ࡱ> s Thjbjb kk dI]8F$j"j  >  @"B"B"B"B"B"B",#%n" a " n"     @"j @"4@"^ 45u !LName: _____________________________________________________ Organization (ESC Two Letter Affiliation): ___________________________ Project Name: _______________________________________________ Role in your organization: _____________________________________ Name of Risk Process: ________________________________________ If your organization (e.g. ESC) or your project has implemented a risk management process, this survey can help you decide how well the process meets the CMMI goals and specific practices. The first part of the survey deals with specific goals (SG) and their associated specific practices (SP). Your process must meet all of these specific goals and practices (a Yes answer with supporting evidence) to achieve any process capability level above 0. The second part of the survey deals with generic goals (GG) and their associated generic practices (GP) for capability levels 1 (Performed) through 5 (Optimizing). If you have not met the complete set of Generic Goal 1 generic practices (a Yes answer with supporting evidence), your capability level is 0 (Incomplete). The extent to which your process meets these generic goals and practices indicates the level of process capability from 1 (Performed) through 5 (Optimizing). A satisfactory process would meet all of the specific goals and practices (a Yes answer with supporting evidence) and all of the generic goals through level 3 (i.e., GG 1, GG 2, and GG 3) and their associated generic practices (a Yes answer with supporting evidence). SG 1 Prepare for Risk Management: Preparation for risk management is conducted. SP 1.1 Determine Risk Sources and Categories: Determine risk sources and categories. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you have an approach to determining risk sources and categories? (Process Step 2 Action 4)Yes No PartiallyIf yes, what are the indicators that risk sources have been identified and categorized?Examples of Evidence ( Risk source lists (technology, environment, non-technical, etc) ( Risk category lists by life cycle phase (COTS, integration, schedule, requirements, deployment, operations, etc.) ( Risk taxonomies (SEI, OSS&E, WBS, C4ISP, lessons learned, etc.) Use of Affinity Diagrams for categorizing risks ( Other (Specify) ________________________ SP 1.2 Define Risk Parameters: Define the parameters used to analyze and classify risks, and the parameters used to control the risk management effort. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you have an approach to defining the parameters used to analyze and classify risks, and the parameters used to control the risk management effort? (Process Step 3 Actions 1, 2, and 3)Yes No PartiallyIf yes, what are the indicators for the existence of parameters used to categorize risks?Examples of Evidence ( Defined criteria for evaluating risk likelihood, risk consequences, and severity levels ( Definitions of thresholds for risks identified ( Definition of bounds that define the extent the thresholds are applied (What are the lower likelihood, consequence, and severity cutoff levels?) ( Other (Specify) ________________________ SP 1.3 Establish a Risk Management Strategy: Establish and maintain the strategy and methods to be used for risk management. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Have you established and are you maintaining a strategy and a set of methods to be used for risk management? (Process Step 1 Action 4 and Step 6 Action 1)Yes No PartiallyIf yes, what are the indicators of risk management strategies? (Look for a plan describing overall risk management strategy including scope of the effort, project-specific sources of risks, classification of risks, thresholds, risk mitigation techniques to be used, risk measures determining risk status, etc.)Examples of Evidence ( Documented risk management plan including: Scope of effort Methods and tools Sources and categories of risk Organization and classification of risk Risk mitigation techniques ( Other (Specify) ________________________If yes, what are the indicators that risk management is planned?Examples of Evidence Risk management plan or references to it ( Other (Specify) ________________________If yes, what are the indicators that risk management strategy is maintained?Examples of Evidence Risk management plan revisions Other (Specify) ________________________ SG 2 Identify and Analyze Risks: Risks are identified and analyzed to determine their relative importance. SP 2.1 Identify Risks: Identify and document the risks. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you identify and document the risks? (Process Step 2 Actions 3 and 5)Yes No PartiallyIf yes, what are the indicators that risks are identified and documented?Examples of Evidence ( Lists or database of identified risks ( Other (Specify) ________________________ SP 2.2 Evaluate, Classify, and Prioritize Risks: Evaluate and classify each identified risk using the defined risk categories and parameters, and determine its relative priority. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you evaluate and classify each identified risk using the defined risk categories and parameters, and determine its relative priority? (Process Step 3 Actions 1, 2, 3 and 5)Yes No PartiallyIf yes, what are the indicators that risks are assigned relative importance?Examples of Evidence Assessment of likelihood of risks Meeting minutes Lists of risks and consequences assigned to each Prioritized list of risks based on parameters and categories defined in the risk management plan Documented risks and rating of parameter values assigned to each Documented list of risks with actual assigned priorities Other (Specify)________________________ SG 3 Mitigate Risks: Risks are handled and mitigated, where appropriate, to reduce adverse impact on achieving objectives. SP 3.1 Develop Risk Mitigation Plans: Develop a risk mitigation (handling) plan for the most important risks to the project, as defined by the risk management strategy. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you develop risk mitigation (handling) plans for the most important risks to the project, as defined by the risk management strategy? (Process Step 4 Action 5 and Step 5 Actions 1, 2, and 3)Yes No PartiallyIf yes, what are the indicators that projects establish mitigation (handling) plans?Examples of Evidence Handling plans are developed and implemented on selected risks Alternative handling plan review minutes Documentation of risk handling activities/options Tradeoff analysis to prioritize handling plans for implementation Thresholds are established that defines when risks are unacceptable, or trigger action Contingency plans, fall-back positions are documented Risk handling addresses: avoidance, control, transfer, and monitor and acceptance Other (Specify)________________________ SP 3.2 Implement Risk Mitigation Plans: Monitor the status of each risk periodically and implement the risk mitigation (handling) plan as appropriate. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you monitor the status of each risk periodically and implement the risk mitigation (handling) plan as appropriate? (Process Step 3 Action 4; Step 6 Action 4; and Step 7 Action 1)Yes No PartiallyIf yes, what are the indicators that risks are periodically monitored?Examples of Evidence Meeting minutes Action item lists Revisions of project plans Revised lists of risk status Revised lists of risk-handling options Revised handling plans Risk status periodically monitored. Re-assessments of risk likelihood and consequences Methods for tracking open risk-handling action items to closure are established Collecting performance metrics as part of risk handling activities (TPM, EVM, S/W Metrics) Other (Specify) ________________________ GG 1 Achieve Specific Goals. (Capability Level 1 - Performed) GP 1.1 Perform Base Practices: Perform the base practices of the risk management process to develop work products and provide services to achieve the specific goals of the process area. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Are you performing the base practices of the risk management process to develop work products and provide services to achieve the specific goals of the process area? (Satisfying all of the 3 specific goals and associated practices listed above) (Process Steps 1 through 7 All Actions and Step 7 All Decision)Yes No PartiallyIf yes, are indicators available to document performance of all the specific practices?Yes ( No (  GG 2 Institutionalize a Managed Process. (Capability Level 2 - Managed) GP 2.1 Establish an Organizational Policy: Establish and maintain an organizational policy for planning and performing the risk management process. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Have you established and are you maintaining an organizational policy for planning and performing the risk management process? (Process Step 1 Action 4 and Step 6 Action 1)Yes No PartiallyIf yes, are indicators available to document your organizational policy and its maintenance?Examples of Evidence A documented policy establishes organizational expectations for defining a risk management plan and implementing a risk management process Other (Specify) ________________________ GP 2.2 Plan the Process: Establish and maintain the requirements and objectives, and plans for performing the risk management process. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Have you established and are you maintaining the requirements and objectives, and plans for performing the risk management process? (Process Step 1 Action 4 and Step 6 Action 1)Yes No PartiallyIf yes, are indicators available to document your risk management plan? (These requirements, objectives, and plans are described in the plan for risk management. This plan for risk management differs from the risk management strategy described in the specific practice in this process area. The risk management strategy addresses risk sources, categories, parameters, and management control and reporting requirements; whereas the plan for risk management addresses high level planning for all the risk management activities.)Examples of Evidence A documented risk management plan Other (Specify) ________________________ GP 2.3 Provide Resources: Provide adequate resources for performing the planned process, developing the work products and providing the services for the risk management process. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Are you providing adequate resources for performing the planned process, developing the work products and providing the services for the risk management process? (Process Step 1 Actions 1 and 2; and Step 2 Action 3, Step 5 Action 3)Yes No PartiallyIf yes, are indicators available to document the resources you are providing?Examples of Evidence A risk management database has been established Risk management tools are being used Risk monitoring tools (e.g. metrics or action plan monitoring) are being used Other (Specify) ________________________ GP 2.4 Assign Responsibility: Assign responsibility and authority for performing the process, developing the work products, and providing the services of the risk management process. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Have you assigned responsibility and authority for performing the process, developing the work products, and providing the services of the risk management process? (Process Step 1 Action2 1 and 2; and Step 4 Action 4)Yes No PartiallyIf yes, are indicators available to document the assignment of responsibility and authority?Examples of Evidence Personnel are assigned to the risk management process their responsibilities and authority are documented Responsibility is assigned to individuals or groups for risk handling actions Authority and resources are provided to accomplish risk handling actions Identified project stakeholders are responsible for identifying risks Other (Specify) ________________________ GP 2.5 Train People: Train the people performing or supporting the risk management process as needed. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Have you trained the people performing or supporting the risk management process as needed? (Process Step 2 Actions 1 and 2)Yes No PartiallyIf yes, are indicators available to document the training? (Examples of training topics include the following: [1] Risk management concepts and practices (e.g., risk identification, evaluation, monitoring, mitigation); [2] Metric selection for risk mitigation)Examples of Evidence Training materials are available Records indicate training has been accomplished Stakeholders have been trained in risk management Other (Specify) ________________________ GP 2.6 Manage Configurations: Place designated work products of the risk management process under appropriate levels of configuration management. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Have you placed designated work products of the risk management process under appropriate levels of configuration management? (Process Step 4 Action 5 and Step 7 Action 4)Yes No PartiallyIf yes, are indicators available to document the configuration management of risk work products? Examples of Evidence Risk management plan is baselined and change controlled Risk database is updated and controlled to reflect new risk assessments and handling plan status Risk handling plans are approved, integrated in the project work plans, and change controlled Other (Specify) ________________________ GP 2.7 Identify and Involve Relevant Stakeholders: Identify and involve the relevant stakeholders of the risk management process as planned. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Have you identified and involved the relevant stakeholders of the risk management process as planned? (Process Step 1 Action 2 and Step 2 Action 1)Yes No PartiallyIf yes, are indicators available to document the identification and involvement of relevant stakeholders? Examples of Evidence A list of internal and external risk management stakeholders (includes the customer, the end users, the contractor, subcontractors, program manager, chief engineer, sustainment representative, architect, product IPT leads, etc.) Meeting minutes listing stakeholders participating in risk assessments and action plan status meetings Risk Management plan with stakeholder roles identified Other (Specify) ________________________ GP 2.8 Monitor and Control the Process: Monitor and control the risk management process against the plan and take appropriate corrective action. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Are you monitoring and controlling the risk management process against the plan and taking appropriate corrective action? (Process Step 3 Action 4; Step 7 Actions 1 through 4; and Step 7 four Decisions)Yes No PartiallyIf yes, are indicators available to document the monitoring and controlling of the planned risk management process? Examples of Evidence Number of risks identified, managed, tracked, and controlled Periodic reassessment meetings are being held as scheduled Risk Management Plan has been updated when required New stakeholders are included in risk management process Comparison of estimated vs. actual risk handling effort and impact Other (Specify) ________________________ GP 2.9 Objectively Evaluate Adherence: Objectively evaluate adherence of the risk management process and the work products and services of the process to the applicable requirements, objectives, and standards, and address noncompliance. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you objectively evaluate adherence of the risk management process and the work products and services of the process to the applicable requirements, objectives, and standards, and address noncompliance? (Process Step 7 Actions 1 through4 and Decision 4)Yes No PartiallyIf yes, are indicators available to document the adherence of the risk management process to requirements? Examples of Evidence Compliance requirements for acquisition and operational risk management are identified in the risk management plan Risk management plan (periodic review and revisions, if required) Minutes of risk assessment meetings Risk mitigation plans and documented tracking of the plans to closure Revisions, if required, to risk handling plans Other (Specify) ________________________ GP 2.10 Review Status with Higher-Level Management: Review the activities, status, and results of the risk management process with management and resolve issues. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Do you review the activities, status, and results of the risk management process with management and resolve issues? (Process Step 7 Decision 2)Yes No PartiallyIf yes, are indicators available to document the presentation of activities, status, and results with management? (Reviews of the project risk status are held on a periodic and event-driven basis with appropriate levels of management, to provide visibility into the potential for project risk exposure and appropriate corrective action.) Examples of Evidence Critical risks are reviewed periodically and at major internal and external milestone events with higher level management (contractor and government) minutes or slides available Critical risk probability and consequence are presented to higher level management minutes or slides available Status of risk mitigation actions for higher level risks are reviewed with minutes or slides available Other (Specify) ________________________ GG 3 Institutionalize a Defined Process. (Capability Level 3 - Defined) GP 3.1 Establish a Defined Process: Establish and maintain the description of a defined risk management process. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Has your organization (e.g., ESC) established and is it maintaining the description of a defined (standardized) risk management process? (Process Step 1 through 7 All Actions and Step 7 four Decisions)Yes No PartiallyIf yes, what are the indicators that the description of the process is defined and maintained?Examples of Evidence Documented standard risk management process distributed to and recognized by organizations personnel (standard organizational process may be documented and tailored, if necessary, in the risk management plan) Documented review and revisions, if required, to the organizations risk management process (reflecting feedback from projects within the organization) Other (Specify)________________________ GP 3.2 Collect Improvement Information: Collect work products, measures, and improvement information derived from planning and performing the risk management process to support the future use and improvement of the organizations processes and process assets. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Is your organization (e.g., ESC) collecting work products, measures, and improvement information derived from planning and performing the risk management process to support the future use and improvement of the organizations processes and process assets? (Risk Toolkit contains the process and support material revisions are made as new material becomes available)Yes No PartiallyIf yes, what are the indicators that the data is being collected?Examples of Evidence An organizational repository of risk management plans, tools, forms, etc. being used by projects within the organization A repository of recommended changes to the organizations standard risk management process and documented review of the changes on a periodic basis Other (Specify)________________________ GG 4 Institutionalize a Quantitatively Managed Process. (Capability Level 4 Quantitatively Managed) GP 4.1 Establish a Quality Objectives: Establish and maintain quantitative objectives for the risk management process about quality and process performance based on customer needs and business objectives. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Has your organization (e.g., ESC) established and is it maintaining quantitative objectives for the risk management process about quality and process performance based on customer needs and business objectives? (Risk Toolkit contains a list of qualitative objectives in the process training executive briefing quantitative measures not presently established)Yes No PartiallyIf yes, what are the indicators that the quantitative objectives are defined and maintained?Examples of Evidence Documented organizational risk management standards (e.g., frequency of risk assessments and reassessments, reporting of top 10 risks, how fast mitigation activities are initiated for critical operational risks) are established and distributed as part of the organizational process Documented review and revisions, if required, to the organizations risk management quantitative standards (reflecting feedback from projects within the organization and changes in top-down directives [e.g. operational risk management, safety, security]) Other (Specify)________________________ GP 4.2 Stabilize Subprocess Performance: Stabilize the performance of one or more subprocesses of the risk management process to determine its ability to achieve the established quantitative quality and process performance objectives. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Has your organization (e.g., ESC) stabilized the performance of one or more subprocesses of the risk management process to determine its ability to achieve the established quantitative quality and process performance objectives? (The Risk Assessment subprocess [Step 2 Actions 1 through 5 and Step 3 Actions 1, 2, and 5] are stable and are part of the ESC/BP ASP preparation)Yes No PartiallyIf yes, what are the indicators that the subprocess performance is stabilized, measured, and evaluated?Examples of Evidence Documented analysis of a stable subprocess (e.g., risk assessment for ASP) to determine effectiveness of risk identification and mitigation activities (e.g., successful incorporation into acquisition strategy and RFP) Documented analysis of subprocess results, and revisions, to the standard risk management process Other (Specify)________________________ GG 5 Institutionalize an Optimizing Process. (Capability Level 5 Optimizing) GP 5.1 Ensure Continuous Process Improvement: Ensure continuous improvement of the risk management process in fulfilling the relevant business goals of the organization. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Does your organization (e.g., ESC) ensure continuous improvement of the risk management process in fulfilling the relevant business goals of the organization? (Revisions to the Risk Tool Kit are made to continuously improve the process)Yes No PartiallyIf yes, what are the indicators that the continuous improvement is occurring?Examples of Evidence Standard risk management process is reviewed against any stated or documented changes in organizational business goals Data is collected and analyzed to measure contribution of risk management process to organizational goals Standard risk management process is revised to meet changes in organizational business goals Other (Specify)________________________ GP 5.2 Correct Common Cause of Problems: Identify and correct the root causes of defects and other problems in the risk management process. QuestionResponse (Check Yes, No, or Partially and any evidence that supports the answer)Does your organization (e.g., ESC) identify and correct the root causes of defects and other problems in the risk management process? (Participants in training sessions are asked to provide feedback which is analyzed for improvement of the process)Yes No PartiallyIf yes, what are the indicators that the identification and correction of root causes of defects and risk management process problems is occurring?Examples of Evidence Red Team results and lessons learned are incorporated into organizational risk taxonomies for consideration by programs Process problem symptoms are analyzed and discussed with process groups (representation from the projects) to identify root causes and potential solutions Program managers with program failures or major restructuring are interviewed [documented] to determine if it was caused by unanticipated risks Other (Specify)________________________ Risk Management Process Self Assessment Version 2.2 PAGE 1 D X ^ _ O h - .   ? @ F G _ `uv 6KLKLq<=CDT{ 5 jCJ 56CJ5CJ jCJU CJOJQJCJW<=DE  W X $ & F$` & F>>?@Ip7>AKL0Kwx#$q<=uv#&01{ @P#\           !      Q i p s } ~ -  > ? @ $ & F$` & FV$ h$  & F$ !$-$$l0V' 45`u>?@ID`$  & F$ !$-$$l0V'$ & F$Ip7>AKL0Kwxɰɰ & F!$$  & F$ !$-$$l0V'$ & F$#$q<=uvì|$ & F$` & F & F$$$ !-$$l0V'$  & F$ !#&01{$ & F$`$-$$l0V'  & F$ !$ @P#\$$ & F$` & F & F$$$-$$l0V'  & F$ !  *6K/ 0 7 8 Y !!!!7"L"$R$X$Y$q$_&&&&'''''g'm'n''()))w))A*B*H*I*[*++++-._.`.a.g.h.{.0X0m0n00011111X333344555555666675 CJOJQJ jCJ 56CJCJ5CJZ  6K'~ . / 0 $!%!!!!!!7"L"\"n""""" #<###$$Q$R$ % %%=%h%i%&&&&& ''''e'g'''(,(W(X() ))))w)                        M  6K'~ . \8  & F$  & F$ !$$  & F$ !$ !-$$l0V'$ & F$. / 0 $!%!!!!!!7"L"\"n"",ф & F$$$  & F$ !$ !$ & F$`-$$l0V'"""" #<###$$Q$R$ % %%=%h%i%,$ & F$` & F-$$l0V' & F$ & F$ & F$ & F$i%&&&&& ''''e'g'''(,(W(X() )$ & F$` & F$-$$l0V'  & F$ !$ ! ))))w))*@*A*B*****%+&++++Ɯ$ !$ & F$`  & F$ !$$-$$l0V'  & F$ !w))*@*A*B*****%+&++++++-.5.^._.`.///D/o/p/Y0`0c0m0n0001&1u1111W2X2a22223333344445^5555555!6L6M6666666778K8}8888:9;9D9k99          V+++-.5.^._.`.///D/o/p/Y0`0c0m0 $ !$ & F$`  & F$ !$$-$$l0V'  & F$ !m0n0001&1u1111W2X2a2222333Ѽ  & F$ !$ !$ & F$`  & F$ !$$-$$l0V'33344445^5555555!6L6M66ƔL$ !$ & F$`  & F$ !$$-$$l0V'  & F$ !666666778K8}8888:9;9D9$ & F$`  & F$ !$$$d%d&d'd-$$l0V'  & F$ !$ !7788888:B:W:X:::;;;;;&<C=p====>?????AmAAAA BB`CaCbChCiCCyEEEE-FBFGGGGGG/IJI_I`IJJWLLLLLL$NdNyNzNNNPPPPPRRSgShSSST^UdUeUU[WWXX5 CJOJQJ 56CJ5CJCJ\D9k999C:J:M:W:X:::;i;;;;;d  & F"$ !  & F$ !$$$d%d&d'd  & F$ !$ !-$$l0V'$ & F$99C:J:M:W:X:::;i;;;;;<<<<<<q=x={====>>S?????F@G@P@w@@@nAuAxAAAA BKBBBB6C_C`CaCODPDYDDDDEEEEE-FBFFFGaGGGGG]H        #   "         L;<<<<<<q=x={====>>S?äø  & F#$ !  & F$ !$$$d%d&d'd  & F$ !$ !-$$l0V'$ & F$`S?????F@G@P@w@@@nAuAxAAAt  & F$ !$ !$ & F$`-$$l0V'  & F$ !  & F#$ !AA BKBBBB6C_C`CaCODPDYDDDDT$ & F$`-$$l0V'  & F$ ! & F$$d%d&d'd$$$d%d&d'dDEEEEE-FBFFFGaGGGGG  & F$ ! & F$$d%d&d'd$$$d%d&d'd-$$l0V'  & F$ !$ !G]H^HgHHHHKIRIUI_I`IJJJØÄ $$$d%d&d'd$  & F$ !$ !-$$l0V'$ & F$`]H^HgHHHHKIRIUI_I`IJJJ}KKWLLLLLL>M?MHMoMMMeNlNoNyNzNNNOXPPPPQQQQQQSSZS]SgShSSS8TTTTT]U^U+V,V5V\VVVWWWXXcXxXYZZZ                    LJ}KKWLLLLLL>M?MHMoMMMeN|$ !$ & F$` & F-$$l0V'  & F$ ! & F$$d%d&d'deNlNoNyNzNNNOXPPPPQQQQQQ$ & F$` & F$  & F$ !$$-$$l0V'  & F$ !QSSZS]SgShSSS8TTTTT]U^U+V,V4` & F & F$  & F$ !$$-$$l0V'  & F$ !$ !,V5V\VVVWWWXXcXxXYZZZZ[ ` & F$  & F$ !$$  & F$ !$ !-$$l0V'$ & F$XcXxXZZZZZ\{]]]]^s_____laaaab2bccccc e{eee%f:f h h8hChDhEhFhLhMhNhOhPhTh0J j0JU 5EHH*EHH* 56CJ( 56CJ5CJCJ0ZZ[[[[\\|]]]]]]^^J_r_s_t___p`q`z````aaaaab2bbcpcccc&d'd0dWddd|eeeee%f:ffOggh h hDhEhPhQhTh            @[[[[\\|]]]]]]^^J_r_s_t_4Lj & F & F$  & F$ !$$  & F$ !$ !-$$l0V'$ & F$t___p`q`z````aaaaab2bbc(  & F$ !$$  & F$ !$ !-$$l0V'$ & F$` & Fcpcccc&d'd0dWddd|eeeee%f:f8 $$  & F$ !$ !$ & F$`-$$l0V' & F$  & F$ !:ffOggh h hDhEhPhQhRhShThh&`#$$ !#-$$l0V' & F$  & F$ ! 1h/ =!"#$%0T~ =e>L9!y[ C/+QL8B  + 5VP?xTOA~nQa96@M<`Ġ$$*7.2-c3iOr5bW=qA1DoLNWbɾy$̼YhM35{{ΌBz#lUN ]p.ut>-͒G˘A ^/*Ցݤ'$@ ,wnrvbWDIUJR U@_`>ğV*  A;].^.>3;>"n^IB J!_$.rwGDptkxwE"6fk}b|t G"Oj"|K6%%mPTᨰ]5M{?NkR(N(fvj>>y = _㿜@#p\`W:1SO^4Q fd`,0 ,Tuw[Iuȑ!ʳ /*^]I~uý?;w觇@aoKQz?qZb6zѳrU0yX Է)ulU^Mk7mWtE+oS#dt^'~Έ'Dv9i$ V`eVRS9-T,R|*U=pU%nZB;\rf=hkkedl#PN.l.KGY7$fqkyt Me=n@Cw` FɝWtMFFng5hLQ0ƘQĖuXvmR@ sb[rNa|[}cTfQ^ٿߜO֓~o+\ )#\TI^T|{"/ EړC~w t-t|wp)*y)^1rtܭ_حIV;h{cŎ++!;t9=͊!x8ͰdʐmS#ˁGQ,"3җe@6~ʌ4#/) ٖ2%1d.7:(5M:ȾceuWc'~?~!|=i1 19h]a)tүTӔARJ{Kz6;y5Ӡf<NғگIZlNUmՋfS*9)鎝4H$;o$Ҟ6Zo秝f'"UP+%2#ʶOV=u1yO}}6ΧSӈ3 *̙#|5uqċ1D3%7Ҵ/=րKy #?U<^3Adg'< S*&?7, (kN ;[?4aخnC3AeA9  ˀ:ebO8&͂iynH2 4}҆%t\;p--H"n\ F1;I0JyS^O}-v\j#;5?C2vA^{m%*0lcS= )?[3:tuf9"{L-nM1}|$\󯜧AlKse)SiS<DO@z-ԜҸa[sA*PRZ1RϴD⩂ W eedO7y—=v-O|dY>sJS>n)ͱ< zLLfhU~4>iM2N2N\m^I2% }̺e״h\e'Ҿǖ%GKU|!]Xl#_Qs\= pTԡF.ٖ*$/&po]փQ}XKZ,ߞ zʺy[/:N̼*xs)m_мH^o{sǮO[[J2URlS=v"Î~)lyݗyz/$7N]@0/xW?r*?kAԉG [8@8 NormalCJ_HaJmH sH tH Z@Z Heading 1$ & F<@&5CJ KH OJQJ\^JaJ :@: Heading 2$ & F@&5\VV Heading 3$ & F<@&5CJOJQJ\^JaJP@P Heading 4$dx@&5KH OJQJmHnHu<@< Heading 5$$@&a$ 56CJ<A@< Default Paragraph FontJYJ  Document Map-D M OJQJ^J,@, Header  !X @XFooter$ !d1$a$5CJKH OJQJmHnHu&)@!& Page Number2goal-statement:  ,$d!%d$&d!'d$-D ^`)56CJOJQJ_HmHnHsH tH u~B~ sp-statement6$ d<$d!%d$&d!'d$*$-D ^ 56CJOJQJmHnHuDORD body$ dxx*$^ CJOJQJtObt list-bullet' & F Pd<<^ `P#CJOJQJ_HmHnHsH tH ufrf capability-sp-level!$$dxx*$^ CJOJQJVOaVlist-bullet-border $$$d%d&d'dFOQF body-border$$d%d&d'd:Q: example-break CJ*B@* Body Text6.J@. Subtitle 5tH u(U@( Hyperlink>*B*Td              1 #a*17b?HPVu[TdP}k{?Hf I  P;;HHHK7XTh5>JW I. "i% )+m036D9;S?ADGJeNQ,V[t_c:fTh689:;<=@ABCDFGHIKMNOPQSTUVYZ[\w)9]HZTh7?ELRX;BDK!t?2$j >||t:J:2 2$pAOVvI B$ C/+QL8B " @(  J  # A$"B S  ?Td84 _Toc492970938 _Toc492970941R `*Ud`*;UdU X ::VVWWPX\XXYYY.Z8ZZ [ d dEdOdRdUd%&S@ 3 p #R !=!g!,$V$&$'D+n+..!2K2k5588w<<@@DDoIIMM^QoQQ*R\RRWX\\W`` d dEdOdRdUd Michael Bloom Michael Bloom Michael Bloom Michael Bloom Michael Bloom Michael Bloom Michael BloomJennifer K. AndersonJennifer K. AndersonMITRE Employee>mitre_portals:RiskToolkit:compliance:files:CMPL_RiskAssess.doc#>D| ) |L|`P ;7|L|U# fv > AV|L|V|"|L|\N%|L|2& lwd.|L|L3|L|q3J$1g3|L|S4|L|H8|L|Y\; Eh<|L|uh`@|L| A %sH|L|VfM R O dY c] _ Z:` jc 0c|L|7f Rf fFNo>)o K9}|L| hh^h`OJQJo( hh^h`OJQJo(hh^h`o(.P8^`Po(..^`o(...x^`xo(....  ^`o( .....  X@ ^ `Xo( ......  ^ `o(....... 8x^`8o(........ `H^``o(......... hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo(@P^`P. hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo( hh^h`OJQJo(hh^h`B*OJQJo( hh^h`OJQJo( hh^h`OJQJo(#`P 7fRfc]VfM>D| AU#>Z:`o>)o2&Y\;jcO dYH8%sHg3\N%) AVuh`@7K9}q3fS4lwd.L3V|"fv_R0cEh<#@j JTd`@GTimes New Roman5Symbol3 Arial;Wingdings5& z!TahomaA Arial Narrow"1hcsfcsfKW&x}R*U+!0dMe dRisk Management Self AssessmentDavid H. KitsonMITRE Employee Oh+'0 $ @ L X dpx' Risk Management Self AssessmentiskDavid H. KitsonaviNormal.MITRE Employee2TRMicrosoft Word 8.0f@@9>@=k@=kx}R ՜.+,0$ hp  'Software Engineering Institutef*Me  Risk Management Self Assessment Title  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abdefghijklmnopqrstuvxyz{|}~Root Entry F⛟1Tablec&WordDocumentSummaryInformation(wDocumentSummaryInformation8CompObjXObjectPool⛟⛟ FMicrosoft Word DocumentNB6WWord.Document.8