RSKM.SP 1.1 Determine Risk Sources and Categories
Summary
Determine risk sources and categories.
Description
Identifying risk sources provides a basis for systematically examining changing situations over time to uncover circumstances that affect the ability of the work group to meet its objectives. Risk sources are both internal and external to the work. As the work progresses, additional sources of risk can be identified. Establishing categories for risks provides a mechanism for collecting and organizing risks as well as ensuring appropriate scrutiny and management attention to risks that can have serious consequences on meeting work objectives.
Example Work Products
- Risk source lists (external and internal )
- Risk categories list
Subpractices
1. Determine risk sources.
Risk sources are fundamental drivers that cause risks in work activities or organization. There are many sources of risks, both internal and external to a work group. Risk sources identify where risks can originate.
- Uncertain requirements
- Unprecedented efforts (i.e., estimates unavailable)
- Infeasible design
- Competing quality attribute requirements that affect service system solution selection and design
- Architectural decisions that affect quality attribute requirements (e.g., for capacity and availability) for the service system, or business objectives
- Unavailable technology
- Unrealistic schedule estimates or allocation
- Inadequate staffing and skills
- Cost or funding issues
- Uncertain or inadequate subcontractor capability
- Uncertain or inadequate supplier capability
- Inadequate communication with actual or potential customers or with their representatives
- Disruptions to the continuity of operations
- Regulatory constraints (e.g. security, safety, environment)
Many of these sources of risk are accepted without adequately planning for them. Early identification of both internal and external sources of risk can lead to early identification of risks. Risk mitigation plans can then be implemented early in the work to preclude occurrence of risks or reduce consequences of their occurrence.
2. Determine risk categories.
Risk categories are “bins” used for collecting and organizing risks. Identifying risk categories aids the future consolidation of activities in risk mitigation plans.
- Phases of the work lifecycle
- Types of processes used
- Types of products used
- Work management risks (e.g., contract risks, budget risks, schedule risks, resource risks)
- Technical performance risks (e.g., quality attribute related risks, supportability risks)
A risk taxonomy can be used to provide a framework for determining risk sources and categories.