Determine risk sources and categories.
Identifying risk sources provides a basis for systematically examining changing situations over time to uncover circumstances that impact the ability of the project to meet its objectives.
Risk sources are both internal and external to the project. As the project progresses, additional sources of risk may be identified. Establishing categories for risks provides a mechanism for collecting and organizing risks as well as ensuring
appropriate scrutiny and management attention to risks that can have serious consequences on meeting project objectives.
Acquirers initially identify and categorize risk sources and categories for the project and refine those sources and categories over time (e.g., schedule, cost, sourcing, contract management,
supplier execution, technology readiness, human safety, reliability related risks and other issues outside the control of the acquirer). The supplier is also a source of risk (e.g., financial stability of the suppler and the possibility of the
supplier’s acquisition by another organization).
Typical Work Products
1. Risk source lists (external and internal)
2. Risk categories list
Subpractices
1. Determine risk sources.
Risk sources are fundamental drivers that cause risks in a project or organization. There are many sources of risks, both internal and external to a project. Risk sources identify where risks
may originate.
Typical internal and external risk sources include the following:
· Uncertain requirements
· Unprecedented efforts (i.e., estimates unavailable)
· Infeasible design
· Unavailable technology
· Unrealistic schedule estimates or allocation
· Inadequate staffing and skills
· Cost or funding issues
· Uncertain or inadequate subcontractor capability
· Uncertain or inadequate supplier capability
· Inadequate communication with customers
· Disruptions to the continuity of operations
Many of these sources of risk are often accepted without adequately planning for them. Early identification of both internal and external sources of risk can lead to early identification of
risks. Risk mitigation plans can then be implemented early in the project to preclude occurrence of risks or reduce consequences of their occurrence.
2. Determine risk categories.
Risk categories are the “bins” used for collecting and organizing risks. Identifying risk categories aids the future consolidation of activities in risk mitigation
plans.
The following factors may be considered when determining risk categories:
· Phases of the project’s lifecycle model (e.g., requirements, design, manufacturing, test and evaluation, delivery, and disposal)
· Types of processes used
· Types of products used
· Project management risks (e.g., contract risks, budget/cost risks, schedule risks, resource risks, performance risks, and supportability risks)
· Supplier risks (e.g., financial viability of the supplier and the geographic location of supplier resources)
· Product safety, security, and reliability
A risk taxonomy can be used to provide a framework for determining risk sources and categories.
320/353 - 0 sub articles
CMMI-ACQ 1.2
4. 
SP 1.1 Determine Risk Sources and Categories