Determine risk sources and categories.
Identifying risk sources provides a basis for systematically examining changing situations over time to uncover circumstances that affect the ability of the project to meet its objectives. Risk sources are both internal and external
to the project. As the project progresses, additional sources of risk can be identified. Establishing categories for risks provides a mechanism for collecting and organizing risks as well as ensuring appropriate scrutiny and management attention to
risks that can have serious consequences on meeting project objectives.
Acquirers initially identify and categorize risk sources and categories for the project and refine those sources and categories over time (e.g., schedule, cost, sourcing, contract management, supplier execution, technology
readiness, human safety, reliability related risks, other issues outside the control of the acquirer). The supplier is also a source of risk (e.g., financial stability of the suppler, the possibility of the supplier’s acquisition by another
organization).
Example Work Products
1. Risk source lists (external and internal)
2. Risk categories list
Subpractices
1. Determine risk sources.
Risk sources are fundamental drivers that cause risks in a project or organization. There are many sources of risks, both internal and external to a project. Risk sources identify where risks can originate.
Typical internal and external risk sources include the following:
· Uncertain requirements
· Unprecedented efforts (i.e., estimates unavailable)
· Infeasible design
· Competing quality attribute requirements that affect technical solution and design
· Supplier architectural decisions that affect quality attribute requirements or acquirer’s business objectives
· Unavailable technology
· Unrealistic schedule estimates or allocation
· Inadequate staffing and skills
· Cost or funding issues
· Uncertain or inadequate subcontractor capability
· Uncertain or inadequate supplier capability
· Inadequate communication with actual or potential customers or with their representatives
· Disruptions to the continuity of operations
· Regulatory constraints (e.g. security, safety, environment)
Many of these sources of risk are accepted without adequately planning for them. Early identification of both internal and external sources of risk can lead to early identification of risks. Risk mitigation plans can then be
implemented early in the project to preclude occurrence of risks or reduce consequences of their occurrence.
2. Determine risk categories.
Risk categories are “bins” used for collecting and organizing risks. Identifying risk categories aids the future consolidation of activities in risk mitigation plans.
The following factors can be considered when determining risk categories:
· Phases of the project’s lifecycle model (e.g., requirements, design, manufacturing, test and evaluation, delivery, disposal)
· Supplier risks (e.g., financial viability of the supplier, the geographic location of supplier resources)
· Product safety, security, and reliability
· Types of processes used
· Types of products used
· Project management risks (e.g., contract risks, budget risks, schedule risks, resource risks)
· Technical performance risks (e.g., quality attribute related risks, supportability risks)
A risk taxonomy can be used to provide a framework for determining risk sources and categories.
317/656 - 0 sub articles
CMMI for Acquisition 1.3
4. 