Risk Management
- Risk Management: the activity consisting of the cohesive collection of all tasks that are primarily performed to lower risks to acceptable levels.
As illustrated in the preceding figure, Risk Management is part of the following inheritance hierarchy:
- Type: Abstract
- Superclass: Activity
- Subclasses:
The typical responsibilities of Risk Management are to:
- Reduce risks to levels that are acceptable to major stakeholders.
- Identify and understand the major risks.
- Avoid the risks that can be avoided.
- Mitigate the impact of risks that cannot be avoided.
Risk Management may typically begin when the following preconditions hold:
- The endeavor has started.
- The system, application, or center exists.
- At least one of the associated teams is:
  - Initially staffed.
  - Adequately trained in risk management tasks and techniques.
Risk Management is typically complete when the following postconditions hold:
- The endeavor has completed.
- The system, application, or center has been retired.
Risk Management typically involves the following teams performing the following tasks in an iterative, incremental, parallel, and time-boxed manner:
- The endeavor or center team(s), which perform:
Risk Management is typically performed using the following environment(s) and associated tools:
Risk Management typically results in the production of all or part of the following management work products:
Risk Management tasks are typically performed during the following phases:
| Phase | Relevant Tasks |
| --- | --- |
| Business Strategy | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Business Optimization | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Initiation | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Construction | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Initial Production | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Full-Scale Production | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Delivery | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Usage | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
| Retirement | Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring |
- Not having an effective risk management program is a major source of risk.
- Some managers create a climate where risk is a “four-letter word” that must not be said. Engineers on such endeavors are pressured into using words like ‘concern’ or ‘issue’ instead of risk. Their risk repository contains few risks, and these risks tend to be at a very high and vague level of abstraction. However, avoiding talking about risks does not make them go away.
- Risk management should be everyone’s business, not just the responsibility of some manager or technical leader.
- A repeatable risk management activity with well-defined tasks and work products is a major approach to risk avoidance and mitigation.
- Risk management overlaps safety and security engineering because many important risks are safety or security risks.
- It is typically better to avoid a risk than to mitigate its damage once it has occurred.
- Risks can be divided into the following categories:
  - Business Risks:
    - Requirements Scope Creep
    - Changing Market Pressures
    - Loss of Market Share
    - Bad Public Relations
    - Loss of Life or Property
    - Litigation
  - Financial Risks:
    - Cost Overrun
    - Inadequate Cost Estimates
  - Resource Risks:
    - Inadequate Staffing
    - Inadequately Trained Staff
    - Inadequate Staff Productivity
    - Inadequate Development Tools
  - Schedule Risks:
    - Unrealistic Schedule
    - Inadequate Schedule Estimates
    - Upgrades to COTS components and tools not available when promised (vaporware)
    - Excessive Time To Market
  - Technical Risks:
    - The application will not provide all required functionality.
    - The application’s transactions will not be auditable.
    - The application will not adequately support internationalization.
    - The application will not provide personalization.
    - The application will contain excessive defects.
    - The application’s outputs will be inadequately accurate or precise.
- This activity is documented using the typical configuration for large projects. It is intended to be configured (i.e., instantiated, extended, and tailored) to meet the needs of specific projects.
- The preconditions of this activity should be the union of the preconditions of its constituent tasks.
- The completion criteria for this activity should be the union of the postconditions of its constituent tasks.