Systems and software engineering -- Life cycle processes -- Risk management

This document:

— provides risk management elaborations for the processes described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207,

— provides the users of ISO/IEC/IEEE 15288, ISO/IEC/IEEE 12207 and their associated elaboration standards with common terminology and specialized guidance for performing risk management within the context of systems and software engineering projects,

— specifies the required information items that are to be produced through the implementation of risk management process for claiming conformance, and

— specifies the required contents of the information items.

This document provides a universally applicable standard for practitioners responsible for managing risks associated with systems and software over their life cycle. This document is suitable for the management of all risks encountered in any organization or project appropriate to the systems or software projects regardless of context, type of industry, technologies utilized, or organizational structures involved.

This document does not provide detailed information about risk management practices, techniques, or tools which are widely available in other publications. Instead this document focuses on providing a comprehensive reference for integrating the large and wide variety of processes, practices, techniques, and tools encountered in systems and software engineering projects and other lifecycle activities into a unified approach for risk management, with the purpose of providing effective and efficient risk management while meeting the expectations and requirements of organization and project stakeholders.

French title: Ingénierie des systèmes et du logiciel -- Processus du cycle de vie -- Gestion des risques

General Information

Status: Published
Publication Date: 14-Jan-2021
Current Stage: 5060 - Close of voting. Proof returned by Secretariat
Start Date: 17-Nov-2020
Completion Date: 16-Nov-2020
Buy Standard

Standard: ISO/IEC/IEEE 16085:2021 - Systems and software engineering -- Life cycle processes -- Risk management (English language, 47 pages)

Draft: ISO/IEC/IEEE FDIS 16085 - Systems and software engineering -- Life cycle processes -- Risk management (English language, 47 pages)

Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC/IEEE 16085
First edition 2021-01
Systems and software engineering — Life cycle processes — Risk management
French title: Ingénierie des systèmes et du logiciel — Processus du cycle de vie — Gestion des risques
Reference number: ISO/IEC/IEEE 16085:2021(E)
© ISO/IEC 2021
© IEEE 2021
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021
© IEEE 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO or IEEE at the respective address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Institute of Electrical and Electronics Engineers, Inc
3 Park Avenue, New York
NY 10016-5997, USA
Email: stds.ipr@ieee.org
Website: www.ieee.org

© ISO/IEC 2021 – All rights reserved
© IEEE 2021 – All rights reserved
Contents

Foreword
Introduction
1 Scope
  1.1 Overview
  1.2 Purpose
  1.3 Field of application
2 Normative references
3 Terms and definitions
4 Conformance
  4.1 Intended usage
  4.2 Conformance to information items
  4.3 Conformance to process
  4.4 Full conformance
5 Key concepts and application
  5.1 Key concepts
    5.1.1 Risk and opportunity
    5.1.2 Project and organizational specific terminology
    5.1.3 Systems and software
    5.1.4 Uncertainty and its relationship to risk
    5.1.5 Complexity and its relationship to risk
    5.1.6 Risk management above the project level
    5.1.7 Purpose and principles for risk management
  5.2 Application
    5.2.1 General
    5.2.2 Application with ISO/IEC/IEEE 15288 or ISO/IEC/IEEE 12207
    5.2.3 Application with ISO 31000
    5.2.4 Application with ISO 9001
    5.2.5 Application with other ISO, IEC, ISO/IEC, and ISO/IEC/IEEE standards
6 Risk management process
  6.1 Purpose
  6.2 Process
  6.3 Outcomes
  6.4 Activities and tasks
    6.4.1 General
    6.4.2 Plan risk management
    6.4.3 Manage the risk profile
    6.4.4 Analyze risks
    6.4.5 Treat risks
    6.4.6 Monitor risks
    6.4.7 Evaluate the risk management process
7 Risk management in life cycle processes
  7.1 Overview
  7.2 Risk management in agreement processes
    7.2.1 General
    7.2.2 Acquisition process
    7.2.3 Supply process
  7.3 Risk management in organizational project-enabling processes
    7.3.1 General
    7.3.2 Life cycle model management process
    7.3.3 Infrastructure management process
    7.3.4 Portfolio management process
    7.3.5 Human resource management process
    7.3.6 Quality management process
    7.3.7 Knowledge management process
  7.4 Risk management in technical management processes
    7.4.1 General
    7.4.2 Project planning process
    7.4.3 Project assessment and control process
    7.4.4 Decision management process
    7.4.5 Risk management process
    7.4.6 Configuration management process
    7.4.7 Information management process
    7.4.8 Measurement process
    7.4.9 Quality assurance process
  7.5 Risk management in technical processes
    7.5.1 General
    7.5.2 Business or mission analysis process
    7.5.3 Stakeholder needs and requirements definition process
    7.5.4 System/Software requirements definition process
    7.5.5 Architecture definition process
    7.5.6 Design definition process
    7.5.7 System analysis process
    7.5.8 Implementation process
    7.5.9 Integration process
    7.5.10 Verification process
    7.5.11 Transition process
    7.5.12 Validation process
    7.5.13 Operation process
    7.5.14 Maintenance process
    7.5.15 Disposal process
  7.6 Tailoring process
    7.6.1 Typical risk areas
    7.6.2 Typical opportunity areas
    7.6.3 Typical treatments
8 Information items
  8.1 Risk management plan
    8.1.1 Purpose
    8.1.2 Risk management plan outline
  8.2 Risk treatment plan
    8.2.1 Purpose
    8.2.2 Risk treatment plan outline
Bibliography
IEEE Notices and Abstract
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the rules given in the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards through a consensus development process, approved by the American National Standards Institute, which brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers are not necessarily members of the Institute and serve without compensation. While the IEEE administers the process and establishes rules to promote fairness in the consensus development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the information contained in its standards.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.c).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Systems and software engineering, in cooperation with the Systems and Software Engineering Standards Committee of the IEEE Computer Society, under the Partner Standards Development Organization cooperation agreement between ISO and IEEE.

This edition cancels and replaces ISO/IEC 16085:2006, which has been technically revised.

The main changes compared to ISO/IEC 16085:2006 are as follows:

— Use common terminology, common process names, and common process structure with ISO/IEC/IEEE 15288:2015 and ISO/IEC/IEEE 12207:2017.

— Improve consistency with ISO 31000:2018, which provides generic principles, framework, and process for managing all forms of risk.

— Provide specialized guidance for performing risk management within the context of systems and software engineering projects.

This document is intended to be used in conjunction with ISO/IEC/IEEE 15288:2015, ISO/IEC/IEEE 12207:2017, ISO 31000 and IEC 31010, and is not a replacement.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document is an elaboration standard for the risk management process described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207. This document provides requirements for the tasks and activities of the risk management process in Clause 6, consistent with these life cycle process International Standards. This document provides a definition of the content of the risk management plan (8.1) and risk treatment plan (8.2). This document also provides guidance for how risk management outcomes, activities, and tasks pertain to other processes.

This document prescribes a continuous process for risk management. Clause 1 provides an overview and the purpose, scope, and field of application. Clause 2 lists the normative references. Clause 3 provides terms and definitions. Clause 4 prescribes conformance criteria. Clause 5 describes key concepts and application with other International Standards. Clause 6 elaborates the risk management process as required by ISO/IEC/IEEE 15288 or ISO/IEC/IEEE 12207. Clause 6 also defines required purpose, outcomes, tasks, and activities of the risk management process for application to systems and software engineering projects in an integrated manner as described in Clause 7 and produces the information products described in Clause 8. Clause 7 suggests some typical risk areas, some typical opportunity areas, and some typical treatments for each life cycle process. Clause 8 prescribes the content for the risk management information items. The Bibliography lists informative references that are either referenced by this document or of interest to users of this document.
INTERNATIONAL STANDARD ISO/IEC/IEEE 16085:2021(E)

Systems and software engineering — Life cycle processes — Risk management

1 Scope

1.1 Overview

This document:

— provides risk management elaborations for the processes described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207,

— provides the users of ISO/IEC/IEEE 15288, ISO/IEC/IEEE 12207 and their associated elaboration standards with common terminology and specialized guidance for performing risk management within the context of systems and software engineering projects,

— specifies the required information items that are to be produced through the implementation of risk management process for claiming conformance, and

— specifies the required contents of the information items.

This document provides a universally applicable standard for practitioners responsible for managing risks associated with systems and software over their life cycle. This document is suitable for the management of all risks encountered in any organization or project appropriate to the systems or software projects regardless of context, type of industry, technologies utilized, or organizational structures involved.

This document does not provide detailed information about risk management practices, techniques, or tools which are widely available in other publications. Instead this document focuses on providing a comprehensive reference for integrating the large and wide variety of processes, practices, techniques, and tools encountered in systems and software engineering projects and other lifecycle activities into a unified approach for risk management, with the purpose of providing effective and efficient risk management while meeting the expectations and requirements of organization and project stakeholders.

1.2 Purpose

This document provides information on how to design, develop, implement, and continually improve risk management in a systems and software engineering project throughout its life cycle.

1.3 Field of application

This document is compatible with risk management as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 and can also be applied in conjunction with ISO 31000. Depending on the scope and context of the systems or software engineering project of interest, there are a number of additional International Standards that can be applicable to the risk management effort including ISO 9001. This document is intended to provide additional information useful in implementing a system for integrated risk management for systems and software engineering projects. 5.2 discusses in more detail how this document can be applied with other standards.

This document is applicable to:

— project teams which use ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 on projects dealing with man-made systems, software-intensive systems, software and hardware products, and services related to those systems and products, regardless of organization or project scope, product(s), methodology, size, or complexity;

— project teams performing risk management activities to aid in ensuring that their application of risk management conforms to ISO/IEC/IEEE 15288 and/or ISO/IEC/IEEE 12207;

— project teams using ISO/IEC/IEEE 15289 on projects dealing with human-made systems, software-intensive systems, software and hardware products, and services related to those systems and products, regardless of organization or project scope, product(s), methodology, size, or complexity; and

— project teams generating information items developed during the application of risk management processes to conform to ISO/IEC/IEEE 15289.

This document can be applied in conjunction with ISO 31000 and IEC 31010 to augment risk management performed within the context of ISO/IEC/IEEE 15288 and/or ISO/IEC/IEEE 12207.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC/IEEE 12207:2017, Systems and software engineering — Software life cycle processes

ISO/IEC/IEEE 15288:2015, Systems and software engineering — System life cycle processes

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO, IEC, and IEEE maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/
— IEC Electropedia: available at http://www.electropedia.org/
— IEEE Standards Dictionary Online: available at http://dictionary.ieee.org

NOTE Definitions for other system and software engineering terms typically can be found in ISO/IEC/IEEE 24765, available at www.computer.org/sevocab.

3.1
consequence
outcome of an event affecting one or more stakeholders (3.11)

Note 1 to entry: An event can lead to a range of consequences.

Note 2 to entry: A consequence can be certain or uncertain and can have positive or negative effects on objectives (3.3).

Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.

Note 4 to entry: Initial consequences can escalate through follow-on effects.

[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — In the definition, "objectives" has been replaced by "one or more stakeholders"; the notes to entry have be
...

FINAL DRAFT INTERNATIONAL STANDARD
ISO/IEC/IEEE/FDIS 16085

ISO/IEC JTC 1/SC 7
Secretariat: BIS

Voting begins on: 2020-09-21
Voting terminates on: 2020-11-16

Systems and software engineering — Life cycle processes — Risk management

Ingénierie des systèmes et du logiciel — Processus du cycle de vie — Gestion des risques

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

Reference number: ISO/IEC/IEEE/FDIS 16085:2020(E)

© ISO/IEC 2020
© IEEE 2020
ISO/IEC/IEEE/FDIS 16085:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020
© IEEE 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO or IEEE at the respective address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org

Institute of Electrical and Electronics Engineers, Inc
3 Park Avenue, New York
NY 10016-5997, USA
Email: stds.ipr@ieee.org
Website: www.ieee.org

Published in Switzerland
Contents

Foreword
Introduction
1 Scope
  1.1 Overview
  1.2 Purpose
  1.3 Field of application
2 Normative references
3 Terms and definitions
4 Conformance
  4.1 Intended usage
  4.2 Conformance to information items
  4.3 Conformance to process
  4.4 Full conformance
5 Key concepts and application
  5.1 Key concepts
    5.1.1 Risk and opportunity
    5.1.2 Project and organizational specific terminology
    5.1.3 Systems and software
    5.1.4 Uncertainty and its relationship to risk
    5.1.5 Complexity and its relationship to risk
    5.1.6 Risk management above the project level
    5.1.7 Purpose and principles for risk management
  5.2 Application
    5.2.1 General
    5.2.2 Application with ISO/IEC/IEEE 15288 or ISO/IEC/IEEE 12207
    5.2.3 Application with ISO 31000
    5.2.4 Application with ISO 9001
    5.2.5 Application with other ISO, IEC, ISO/IEC, and ISO/IEC/IEEE standards
6 Risk management process
  6.1 Purpose
  6.2 Process
  6.3 Outcomes
  6.4 Activities and tasks
    6.4.1 General
    6.4.2 Plan risk management
    6.4.3 Manage the risk profile
    6.4.4 Analyze risks
    6.4.5 Treat risks
    6.4.6 Monitor risks
    6.4.7 Evaluate the risk management process
7 Risk management in life cycle processes
  7.1 Overview
  7.2 Risk management in agreement processes
    7.2.1 General
    7.2.2 Acquisition process
    7.2.3 Supply process
  7.3 Risk management in organizational project-enabling processes
    7.3.1 General
    7.3.2 Life cycle model management process
    7.3.3 Infrastructure management process
    7.3.4 Portfolio management process
    7.3.5 Human resource management process
    7.3.6 Quality management process
    7.3.7 Knowledge management process
  7.4 Risk management in technical management processes
    7.4.1 General
    7.4.2 Project planning process
    7.4.3 Project assessment and control process
    7.4.4 Decision management process
    7.4.5 Risk management process
    7.4.6 Configuration management process
    7.4.7 Information management process
    7.4.8 Measurement process
    7.4.9 Quality assurance process
  7.5 Risk management in technical processes
    7.5.1 General
    7.5.2 Business or mission analysis process
    7.5.3 Stakeholder needs and requirements definition process
    7.5.4 System/Software requirements definition process
    7.5.5 Architecture definition process
    7.5.6 Design definition process
    7.5.7 System analysis process
    7.5.8 Implementation process
    7.5.9 Integration process
    7.5.10 Verification process
    7.5.11 Transition process
    7.5.12 Validation process
    7.5.13 Operation process
    7.5.14 Maintenance process
    7.5.15 Disposal process
  7.6 Tailoring process
    7.6.1 Typical risk areas
    7.6.2 Typical opportunity areas
    7.6.3 Typical treatments
8 Information items
  8.1 Risk management plan
    8.1.1 Purpose
    8.1.2 Risk management plan outline
  8.2 Risk treatment plan
    8.2.1 Purpose
    8.2.2 Risk treatment plan outline
Bibliography
IEEE notices and abstract

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

rules given in the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating

Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its

standards through a consensus development process, approved by the American National Standards

Institute, which brings together volunteers representing varied viewpoints and interests to achieve the

final product. Volunteers are not necessarily members of the Institute and serve without compensation.

While the IEEE administers the process and establishes rules to promote fairness in the consensus

development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of

the information contained in its standards.

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC

list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 7, Systems and software engineering, in cooperation with the Systems and Software

Engineering Standards Committee of the IEEE Computer Society, under the Partner Standards

Development Organization cooperation agreement between ISO and IEEE.

This edition cancels and replaces ISO/IEC 16085:2006, which has been technically revised.

The main changes compared to ISO/IEC 16085:2006 are as follows:

— Use common terminology, common process names, and common process structure with

ISO/IEC/IEEE 15288:2015 and ISO/IEC/IEEE 12207:2017.

— Improve consistency with ISO 31000:2018, which provides generic principles, framework, and

process for managing all forms of risk.

— Provide specialized guidance for performing risk management within the context of systems and

software engineering projects.

This document is intended to be used in conjunction with ISO/IEC/IEEE 15288:2015,

ISO/IEC/IEEE 12207:2017, ISO 31000 and IEC 31010, and is not a replacement for any of them.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

This document is an elaboration standard for the risk management process described in

ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207. This document provides requirements for the tasks

and activities of the risk management process in Clause 6, consistent with these life cycle process

International Standards. This document provides a definition of the content of the risk management

plan (8.1) and risk treatment plan (8.2). This document also provides guidance for how risk management

outcomes, activities, and tasks pertain to other processes.

This document prescribes a continuous process for risk management. Clause 1 provides an overview

and the purpose, scope, and field of application. Clause 2 lists the normative references. Clause 3

provides terms and definitions. Clause 4 prescribes conformance criteria. Clause 5 describes key

concepts and application with other International Standards. Clause 6 elaborates the risk management

process as required by ISO/IEC/IEEE 15288 or ISO/IEC/IEEE 12207. Clause 6 also defines required

purpose, outcomes, tasks, and activities of the risk management process for application to systems

and software engineering projects in an integrated manner as described in Clause 7 and produces the

information products described in Clause 8. Clause 7 suggests some typical risk areas, some typical

opportunity areas, and some typical treatments for each life cycle process. Clause 8 prescribes the

content for the risk management information items. The Bibliography lists informative references that

are either referenced by this document or of interest to users of this document.

Systems and software engineering — Life cycle processes — Risk management
1 Scope
1.1 Overview
This document:

— provides risk management elaborations for the processes described in ISO/IEC/IEEE 15288 and

ISO/IEC/IEEE 12207,

— provides the users of ISO/IEC/IEEE 15288, ISO/IEC/IEEE 12207 and their associated elaboration

standards with common terminology and specialized guidance for performing risk management

within the context of systems and software engineering projects,

— specifies the required information items that are to be produced through the implementation of

risk management process for claiming conformance, and
— specifies the required contents of the information items.

This document provides a universally applicable standard for practitioners responsible for managing

risks associated with systems and software over their life cycle. This document is suitable for the

management of all risks encountered in any organization or project appropriate to the systems or

software projects regardless of context, type of industry, technologies utilized, or organizational

structures involved.

This document does not provide detailed information about risk management practices, techniques, or

tools which are widely available in other publications. Instead this document focuses on providing a

comprehensive reference for integrating the large and wide variety of processes, practices, techniques,

and tools encountered in systems and software engineering projects and other lifecycle activities

into a unified approach for risk management, with the purpose of providing effective and efficient

risk management while meeting the expectations and requirements of organization and project

stakeholders.
1.2 Purpose

This document provides information on how to design, develop, implement, and continually improve

risk management in a systems and software engineering project throughout its life cycle.

1.3 Field of application

This document is compatible with risk management as described in ISO/IEC/IEEE 15288 and

ISO/IEC/IEEE 12207 and can also be applied in conjunction with ISO 31000. Depending on the scope

and context of the systems or software engineering project of interest, there are a number of additional

International Standards that can be applicable to the risk management effort including ISO 9001. This

document is intended to provide additional information useful in implementing a system for integrated

risk management for systems and software engineering projects. 5.2 discusses in more detail how this

document can be applied with other standards.
This document is applicable to:

— project teams which use ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 on projects dealing with

man-made systems, software-intensive systems, software and hardware products, and services

related to those systems and products, regardless of organization or project scope, product(s),

methodology, size, or complexity;

— project teams performing risk management activities to aid in ensuring that their application of risk

management conforms to ISO/IEC/IEEE 15288 and/or ISO/IEC/IEEE 12207;

— project teams using ISO/IEC/IEEE 15289 on projects dealing with human-made systems,

software-intensive systems, software and hardware products, and services related to those

systems and products, regardless of organization or project scope, product(s), methodology, size,

or complexity; and

— project teams generating information items developed during the application of risk management

processes to conform to ISO/IEC/IEEE 15289.

This document can be applied in conjunction with ISO 31000 and IEC 31010 to augment risk management

performed within the context of ISO/IEC/IEEE 15288 and/or ISO/IEC/IEEE 12207.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC/IEEE 12207:2017, Systems and software engineering — Software life cycle processes

ISO/IEC/IEEE 15288:2015, Systems and software engineering — System life cycle processes

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO, IEC, and IEEE maintain terminological databases for use in standardization at the following

addresses:
— ISO Online browsing platform: available at https://www.iso.org/
— IEC Electropedia: available at http://www.electropedia.org/
— IEEE Standards Dictionary Online: available at http://dictionary.ieee.org

NOTE Definitions for other system and software engineering terms typically can be found in ISO/IEC/IEEE 24765, available at www.computer.org/sevocab.

...
