Risk Management Standards
Organizations should establish risk management standards and procedures for all complex or mission-critical projects. Risk management activities, which are sometimes included within quality assurance programs, should include procedures for identifying and managing internal and external project risks.
The procedures should be designed to ensure internal and external project risks are identified and assessed, reported and monitored, and appropriately managed. Managing identified risks requires organizations to develop strategies regarding risk acceptance, mitigation, transfer, or a combination of these. For example, a mitigation strategy to address risks involved with initiating projects having a high number of functional requirements might be to review the project scope and eliminate any unnecessary functional requirements. Transferring an identified risk, such as natural disasters, might be accomplished by acquiring insurance policies.
Structured project management techniques provide ways to reduce project risks. However, project management differs from risk management. Project management focuses on controlling project activities as opposed to project risks. For example, project management procedures (in a software development project) involve scheduling programmers to script programs; risk management procedures would involve establishing contingency plans in case several programmers quit in the middle of a project. Similarly, project management procedures (in an acquisition project) involve assessing a vendor's financial stability; risk management procedures would involve reviewing the accuracy of the assessment and establishing contingency plans in case the vendor fails to meet its obligations.
Quality Assurance Standards