# PROCESS PURPOSE
The purpose is to regularly identify, analyze, treat and monitor the process-related risks and the product-related risks. (Risk: the combination of the probability of occurrence and the consequences of a given future undesirable event.)
# PROCESS OUTCOMES
O1
The sources of risks are identified and regularly updated.
O2
Potential undesirable events are identified as they develop during the conduct of the project. (Project: endeavor with defined start and finish dates undertaken to create a product or service in accordance with specified resources requirements.)
O3
The risks are analyzed and the priority in which to apply resources to treatment of these risks is determined.
O4
The risk measures are defined, applied, and assessed to determine changes in the statuses of the risks and the progress of the risk treatment activities. (Measure: an activity to achieve a certain intent.)
O5
Appropriate treatment is taken to correct or avoid the impact of risk based on its priority, probability, and consequence or other defined risk threshold.
# BASE PRACTICES
BP1
Identify sources of risks. (O1)
Identify and regularly update the sources of risks with affected parties.
Note 1: Risks may include technical, economical, and schedule risks.
Note 2: Risks may include the suppliers' deliverables and services. (Deliverable: any unique and verifiable product, result, or capability to perform a service that must be produced to complete a process, phase, or project. Often used more narrowly in reference to an external deliverable, which is a deliverable that is subject to approval by the project sponsor or customer.)
Note 3: The risk sources may vary across the entire project lifecycle.
BP2
Identify the potential undesirable events. (O2)
Identify the potential undesirable events within the scope of the risk management for the project.
Linked Knowledge Nuggets: "Examples of potential undesirable events"
Author: Process Fellows
Throughout the entire project lifecycle, various undesirable events may occur, affecting internal and/or external stakeholders. These events can be categorized, for example, into process-related and technical product-related ones.
Process-Related Undesirable Events:
These refer to disruptions or deviations in project execution and collaboration:
Project progress deviates from the planned schedule or effort estimates.
Resources, including personnel, are unavailable when needed.
Commitments made by development partners are at risk of not being fulfilled.
Technical Product-Related Undesirable Events:
These concern the quality and suitability of the delivered product:
Defective product is delivered to the customer.
Requirements are incomplete or missing and therefore the product does not provide the needed capabilities.
Changes in the product lead to unintended impacts on the product's behavior.
BP3
Determine the risks. (O3)
Determine the risks by analyzing the probability, consequence and severity of the potential undesirable events to support priorities for the mitigation of the risks.
Note 4: Different methods may be used to analyze technical risks of a system, for example, functional analysis, simulation, FMEA, FTA etc. (System: a collection of interacting components organized to accomplish a specific function or set of functions within a specific environment.)
BP4
Define risk treatment options. (O4, O5)
For each risk define a treatment option to accept, mitigate, avoid, or share (transfer) the risk.
Define and perform risk activities for the risk treatment options.
BP6
Monitor the risks. (O4)
Regularly re-evaluate the risks to determine changes in the status of a risk and to evaluate the progress of the risk treatment activities.
Note 5: Risks of high priority may need to be communicated to and monitored by higher levels of management.
Author: Process Fellows
Risk registers are not enough. MAN.5.BP6 expects continuous monitoring, i.e. a regular update, including mitigation actions. Use heat maps, risk burndown charts, and regular risk reviews.
"Why is a regular risk monitoring helpful?"
Author: Process Fellows
Risks should be tracked regularly in risk management for several important reasons:
Risks Can Evolve Over Time:
Risks are not static. Their likelihood, impact, or relevance can change due to internal or external factors such as project progress, market shifts, regulatory updates, or technical developments. Regular tracking ensures that the risk profile remains accurate and up to date.
Enables Timely Mitigation:
By monitoring risks continuously, teams can respond quickly when a risk becomes more critical or imminent. This allows for proactive mitigation strategies rather than reactive crisis management.
Supports Decision-Making:
Updated risk information helps stakeholders make informed decisions about priorities, resource allocation, and contingency planning. It ensures that decisions are based on current realities rather than outdated assumptions.
BP7
Take corrective action. (O5)
When risk treatment activities are not effective, take appropriate corrective action.
Note 6: Corrective actions may involve reevaluation of risks, developing and implementing new mitigation concepts or adjusting the existing concepts.
# OUTPUT INFORMATION ITEMS
15-51
Analysis results (O1, O2, O3, O5)
Results of analysis of an object or task. (Task: a definition, but not the execution, of a coherent set of atomic actions.)
Identifies:
Object under analysis
Analysis criteria
Selection criteria or prioritization scheme
Decision criteria
Quality criteria
Includes:
Decisions and selections performed
Assumptions and constraints
Evaluation criteria, for example correctness, completeness or consistency to a work product
Examples and references:
Verifiability analysis results, for example when a test machine becomes defective
Results of a feasibility analysis
Used by these processes:
ACQ.4 Supplier Monitoring
HWE.1 Hardware Requirements Analysis
HWE.2 Hardware Design
MAN.5 Risk Management
MAN.6 Measurement
MLE.1 Machine Learning Requirements Analysis
MLE.2 Machine Learning Architecture
PIM.3 Process Improvement
SWE.1 Software Requirements Analysis
SWE.2 Software Architectural Design
SYS.1 Requirements Elicitation
SYS.2 System Requirements Analysis
SYS.3 System Architectural Design
14-02
Corrective action (O4, O5)
Activity required to resolve a problem. (Activity: execution of a task by a stakeholder or an involved party.)
Identifies:
Initial problem description
Ownership of activity
Definition of solution(s)
Series of actions
Includes:
Timing needs, for example required closure or analysis date
Status indicator
Further activities needed, for example a follow up audit.
Used by these processes:
ACQ.4 Supplier Monitoring
MAN.3 Project Management
MAN.5 Risk Management
SUP.1 Quality Assurance
08-55
Risk measure (O4, O5)
Quantitative or qualitative value to express the level of a risk.
Identifies:
Risk to be mitigated, avoided, or shared (transferred)
Related activities
Criteria for success or failure of activities
Frequency of monitoring
Includes:
Exposure and detectability information
Originator
Alternative treatment options
Risk justifications, for example as claims
Used by these processes:
MAN.5 Risk Management
15-09
Risk status (O1, O3, O4, O5)
Status or change of an identified risk.
Identifies:
Risk statement
Sources of the risk
Impact, for example in relation to severity and probability
Owner
Includes:
Category
Threshold value(s)
Risk treatment activities and their progress