Software Engineering Institute

The Continuous Risk Management Guidebook describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization. Risk management can be used to continuously assess what can go wrong in projects (i.e., what the risks are), determine which of these risks are most important, and implement strategies to deal with these risks. The guidebook is based on proven practices confirmed through research, field testing, and direct work with clients.

The Continuous Risk Management Guidebook was developed to help a project or organization establish continuous risk management as a routine practice and then continue to improve this process. It is organized so that different users can read different parts of the book and get different benefits. For example, technical managers and lead engineers can read the book to learn how to build a risk management process that is tailored to their specific project or organization; software engineers can use it to understand how to perform the risk management methods and use the tools described in the guidebook; and change agents (such as members of software engineering process groups) can read it to understand why continuous risk management should be used and how to get projects to tailor it and start using it. In addition, all users of this guidebook will gain a greater understanding of continuous risk management.

The authors describe both what continuous risk management is and how to implement it. They explain the concepts, principles, and functions of continuous risk management in detail and provide a view of what risk management could look like when implemented within a project. It then shows how an organization might tailor continuous risk management to fit in its specific environment, provides methods and tools that can be used to perform continuous risk management, and presents a roadmap to help organizations install a continuous risk management process. Although this guidebook deals primarily with performing continuous risk management in a software development environment, it can easily address systems, hardware, and other domains.

The information in this guidebook will help an organization address the following questions:

• What is continuous risk management and why would I want to use it?
• What does continuous risk management look like when implemented within a typical project?
• How would a project get started and install continuous risk management?
• What do you need to put in place for a successful risk management program?
• What methods and tools can be used to perform continuous risk management?

The authors have more than 90 years of software development experience in defense, aeronautics, robotics, commercial, steel, and nuclear industries, including more than 25 years in the field of risk management. In the last six years, they and other members of the Software Engineering Institute (SEI) Risk Program have worked with more than 50 programs from the Department of Defense, civil agencies, and industry. The programs have ranged from large-scale aerospace programs to small, turnkey projects. These efforts have ranged from stand-alone risk assessments to broad-based, organization-wide adaptation and implementation of risk management practices. This guidebook codifies the best practices in risk management.