Define parameters used to analyze and categorize risks and to control the risk management effort.
Parameters for evaluating, categorizing, and prioritizing risks include the following:
· Risk likelihood (i.e., probability of risk occurrence)
· Risk consequence (i.e., impact and severity of risk occurrence)
· Thresholds to trigger management activities
Risk parameters are used to provide common and consistent criteria for comparing risks to be managed. Without these parameters, it is difficult to gauge the severity of an unwanted change caused by a risk and to prioritize the actions required for risk mitigation planning.
Acquirers should document the parameters used to analyze and categorize risks so they are available for reference throughout the life of the project since circumstances change over time.
Using these parameters, risks can easily be re-categorized and analyzed when changes occur.
The acquirer may use tools such as failure mode and effects analysis to examine risks such as potential failures in products or processes. A tool may also be used to evaluate risk management priorities for mitigating known threat vulnerabilities.
Typical Work Products
1. Risk evaluation, categorization, and prioritization criteria
2. Risk management requirements (e.g., control and approval levels and reassessment intervals)
Subpractices
1. Define consistent criteria for evaluating and quantifying risk likelihood and severity levels.
Consistently used criteria (e.g., bounds on likelihood and severity levels) allow impacts of different risks to be commonly understood, to receive the appropriate level of scrutiny, and to obtain the management attention warranted. In managing dissimilar risks (e.g., personnel safety versus environmental pollution), it is important to ensure consistency in the end result (e.g., a high risk of environmental pollution is as important as a high risk to personnel safety).
2. Define thresholds for each risk category.
For each risk category, thresholds can be established to determine acceptability or unacceptability of risks, prioritization of risks, or triggers for management action.
Examples of thresholds include the following:
· Project-wide thresholds could be established to involve senior management when product costs exceed 10 percent of the target cost or when cost performance indices (CPIs) fall below 0.95.
· Schedule thresholds could be established to involve senior management when schedule performance indices (SPIs) fall below 0.95.
· Performance thresholds could be established to involve senior management when specified key items (e.g., processor utilization or average response times) exceed 125 percent of the intended design.
For each identified risk, establish points at which more aggressive risk monitoring is employed or to signal the implementation of risk mitigation plans. These points can be redefined later in the project as necessary.
3. Define bounds on the extent to which thresholds are applied against or within a category.
There are few limits to which risks can be assessed in either a quantitative or qualitative fashion. Definition of bounds (or boundary conditions) can be used to help define the extent of the risk management effort and avoid excessive resource expenditures. Bounds may include the exclusion of a risk source from a category. These bounds can also exclude any condition that occurs less than a given frequency.