Software And Systems Engineering Risk Management

Similar documents
Satisfying DoD Contract Reporting With Agile Artifacts

Implementation of the Best in Class Project Management and Contract Management Initiative at the U.S. Department of Energy s Office of Environmental

Joint JAA/EUROCONTROL Task- Force on UAVs

Kelly Black Neptune & Company, Inc.

Implementing Open Architecture. Dr. Tom Huynh Naval Postgraduate School

Choosing the Right Measures -

Climate Change Adaptation: U.S. Navy Actions in the Face of Uncertainty

Aeronautical Systems Center

Predicting Disposal Costs for United States Air Force Aircraft (Presentation)

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices

Flexible Photovoltaics: An Update

1 ISM Document and Training Roadmap. Challenges/ Opportunities. Principles. Systematic Planning. Statistical Design. Field.

Navy s Approach to Green and Sustainable Remediation

Army Systems Engineering Career Development Model

DoD Environmental Information Technology Management (EITM) Program

Incremental Sampling Methodology Status Report on ITRC Guidance

Characterizing PCB contamination in Painted Concrete and Substrates: The Painted History at Army Industrial Sites

ISO 31000:2009 IEC/ISO 31010:2009 & ISO Guide 73:2009 International Standards for the Management of Risk

The Business Case for Systems Engineering: Comparison of Defense-Domain and Non- Defense Projects

Stakeholder Needs and Expectations

Deciding in a Complex Environment : Human Performance Modeling of Dislocated Organizations

Department of Defense Green Procurement Program and Biobased Products

EXPLOSIVE CAPACITY DETERMINATION SYSTEM. The following provides the Guidelines for Use of the QDARC Program for the PC.

Stormwater Asset Inventory and Condition Assessments to Support Asset Management Session 12710

Update on ESTCP Project ER-0918: Field Sampling and Sample Processing for Metals on DoD Ranges. Jay L. Clausen US Army Corps of Engineers, ERDC CRREL

Improving Strategic Decision and Senior-level Teamwork in U.S. National Security Organizations

Joint Expeditionary Collective Protection (JECP) Family of Systems (FoS)

Safe Disposal of Secondary Waste

Process for Evaluating Logistics. Readiness Levels (LRLs(

Grinding & Superfinishing. Methods & Specifications

Red-cockaded Woodpecker (RCW) Management at Fort Stewart

Air Intakes for Subsonic UCAV Applications - Some Design Considerations

Risk management Principles and guidelines

Overview of USD-AT&L Memo on Cr 6+ and Other Regulatory Issues

Joint Logistics Strategic Plan

US Naval Facilities Engineering Service Center Environmental Program on Climate Change

Parametric Study of Heating in a Ferrite Core Using SolidWorks Simulation Tools

UNITED STATES DEPARTMENT OF INTERIOR GEOLOGICAL SURVEY DISPOSAL SITE IN NORTHEASTERN HARDEMAN COUNTY,

Enhance Facility Energy Management at Naval Expeditionary Base Camp Lemonnier, Djibouti. 12 May 2011

Protective Design. Force Protection Standards and Historic Preservation Policy. DoD Conservation Conference

THE NATIONAL SHIPBUILDING RESEARCH PROGRAM

Risk Management Update ISO Overview and Implications for Managers

SAIC Analysis of Data Acquired at Camp Butner, NC. Dean Keiswetter

Magnesium-Rich Coatings

Evaluation of Dipsol IZ-C17 LHE Zinc-Nickel Plating

Avoiding Terminations, Single Offer Competition, and Costly Changes with Fixed Price Contracts

Title: Human Factors Reach Comfort Determination Using Fuzzy Logic.

STORAGE OF LIMITED QUANTITIES OF EXPLOSIVES AT REDUCED Q-D

Counters for Monitoring

Testing Cadmium-free Coatings

Supply-Chain Risk Analysis

Views on Mini UAVs & Mini UAV Competition

Fraud Risk Management

Concept of Risk Management in Medical Equipment Application of ISO in IEC rd Edition

Development of an integrated ISFET ph sensor for high pressure applications in the deep-sea

A Conceptual Model of Military Recruitment

Transparent Ceramic Yb 3+ :Lu2O3 Materials

Fall 2014 SEI Research Review. Team Attributes &Team Performance FY14-7 Expert Performance and Measurement

RAISING THE STANDARD THE NEW ISO RISK MANAGEMENT STANDARD

ERM: Risk Maps and Registers. Performing an ISO Risk Assessment

Novel Corrosion Control Coating Utilizing Carbon Nanotechnology

Integrated Systems Engineering and Test & Evaluation. Paul Waters AIR FORCE FLIGHT TEST CENTER EDWARDS AFB, CA. 16 August 2011

Static and dynamic testing of bridges and highways using long-gage fiber Bragg grating based strain sensors

AFRL-RX-TY-TP

Logistics Technology Assessment

AND Ti-Si-(Al) EUTECTIC ALLOYS Introduction. temperatur-dependent

Obsolescence Management for Structural, Mechanical, and Electrical Items in Conjunction with Electronics

Use of Residual Compression in Design to Improve Damage Tolerance in Ti-6Al-4V Aero Engine Blade Dovetails

Considerations for Characterization of PAHs at Skeet Ranges and the Possible Future of PAH Risk Assessment

The Latest on ISO 31000: Advancing the Mission

Evaluation of Zn-rich Primers and Rust Converters for Corrosion Protection of Steel Leonardo Caseres

VARTM PROCESS VARIABILITY STUDY

Solar Powered AUVs; Sampling Systems for the 21 st Century

PROJECT MANAGEMENT INSTITUTE:

Risk Management and Corporate Governance in Local Government

Information technology Security techniques Information security management systems Overview and vocabulary

EDUCATION AND TRAINING

NOTICE OF CHANGE DEPARTMENT OF DEFENSE DESIGN CRITERIA STANDARD HUMAN ENGINEERING

Engineered Resilient Systems

Title: Nano shape memory alloy composite development and applications

THE TARDEC ADVANCED SYSTEMS ENGINEERING CAPABILITY (ASEC)

TSP Performance and Capability Evaluation (PACE): Customer Guide

Yttria Nanoparticle Reinforced Commercially Pure (CP) Titanium

SIO Shipyard Representative Bi-Weekly Progress Report

ISO 28002: RESILIENCE IN THE SUPPLY CHAIN: REQUIREMENTS WITH GUIDANCE FOR USE

Understanding And Implementing ISO 14001:2015

INTEGRATING ISO 9000 METHODOLOGIES WITH PROJECT QUALITY MANAGEMENT

ISO Standards in Strengthening Organizational Resilience, Mitigating Risk & Addressing Sustainability Concerns

ERDC/GSL TN-14-2 August 2014 Review of Instrumentation and Monitoring for USACE Levees

DOD Methodology for the Valuation of Excess, Obsolete, and Unserviceable Inventory and Operating Materials and Supplies

DRAFT ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management system implementation guidance

DEFENSE ACQUISITION REVIEW JOURNAL

Sediment and Terrestrial Toxicity and Bioaccumulation of Nano Aluminum Oxide. Click to edit Master subtitle style

USACE Environmental Support to the Army and the Nation

SIO Shipyard Representative Bi-Weekly Progress Report

EFFECT OF MATERIAL PHASE CHANGE ON PENETRATION AND SHOCK WAVES

Ultraviolet Curable Powder Coatings With Robotic Curing for Aerospace Applications

RISKS FROM HANDLING EXPLOSIVES IN PORTS

Atmospheric Plasma Depainting. Peter Yancey Atmospheric Plasma Solutions, Inc.

Report No. DODIG April 19, Defense Contract Management Agency Santa Ana Quality Assurance Oversight Needs Improvement

Transcription:

Software And Systems Engineering Risk Management John Walz VP Technical and Conferences Activities, IEEE Computer Society Vice-Chair Planning, Software & Systems Engineering Standards Committee, IEEE Computer Society US TAG to ISO TMB Risk Management Working Group Systems and Software Technology Conference, SSTC 2010 1

Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE APR 2010 2. REPORT TYPE 3. DATES COVERED 00-00-2010 to 00-00-2010 4. TITLE AND SUBTITLE Software And Systems Engineering Risk Management 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) IEEE Computer Society,2001 L Street N.W., Suite 700,Washington,DC,20036-4928 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 11. SPONSOR/MONITOR S REPORT NUMBER(S) 13. SUPPLEMENTARY NOTES Presented at the 22nd Systems and Software Technology Conference (SSTC), 26-29 April 2010, Salt Lake City, UT. Sponsored in part by the USAF. U.S. Government or Federal Rights License 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified Same as Report (SAR) 18. NUMBER OF PAGES 32 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

Agenda What is the change in Risk? What are the other Risk definitions? What is Risk Management (RSKM)? What are the other RSKM standards? Where is RSKM in the enterprise and project? RSKM in Software and System Technology (SST) supply chain? What are the RSKM processes? What is the RSKM standards history? What changed in RSKM? What can you do? 2

"change the game" This year, the Systems and Software Technology Conference will explore various technologies which are expected to make abrupt changes to common thought. We will explore the tools, the processes, and the ideas which will "change the game" and make the way we have done things in the past - obsolete. The DOD supply chain has implements risk management processes to meet customer needs for the major objectives of timely delivery of functionality with quality. As software and systems complexity increased, these objectives have been difficult to achieve together. During system operations, unknown quality issues and events have placed missions at risk. What s changing the game are coordinated standards issued late in 2009: Risk management Principles and guidelines Risk management Vocabulary Risk management Risk Assessment 3

Changed Risk definition Published RSKM Vocabulary, ISO Guide 73 2002 combination of the probability of an event and its consequence 2009 effect of uncertainty on objectives This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening the event to the effect on objectives. Kevin W. Knight 4

RSMK Concepts from New Zealand Society for Risk Management RSMK concepts which underpin both AS/NZS4360:2004 and ISO 31000:2009 Risk defined as "the effect of uncertainty on objectives" The change in definition shifts the emphasis from "the event" (something happens) to "the effect" which is the effect of the event on objectives. So, the "risk" isn't the chance of having a fire (for example) but the chance that value will be destroyed and or income flow disrupted (assuming preserving value and income flow was part of the objective). http://www.risksociety.org.nz/what_is_risk_management 5

Risk Events human health viewpoint public acceptance Events Events safety environment al protection Risk Objectives legal and regulatory compliance efficiency in operations Events Events governance and reputation Events security 6 Events product quality Events project management Events

What are the other Risk definitions? 7

risk effect of uncertainty on objectives, Guide 73-2009 NOTE 1! and/or negative. NOTE 2! An effect is a deviation from the expected positive Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). NOTE 3! events and consequences, or a combination of these. NOTE 4! Risk is often characterized by reference to potential Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. NOTE 5! Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. 8

risk management, risk management process, establishing the context, & risk assessment Guide 73-2009 risk management coordinated activities to direct and control an organization with regard to risk risk management process systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk establishing the context defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy risk assessment overall process of risk identification, risk analysis and risk evaluation. 9

What is Risk Management (RSKM)? 10

Risk management Principles and Guidelines ISO 31000:2009 Provides principles and generic guidelines on risk management Can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000 is not specific to any industry or sector Can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and asset Can be applied to any type of risk, whatever its nature, whether having positive or negative consequences Although provides generic guidelines, it is not intended to promote uniformity of risk management across organizations Design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed Utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards Not intended for the purpose of certification 11

ISO 31000 Risk management Principles / Benefits For risk management to be effective, an organization should at all levels comply with the principles below. creates and protects value contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation is an integral part of all organizational processes is part of decision making explicitly addresses uncertainty is systematic, structured and timely is based on the best available information is tailored takes human and cultural factors into account is transparent and inclusive is dynamic, iterative and responsive to change facilitates continual improvement of the organization 12

RSKM Framework 13

Risk management process Establishing the context Communication and consultation Risk assessment Risk identification Risk analysis Risk evaluation IS 31010 Monitoring and review Risk treatment 14

RSKM Maturity good level 0. Pay out for risk occurrences (insurance premiums & payouts) level 1. Test in risk detection & mitigation (verification / validation) level 2. Design in risk aversion (preventative action) 15

Risk assessment techniques IEC/ISO 31010:2009 Answer the following fundamental questions: what can happen and why (by risk identification)? what are the consequences? what is the probability of their future occurrence? are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk? is the level of risk tolerable or acceptable and does it require further treatment? Provides input to decisions about: how to maximize opportunities; whether risks need to be treated; prioritizing risk treatment options; whether an activity should be undertaken; choosing between options with different risks; the most appropriate selection of risk treatment strategies that will bring adverse risks to a tolerable level. 16

Benefits of performing risk assessment, IEC/ISO 31010 understanding the risk and its potential impact upon objectives; providing information for decision makers; contributing to the understanding of risks, in order to assist in selection of treatment options; identifying the important contributors to risks and weak links in systems and organizations; comparing of risks in alternative systems, technologies or approaches; communicating risks and uncertainties; assisting with establishing priorities; contributing towards incident prevention based upon post-incident investigation; selecting different forms of risk treatment; meeting regulatory requirements; providing information that will help evaluate whether the risk should be accepted when compared with pre-defined criteria; assessing risks for end-of-life disposal. 17

Risk Assessment, IEC/ISO 31010 Expands Risk analysis: Controls assessment Consequence analysis Preliminary analysis Likelihood analysis and probability estimation Uncertainties and sensitivities Risk assessment Risk identification Risk analysis Risk evaluation * from ISO 31000 18

What are the other RSKM standards? 19

Standards addressing RSKM from Technical Committees Technical Area Committee Std # Standards title Risk Management ISO TMB Guide 73 Risk Management Vocabulary ISO 31000 Risk Management Principles & Guidance Dependability IEC TC 56 IEC/ISO 31010 Risk Assessment Software & JTC1/SC7 IS 12207 Software Engineering Life Cycle Processes System Engineering IS 15288 Systems Engineering Life Cycle Processes IS 16085 Risk Management Process Quality ISO TC 176 ISO 9001 Quality Management System ISO 9000 Quality Management Vocabulary Environment ISO TC 207 ISO 14001 Environmental Management System IT Security JTC1/SC22 IS 27005 Information Security RSKM Supply Chain Security ISO TC 8 ISO/PAS 28001 Security management systems for the supply chain Societal security ISO TC 223 ISO/PAS 22399 Guideline for incident preparedness and operational continuity management Medical Devices ISO TC 210 ISO 14971 Application of risk management to medical devices 20

Where is RSKM in the enterprise and project? 21

Governance Risk Compliance (GRC) VOLUNTARY BOUNDARY boundary defined by management ncludlng pub ic oommltments, organizatjonal values, contractual obligations, and other volu tary pol cles BUSINESS MODEL stndagy. people, process, tachi1ok)gy.,d lnfrastrucbn In place to drtve toward objectives OBJECTIVES strateg c, operational, customer, oompllance and reporting objectives obstacles Impede progress toward achieving ObJectives MANDATED BOUNDARY boundary estabhshed by external forces Inc udng laws, government regulation and other ma dates Open Compliance & Ethics Group (OCEG) 22

Risk Management in SST organization Enterprise ISO 31000, ISO 31010 Acquirer Products & services Enterprise IEEE 16085 Supplier Products & services Enterprise GRC 31000 31010 Products & services 15288/12207 16085 Supply chain management 23

Enterprise vs. Project The management of risk extends from devices to enterprise systems, from quality management, to project management, to product development, and to system operations. The collection of software and systems engineering standards based on IEEE/ISO/IEC 12207/15288 frameworks covers risk management with specific details in IEEE 16085 Risk Management Processes. Alternate framework of CMMI-DEV covers the Risk Management Process Area. 24

RSKM in Software and System Technology (SST) supply chain? 25

Standards affecting SST supply chain S2E Life Cycle Processes IEEE/ISO/IEC 12207/15288 Risk Management Processes IEEE/ISO/IEC 16085:2006 Risk management Principles and Guidelines ISO 31000:2009 Risk management -- Risk assessment techniques IEC/ISO 31010:2009 Risk management Vocabulary Guide 73:2009 26

What are the RSKM processes? 27

RSKM Process Model, IS16085 lnlormatioft Needs O Technical r-------~~------~ and Managomont Dcci$ions Management Processes Project Rislt Profile 8 ~ -... nd Alsk Actton Request RiSk TrHtmen1....,. la ~~ f) Plan ~nd - Man~go...---~-:...,. the 1m plomont - Risk,...... -;..~ II Proj«1 Management r- Jo Pefform Rtsk Risk Profile Analy~ 4 ~ L.-- J0 ~RIM -II Monitoring II 28

What is the RSKM standards history? 29

Risk Management (RSKM) Standards Selected History Year Std # Std Title 1995 AS/NZS 4360 RSKM 1999 AS/NZS 4360 RSKM 2001 JIS Q 2001 Guidelines for Development and Implementation of RSKM System 2001 IEEE 1540 Software Life Cycle Processes RSKM 2001 IEC 62198 Project RSKM Application Guidelines 2002 ISO/IEC Guide 73 RSKM Vocabulary Guidelines for Use in Standards 2004 AS/NZS 4360 RSKM 2004 COSO Enterprise RSKM Framework 2006 ISO/IEC 16085 Risk Management Process 2008 ISO/IEC 12207 Software Lifecycle Processes 2009 ISO/IEC Guide 73 Risk management Vocabulary 2009 ISO 31000 Risk management Principles and guidelines 2009 IEC/ISO 31010 Risk management Risk Assessment 30

Where can you do? 31

ISO 31000 Implementation The SST supply chain s practice of risk management must be reexamined to include the positive opportunity with the negative view of risk expand application of risk to any organizational objective expand risk management to the enterprise carefully define their Context as there is little guidance integrate RSKM into their ISO 9001 clause 8.5.3 Preventive action avoid offers for conformity assessments use 16085 for product & service development and deploymnet 32

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback