Mission Risk Diagnostic (MRD) Method Description

Although most programs and organizations use risk management when developing and operating software-reliant systems, preventable failures continue to occur at an alarming rate. In many instances, the root causes of these preventable failures can be traced to weaknesses in the risk management practices employed by those programs and organizations. In particular, Carnegie Mellon? Software Engineering Institute (SEI) field experience indicates that programs and organizations throughout government and industry are unable to assess their risks effectively. For example, SEI independent assessments routinely uncover significant risks that have not been brought to the attention of key decision makers. When decision makers are unaware of significant risks, they are unable to take action to mitigate those risks. As a result, SEI researchers undertook a project to examine and improve the practice of risk assessment. The SEI has developed the Mission Risk Diagnostic (MRD) to assess risk in interactively complex, socio-technical systems across the life cycle and supply chain. To date, the SEI has employed the MRD in a variety of domains, including software acquisition and development, cybersecurity, software security, and business portfolio management. This technical note provides an overview of the MRD method.