Identify and analyze project risks.


Refer to the Monitor Project Risks specific practice in the Project Monitoring and Control (PMC) (CMMI-DEV) process area for more information about risk monitoring activities.

Refer to the Risk Management (RSKM) (CMMI-DEV) process area for more information about identifying potential problems before they occur so that risk handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives.

Risks are identified or discovered and analyzed to support project planning. This specific practice should be extended to all plans that affect the project to ensure that appropriate interfacing is taking place among all relevant stakeholders on identified risks.


Project planning risk identification and analysis typically include the following:
  • Identifying risks
  • Analyzing risks to determine the impact, probability of occurrence, and time frame in which problems are likely to occur
  • Prioritizing risks

Example Work Products

  1. Identified risks
  2. Risk impacts and probability of occurrence
  3. Risk priorities


1. Identify risks.

Identifying risks means finding potential issues, hazards, threats, vulnerabilities, and so on that could negatively affect work efforts and plans. Risks should be identified and described in an understandable way before they can be analyzed and managed properly. When identifying risks, it is a good idea to use a standard method for defining risks. Risk identification and analysis tools can be used to help identify possible problems.


Examples of risk identification and analysis tools include the following:
  • Risk taxonomies
  • Risk assessments
  • Checklists
  • Structured interviews
  • Brainstorming
  • Process, project, and product performance models
  • Cost models
  • Network analysis
  • Quality factor analysis

2. Document the risks.

3. Review and obtain agreement with relevant stakeholders on the completeness and correctness of documented risks.

4. Revise risks as appropriate.


Examples of when identified risks may need to be revised include the following:
  • When new risks are identified
  • When risks become problems
  • When risks are retired
  • When project circumstances change significantly