5.9.1 Software Risk Evaluation (SRE)
This is a formal approach developed by the Software Engineering Institute
(SEI) using a risk management paradigm that defines a continuous set of
activities to identify, communicate, and resolve software risks. These
activities are: identify, analyze, plan, track, and control. (The SEI
activities are analogous to the activities of the risk management process
defined in this section.)
This methodology is initiated by the PM, who tasks an independent SRE team
to conduct a risk evaluation of the contractor’s software development effort.
The team executes the following SRE functions in performing this evaluation,
and prepares findings that will provide the PM with the results of the
- Detection of the software technical risks present in
the program. An SEI Taxonomy-Based Questionnaire is used to ensure that all
areas of potential risk are identified. This questionnaire is based on the
SEI Software Development Risk Taxonomy, which provides a systematic way of
organizing and eliciting risks within a logical framework, so that risks are
not overlooked simply because no one thought to ask about them.
- Specification of all aspects of identified technical
software risks, including their conditions, consequences/impacts, and
- Assessment of each risk to determine the probability of
its occurrence and the severity of its consequences/impacts.
- Consolidation of the risk data into a concise format
suitable for decision making by the PM.
A detailed discussion of the SRE methodology is found in Software
Engineering Institute Technical Report CMU/SEI-94-TR-19, Software Risk
Evaluation Model, Version 1.0, December