Determine risk sources and categories.
Identification of risk sources provides a basis for systematically examining changing situations over time to uncover circumstances that impact the ability of the project to meet its objectives. Risk sources are both internal and
external to the project. As the project progresses, additional sources of risk may be identified. Establishing categories for risks provides a mechanism for collecting and organizing risks as well as ensuring appropriate scrutiny and management
attention for those risks that can have more serious consequences on meeting project objectives.
Typical Work Products
1. Risk source lists (external and internal)
2. Risk categories list
Subpractices
1. Determine risk sources.
Risk sources are the fundamental drivers that cause risks within a project or organization. There are many sources of risks, both internal and external, to a project. Risk sources identify common areas where risks may originate.
Typical internal and external risk sources include the following:
· Uncertain requirements
· Unprecedented efforts—estimates unavailable
· Infeasible design
· Unavailable technology
· Unrealistic schedule estimates or allocation
· Inadequate staffing and skills
· Cost or funding issues
· Uncertain or inadequate subcontractor capability
· Uncertain or inadequate vendor capability
· Inadequate communication with actual or potential customers or with their representatives
· Disruptions to continuity of operations
Many of these sources of risk are often accepted without adequate planning. Early identification of both internal and external sources of risk can lead to early identification of risks. Risk mitigation plans can then be implemented
early in the project to preclude occurrence of the risks or reduce the consequences of their occurrence.
2. Determine risk categories.
Risk categories reflect the “bins” for collecting and organizing risks. A reason for identifying risk categories is to help in the future consolidation of the activities in the risk mitigation plans.
The following factors may be considered when determining risk categories:
· The phases of the project’s lifecycle model (e.g., requirements, design, manufacturing, test and evaluation, delivery, and disposal)
· The types of processes used
· The types of products used
· Program management risks (e.g., contract risks, budget/cost risks, schedule risks, resources risks, performance risks, and supportability risks)
A risk taxonomy can be used to provide a framework for determining risk sources and categories.