MEU

Risk management

Oday Manhal Hadadden

What is risk management?

Risk Management Strategy

Risk is defined as being the threat that an event or action will adversely affect an organization's ability to achieve its objectives and to successfully execute its strategies. Risk Management is defined as the process by which risks are identified, evaluated and controlled. The Council recognizes it has a responsibility to manage both internal and external risks as a key component of good corporate governance and is committed to embedding risk management into the daily operations of the Council from the setting of objectives, to service and financial planning through to departmental processes. It believes that effective risk management will help the Council achieve its corporate objectives and provide better services.

Risk management ensures that an organization identifies and understands the risks to which it is exposed. Risk management also guarantees that the organization creates and implements an effective plan to prevent losses or reduce the impact if a loss occurs. A risk management plan includes strategies and techniques for recognizing and confronting these threats. Good risk management doesnt have to be expensive or time consuming; it may be as uncomplicated as answering these three questions: 1. What can go wrong? 2. What will we do, both to prevent the harm from occurring and in response to the harm or loss? 3. If something happens, how will we pay for it?

And it is a systematic process for the identification and evaluation of loss exposures faced by an organization or individual and for the selection and administration of the most appropriate

techniques for treating such exposures, including

Avoidance Retention Loss prevention Loss reduction Transfer contractually Transfer through insurance

Risk management provides a clear and structured approach to identifying risks. Having a clear understanding of all risks allows an organization to measure and prioritize them and take the appropriate actions to reduce losses. Risk management has other benefits for an organization, including:

Saving resources: Time, assets, income, property and people are all valuable resources that can be saved if fewer claims occur. Protecting the reputation and public image of the organization. Preventing or reducing legal liability and increasing the stability of operations. Protecting people from harm. Protecting the environment. Enhancing the ability to prepare for various circumstances. Reducing liabilities. Assisting in clearly defining insurance needs.

An effective risk management practice does not eliminate risks. However, having an effective and operational risk management practice shows an insurer that your organization is committed to loss reduction or prevention. It makes your organization a better risk to insure.

Risk Management aims to facilitate the exchange of information and expertise across countries and across disciplines. Its purpose is
3

to generate ideas and promote good practice for those involved in the business of managing risk. All too often assessments of risk are crudely made and the consequences of getting things wrong can be serious, including lost opportunities, loss of business, loss of reputation and even life. This journal examines both the problems and potential solutions.

Role of insurance in risk management

Insurance is a valuable risk-financing tool. Few organizations have the reserves or funds necessary to take on the risk themselves and pay the total costs following a loss. Purchasing insurance, however, is not risk management. A thorough and thoughtful risk management plan is the commitment to prevent harm. Risk management also addresses many risks that are not insurable, including brand integrity, potential loss of tax-exempt status for volunteer groups, public goodwill and continuing donor support.

Why manage your risk?

An organization should have a risk management strategy because:

People are now more likely to sue. Taking the steps to reduce injuries could help in defending against a claim. Courts are often sympathetic to injured claimants and give them the benefit of the doubt. Organizations and individuals are held to very high standards of care. People are more aware of the level of service to expect, and the recourse they can take if they have been wronged. Organizations are being held liable for the actions of their employees/volunteers. Organizations are perceived as having a lot of assets and/or high insurance policy limits.

The Benefits of Risk Management:

Risk management is a process which provides assurance that:

Objectives are more likely to be achieved; Damaging things will not happen or are less likely to happen; Beneficially things will be or are more likely to be achieved.

It is not a process for avoiding risk. The aim of risk management is not to eliminate risk, rather to manage the risks involved in all University activities to maximize opportunities and minimize adverse effects. Note: risk management is not the management of insurable risks. Insurance is an important way of transferring risk but most risks will be managed by other means. Good risk management provides upward assurance from business activities and administrative functions, from department to faculties, to the senior management team and ultimately to the governing body.

The potential benefits from risk management are: Supporting strategic and business planning; Supporting effective use of resources; Promoting continuous improvement; Fewer shocks and unwelcome surprises; Quick grasp of new opportunities; Enhancing communication between Schools and Departments; Reassuring stakeholders; Helping focus internal audit programmed

Risk Management Tools Assessment:

Risk management tools provide a way to assess risk and therefore manage ways to avoid these risks. It essentially provides a what if? sort of theme by applying the inherent possible risks in any given activity and then determines the best ways to avoid those risks and/or what actions can be taken if these risks do occur. Risk management tools usually take the form of software that allows these probable risks and outcomes and then determines what needs to be done to avoid those risks. These tools are very helpful for any activity and in particular for businesses as it can save them quite a bit of money by managing possible risks and outcomes to prevent them from ever occurring in the first place. In essence, by understanding the possible risks they can manage ways to avoid it. For example: If the business does not complete a contract by a certain date they lose so much money and so they plot out ways to avoid this by making sure all aspects dealing with the contract from employees to computer data are completing their functions to avoid this. That is just a tiny example and risk management tools go far beyond this simple function.

Risk Management Tools Avoiding Risk

Risk management tools in business use a similar method by creating mathematical and statistical data to determine risk. Once the risk assessment is complete they can then manage every possible action that may cause the risk and then determine in which ways they can avoid it. This is useful not only in managing employees but also in managing products and all activities associated with your particular business. There are many software applications available to fully utilize the application of risk management tools available and help keep your business running smoothly or for whatever particular activity you may be involved in that can benefit.

Risk Management Software Tools Multiple Applications

Risk management software tools provide a template with which to
assess risk and then use the software to manage possible risk. This can be applied to many different activities including business which uses the software to save money by being prepared for possible risks and understanding what causes it. This allows them to avoid that risk and therefore not lose money in the case of business. This can also be used for many different activities and is useful where there is an inherent risk in the activity, for instance in high rise construction work, laboratories, and others where there may be a high risk of danger. Even NASA uses risk management software tools to prevent possible risks and keep a safe work environment. Risk can also involve the loss of money for business practices. For this purpose you can assess what possible risks may take place with risk management software tools that will cause this loss of money and act accordingly to properly manage it and prevent it from happening again.

Risk Management Software Tools Economics and Beyond

There have been many risk management software tools developed by major universities for any number of applications. Even a risk software tool developed for, say a chemistry lab, can in many cases still be used for other activities that may have nothing to do with chemistry because the basic formula still applies. By laying it all out in an easily understandable and readable format the individual is able to see every aspect of the risk management to determine possible causes and therefore fix them before they become a problem. By following this process you can also narrow down causes of risk if something is continuously becoming a problem and can then be traced back to one particular area to be managed. This could be anything from a failure in data and other software to an employee or particular group. Action can then be taken to fix the problem and manage the risk. Risk management tools may also use graphs and other visual media to display risk management in one quick glance so you can see where

the biggest risk may be and therefore be able to manage the risk before it becomes a major problem.

Risk Management Software Tools Practicality

Risk management software tools are available online to help in maintains a practical business model, particularly where it applies to economics and business. First one must identify the possible risks, then determine how detrimental this risk may be to the business or activity, and then determine what actions must be taken to avoid that risk. Software provides a valuable method of filtering through this process efficiently and effectively while being able to maintain and see at a glance the risks and therefore be able to nip it in the bud and keep everything running smoothly. In business if figures dont come in properly it can then be determined why. The uses and practicality of risk management software tools are invaluable and can be applied to basically any activity to maintain and manage risk and allow things to run more smoothly.

Software Risk Management

The hierarchy of Software Risk Management (SRM) methodologies discussed in this paper Addresses two classes of functions: software acquisition and software development. The basic methodological framework with which functions are managed is composed of the Software Acquisition-Capability Maturity Model (SA-CMMSM ) and the Software Capability Maturity Model (SW-CMMSM ) and their supporting practices and constructs. This framework for software Risk management is supported by three groups of practices: 1. Software Risk Evaluation (SRE) 2. Continuous Risk Management (CRM) 3. Team Risk Management (TRM)

These practices are based on three basic constructs for software risk management developed At the Software Engineering Institute (SEI): Risk Management Paradigm, Risk Taxonomy, Risk Clinic, and Risk Management Guidebooks. The three constructs and three practices will be discussed in subsequent sections. The complexity of software risk management cannot be understood nor appropriately addressed from the above methodological context alone. To capture the multifarious aspects of This complexity, we make use of hierarchical holographic modeling, where we consider two additional visions or dimensions: the temporal and human dimensions. Thus the three dimensions adopted in this paper to represent the holistic vision of software risk management are The temporal dimension, The methodological dimension And the human dimension.

The temporal dimension is decomposed into two sub-visions: 1. Macro vision represents the global perspective of the acquisition life cycle. 2. Micro vision represents the view of the project manager. The methodological dimension has already been introduced. The human dimension addresses the intellectual dimension of software acquisitionthe most Critical dimension, since software development is such an intellectual activity. Four aspects Are identified here: 1. Individual 2. Team
9

3. Management 4. Stakeholder (including customer and client)

The last section shares the experience gained through the deployment of the above methodologies by SEI teams. Ample literature exists on the process of risk assessment and management. The majority of this literature, however, is devoted to theories and methodologies that have not been subjected to the ultimate test of practice. This paper presents comprehensive theories and processes developed at the SEI at Carnegie Mellon University that have been successfully deployed.

The goal of SEI Risk Program is to enable engineers, managers, and other decision makers to identify, sufficiently early, the risks associated with software acquisition, development, integration, and deployment so that appropriate management and mitigation strategies can be developed on a timely basis. Time is critical and the goal is to act early before a source of risk evolves into a major crisis. In other words, being mainly reactive in risk mitigation and control Rather than proactive in risk prevention and control is at the heart of good risk management. Furthermore, should the system fail regardless of all risk management efforts, then ensuring The safe failure (e.g., safe shutdown) of the system must be the mandate of the software risk Manager. Clearly, the secret to effective risk management is the trade-off of mitigation cost against the potential adverse effects of avoided risk. In this context, the value of the methodologies and tools for software risk management is to buy smarter, manage more effectively and identify opportunities for continuous improvement, use available information and databases more efficiently, improve industry and raise the communitys playing field, and review and Evaluate the progress made on risk management.
10

It is important to note that the developed software risk methodologies have three fundamentally different, albeit complementary, objectives: 1. Risk prevention 2. Risk mitigation and correction 3. Ensuring safe system failure The following seven risk management principles are instrumental in the quest to achieve these Three objectives: Shared product vision sharing product vision based upon common purpose, shared ownership, and Collective commitment focusing on results Teamwork working cooperatively to achieve a common goal pooling talent, skills, and knowledge Global perspective viewing software development within the context of the larger system-level Definition, design, and development recognizing both the potential value of opportunity and the potential impact Of adverse effects, such as cost overrun, time delay, or failure to meet Product specifications
11

Forward-looking view thinking toward tomorrow, identifying uncertainties, anticipating potential Outcomes Managing project resources and activities while anticipating uncertainties Open communication encouraging the free flow of information between all project levels enabling formal, informal, and impromptu communication using consensus-based process that values the individual voice (bringing Unique knowledge and insight to identifying and managing risk) Integrated management making risk management an integral and vital part of project management adapting risk management methods and tools to a projects infrastructure And culture4 CMU/SEI-96-TR-012 Continuous process maintaining constant vigilance Identifying and managing risks routinely throughout all phases of the projects Life cycle.

Risk is commonly defined as a measure of the probability and severity of adverse effects. Software technical risk can be defined as a measure of the probability and severity of adverse effects

12

inherent in the development of software that does not meet its intended functions and performance requirements.

The need to manage risk increases with system complexity. Figure 2 demonstrates this concept by indicating that as the complexity of the system increases, both technical and nontechnical (cost and schedule) risks increase. There is an increasing need for more systematic methods and tools to supplement individual knowledge, judgment, and experience. These human traits are often sufficient to address less complex risks. It is worth noting that many managers believe that they are managing risk in its multifaceted dimensions. The fact of the matter is that they are merely managing cost and schedule along with isolated cases of technical risk. The SEI Risk Program provides a structured process, supported by methods and tools, for Identifying, analyzing, and mitigating the uncertainties encountered in a specific software engineering effort. Many of the most serious issues encountered in system acquisition are the result of risks that either remain unrecognized and/or are ignored until they have already created serious consequences. This focus on risk management is important because structured Techniques, even quite simple ones, can be effective in identifying risk, and approaches, procedures, and techniques do exist for risk mitigation.

13

A Holistic Vision of Software Risk Management

The complex process of software acquisition encompasses most, if not all, aspects associated with software risk management. Thus, it seems natural to focus on the entire life cycle of the software acquisition process in developing a holistic vision of risk management. Indeed, risk management of software engineering cannot be restricted to any subset or a single phase of the life cycle of software development the following objectives of the overall methodological framework for software risk management apply to software-intensive systems

14

1. .Improve the process of software acquisition in organizations 2. Improve software risk management methodology, technology, and practice in the acquisition process 3. Improve the access to, acquisition, repository, use, and integration of .information and data for software acquisition in industry and government 4. In general, institutionalize risk management and decision support within the software acquisition community and make it an integral part of the communitys practice.

Temporal Dimension
It is plausible to assert that the genesis of a formal acquisition process can be traced to the Statement of Needs and Requirements. In terms of risk management, the seeds of critical sources of risk are often sown at this seemingly benign stage. An example from urban development demonstrates this point. A mayor and the city council identify a need for a new housing development. Given the high cost of land due to its scarcity, the requirements for meeting these needs evolve into the construction of high rise apartments. At this stage, the risks that the new project might become a major slum and a magnet for crime and drug distribution are not considered.

The goal of risk management is in the prevention of such risks. The

importance the Needs and Requirements stage places this stage at the foundation of the holistic vision of software risk management depicted in Figure 2, which follows the introduction of all components of the .hierarchical holographic model for software risk management. The total acquisition life cycle is presented in two separate yet overlapping visions. The micro vision primarily represents the view of the project manager. The macro vision represents the more global and broader perspective of the acquisition life cycle. It is worth noting that within each stage of the temporal domain, the human dimension (individual, team, manager, or Stakeholder) has a different and unique role to play.

15

Micro vision
1. Specification 2. )Solicitation (including request for proposal and contractor selection 3. )Design and development (including architecture . 4. )Systems integration (including deployment and maintenance .

Macro vision
1. Conceptual design . 2. Demonstration/validation . 3. Engineering, manufacturing, development, and production . 4. )Maintenance and major upgrade (including termination

16

17

_TRM_Team Risk Management

TRM extends risk management with team-oriented activities involving the customer and supplier (e.g., government and contractor), where both customer and supplier apply the methodologies together . methods, and ,TRM establishes an environment built on a set of processes tools that enables the customer and supplier to work cooperatively, continuously managing risks throughout the life cycle of a softwaredependent development program. It is built on a foundation of the seven principles of risk management discussed in the preface of this paper, and on the philosophy of cooperative teams. TRM further extends the SEI Risk , Guided by the seven principles Management paradigm by adding two functionsinitiate and team. Each risk goes through these functions sequentially, but the activity occurs continuously, concurrently, and iteratively throughout the project life cycle (e.g., planning for one risk may identify another). The TRM Guidebook provides an effective instrument with which to militarize the reader with the concepts, functions, processes, methods, .and products of TRM The guidebook accomplishes this through a description of the overall methodology, a road map for applying it within a project, and detailed descriptions of the processes and methods used to implement the functions of TRM. Figure 3 depicts the extension of the SEI Risk Management Paradigm by incorporating the TRM functions (initiate and team.

18

Project Management: Risk Management

In many projects, risks are identified and analyzed in a random, brainstorming, fashion. This is often fatal to the success of the project, as unexpected risks arise, which have not been assessed or planned for and have to be dealt with on an emergency basis, rather than be prepared for and defended against in a planned, measured, manner.

. 19

10 Golden Rules of Project Risk Management:

Rule 1: Make Risk Management Part of Your Project. Rule 2: Identify Risks Early in Your Project. Rule 3: Communicate About Risks. Rule 4: Consider Both Threats and Opportunities. Rule 5: Clarify Ownership Issues. Rule 6: Priorities Risks. Rule 7: Analyses Risks. Rule 8: Plan and Implement Risk Responses. Rule 9: Register Project Risks. Rule 10: Track Risks and Associated Tasks.

Risk Management Analysis: What is Risk Analysis?

Risk analysis helps you identify and manage factors that could undermine the success of key business objectives or projects. Risk is made up of two things: the likelihood of something going wrong, and the negative consequences that will happen if it does. You carry out a risk analysis by first identifying the possible threats that you face, and by then assessing the likelihood of these threats occurring. Risk analysis can be as simple or as involved as you want, and it's useful in a variety of situations. However, if you want to do an indepth analysis, you'll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, or other relevant reports.

20

Risk management analysis is very helpful in examining the risks

and following a well planned process to hedge the risk. At the same time, the effectiveness of the process and the financial factors related to the process are also discussed through this analysis. The business sector always faces some kind of risk. The risk management initiatives are becoming all the more important with the growing competition in the global market. In the highly competitive global market there is hardly any scope to afford any kind of loss. As a result of this, the concept of risk management has gained considerable importance over the passage of time. The risk management analysis is very important for proper application of the risk management policies. This analysis is necessary because the demand of the market and the trends are changing constantly and only proper analysis of risks can help the businesses to achieve the set targets. There are a number of risks that can be handled through the risk management analysis. Different factors are related to the process of risk management analysis. These are the following: Discovering the Risk: The first step of risk management analysis is to mark the areas where risk factors are related and causing major threats to the businesses or the organizations. These risks are of different types like financial risk, political risk, technical risk, risk related to the operations or reputation of the business and many more. People related to the business may provide some kinds of threats. Estimating the Risk Factor: It is the second step of risk management analysis and starts after the identification of the risk factors. In this step, the possible losses and their impacts on the business are decided. At the same time, necessary finances for the prevention or recovery process are also decided. Managing the Risk Factor: After the impacts of the risk are decided, the company can look for the proper ways of managing these risks. Once the strategies are set, the process starts working. One of the most important factors is to select such a strategy that can be economical and can provide effective services to the business. Risk management can be done through different processes. The existing assets of the particular company can be used or new resources can be developed for the purpose. It can be done through contingency planning or through business continuity planning.

21

Regular Monitoring of the Applied Strategy: This is very necessary for the success of the risk management strategy because if the strategy does not work properly, it can be detected through the monitoring process and a new strategy can be applied.

When to Use Risk Analysis? Risk analysis is useful in many situations, for example, when you're: Planning projects, to help you anticipate and neutralize problems, or assess, say, the impact of going over budget. Deciding whether or not to move forward with a project. Improving safety and managing potential risks in the workplace. Preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters. Planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.

How to Use Risk Analysis: To carry out a risk analysis, follow these steps: 1. Identify Threats The first step in risk analysis is to identify the existing and possible threats that you might face. These can come from many different areas. For instance:

Human From illness, death, injury, or other loss of a key individual. Operational From disruption to supplies and operations, loss of access to essential assets, or failures in distribution. Reputational From loss of customer or employee confidence, or damage to reputation in the market. Procedural From failures of accountability, internal systems and controls; or from fraud.

22

Project From going over budget, taking too long on key tasks, or experiencing issues with product or service quality. Financial From business failure, stock market fluctuations, interest rate changes, or non-availability of funding. Technical From advances in technology, or from technical failure. Natural From weather, natural disasters, or disease. Political From changes in tax, public opinion, government policy, or foreign influence. Structural From dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

Example - IT Reorganization Project Background Contoso, Inc. has initiated a project to reorganize its IT departments. Contoso's primary infrastructure is shifting to a distributed environment from a centralized one. Risk Identification Using sound risk management practices, Contoso conducted various risk identification discussions to come up with a master risks list. Two of those risks are listed in the following table. Table: Contoso IT Reorganization Risk ID 0001

23

Project ID ITREORG010

Risk ID 0001

Root Cause Process

Business Effect Cost, Performance

Risk Present service desk process inefficiencies could lead to increased cost to support current IT services.

Situation Field office support is not a coordinated effort with centralized help desk functions. Often field support professionals respond to and resolve incidents without those incidents being recorded and a knowledge base being populated.

Consequence Without a comprehensive, shared knowledge base of incidents, problems, and resolutions, redundant incidentmanagement and problemmanagement activity will be performed throughout the support organization.

Downstream Effect Extended service outages as well as inadequate communications regarding status of resolutions will further alienate the customer from IT. This will enforce the view of IT as not being aligned with the needs of the business. The perceived value of the services provided by IT will be diminished.

Table: Contoso IT Reorganization Risk ID 0002

Project ID ITREORG010 Risk Changes implemented by one IT group could negatively affect systems and services delivered by other IT groups.

Risk ID 0002 Situation Although change management exists within some groups, a common formal changemanagement process does not exist across all IT groups. Additionally, some changes, when reviewed during the weekly status meeting, have not

Root Cause People, Process Consequence Lack of commitment to a standard set of operational processes will lead to business units that fail to trust each other. Frustration between IT groups will occur as systems under the responsibility of one group will be affected by others

Business Effect Cost, Performance Downstream Effect Service disruptions caused by failed changes will interrupt business functions. Additionally, failure to communicate planned downtime of mission-critical services to users and the help desk will result in reduced trust in IT.

24

been properly assessed for impact to all groups.

This will force the business to question the value of the current IT operations and to consider outsourcing IT functions.

Risk Prioritization
Once these risks were identified, the project team then focused on risk prioritization. Table: Contoso Prioritization of Risk ID 0001

Project ID ITREORG010

Risk ID 0001

Root Cause Process

Exposure Analysis Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.

Probability Impact (1-5) 70% 5

Business Effect Cost, Performance Exposure 3.5

25

Table: Contoso Prioritization of Risk ID 0002

Project ID ITREORG010 Exposure Analysis Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.

Risk ID 0002 Probability 65%

Root Cause Process Impact (1-5) 5

Business Effect Cost, Performance Exposure 3.25

Risk Planning and Tracking

Risks ID 0001 and ID 0002 were identified as the top risks for the project. They were the only two risks with an exposure of 3.0 or greater. The project team then went through an exercise to devise mitigations, triggers, and contingencies as part of the risk planning and tracking step. Project team members were assigned responsibilities to continually monitor their risks for potential changes and action items. Table: Contoso Tracking of Risk ID 0001

Project ID ITREORG010
Mitigation Implement Microsoft Operations Framework (MOF) incident and problem management processes. Coordinate secondline and third-line support groups.

Risk ID 0001 Contingencies Allocation of excessive resources to accommodate resolution of reactive issues. Fund the costs of increased support activities and staff.

Root Cause Process Triggers Continual incident resolution. Repeated problems occur. Uncoordinated and recurring changes. Poor average time to resolution.

Business Effect Cost, Performance -----

26

Table: Contoso Tracking of Risk ID 0002

Project ID ITREORG010 Mitigation A standard formalized and communicated MOF-based change management process will be implemented across all IT groups.

Risk ID 0002 Contingencies Assign additional resources to reactive problem management. Communication to customers and end-users in a prompt, descriptive and meaningful manner can reduce the negative effect on customer satisfaction.

Root Cause Process Triggers Information gathered during project status meetings and operations management reviews (OMRs) regarding process and service outages indicate that this risk is currently being actualized at some level.

Business Effect Cost, Performance

------

These two risks became the top risks list for the Contoso IT reorganization project. These risks were discussed at each OMR and various project status meetings. The purpose of this discussion was to discuss the progress of mitigation steps, to determine whether triggers were being fulfilled in the environment, and to ensure that the probability and impact levels were still properly set. This discussion was vital to the project to determine if contingencies identified in the master risks list needed to be acted upon to avoid service disruptions where possible. Risk Exposure Analysis As the project progressed, various mitigation activities around MOF-based change management processes and incident and problem management processes began to reduce the probability of these risks occurring. The project team then modified the probability, which in turn also reduced the exposure of the risks as noted in the following table. Table: Contoso Exposure Analysis of Risk ID 0001 27

Project ID ITREORG010
Modified Exposure Analysis Probability has decreased due to the implementation of MOF-based incident and problem management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.

Risk ID 0001 Modified Probability 40%

Root Cause Process Impact (1-5) 5

Business Effect Cost, Performance Modified Exposure 2

Table: Contoso Exposure Analysis of Risk ID 0002

Project ID ITREORG010 Modified Exposure Analysis Probability has decreased due to the implementation of MOF-based change management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.

Risk ID 0001 Modified Probability 35%

Root Cause Process Impact (1-5) 5

Business Effect Cost, Performance Modified Exposure 1.75

28

References:

. .

Chittister, Clyde & Haimes, Yacov. Assessment and

Management of Software Technical Risk, IEEE Transactions on Systems, Man, and Cybernetics 24, 2 (February 1994): 187-202

Kirkpatrick, Robert J.; Walker, Julie; & Firth, Robert.

Software Development Risk Management: An SEI Appraisal, Software Engineering Institute Technical Review 92 (CMU/SEI-92-REV). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1992

. Higuera, Ronald P.; Dorofee, Audrey J.; Walker, Julie

A.; & Williams, Ray

C. Team Risk Management: A New Model for Customer-Supplier Relationships (CMU/SEI-94-SR-005, ADA283987). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1994

Haimes, Yacov Y. Hierarchical Holographic Modeling, IEEE

Transactions on Systems, Man, and Cybernetics 11, 9 (September 1981): 606.617 ..1991

29

30