CRV2 RiskBasedApproach

Development notes:

* Doing things right or doing the right things...
* Not all bugs are equal
* Long-term or short-term risk
* Accept, Transfer, Avoid or Reduce
* Integrate into a repeatable CCPM
* Management will ultimately own the risk
* CIA (confidentiality, integrity, availability) of risk
* Management of resources (machines, time, skills)
* What is high risk? Ease of exposure? Value of loss?
* Analogy to car development/maintenance risk. Subjective or regimented risk; code subject to regulatory controls is higher risk
* Test everything or just high risk?
* Risk analysis involves cost/benefit analysis
* Sizing the review would allow management to know what resources are needed
* Redundancy and physical failure
* High-risk issues/features are candidates for automated testing/review checks
* A lot of static analysis tools allow modules/tests to be plugged in; high-risk items are candidates for mitigation in this way
* Separate codelines for more sensitive code
* Quantitative vs qualitative risk
* Risk could determine who reviews, how many people, number of sign-offs, etc.
* Risk is the chance of something bad happening and the damage if it occurs
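The following is an added worked example (not part of the OWASP page or its guide text) that puts several of the notes above into working code: risk as likelihood times damage on ordinal scales (qualitative), annualized loss expectancy as the quantitative counterpart, regulated code forced into the top tier, the tier deciding reviewers, sign-offs, automated checks and a separate codeline, a sizing estimate so management can see the reviewer-hours needed, and a cost/benefit call between reducing and accepting a risk. Every module name, number, scale, threshold and policy value is hypothetical and would be calibrated by a real team.

```python
"""Risk-tiered planning for a code review (constructed example, hypothetical data).

Qualitative score = exposure x impact on 1..5 ordinal scales.
Quantitative score = ALE = SLE x ARO (annualized loss expectancy).
The qualitative score picks the review tier, the tier picks the review policy,
and the ALE drives the cost/benefit decision between reducing and accepting.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    exposure: int           # 1..5, how easily an attacker reaches this code
    impact: int             # 1..5, damage if it is compromised
    sle: float              # single loss expectancy, currency units per incident
    aro: float              # annualized rate of occurrence, incidents per year
    loc: int                # lines of code in scope for the review
    regulated: bool = False  # subject to regulatory controls


# Tier -> review policy.  Hypothetical values chosen for illustration only.
REVIEW_POLICY = {
    "high":   {"reviewers": 2, "signoffs": 2, "automated_checks": True,  "separate_codeline": True},
    "medium": {"reviewers": 1, "signoffs": 1, "automated_checks": True,  "separate_codeline": False},
    "low":    {"reviewers": 1, "signoffs": 0, "automated_checks": False, "separate_codeline": False},
}


def qualitative_score(m: Module) -> int:
    """Risk as chance (exposure) x damage (impact) on ordinal scales, range 1..25."""
    if not (1 <= m.exposure <= 5 and 1 <= m.impact <= 5):
        raise ValueError(f"{m.name}: exposure and impact must be in 1..5")
    return m.exposure * m.impact


def ale(m: Module) -> float:
    """Annualized loss expectancy: expected loss per year attributable to this module."""
    return m.sle * m.aro


def tier(m: Module) -> str:
    """Map the qualitative score to a review tier; regulated code is always 'high'."""
    score = qualitative_score(m)   # also validates the scales
    if m.regulated or score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment(m: Module, annual_mitigation_cost: float) -> str:
    """Cost/benefit: 'reduce' when the yearly fix cost is below the expected yearly loss.

    Transfer and avoid are business decisions that these numbers alone cannot
    justify, so they are left to management, who ultimately own the risk.
    """
    return "reduce" if annual_mitigation_cost < ale(m) else "accept"


def plan_review(modules, loc_per_reviewer_hour: float = 150.0):
    """Return (per-module plan sorted highest risk first, total reviewer-hours).

    loc_per_reviewer_hour is an assumed review throughput used only for sizing.
    """
    plan = []
    total_hours = 0.0
    for m in sorted(modules, key=lambda x: (qualitative_score(x), ale(x)), reverse=True):
        t = tier(m)
        policy = REVIEW_POLICY[t]
        hours = m.loc / loc_per_reviewer_hour * policy["reviewers"]
        total_hours += hours
        plan.append({"module": m.name, "tier": t, "score": qualitative_score(m),
                     "ale": ale(m), "hours": round(hours, 1), **policy})
    return plan, round(total_hours, 1)


# Constructed sample inventory; not taken from any real project.
SAMPLE_MODULES = [
    Module("auth",      exposure=5, impact=5, sle=200_000, aro=0.5, loc=3_000, regulated=True),
    Module("payments",  exposure=4, impact=4, sle=150_000, aro=0.2, loc=4_500, regulated=True),
    Module("reporting", exposure=3, impact=3, sle=20_000,  aro=0.5, loc=6_000),
    Module("logging",   exposure=1, impact=2, sle=2_000,   aro=1.0, loc=1_500),
]

if __name__ == "__main__":
    plan, hours = plan_review(SAMPLE_MODULES)
    for row in plan:
        print(f"{row['module']:10} {row['tier']:6} score={row['score']:2} "
              f"ALE={row['ale']:>9,.0f} reviewers={row['reviewers']} "
              f"signoffs={row['signoffs']} hours={row['hours']}")
    print("total reviewer-hours:", hours)
    print("auth with a 50k/yr fix:", treatment(SAMPLE_MODULES[0], 50_000))
```

The ordering and the hours total are what a review lead would hand to management when sizing the effort; the tier flags (`automated_checks`, `separate_codeline`) are the hooks for deciding which modules get plug-in static analysis checks and their own codeline.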