Define the parameters used to analyze and categorize risks, and the parameters used to control the risk management effort.
Parameters for evaluating, categorizing, and prioritizing risks include the following:
· Risk likelihood (i.e., probability of risk occurrence)
· Risk consequence (i.e., impact and severity of risk occurrence)
· Thresholds to trigger management activities
Risk parameters are used to provide common and consistent criteria for comparing the various risks to be managed. Without these parameters, it would be very difficult to gauge the severity of the unwanted change caused by the risk
and to prioritize the necessary actions required for risk mitigation planning.
Typical Work Products
1. Risk evaluation, categorization, and prioritization criteria
2. Risk management requirements (e.g., control and approval levels, and reassessment intervals)
Subpractices
1. Define consistent criteria for evaluating and quantifying risk likelihood and severity levels.
Consistently used criteria (e.g., the bounds on the likelihood and severity levels) allow the impacts of different risks to be commonly understood, to receive the appropriate level of scrutiny, and to obtain the management attention
warranted. In managing dissimilar risks (e.g., personnel safety versus environmental pollution), it is important to ensure consistency in end result (e.g., a high risk of environmental pollution is as important as a high risk to personnel
safety).
2. Define thresholds for each risk category.
For each risk category, thresholds can be established to determine acceptability or unacceptability of risks, prioritization of risks, or triggers for management action.
Examples of thresholds include the following:
· Project-wide thresholds could be established to involve senior management when product costs exceed 10 percent of the target cost or when Cost Performance Indexes (CPIs) fall below 0.95.
· Schedule thresholds could be established to involve senior management when Schedule Performance Indexes (SPIs) fall below 0.95.
· Performance thresholds could be set to involve senior management when specified key items (e.g., processor utilization or average response times) exceed 125 percent of the intended design.
These may be refined later, for each identified risk, to establish points at which more aggressive risk monitoring is employed or to signal the implementation of risk mitigation plans.
3. Define bounds on the extent to which thresholds are applied against or within a category.
There are few limits to which risks can be assessed in either a quantitative or qualitative fashion. Definition of bounds (or boundary conditions) can be used to help scope the extent of the risk management effort and avoid
excessive resource expenditures. Bounds may include exclusion of a risk source from a category. These bounds can also exclude any condition that occurs less than a given frequency.
705/1102 - 0 sub articles
CMMI-DEV 1.2
4. 
SP 1.2 Define Risk Parameters