
A Framework for Categorizing Key Drivers of Risk

April 2009 Technical Report
Christopher J. Alberts, Audrey J. Dorofee

This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.

Abstract

In today's business and operational environments, multiple organizations routinely work collaboratively in pursuit of a common mission, creating a degree of programmatic complexity that is difficult to manage effectively. Success in these distributed environments demands collaborative management that effectively coordinates task execution and risk management activities among all participating groups. Approaches for managing program risk have traditionally relied on tactical, bottom-up analysis, which does not readily scale to distributed environments. Systemic risk management is an alternative approach that is being developed by the Software Engineering Institute (SEI). A systemic approach for managing risk starts at the top, with the identification of a program's key objectives. Once the key objectives are known, the next step is to identify a set of critical factors, called drivers, that influence whether or not the key objectives will be achieved. The set of drivers also forms the basis for subsequent risk analysis. This technical report describes a driver-based approach for managing systemic risk in programs that acquire or develop software-intensive systems and systems of systems. It features a framework for categorizing drivers and also provides a starter set of drivers that can be tailored to the unique requirements of each program.