PP.SP 2.2 Identify Risks
Summary
Identify and analyze risks.
Description
Refer to the Risk Management (RSKM) (CMMI-SVC) process area for more information about identifying potential problems before they occur so that risk handling activities can be planned and invoked as needed across the life of the product or work to mitigate adverse impacts on achieving objectives.
Refer to the Monitor Risks specific practice in the Work Monitoring and Control process area for more information about risk monitoring activities.
Risks are identified or discovered and analyzed to support work planning. This specific practice should be extended to all plans that affect the work to ensure that appropriate interfacing is taking place among all relevant stakeholders on identified risks.
Work planning risk identification and analysis typically include the following:
- Identifying risks
- Analyzing risks to determine the impact, probability of occurrence, and time frame in which problems are likely to occur
- Prioritizing risks
Example Work Products
- Identified risks
- Risk impacts and probability of occurrence
- Risk priorities
Subpractices
1. Identify risks.
The identification of risks involves the identification of potential issues, hazards, threats, vulnerabilities, and so on that could negatively affect work efforts and plans. Risks should be identified and described understandably before they can be analyzed and managed properly. When identifying risks, it is a good idea to use a standard method for defining risks. Risk identification and analysis tools can be used to help identify possible problems.
Examples of risk identification and analysis tools include the following:
- Risk taxonomies
- Risk assessments
- Checklists
- Structured interviews
- Brainstorming
- Process, product, and work performance models
- Cost models
- Network analysis
- Quality factor analysis
2. Document risks.
3. Review and obtain agreement with relevant stakeholders on the completeness and correctness of documented risks.
4. Revise risks as appropriate.
Examples of when identified risks may need to be revised include the following:
- When new risks are identified
- When risks become problems
- When risks are retired
- When work circumstances change significantly