risk management msce
Post on 30-May-2018
-
8/14/2019 Risk Management Msce
2009 Carnegie Mellon University
Mission Success in Complex Environments (MSCE)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
-
Mission Success in Complex Environments (MSCE) Project
Part of the SEI Acquisition Support Program (ASP), the MSCE Project develops methods, tools, and techniques for
Advancing the state-of-the-practice for risk management
Assuring success in complex, uncertain environments
The project builds on more than 17 years of SEI research and development in risk management.
Continuous Risk Management for software-development projects
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) for organizational security
-
Widespread Use of Risk Management
Most programs and organizations implement some type of risk management approach when developing and operating software-intensive systems.
Risk management plan
Processes
Tools
However, preventable failures continue to occur.
Uneven and inconsistent application of risk-management practice
Significant gaps in risk-management practice
Ineffective integration of risk-management practice
Increasingly complex management environment
-
Changing Risk Paradigm
From Traditional Paradigm | To New Paradigm
Tactical analysis that produces point mitigation solutions | Systemic analysis that produces strategic mitigation solutions
Failure-oriented (playing not to lose) | Success-oriented (playing to win)
Narrow tradeoff space based on type of risk (e.g., program, security) | Broad tradeoff space based on mission and objectives
Applicable to a specific life-cycle phase and a single group or team | Applicable across the life cycle and supply chain (multi-enterprise/system environments)
Stand-alone management practice | Integrated with program and organizational management practices
Bureaucratic and time-intensive | Practical, straightforward, and easy to apply
-
Tactical and Systemic Approaches
-
Mosaic
What
A suite of risk-based methods and guidance for managing systemic risk across the life cycle and supply chain
Benefits
Focused on achieving operational success
Enables continuous management of risk
Applicable across all life-cycle phases
Designed for multi-enterprise, multi-system environments
Provides a means of analyzing risk in relation to management models, frameworks, and standards
-
Mosaic: Focus on Assessment
Every organization has preferred management practices
The foundation of the Mosaic approach is a suite of methods for assessing risk continuously
Mosaic also provides guidance for leveraging existing management practices to develop, implement, and track risk mitigation plans
[Figure labels: Mosaic Management Guidance; Do; Act]
-
Mosaic Assessments
Mosaic provides a suite of methods for assessing risk
Mosaic assessments are modular in design
Driver identification and analysis provide a common front end for multiple back-end analyses
[Figure labels: Risk Analysis; Mission Success Analysis; Mission Assurance Analysis; Integrated Risk and Opportunity Analysis; Gap Analysis; Other Types of Analysis]
-
Mosaic: Driver-Based Assessment
[Figure labels: Key Objectives; Positive Conditions and Future Events; Negative Conditions and Future Events; Driver 1, Driver 2, Driver 3, Driver N]
A driver is a factor that has a strong influence on the eventual outcome or result.
-
Driver Framework
The driver framework is a common structure for classifying a set of drivers.
Driver Categories: Objectives, Preparation, Execution, Environment, Resilience, Result
-
Driver Attributes
Attribute | Description | Example
Name | A concise label that describes the basic nature of the driver | Process
Success State | A driver exerts a positive influence on the outcome | The process being used to develop and deploy the system is sufficient.
Failure State | A driver exerts a negative influence on the outcome | The process being used to develop and deploy the system is insufficient.
Category | The category to which the driver belongs | Preparation
-
Basic Set of Drivers for Software Development
1. Program Objectives
2. Plan
3. Process
4. Task Execution
5. Coordination
6. External Interfaces
7. Information Management
8. Technology
9. Facilities and Equipment
10. Organizational Conditions
11. Compliance
12. Event Management
13. Requirements
14. Design and Architecture
15. System Capability
16. System Integration
17. Operational Support
18. Adoption Barriers
19. Operational Preparedness
20. Certification and Accreditation
-
Driver Analysis
Driver questions are phrased from the success perspective.
Probability is incorporated into the range of answers for each driver.
The rationale for selecting an answer is recorded.
-
Integrating Tactical Data
A driver-based approach enables integration of tactical data.
-
Driver Profile
A simple analysis provides insight into current conditions.
[Figure: chart of Probability of Success State for each of the 20 drivers]
-
Primary Relationships among Driver Categories
[Figure labels: Environment; Objectives; Resilience; Execution; Result; Preparation]
-
Additional Analysis of Drivers
Drivers provide a foundation for program decision making.
A variety of back-end analyses can be used to analyze a set of driver values.
Gap analysis
Risk analysis
Mission success analysis
Mission assurance analysis
Integrated risk and opportunity analysis
-
From Drivers to Risks
Risk | Probability | Impact | Risk Exposure
3. The process being used to develop and deploy the system is insufficient. | High | Severe | High
[Figure annotations: Determined using results of driver analysis; Determined using standard risk analysis methods]
-
Multi-Enterprise Environments: Network of Objectives
-
Multi-Enterprise Environments: Applying the Driver Framework
Assessing a distributed program requires examining
Each individual group
The end-to-end program
[Figure: a driver framework (O P E E R R) for each of Org A, Org B, Org C, and Org D, and a framework (O P E E R R) for the end-to-end program]
-
Mosaic Assessments: Application in Multiple Domains
Software acquisition and development programs
Process improvement
Mission assurance
Software assurance
Information technology management
Cyber security management
Critical infrastructure protection
-
Risk Management Framework -1
-
Risk Management Framework -2
The Risk Management Framework is implementation independent.
Defines risk management activities
Does not specify how to perform those activities
The framework provides a
Foundation for a comprehensive risk management methodology
Basis for improving a risk management practice
-
Mosaic Portfolio - 1
Courses
Risk Management Framework: Best Practices in Risk Management
Introduction to Practical Risk Management
Practical Risk Management: Framework and Methods
Workshops
Risk Management Tailoring and Improvement Workshops
Course and Workshop Combinations
-
Mosaic Portfolio - 2
Evaluations
Program Risk Evaluation
Mission Success Evaluation
Risk Management Framework Evaluation
Custom Evaluation
-
Future Research
Metrics
Risk-based improvement
Modeling and simulation
-
For Additional Information
Christopher Alberts
Email: cja@sei.cmu.edu
Phone: 412-268-3045
Fax: 412-268-5758
Audrey Dorofee
Email: ajd@sei.cmu.edu
Phone: 412-268-6396
Fax: 412-268-5758
WWW: http://www.sei.cmu.edu/msce/
U.S. mail: Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890