SP 2.2 Identify Project Risks

CMMI for Acquisition, version 1.2

4. Generic Goals and Generic Practices, and the Process Areas

4.18. Project Planning

SG 2 Develop a Project Plan

SP 2.2 Identify Project Risks

Process Area	PP
Level	2
Goal	SG 2
Practice	SP 2.2

Identify and analyze project risks.

Refer to the Risk Management process area for more information about risk management activities.

Refer to the Monitor Project Risks specific practice in the Project Monitoring and Control process area for more information about risk monitoring activities.

Risks are identified or discovered and analyzed to support project planning. This specific practice should be extended to all plans that affect the project to ensure that appropriate interfacing is taking place among all relevant stakeholders on identified risks.

Project planning risk identification and analysis typically include the following:

· Identifying risks

· Analyzing risks to determine the impact, probability of occurrence, and time frame in which problems are likely to occur

· Prioritizing risks

Risks are identified from multiple perspectives (e.g., acquisition, technical, management, operational, supplier agreement, industry, support, and end user) to ensure all project risks are considered comprehensively in planning activities. Applicable regulatory and statutory requirements with respect to safety and security must be considered while identifying risks.

The acquisition strategy and the risks identified in other project planning activities form the basis for some of the criteria used in evaluation practices in the Solicitation and Supplier Agreement Development process area. As the project evolves, risks may be revised based on changed conditions.

Typical Work Products

1. Identified risks

2. Risk impacts and probability of occurrence

3. Risk priorities

Subpractices

1. Identify risks.

The identification of risks involves the identification of potential issues, hazards, threats, vulnerabilities, and so on that could negatively affect work efforts and plans. Risks must be identified and described in an understandable way before they can be analyzed. When identifying risks, it is a good idea to use a standard method for defining risks. Risk identification and analysis tools can be used to help identify possible problems.

Examples of risk identification and analysis tools include the following:

· Risk taxonomies

· Risk assessments

· Checklists

· Structured interviews

· Brainstorming

· Performance models

· Cost models

· Network analysis

· Quality factor analysis

Numerous risks are associated with acquiring products through suppliers (e.g., the stability of the supplier, the ability to maintain sufficient insight into the progress of their work, the supplier’s capability to meet product requirements, and the skills and availability of supplier resources to meet commitments).

The process, product, and service level measures and associated thresholds should be analyzed to identify instances where thresholds are at risk of not being met. These project measures are key indicators of project risk.

2. Document risks.

3. Review and obtain agreement with relevant stakeholders on the completeness and correctness of documented risks.

4. Revise risks, as appropriate.

Examples of when identified risks may need to be revised include the following:

· When new risks are identified

· When risks become problems

· When risks are retired

· When project circumstances change significantly

Keywords : acquisition ; acquisition strategy ; appropriate ; assessment ; DAR ; development ; document ; measure ; process ; process area ; product ; product requirements ; project ; project plan ; quality ; reference ; relevant stakeholder ; requirement ; risk identification ; risk management ; service ; service level ; service level measure ; solicitation ; specific practice ; stakeholder ; standard ; subpractice ; supplier ; supplier agreement ; typical work product ; work product