Risk Management Framework

Although most programs and organizations use risk management when developing and operating software- reliant systems, preventable failures continue to occur at an alarming rate. In many instances, the root causes of these preventable failures can be traced to weaknesses in the risk management practices employed by those programs and organizations. To help improve existing risk management practices, Carnegie Mellon University Software Engineering Institute (SEI) researchers undertook a project to define what constitutes best practice for risk management. The SEI has conducted research and development in the area of risk management since the early 1990s. Past SEI research has applied risk management methods, tools, and techniques across the life cycle (including acquisition, development, and operations) and has examined various types of risk, including software development risk, system acquisition risk, operational risk, mission risk, and information security risk, among others. In this technical report, SEI researchers have codified this experience and expertise by specifying (1) a Risk Management Framework that documents accepted best practice for risk management and (2) an approach for evaluating a program’s or organization’s risk management practice in relation to the framework.