Objective: Identify risks, threats and vulnerabilities related to the product early, and provide adequate avoidance or mitigation actions.

This practice mostly concerns the development and maintenance phases of the product.

The practice applies to all projects. It is particularly relevant in prototype projects that explore poorly understood areas or are built with new technologies, architectures or hardware.

Addressed elements in SMM

3.1. Management of risks, threats and vulnerabilities

Prerequisites to apply: The project has been initiated, the stakeholders have been identified, and the requirements have been collected and analyzed.

Steps:
  1. Set up and manage the risk registry
    1. Establish a dedicated registry for managing the identified risk factors that could negatively affect the product.
    2. Periodically analyze the risk factors together with the team to identify them, assign priorities and evaluate their impact.
    3. Involve stakeholders in the analysis.
  2. Maintain a risk management plan
    1. A risk factor can be mitigated, avoided, or accepted. Provide adequate actions for each risk factor.
    2. Evaluate the likelihood (probability) and impact of risk factors on the project plan and take corrective actions if necessary.
    3. Assign the responsibility for managing the registry to an experienced team member (or the project leader).

Risks if the practice is not applied:
  1. The risk registry is not maintained
    1. Some risk factors are not addressed.
    2. Some actions for handling the risk factors are not adequate to the actual needs.
    3. Actions are designed and implemented ad hoc, without a plan.
  2. Stakeholders are not involved in the risk analysis
    1. Stakeholders are unaware of the risk factors.

Related practices: BP-B.5: Record and manage issues encountered with the product

Source: This practice has been defined based on the literature and the results of the survey.