What is risk management in software engineering?

The Oxford English Dictionary defines “risk” as the possibility of loss, injury, or other adverse or unwelcome circumstance. Risk management in software engineering is the process of identifying and managing threats and hazards that can jeopardize the safety or efficacy of software products, software-based services, or software embedded in products such as airplanes, pacemakers, or automobiles.

Software risk management best practices
The risk management lifecycle
Hazard Analysis: The first step is to evaluate potential conditions that may lead to failure or accidents, group these hazards into scenarios, and identify each scenario’s high-level probability.
Risk Identification: Risk identification consists of a detailed assessment of potential adverse events, their probability of occurrence, and their potential impact, or severity. When hazards have already been identified, this step provides more detailed analysis.
Classification and Assessment: Risks are classified according to industry-specific guidelines that take both probability and severity into account. Classification guidelines vary by industry, and within industries, by regulatory authority. Proper classification helps ensure that products are fit for the market.
Risk Mitigation: Risks are mitigated by identifying controls that can prevent their occurrence, reduce its likelihood, or minimize its severity. For example, to prevent potential injuries from falling out of a moving automobile, automatic door locking may be proposed as a control. Controls may consist of product features, QA automation, performance requirements, inspections, and more.
Risk Reduction Planning: Controls are put into a plan to make them actionable by the organization. The plan identifies the steps the organization will take to implement the controls and assigns them to responsible individuals or teams.
Documentation and Reporting: Dashboards, reports, and other documentation help organizations monitor the fulfillment of risk mitigation tasks, and provide auditable evidence of good risk management practices. In safety-critical industries, risk reporting may be required as a condition for selling into specific markets.
Software risk management solution: Codebeamer
Ensure lifecycle-wide adherence to the highest risk management standards with Codebeamer, a requirements, risk, and test management solution that helps teams integrate risk management with day-to-day activities. Create a robust risk registry to identify, analyze, and mitigate hazards and risks. Comply with ISO 14971, IEC 60812, ISO 26262, IEC 61508, IEC 62304, IEC 60601, DO-178C, and other safety-critical regulations. Document and manage CAPA, FMEA, and other risk-related activities, and respond to regulatory audits with confidence. Benefit from closed-loop integration with the PTC engineering digital thread. Codebeamer helps build a culture of safety and quality throughout your organization.
Frequently asked questions

Adverse events can not only cause injury or death—they can also inflict grave reputational damage to brands and companies. Mature risk management practices reduce the probability of adverse events and help mitigate their impact when they do occur. Good risk management practices:

  • Improve customer satisfaction
  • Help protect customers from adverse events
  • Help protect companies from reputational damage
  • Are required for participation in safety-critical industries

While not a complete list, the following standards and regulations utilize and/or reference common risk management practices:

  • Medical and pharmaceutical:
    • EU MDR and US FDA regulations and applicable standards: IEC 82304-1, IEC 62304, ISO 14971, ISO 13485, FDA 21 CFR Parts 11 & 820, GAMP 5, ISO 9001
  • Automotive and transportation:
    • ISO 26262, Automotive SPICE, CMMI, ISO 9001
  • Avionics and defense:
    • DO-178C, DO-254, AMC 20-152A, ARP4754A