Determine Risk Sources and Categories

Identification of risk sources provides a basis for systematically examining changing situations over time to uncover circumstances that impact the ability of the project to meet its objectives. Risk sources are both internal and external to the project. As the project progresses, additional sources of risk may be identified. Establishing categories for risks provides a mechanism for collecting and organizing risks as well as ensuring appropriate scrutiny and management attention for those risks that can have more serious consequences on meeting project objectives..

• Determine risk sources. Risk sources are the fundamental drivers that cause risks within a project or organization. There are many sources of risks, both internal and external to a project. Risk sources identify common areas where risks may originate. Typical internal and external risk sources include the following:
  • Uncertain requirements
  • Unprecedented efforts—estimates unavailable
  • Infeasible design
  • Unavailable technology
  • Unrealistic schedule estimates or allocation
  • Inadequate staffing and skills
  • Cost or funding issues
  • Uncertain or inadequate subcontractor capability
  • Uncertain or inadequate vendor capability
  Many of these sources of risk are often accepted without adequate planning. Early identification of both internal and external sources of risk can lead to early identification of risks. Risk mitigation plans can then be implemented early in the project to preclude occurrence of the risks or reduce the consequences of their occurrence.
• Determine risk categories. Risk categories reflect the “bins” for collecting and organizing risks. A reason for identifying risk categories is to help in the future consolidation of the activities in the risk mitigation plans. The following factors may be considered when determining risk categories:
  • The phases of the project’s life-cycle model (e.g., requirements, design, manufacturing, test and evaluation, delivery, disposal)
  • The types of processes used
  • The types of products used
  • Program management risks (e.g., contract risks, budget/cost risks, schedule risks, resources risks, performance risks, supportability risks)
  A risk taxonomy can be used to provide a framework for determining risk sources and categories..