/books/crmguidebook.cfm
[Gallagher 1999]
Gallagher, Brian. Software Acquisition Risk Management Key Process Area (KPA)—A Guidebook Ver-
sion 1.02 (CMU/SEI-99-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon
University, 1999. www.sei.cmu.edu/library/abstracts/reports/99hb001.cfm
[Gallagher 2005]
Gallagher, B.; Case, P; Creel, R.; Kushner, S.; & Williams, R. A Taxonomy of Operational Risks
(CMU/SEI-2005-TN-036). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University,
2005. www.sei.cmu.edu/library/abstracts/reports/05tn036.cfm
[Kloman 1990]
Kloman, H. F. “Risk Management Agonists.” Risk Analysis 10, 2 (June 1990): 201-205.
[Williams 1999]
Williams, R.; Pandelios, G.; & Behrens, S. Software Risk Evaluation (SRE) Method Description (Ver-
sion 2.0) (CMU/SEI-99-TR-029). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon
University, 1999. www.sei.cmu.edu/library/abstracts/reports/99tr029.cfm
59 | CMU/SEI-2010-TR-017
60 | CMU/SEI-2010-TR-017
Form Approved
REPORT DOCUMENTATION PAGE OMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, search-
ing existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regard-
ing this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters
Services, Directorate for information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of
Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.
1. AGENCY USE ONLY 2. REPORT DATE 3. REPORT TYPE AND DATES
COVERED
(Leave Blank) August 2010
Final
4. TITLE AND SUBTITLE 5. FUNDING NUMBERS
Risk Management Framework FA8721-05-C-0003
6. AUTHOR(S)
Christopher J. Alberts and Audrey J. Dorofee
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION
REPORT NUMBER
Software Engineering Institute
Carnegie Mellon University CMU/SEI-2010-TR-017
Pittsburgh, PA 15213
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING
AGENCY REPORT NUMBER
HQ ESC/XPK
5 Eglin Street ESC-TR-2010-017
Hanscom AFB, MA 01731-2116
11. SUPPLEMENTARY NOTES
12A DISTRIBUTION/AVAILABILITY STATEMENT 12B DISTRIBUTION CODE

Unclassified/Unlimited, DTIC, NTIS
13. ABSTRACT (MAXIMUM 200 WORDS)
Although most programs and organizations use risk management when developing and operating software-reliant systems, preventable
failures continue to occur at an alarming rate. In many instances, the root causes of these preventable failures can be traced to weak-
nesses in the risk management practices employed by those programs and organizations. To help improve existing risk management
practices, Carnegie Mellon University Software Engineering Institute (SEI) researchers undertook a project to define what constitutes
best practice for risk management. The SEI has conducted research and development in the area of risk management since the early
1990s. Past SEI research has applied risk management methods, tools, and techniques across the life cycle (including acquisition, de-
velopment, and operations) and has examined various types of risk, including software development risk, system acquisition risk, opera-
tional risk, mission risk, and information security risk, among others.
In this technical report, SEI researchers have codified this experience and expertise by specifying (1) a Risk Management Framework
that documents accepted best practice for risk management and (2) an approach for evaluating a program’s or organization’s risk man-
agement practice in relation to the framework.
14. SUBJECT TERMS 15. NUMBER OF PAGES
risk, risk analysis, risk management, risk management framework 72
16. PRICE CODE
17. SECURITY CLASSIFICATION OF 18. SECURITY CLASSIFICATION 19. SECURITY CLASSIFICATION 20. LIMITATION OF
REPORT OF THIS PAGE OF ABSTRACT ABSTRACT
Unclassified Unclassified Unclassified UL
NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18
298-102

Risk Management Framework

Uploaded by

Copyright:

Available Formats

Risk Management Framework

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Risk Management Framework

Uploaded by

Copyright:

Available Formats

Risk Management Framework

Acquisition Support Program

SEI Administrative Agent

Copyright 2010 Carnegie Mellon University.

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS

2 Risk Management Concepts 5

4 Prepare for Risk Management (Phase 1) 15

5 Perform Risk Management Activities (Phase 2) 19

6 Sustain and Improve Risk Management (Phase 3) 35

Appendix: Evaluating a Risk Management Practice 45

Figure 1: Components of Risk 6

Figure 2: Risk Management Activities 7

Figure 3: Framework Structure 9

Figure 4: Structure of Dataflow Diagrams 11

Figure 5: Dataflow for Phase 1 15

Figure 6: Dataflow for Phase 2 19

Figure 7: Dataflow for Activity 2.1 24

Figure 8: Dataflow for Activity 2.2 27

Figure 9: Dataflow for Activity 2.3 31

Figure 10: Dataflow for Phase 3 35

significant gaps in the risk management practices employed by programs

To help improve existing risk management practices, Carnegie Mellon

a Risk Management Framework that documents accepted best practice

foundation for a comprehensive risk management methodology

learning about what constitutes best practice in risk management

1. The potential for loss must exist.

Figure 1: Components of Risk

continuously assessing what could go wrong (i.e., assessing risks)

Figure 2: Risk Management Activities

creating a circumstance that produces a new threat

Phase 1 Phase 2 Phase 3

Figure 3: Framework Structure

description of the phase

Activity 2.1: Assess Risk

description of the activity

Inputs Framework Phase Outputs Inputs Framework Activity Outputs

Note: Activity diagrams are

Figure 4: Structure of Dataflow Diagrams

Note that dataflow diagrams include the following four elements:

inputs—items that are used by a phase or activity to produce an output or

In the Risk Management Framework, dataflow diagrams for activities are

C1 is the first risk management constraint (affects all phases).

The prefixes used in the dataflow diagrams are listed in Table 1.

Table 1: Prefixes Used in the Dataflow Diagrams

Phase 1 PI is an input to preparation activities.

PO is an output that is produced when preparation activities are

Phase 2 I is an input to the core risk management activities of Phase 2.

O is an output produced when the core risk management

PO is an output of Phase 1 that either acts as a constraint or is

Phase 3 SI is an input to sustainment and improvement activities.

SO is an output that is produced when sustainment and

Phase 1: Prepare for Risk Management

A set of worksheets that can be used to evaluate a risk management prac-

Key Questions This phase answers the following questions:

Who is sponsoring risk management?

Figure 5: Dataflow for Phase 1

Input The following is the input to this phase.

Resources The following are the resources required by this phase.

Description In this phase, risk management activities are performed as planned.

Key Questions This phase answers the following questions: