A Taxonomy of Operational Risks

In 1993, the Carnegie Mellon Software Engineering Institute (SEI) developed a taxonomy-based method for facilitating the systematic and repeatable identification of risks associated with the development of a software-dependent project. Since then, this method has also been used in the Software Risk Evaluation process to identify risks associated with the development of software-intensive systems. Recently, organizations that employ software-intensive systems have requested that the SEI help identify a baseline set of risks associated with missions performed at operational sites (e.g., satellite ground stations, military units, customer service units). While the concepts embodied in the software-based taxonomy apply in this context, the taxonomy presented in this report has been constructed to better suit an operational environment. This report presents a taxonomy-based method for identifying and classifying risks to operational aspects of an enterprise. It defines the key sources of risk associated with the mission, work processes, and constraints of an operational organization and establishes a structure for representing operational risks by grouping them into distinct classes, elements, and attributes. In addition, the appendix of this report contains a short taxonomy-based questionnaire that can be used by personnel at operational sites to identify and categorize risks.