SP 2.1 Identify Risks

Process Area: RSKM
Level: 2
Goal: SG 2
Practice: SP 2.1

Identify and document risks.

Identifying potential issues, hazards, threats, and vulnerabilities that could negatively affect work efforts or plans is the basis for sound and successful risk management. Risks must be identified and described understandably before they can be analyzed and managed properly. Risks are documented in a concise statement that includes the context, conditions, and consequences of risk occurrence.

Risk identification should be an organized, thorough approach to seek out probable or realistic risks that may affect achieving objectives. To be effective, risk identification should not attempt to address every possible event regardless of how improbable it may be. Using categories and parameters developed in the risk management strategy and identified sources of risk can provide the discipline and streamlining appropriate for risk identification. Identified risks form a baseline for initiating risk management activities. Risks should be reviewed periodically to reexamine possible sources of risk and changing conditions to uncover sources and risks previously overlooked or nonexistent when the risk management strategy was last updated.

Risk identification focuses on identifying risks, not placement of blame. The results of risk identification activities should never be used by management to evaluate the performance of individuals.

There are many methods used for identifying risks. Typical identification methods include the following:

· Examine each element of the project work breakdown structure.
· Conduct a risk assessment using a risk taxonomy.
· Interview subject matter experts.
· Review risk management efforts from similar products.
· Examine lessons-learned documents or databases.
· Examine design specifications and agreement requirements.

Some risks are identified by examining the supplier’s WBS, product, and processes using the categories and parameters developed in the risk management strategy. Risks can be identified in many areas (e.g., requirements, technology, design, testing, vulnerability to threats, and lifecycle costs). An examination of the project in these areas can help to develop or refine the acquisition strategy and the risk-sharing structure between the acquirer and supplier.

The acquirer considers risks associated with a supplier’s capability (e.g., meeting schedule and cost requirements for the project), including potential risks to the acquirer’s intellectual capital or security vulnerabilities introduced by using a supplier.

Typical Work Products

1.    List of identified risks, including the context, conditions, and consequences of risk occurrence

Typical Supplier Deliverables

1.    List of identified risks, including the context, conditions, and consequences of risk occurrence

Subpractices

1.    Identify the risks associated with cost, schedule, and performance.

Cost, schedule, and performance risks should be examined in the acquirer’s intended environment to the extent that they impact project objectives. Potential risks may be discovered that are outside the scope of project objectives but vital to customer interests. For example, risks in development costs, product acquisition costs, cost of spare (or replacement) products, and product disposition (or disposal) costs have design implications. The customer may not have considered the full cost of supporting a fielded product or using a delivered service. The customer should be informed of such risks, but actively managing those risks may not be necessary. Mechanisms for making such decisions should be examined at project and organization levels and put in place if deemed appropriate, especially for risks that impact the project’s ability to verify and validate the product.

In addition to the cost risks identified above, other cost risks may include those associated with funding levels, funding estimates, and distributed budgets.

Schedule risks may include risks associated with planned activities, key events, and milestones.

Performance risks may include risks associated with the following:

· Requirements
· Analysis and design
· Application of new technology
· Physical size
· Shape
· Weight
· Manufacturing and fabrication
· Functional performance and operation
· Verification
· Validation
· Performance maintenance attributes

Performance maintenance attributes are those characteristics that enable an in-use product or service to provide required performance, such as maintaining safety and security performance.

There are other risks that do not fall into cost, schedule, or performance categories.

Examples of these other risks include those related to the following:

· Strikes
· Diminishing sources of supply
· Technology cycle time
· Competition

2.    Review environmental elements that may impact the project.

Risks to a project that frequently are missed include those supposedly outside the scope of the project (i.e., the project does not control whether they occur but can mitigate their impact), such as weather, natural or manmade disasters that affect the continuity of operations, political changes, and telecommunications failures.

3.    Review all elements of the work breakdown structure as part of identifying risks to help ensure that all aspects of the work effort have been considered.

4.    Review all elements of the project plan as part of identifying risks to help ensure that all aspects of the project have been considered.

Refer to the Project Planning process area for more information about identifying project risks.

5.    Document the context, conditions, and potential consequences of each risk.

Risk statements are typically documented in a standard format that contains the risk context, conditions, and consequences of occurrence. The risk context provides additional information about the risk such as the relative time frame of the risk, the circumstances or conditions surrounding the risk that has brought about the concern, and any doubt or uncertainty.

6.    Identify the relevant stakeholders associated with each risk.
