Summary

The purpose of Risk Management (RSKM) is to identify potential problems before they occur so that risk handling activities can be planned and invoked as needed across the life of the product or work to mitigate adverse impacts on achieving objectives.

Description

Risk management is a continuous, forward-looking process that is an important part of work management. Risk management should address issues that could endanger achievement of critical objectives. A continuous risk management approach effectively anticipates and mitigates risks that can have a critical impact on work activities.

Effective risk management includes early and aggressive risk identification through collaboration and the involvement of relevant stakeholders as described in the stakeholder involvement plan addressed in the Work Planning process area. Strong leadership among all relevant stakeholders is needed to establish an environment for free and open disclosure and discussion of risk.

Risk management should consider both internal and external, as well as both technical and non-technical, sources of cost, schedule, performance, and other risks. Early and aggressive detection of risk is important because it is typically easier, less costly, and less disruptive to make changes and correct work efforts during the earlier, rather than the later, phases of the work lifecycle.

For example, decisions related to service system architecture are often made early before their impacts can be fully understood, and thus the risk implications of such choices should be carefully considered.

Industry standards can help when determining how to prevent or mitigate specific risks commonly found in a particular industry. Certain risks can be proactively managed or mitigated by reviewing industry best practices and lessons learned.

Risk management can be divided into the following parts:

  • Defining a risk management strategy
  • Identifying and analyzing risks
  • Handling identified risks, including the implementation of risk mitigation plans as needed
As represented in the Work Planning and Work Monitoring and Control process areas, organizations initially may focus on risk identification for awareness and react to the realization of these risks as they occur. The Risk Management process area describes an evolution of these specific practices to systematically plan, anticipate, and mitigate risks to proactively minimize their impact on the work.

Although the primary emphasis of the Risk Management process area is on the work or work group, these concepts can also be applied to manage organizational risks.

References

Refer to the Service Continuity (SCON) (CMMI-SVC) process area for more information about establishing and maintaining plans to ensure continuity of services during and following any significant disruption of normal operations.
Refer to the Decision Analysis and Resolution (DAR) (CMMI-SVC) process area for more information about analyzing possible decisions using a formal evaluation process that evaluates identified alternatives against established criteria.
Refer to the Work Monitoring and Control (WMC) (CMMI-SVC) process area for more information about monitoring risks.
Refer to the Work Planning (WP) (CMMI-SVC) process area for more information about identifying risks and planning stakeholder involvement.

Contains

  • RSKM.SG 1 Prepare for Risk Management
    Preparation for risk management is conducted.
  • RSKM.SG 2 Identify and Analyze Risks
    Risks are identified and analyzed to determine their relative importance.
  • RSKM.SG 3 Mitigate Risks
    Risks are handled and mitigated as appropriate to reduce adverse impacts on achieving objectives.