RSKM.SP 2.1 Identify Risks
Summary
Identify and document risks.
Description
Identifying potential issues, hazards, threats, and vulnerabilities that could negatively affect work efforts or plans is the basis for sound and successful risk management. Risks should be identified and described understandably before they can be analyzed and managed properly. Risks are documented in a concise statement that includes the context, conditions, and consequences of risk occurrence.
Risk identification should be an organized, thorough approach to seek out probable or realistic risks in achieving objectives. To be effective, risk identification should not attempt to address every possible event. Using categories and parameters developed in the risk management strategy and identified sources of risk can provide the discipline and streamlining appropriate for risk identification. Identified risks form a baseline for initiating risk management activities. Risks should be reviewed periodically to reexamine possible sources of risk and changing conditions to uncover sources and risks previously overlooked or nonexistent when the risk management strategy was last updated.
Risk identification focuses on the identification of risks, not the placement of blame. The results of risk identification activities should never be used by management to evaluate the performance of individuals.
- Examine each element of the work breakdown structure.
- Conduct a risk assessment using a risk taxonomy.
- Interview subject matter experts.
- Review risk management efforts from similar products.
- Examine lessons learned documents or databases.
- Examine design specifications and agreement requirements.
Example Work Products
- List of identified risks, including the context, conditions, and consequences of risk occurrence
Subpractices
1. Identify the risks associated with cost, schedule, and performance.
Risks associated with cost, schedule, performance, and other business objectives should be examined to understand their effect on work objectives. Risk candidates can be discovered that are outside the scope of work objectives but vital to customer interests. For example, risks in development costs, product acquisition costs, cost of spare (or replacement) products, and product disposition (or disposal) costs have design implications.
The customer may not have considered the full cost of supporting a fielded product or using a delivered service. The customer should be informed of such risks, but actively managing those risks may not be necessary. Mechanisms for making such decisions should be examined at work activity and organization levels and put in place if deemed appropriate, especially for risks that affect the work group’s ability to verify and validate the product.
In addition to the cost risks identified above, other cost risks can include the ones associated with funding levels, funding estimates, and distributed budgets.
Risks associated with service agreements, such as supplier dependencies, customer processes, and unrealistic service levels, should also be considered.
Schedule risks can include risks associated with planned activities, key events, and milestones.
- Service interruptions
- Meeting service levels
- Impacts of customer processes
- Requirements
- Analysis and design
- Application of new technology
- Physical size
- Shape
- Weight
- Manufacturing and fabrication
- Service system behavior and operation with respect to functionality or quality attributes
- Verification
- Validation
- Performance maintenance attributes
Performance maintenance attributes are those characteristics that enable an in-use product or service to provide required performance, such as maintaining safety and security performance.
There are risks that do not fall into cost, schedule, or performance categories, but can be associated with other aspects of the organization’s operation.
- Dependency on customer-provided resources (e.g., equipment, facilities)
- Operational resiliency
- Dependencies on suppliers
- Overreliance on key staff
- Strikes
- Diminishing sources of supply
- Technology cycle time
- Competition
2. Review environmental elements that can affect the work.
Risks to the work that frequently are missed include risks supposedly outside the scope of the work group (i.e., the work group does not control whether they occur but can mitigate their impact). These risks can include weather or natural disasters, political changes, and telecommunications failures.
3. Review all elements of the work breakdown structure as part of identifying risks to help ensure that all aspects of the work effort have been considered.
4. Review all elements of the work plan as part of identifying risks to help ensure that all aspects of the work have been considered.
5. Document the context, conditions, and potential consequences of each risk.
Risk statements are typically documented in a standard format that contains the risk context, conditions, and consequences of occurrence. The risk context provides additional information about the risk such as the relative time frame of the risk, the circumstances or conditions surrounding the risk that has brought about the concern, and any doubt or uncertainty.
6. Identify the relevant stakeholders associated with each risk.