Identify and document the risks.

The identification of potential issues, hazards, threats, and vulnerabilities that could negatively affect work efforts or plans is the basis for sound and successful risk management. Risks must be identified and described in an understandable way before they can be analyzed and managed properly. Risks are documented in a concise statement that includes the context, conditions, and consequences of risk occurrence.

Risk identification should be an organized, thorough approach to seek out probable or realistic risks in achieving objectives. To be effective, risk identification should not be an attempt to address every possible event regardless of how highly improbable it may be. Use of the categories and parameters developed in the risk management strategy, along with the identified sources of risk, can provide the discipline and streamlining appropriate to risk identification. The identified risks form a baseline to initiate risk management activities. The list of risks should be reviewed periodically to reexamine possible sources of risk and changing conditions to uncover sources and risks previously overlooked or nonexistent when the risk management strategy was last updated.

Risk identification activities focus on the identification of risks, not placement of blame. The results of risk identification activities are not used by management to evaluate the performance of individuals.

There are many methods for identifying risks. Typical identification methods include the following:

·   Examine each element of the project work breakdown structure to uncover risks.

·   Conduct a risk assessment using a risk taxonomy.

·   Interview subject matter experts.

·   Review risk management efforts from similar products.

·   Examine lessons-learned documents or databases.

·   Examine design specifications and agreement requirements.

Typical Work Products

1.    List of identified risks, including the context, conditions, and consequences of risk occurrence

Subpractices

1.    Identify the risks associated with cost, schedule, and performance.

Cost, schedule, and performance risks should be examined to the extent that they impact project objectives. There may be potential risks discovered that are outside the scope of the project’s objectives but vital to customer interests. For example, the risks in development costs, product acquisition costs, cost of spare (or replacement) products, and product disposition (or disposal) costs have design implications. The customer may not have considered the full cost of supporting a fielded product or using a delivered service. The customer should be informed of such risks, but actively managing those risks may not be necessary. The mechanisms for making such decisions should be examined at project and organization levels and put in place if deemed appropriate, especially for risks that impact the ability to verify and validate the product.

In addition to the cost risks identified above, other cost risks may include those associated with funding levels, funding estimates, and distributed budgets.

Schedule risks may include risks associated with planned activities, key events, and milestones.

Performance risks may include risks associated with the following:

·   Requirements

·   Analysis and design

·   Application of new technology

·   Physical size

·   Shape

·   Weight

·   Manufacturing and fabrication

·   Functional performance and operation

·   Verification

·   Validation

·   Performance maintenance attributes

Performance maintenance attributes are those characteristics that enable an in-use product or service to provide originally required performance, such as maintaining safety and security performance.

There are other risks that do not fall into cost, schedule, or performance categories.

2.    Review environmental elements that may impact the project.

Risks to a project that frequently are missed include those supposedly outside the scope of the project (i.e., the project does not control whether they occur but can mitigate their impact), such as weather, natural or manmade disasters that affect continuity of operations, political changes, and telecommunications failures.

3.    Review all elements of the work breakdown structure as part of identifying risks to help ensure that all aspects of the work effort have been considered.

4.    Review all elements of the project plan as part of identifying risks to help ensure that all aspects of the project have been considered.

Refer to the Project Planning process area for more information about identifying project risks.

5.    Document the context, conditions, and potential consequences of the risk.

Risks statements are typically documented in a standard format that contains the risk context, conditions, and consequences of occurrence. The risk context provides additional information such that the intent of the risk can be easily understood. In documenting the context of the risk, consider the relative time frame of the risk, the circumstances or conditions surrounding the risk that has brought about the concern, and any doubt or uncertainty.

6.    Identify the relevant stakeholders associated with each risk.