The purpose of Risk Management is to identify, analyze, and mitigate risks to organizational assets that could adversely affect the operation and delivery of services.
Risk management is a basic and essential organizational capability. The organization must identify, analyze, and mitigate risk commensurate with its risk tolerances and appetite to ensure that it prevents potential disruptions that could interfere with its ability to meet its mission. At a tactical level, to accomplish this goal, the organization must control operational risk—the risk that results from operating services and associated assets on a day-to-day basis. Operational risk encompasses the potential impact that could result from
• failed internal processes
• inadvertent or deliberate actions of people
• problems with systems or technology
• external events
Managing operational risk significantly influences operational resilience. The risk of disruption to any asset potentially renders associated services unable to meet their mission, hence reducing operational resilience. The organization must identify this risk, analyze it, and determine the extent to which it could affect operations. Mitigating such risk requires a careful balance between strategies for protecting and sustaining assets and services while considering the cost of these strategies and the value of the assets and services to the organization.
The Risk Management process area establishes the organization’s responsibility to develop and implement an operational risk management plan and program that comprehensively and cooperatively cover the high-value assets and services of the organization. The organization explicitly establishes its risk tolerances and appetite based on its strategic drivers, market position, competitive environment, financial position, and other factors. With this appetite as a guide, risks to the assets of the organization are periodically identified, analyzed, and categorized, and mitigation strategies are developed and implemented for those risks that the organization cannot afford to ignore. The impact of risk is considered and measured against the organization’s risk evaluation criteria. Most important, the information gathered in risk assessment can be used to improve the effectiveness of strategies to protect and sustain assets and services.
All uses of “risk” in Risk Management refer to operational risk, specifically, risk to the operation and delivery of services. Other risk categories are beyond the scope of this process area.
The identification of vulnerabilities that may pose risk to the organization is performed in the Vulnerability Analysis and Resolution process area.
The development and implementation of control strategies to mitigate risk are performed in the Controls Management process area.
The development, testing, and implementation of service continuity plans to address the consequences of realized risk are performed in the Service Continuity process area.
Preparation for risk management is performed.
Preparation for operational risk management requires the organization to develop and maintain a strategy for identifying, analyzing, and mitigating operational risks. This strategy is documented in a risk management plan and addresses the activities that the organization performs enterprise-wide to carry out a continuous risk management program. This includes identifying the sources and types of operational risk and establishing a strategy that details the organization’s approach, activities, and objectives for managing these risks as a fundamental operational resilience management process.
The sources of risk to assets and services are identified and the categories of risk that are relevant to the organization are determined.
Identifying risk sources helps the organization to determine and categorize the types of operational risk that are most likely to affect day-to-day operations and to seed an organization-specific risk taxonomy that can be used as a tool for managing risk on a continuous basis as operating conditions change and evolve. The sources of risk can be both internal and external to the organization.
Categorizing operational risks provides the organization a means by which to perform advanced analysis and mitigation activities that allow for similar types of risks to be effectively neutralized or contained by limited actions by the organization.
Typical work products
Subpractices
Risk sources are the fundamental areas of risk that can affect organizational services and associated assets while they are in operation to meet the organization’s mission. Risk sources represent common areas where risks may originate. Typical internal and external sources include
• poorly designed and executed business processes and services
• inadvertent actions of people, such as accidental disclosures or modifications of information
• intentional actions of people, such as insider threat and fraud
• failure of systems to perform as intended, or risks posed by the complexity and unpredictability of interconnected systems
• failures of technology, such as the unanticipated results of the execution of software and the failure of hardware components such as servers and telecommunications
• external events and forces, such as natural disasters, failures of public infrastructure, and failures in the organization’s supply chain
Advance definition of specific risk sources for the organization provides a means for early identification of risk and can seed mitigation plans that can cover a broad array of operational risks before the organization realizes the consequences of these risks.
Risk categories provide a means for collecting and organizing risk for ease of analysis and mitigation. Typical operational risk categories align with the various sources of operational risk such as failed processes, actions of people, systems and technology, and external events but can be as granular as necessary for the organization to effectively manage risk. Operational risks may also align with the types of assets they are most likely to affect—risks to the availability of people, the confidentiality, integrity, and availability of information, etc.
An organization-specific risk taxonomy is a way to collect and catalog common operational risks that the organization is subject to and must manage. The risk taxonomy is a means for communicating these risks and for developing organizational unit and line-of-business–specific mitigation actions if operational assets and services are affected by them.
A strategy for managing operational risk relative to strategic objectives is established and maintained.
Because of the pervasive nature of operational risk, a comprehensive operational risk management strategy is needed to ensure proper consideration of risk and the effects on operational resilience. The strategy provides a common foundation for the performance of operational risk management activities (which are typically dispersed throughout the organization) and for the collection, coordination, and elevation of operational risk to the organization’s enterprise risk management process.
Typical items addressed in an operational risk management strategy include
• the scope of operational risk management activities
• the methods to be used for operational risk identification, analysis, mitigation, monitoring, and communication
• the sources of operational risk
• how the sources of operational risk should be organized, categorized, compared, and consolidated
• parameters for measuring and taking action on operational risks
• risk mitigation techniques to be used, such as the development of layered administrative, technical, and physical controls and the development of service continuity plans
• definition of risk measures to monitor the status of the operational risks
• time intervals for risk monitoring and reassessment
• staff involved in operational risk management and the extent of their involvement in the activities noted above
The operational risk management strategy should be developed to facilitate the accumulation of operational risks as input to the organization’s enterprise risk management strategy and program. The strategy should be documented and communicated to all relevant stakeholders, internal and external, that are responsible for any operational risk management activity.
Typical work products
Subpractices
Risk tolerances are identified and documented and the focus of risk management activities is established.
Risk parameters help the organization to establish a foundation for consistent risk consideration and measurement. Risk parameters reflect the organization’s stated risk tolerances and appetite and ensure that there is consistent measurement of operational risk across the organization. They provide common and consistent criteria for comparing risks and for characterizing the severity of consequences to the organization if risk is realized. This facilitates the organization’s process for prioritizing risk and for developing mitigation strategies.
The organization’s risk parameters are defined.
Risk parameters provide the organization a means for consistent measurement of operational risk across the organization. The establishment of risk tolerance thresholds, in particular, reflects the organization’s level of risk aversion by providing levels of acceptable risk in each operational risk category that the organization establishes. Risk parameters also establish the organization’s philosophy on risk management—how risks will be controlled, who is authorized to accept risk on behalf of the organization, and how often and to what degree operational risk should be assessed.
Typical work products
Subpractices
Risk thresholds are a management tool to determine when risk is in control or has exceeded acceptable organizational limits. They must be set for each category of operational risk that the organization establishes as a means for measuring and managing risk. For example, a risk threshold for virus intrusions may be whenever more than 200 users are affected; this would indicate that management needs to act to prevent operational disruption.
Criteria for measuring the organizational impact of realized risk are established.
A specific type of risk parameter that requires the organization’s attention is risk measurement criteria. Risk measurement criteria are objective criteria that the organization uses for evaluating, categorizing, and prioritizing operational risks. Without these criteria, the organization would have a difficult time consistently gauging the potential effect that an operational risk could have on one or more important impact areas for the organization.
Typical work products
Subpractices
Organizational impact areas identify the categories where realized risk may have meaningful and disruptive consequences. These areas typify what is important to the organization and to the accomplishment of its mission.
The prioritization of impact areas allows the organization to determine the relative importance of these areas to allow them to be used for risk prioritization and mitigation.
Risk measurement and evaluation criteria provide the bounds on the severity of consequences to the organization across the organizationally defined impact areas. The consistent application of these criteria across all operational risks ensures that risks are prioritized according to organizational importance (even if they are specific to an organizational unit or line of business) and are mitigated accordingly. The range of criteria can be either qualitative (high, medium, low) or quantitative (based on levels of loss, fines, number of customers lost, etc.).
While risk probability may be difficult to establish for operational risks, the organization should establish parameters for risk probability that are used to further guide risk prioritization and mitigation. These parameters can be qualitative (high, medium, or low) or quantitative (based on experience where available).
Operational risks are identified.
The level and extent of operational risks to which the organization is subjected directly affect the organization’s operational resilience. A key activity in managing and controlling operational resilience is the identification of operational risk and the mitigation of this risk before the organization is subjected to the consequences of realized risk.
Operational risks that affect assets that support services are identified.
Operational risks that can affect assets such as people, information, technology, and facilities must be identified and mitigated in order to actively manage the operational resilience of these assets and, more important, the services to which these assets are connected.
Risk identification is a foundational risk management activity. It requires the organization to identify and assess the types and extent of threats, vulnerabilities, and disruptive events that can pose risk to the operational capacity of assets and services. It is not an attempt to identify all operational risks, but only those that have meaning in the context of the categories of risk and the risk parameters established by the organization. Identified risks form a baseline from which a continuous risk management process can be established and managed.
There are many techniques that can be used to identify risk, such as
• using questionnaires and surveys
• interviewing vital managers and subject matter experts
• review of process controls
• using tools, techniques, and methodologies, such as information security risk assessments
• performing internal audits and performance reviews
• performing business impact analysis
• performing scenario planning and analysis
• using risk taxonomies for similar organizations and industries
• using lessons-learned databases, such as the incident knowledgebase
• reviewing vulnerability catalogs, such as the US-CERT Vulnerability Notes Database and MITRE’s Common Vulnerabilities and Exposures (CVE) project
The identification of vulnerabilities that may pose risk to the organization is performed in the Vulnerability Analysis and Resolution process area. The activities performed in this process area can be used as a source for seeding a list of operational risks.
Typical work products
Subpractices
Ensure that these tools, techniques, and methods are accessible to staff and that appropriate training is available.
Develop risk statements that clearly articulate the context, conditions, and consequences of the risk.
Consequences resulting from realized risk should be described relative to the impact areas that the organization defined as part of defining risk measurement criteria. (For example, consequences should be articulated in terms of how the organization’s reputation is affected, or if any fines and legal penalties result.)
Operational risks that potentially affect services as a result of asset risk are identified.
The disruption of asset productivity due to operational risk affects the ability of associated services to meet their mission. Thus, risks associated with organizational assets must be examined in the context of these services to determine if there is a potential impact on mission assurance, which in turn could affect the organization’s ability to meet its mission. Examining risk in the context of services provides the organization additional information that must be considered when prioritizing risks for disposition and mitigation.
The identification of high-value services is performed in the Enterprise Focus process area. The association of services to their associated assets is performed in the Asset Definition and Management process area. Relevant practices in these process areas must be performed before operational risks can be examined in a service context.
Typical work products
Risks are analyzed to determine priority and importance.
Risk analysis is performed by the organization to determine the relative importance of each identified operational risk and is used to facilitate the organization’s risk disposition and mitigation activities. Risk analysis helps the organization to place identified risks in the context of the organization’s risk drivers (tolerances, appetite, and measurement criteria), which further facilitates mitigation planning.
Risks are evaluated against risk tolerances and criteria, and the potential impact of risk is characterized.
To determine the extent of the operational risk, the consequences of the risk must be evaluated using the organization’s risk measurement criteria. Not all risks are the same for all organizations; what might be a major concern for one organization might be minor for another for many reasons, such as financial solvency, market position, cash reserves, and industry. Using the organization’s risk measurement criteria for valuation ensures that the risks that are most important to the organization’s unique operating circumstances are prioritized higher than those that do not directly impact organizational drivers.
Typical work products
Subpractices
Each risk is evaluated and assigned values in accordance with the defined risk parameters and risk measurement criteria. (These include likelihood, consequence, consequence severity, and thresholds.) The organization may weight the valuation of the risks by adjusting for the priority of impact areas (reputation, finance, etc.) that it established as part of the risk measurement criteria. This will ensure that impact areas of most importance to the organization will influence more strongly which risks are prioritized higher for mitigation. The organization can further influence the prioritization by applying a probability factor, if known.
The valuation can be qualitative (high, medium, or low) or can be a quantitative relative risk score that combines likelihood, impact area weighting, and consequence value. The valuation assigned to the risk statement will be used as a factor in deciding what to do with the risk.
Risks are categorized and prioritized relative to risk parameters, and risks that have to be mitigated are identified.
Categorizing operational risks can aid significantly in helping the organization to prioritize these risks for disposition and mitigation. This allows the organization to view risks according to their source, taxonomy, or other commonality, which may provide insight into disposition strategies at an aggregate level. It can also facilitate further analysis and effectively streamline the risk mitigation process, resulting in more effective mitigation strategies that cover a range of potential risks.
Typical work products
Subpractices
Risks are categorized into defined risk categories or other forms of categorization. This may result in merging similar risk statements or eliminating risk statements. Related risks are identified and grouped for efficient handling, and the cause-and-effect relationship between related risks is identified.
A relative priority is determined for each risk statement (or merged risk statements) based on the assigned risk valuation. The intent of prioritization is to determine the risks that most need attention because of their potential to affect operational resilience.
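As an added illustration (not part of the process area text), the following Python carries the valuation, threshold comparison, categorization, and prioritization described above through a small set of risk statements. The qualitative scale, impact-area weights, per-category tolerance thresholds, and the risk statements themselves are constructed for the example; an organization would substitute its own risk parameters and measurement criteria.

```python
from dataclasses import dataclass

# Qualitative scale used by the risk measurement criteria (assumed mapping;
# the model allows either qualitative or quantitative criteria).
SCALE = {"low": 1, "medium": 2, "high": 3}

# Organizational impact areas with their priorities expressed as weights
# (constructed values).
IMPACT_WEIGHTS = {"reputation": 3, "financial": 2, "legal": 2, "customer": 1}

# Risk tolerance threshold per operational risk category, expressed as a
# relative risk score (constructed values).
THRESHOLDS = {"process": 12, "people": 10, "systems": 10,
              "technology": 10, "external": 15}


@dataclass
class Risk:
    risk_id: str
    category: str        # one of the organization's risk categories
    statement: str       # context, condition and consequence in one line
    likelihood: str      # qualitative probability parameter
    consequences: dict   # impact area -> qualitative consequence level


def weighted_consequence(risk: Risk) -> int:
    """Sum of consequence values, each weighted by its impact area's priority."""
    unknown = set(risk.consequences) - set(IMPACT_WEIGHTS)
    if unknown:
        raise ValueError(f"{risk.risk_id}: undefined impact areas {sorted(unknown)}")
    return sum(IMPACT_WEIGHTS[area] * SCALE[level]
               for area, level in risk.consequences.items())


def risk_score(risk: Risk) -> int:
    """Relative risk score = likelihood value x weighted consequence value."""
    return SCALE[risk.likelihood] * weighted_consequence(risk)


def exceeds_threshold(risk: Risk) -> bool:
    """True when the score is above the tolerance set for the risk's category."""
    if risk.category not in THRESHOLDS:
        raise ValueError(f"{risk.risk_id}: no threshold for category {risk.category!r}")
    return risk_score(risk) > THRESHOLDS[risk.category]


def prioritize(risks: list) -> list:
    """Order all risk statements by score, flagging those that must be mitigated."""
    ranked = sorted(risks, key=lambda r: (-risk_score(r), r.risk_id))
    return [(r.risk_id, risk_score(r), exceeds_threshold(r)) for r in ranked]


def categorize(risks: list) -> dict:
    """Group risk ids by category, highest score first within each category."""
    groups = {}
    for r in sorted(risks, key=lambda r: (-risk_score(r), r.risk_id)):
        groups.setdefault(r.category, []).append(r.risk_id)
    return groups


# Constructed risk statements in the context / condition / consequence form.
SAMPLE_RISKS = [
    Risk("R1", "technology",
         "Customer portal runs unsupported middleware; a known defect could "
         "cause an outage and data corruption during peak trading.",
         "high", {"reputation": "medium", "financial": "high", "customer": "medium"}),
    Risk("R2", "people",
         "Payment approvals lack dual control; a single insider could "
         "authorize fraudulent transfers.",
         "low", {"financial": "high", "legal": "high"}),
    Risk("R3", "external",
         "Regional power instability; a prolonged outage would degrade "
         "call-center availability.",
         "medium", {"customer": "medium"}),
    Risk("R4", "process",
         "Change approvals are tracked by e-mail; an unreviewed change could "
         "be deployed without rollback steps.",
         "medium", {"reputation": "low", "financial": "low"}),
]

if __name__ == "__main__":
    for risk_id, score, mitigate in prioritize(SAMPLE_RISKS):
        print(f"{risk_id}: score={score:3d} must_mitigate={mitigate}")
    for category, ids in categorize(SAMPLE_RISKS).items():
        print(f"{category}: {ids}")
```

Risks whose score exceeds the category threshold are the ones the organization cannot afford to ignore; the rest remain candidates for acceptance or monitoring and are re-examined at the intervals set in the risk management strategy.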
The disposition of each identified risk is documented and approved.
An important part of risk management is to determine a strategy for each identified risk and to implement actions to carry out the strategy. Strategy development begins with assigning a risk disposition to each risk, that is, a statement of the organization’s intention for addressing the risk.
Risk dispositions can vary widely across organizations but typically include
• risk avoidance—altering operations to avoid the risk while still providing the essential service
• risk acceptance—acknowledgment of the risk but consciously not taking any action (in essence, accepting the potential consequences of the risk)
• risk monitoring—performing further research and deferring action on the risk until the need to address the risk is apparent
• risk transfer—assigning the risk to a willing and able entity
• risk control and mitigation—taking active steps to minimize the risk
Because risk can rarely be eliminated, the organization must actively seek to monitor the disposition of known risks to ensure that risk conditions do not warrant changes in the assigned disposition.
Typical work products
Subpractices
A risk disposition is assigned to each risk statement or group of statements. The organization must establish a range of acceptable and consistent risk dispositions and their definitions.
Risks that are to be accepted must be approved by a sufficient level of organizational management that accepts responsibility and authority for the potential impact on operational resilience that could result. For risks that are to be transferred, there must be a clear and willing organization or person able to accept the risk. Risks that are to be researched or deferred must be carefully examined to ensure that delaying mitigation will not result in the realization of the risk or effects on operational resilience.
Continuous risk management requires that the organization periodically review identified risks to ensure that they have been minimized or that changes in the risk environment do not warrant changes in the risk disposition.
The development of risk mitigation plans is performed in RISK:SG5.
Risks to assets and services are mitigated and controlled to prevent disruption of operational resilience.
Risk mitigation involves the development of strategies that seek to minimize the risk to an acceptable level. This includes actions to
• reduce the likelihood (probability) of the vulnerability or threat and resulting risk
• minimize exposure to the vulnerability or threat from which the risk arises
• develop service continuity plans that would keep an asset or service in production if affected by realized risk
• develop recovery and restoration plans to address the consequences of realized risk
An organization may mitigate risks through any combination of these actions depending on the affected assets and services, their value to the organization, and the cost of the mitigation strategies versus the value of the assets and services. Mitigation may also involve revisiting resilience requirements, improving controls, and improving strategies to sustain assets and services.
Risk mitigation requires the organization to perform two distinct actions: (1) develop risk mitigation plans and (2) implement and monitor these plans for effectiveness.
The development of protection strategies through the selection and implementation of controls is performed in the Controls Management process area. The development and implementation of service continuity plans are performed in the Service Continuity process area.
Risk mitigation plans are developed.
When the consequences of risk exceed the organization’s risk thresholds and are determined to be unacceptable, the organization must act to mitigate risk to the extent possible.
Risk mitigation requires the development of risk mitigation plans that may include a wide range of activities. In some cases, risk mitigation will simply require adjustments to current strategies for protecting and sustaining assets and services. In other cases, the organization will find itself designing and implementing new controls and developing and implementing new service continuity plans. The result of risk assessment can be very costly risk mitigation plans and activities, so the organization must consider these costs in the plan development. In addition, because not all risk can be mitigated, the organization must be able to address residual risk—the risk that remains and is accepted by the organization after mitigation plans are implemented. This risk must be analyzed and determined to be acceptable before the risk mitigation plan is in place.
Typical work products
Subpractices
Developing risk mitigation plans is an extensive activity that will vary by organization. There are some common elements of risk mitigation plans that should be considered for all plans:
• how the threat or vulnerability will be reduced
• the actions that will prevent or limit an actor from exploiting a threat or vulnerability
• the controls that will have to be implemented or updated to reduce exposure, including an articulation of administrative, physical, and technical controls
• the service continuity plans that would be used to reduce the impact of consequences should risk be realized
• the staff who are responsible for implementing and monitoring the mitigation plan
• the cost of the plan, and a cost-benefit analysis that demonstrates the value of the plan commensurate with the value of the related assets and services or avoidance of consequences
• the implementation specifics of the plan (when, where, how)
• the residual risk that would not be addressed by the plan
The risk mitigation plans should be validated against the current controls in place to protect assets and services and the service continuity plans available to manage the consequences of risk. Any gaps should be reflected in the plan. (Improving controls and strategies to sustain services as a result of risk management activities is addressed in RISK:SG6.)
Residual risk must be specifically accepted, deferred, or transferred. Otherwise, it must be considered as a risk that must be mitigated, requiring reconsideration of the risk mitigation plan.
Risk strategies and mitigation plans are implemented and monitored.
Effective management and control of risk require the organization to monitor risk and the status of risk strategies. Because the operational environment is constantly changing, risks identified and addressed may have to be revisited, and a new disposition and strategy may have to be developed.
The risk management strategy defines the intervals at which the status of risk strategies must be revisited. This may align with the organization’s regular intervals of risk identification, or it may be an activity that is performed independently of risk identification.
The implementation of risk strategies requires the monitoring of risks according to their disposition and the implementation and monitoring of risk mitigation plans.
Typical work products
Subpractices
The disposition of risks that are not being mitigated must be periodically assessed and revised as necessary. Some risks may, under future circumstances, require the development of a mitigation plan.
Information gathered from identifying, analyzing, and mitigating risk is used to improve the operational resilience management system.
Because of the direct effect of risk management on operational resilience, continuous risk management processes can be a force in improving and sustaining operational resilience. What is learned in risk identification, assessment, and mitigation directly affects existing strategies for protecting and sustaining assets and services, which can benefit from the risk management process.
To use risk information to manage operational resilience, the organization must directly use risk information as input to validating the effectiveness of current protection and sustainment strategies and to improve these strategies based on an understanding of risk.
Controls implemented to protect assets and services from risk are evaluated and updated as required based on risk information.
The controls that an organization uses to protect assets and services from operational risk are typically based on resilience requirements. However, considerations of risk as identified in the risk management process can result in improvements and enhancements to the internal control system that cannot be envisioned through translation of resilience requirements into an internal control system. Thus, improving and sustaining the organization’s operational resilience is also dependent upon using the lessons learned in risk management to improve controls by implementing missing controls and updating existing controls to consider new and emerging risks.
Typical work products
Subpractices
Comparing risk mitigation plans to existing internal control systems may help the organization to identify controls that are not working properly, controls that have to be updated or revised, and missing controls.
Service continuity plans are developed to ensure services are sustained and plans are evaluated and updated as required based on risk information.
Just as the controls structure can be improved to prevent risk realization, the organization’s ability to sustain assets and services in light of realized risk can be improved through what is learned in the risk management cycle. This can result in the identification of inadequate plans, plans that have to be revised or updated, or missing plans. Validating plans through identified risks also provides another means to ensure plan effectiveness in covering a range of possible threats and operational risks.
Typical work products
Subpractices
Comparing risk mitigation plans to existing plans will identify plans that may be inadequate, in need of updating and revision, or missing.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Risk Management process area.
The operational resilience management system supports and enables achievement of the goals of the Risk Management process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Risk Management process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices RISK:SG1.SP1 through RISK:SG6.SP2 are performed to achieve the goals of the risk management process.
Risk management is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the risk management process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the risk management process.
Subpractices
Establish and maintain the plan for performing the risk management process.
Elaboration:
The plan for the risk management process should be directly influenced by the strategic and operational planning processes of the organization and reflect strategic objectives and initiatives where appropriate.
The plan for the risk management process should not be confused with a risk management plan or plans for mitigating risk as described in RISK:SG5.SP1. The plan for the risk management process details how the organization will perform risk management, including the development of risk management and mitigation plans.
Subpractices
Elaboration:
Special consideration in the plan may have to be given to the adequacy of the internal control system for information, technology, facility, and people assets and the services they support.
Provide adequate resources for performing the risk management process, developing the work products, and providing the services of the process.
Subpractices
Elaboration:
It should be noted that this generic goal related to risk management refers to staffing the risk management process plan, not the individual risk management mitigation plans. (Assigning resources to risk management mitigation plans is described in RISK:SG5.SP2.)
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for risk management.
Assign responsibility and authority for performing the risk management process, developing the work products, and providing the services of the process.
Elaboration:
RISK:SG4.SP3 describes the level of management responsibility and authority required based on risk disposition but does not directly address responsibility and authority for carrying out the risk management process plan.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Elaboration:
Organizations may establish a risk officer, a risk management group, or a risk management process group to take responsibility for the overall risk management process. This group may also formally interface with higher-level managers for the purposes of reporting on organizational progress against risk management process goals as part of the governance process.
Elaboration:
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the risk management process as needed.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Elaboration:
Certification training is an effective way to improve risk management skills and attain competency. While operational risk management certifications are not widespread, GIAC (Global Information Assurance Certification) does offer a Certified Project Manager Certification that includes risk management of IT projects and application development. The Information Systems Examination Board (ISEB) of the British Computer Society offers a Practitioner Certificate in Information Risk Management.
Place designated work products of the risk management process under appropriate levels of control.
Identify and involve the relevant stakeholders of the risk management process as planned.
Elaboration:
Several RISK-specific practices address the involvement of stakeholders in the risk management process. For example, RISK:SG1.SP2 addresses the communication of the operational risk management strategy to relevant stakeholders. RISK:SG3.SP1 calls for identifying relevant stakeholders associated with each documented risk.
Monitor and control the risk management process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Elaboration:
Reviews of the risk management process may result from periodic examination or post-event audits that seek to identify problems that must be corrected. Elevating the results of these examinations to managers provides an opportunity to correct risk management process deficiencies and to make managers aware of variations in the risk management process that not only have localized impact but may also affect the organization’s resilience as a whole.
Elaboration:
Deviations from the risk management plan may occur because operational risks for assets and services vary widely, and thus the mitigation of these risks may require process deviations. The organization must determine if the deviations are appropriate given the risk parameters and whether the deviation will result in an impact on operational resilience.
In addition, deviations from the risk management plan may occur when organizational units fail to follow the enterprise-sponsored process. These deviations may affect the operational resilience of the organizational unit’s services but may also have a cascading effect on enterprise operational resilience objectives.
Objectively evaluate adherence of the risk management process against its process description, standards, and procedures, and address non-compliance.
Review the activities, status, and results of the risk management process with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Risk management is institutionalized as a defined process.
Establish and maintain the description of a defined risk management process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Collect risk management work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.