
4.22. Risk Management

A Project Management Process Area at Maturity Level 3

Purpose

The purpose of Risk Management (RSKM) is to identify potential problems before they occur so that risk-handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives.

Introductory Notes

Risk management is a continuous, forward-looking process that is an important part of project management. Risk management should address issues that could endanger achievement of critical objectives. A continuous risk management approach effectively anticipates and mitigates risks that may have a critical impact on a project.

Effective risk management includes early and aggressive risk identification through collaboration and the involvement of relevant stakeholders as described in the stakeholder involvement plan addressed in the Project Planning process area. Strong leadership across all relevant stakeholders is needed to establish an environment for free and open disclosure and discussion of risk.

Risk management must consider both internal and external sources of cost, schedule, performance, and other risks. Early and aggressive detection of risk is important because it is typically easier, less costly, and less disruptive to make changes and correct work efforts during the earlier, rather than the later, phases of the project.

When the project identifies and assesses project risks during project planning and manages risks throughout the life of the project, risk identification includes identifying risks associated with the acquisition process and the use of a supplier to perform project work. Initially, the acquisition strategy identifies risks associated with an acquisition. The approach to the acquisition is planned based on those risks. As the project progresses to the selection of a supplier, risks specific to the supplier’s technical and management approach become important to the success of the acquisition.

These risks refer to the capability of the supplier to meet contractual requirements, including schedules and cost targets. When the project selects a supplier and awards the supplier agreement, the acquirer continues to manage project risks, including risks related to the supplier meeting its contractual requirements. Typically the acquirer does not manage risks being addressed or managed by the supplier.

Risk management can be divided into three parts: defining a risk management strategy; identifying and analyzing risks; and handling identified risks, including the implementation of risk mitigation plans as needed.

Both the acquirer and supplier must understand project risks and how to modify the risk management strategy and plans as a project progresses through its lifecycle. Managing project risks requires a close partnership between the acquirer and supplier. Both must share appropriate risk management documentation, understand the risks, and develop and execute risk management activities.

The complexity of an acquirer-supplier relationship increases the need for early and aggressive risk identification. For example, acquirer capabilities, supplier experience working with the acquirer, financial stability of the supplier, and availability of well-defined dispute resolution processes all influence the risk of a project.

As represented in the Project Planning and Project Monitoring and Control process areas, organizations initially may focus on risk identification for awareness, and react to the realization of these risks as they occur. The Risk Management process area describes an evolution of these specific practices to systematically plan, anticipate, and mitigate risks to proactively minimize their impact on the project.

Although the primary emphasis of the Risk Management process area is on the project, these concepts can also be applied to manage organizational risks.

Refer to the Project Planning process area for more information about identifying project risks and planning the involvement of relevant stakeholders.

Refer to the Project Monitoring and Control process area for more information about monitoring project risks.

Refer to the Decision Analysis and Resolution process area for more information about using a formal evaluation process to evaluate alternatives for the selection and mitigation of identified risks.

Refer to the Solicitation and Supplier Agreement Development process area for more information about establishing supplier agreements.

Specific Goal and Practice Summary

SG 1 Prepare for Risk Management

SP 1.1 Determine Risk Sources and Categories

SP 1.2 Define Risk Parameters

SP 1.3 Establish a Risk Management Strategy

SG 2 Identify and Analyze Risks

SP 2.1 Identify Risks

SP 2.2 Evaluate, Categorize, and Prioritize Risks

SG 3 Mitigate Risks

SP 3.1 Develop Risk Mitigation Plans

SP 3.2 Implement Risk Mitigation Plans

Specific Practices by Goal
