by Ray C. Williams.
Abstract. In this position paper, the author asserts that all existing risk management standards promulgate compliance with the opinions held by a small sub-community of risk practitioners, rather than promoting processes and practices that have demonstrated their effectiveness in managing risks in real organizations. The author takes the position that the CMMI RSKM process area, if viewed as a standard, shares this weakness in its basic features; however, when an organization can rise to the higher capability levels in RSKM (Capability Levels 4 and 5), the CMMI holds the promise of promoting and proving effective risk management.
To date, however, this promise has not been realized.
The Problem with Risk Management Standards

All risk management standards share a common fault: Regardless of the organization that creates and promotes them, they claim broad support from their community and purport to reflect "best practices" in risk management, and yet in each case they have been created by a select group of self-identified "experts" in the field from within the organization. While they may have received pre-publication review by members of a broader community of other "experts" and interested parties, they remain opinion pieces from a small in-group of practitioners who presume to speak for the larger community. They all take the position, "I am smarter about risk management than you are. Do as I say and you will begin practicing effective risk management."