Determine risk sources and categories.


Identifying risk sources provides a basis for systematically examining changing situations over time to uncover circumstances that affect the ability of the project to meet its objectives. Risk sources are both internal and external to the project. As the project progresses, additional sources of risk can be identified. Establishing categories for risks provides a mechanism for collecting and organizing risks as well as ensuring appropriate scrutiny and management attention to risks that can have serious consequences on meeting project objectives.

Example Work Products

  1. Risk source lists (external and internal)
  2. Risk categories list


1. Determine risk sources.

Risk sources are fundamental drivers that cause risks in a project or organization. There are many sources of risks, both internal and external to a project. Risk sources identify where risks can originate.


Typical internal and external risk sources include the following:
  • Uncertain requirements
  • Unprecedented efforts (i.e., estimates unavailable)
  • Infeasible design
  • Competing quality attribute requirements that affect solution selection and design
  • Unavailable technology
  • Unrealistic schedule estimates or allocation
  • Inadequate staffing and skills
  • Cost or funding issues
  • Uncertain or inadequate subcontractor capability
  • Uncertain or inadequate supplier capability
  • Inadequate communication with actual or potential customers or with their representatives
  • Disruptions to the continuity of operations
  • Regulatory constraints (e.g. security, safety, environment)

Many of these sources of risk are accepted without adequately planning for them. Early identification of both internal and external sources of risk can lead to early identification of risks. Risk mitigation plans can then be implemented early in the project to preclude occurrence of risks or reduce consequences of their occurrence.

2. Determine risk categories.

Risk categories are “bins” used for collecting and organizing risks. Identifying risk categories aids the future consolidation of activities in risk mitigation plans.


The following factors can be considered when determining risk categories:
  • Phases of the project’s lifecycle model (e.g., requirements, design, manufacturing, test and evaluation, delivery, disposal)
  • Types of processes used
  • Types of products used
  • Project management risks (e.g., contract risks, budget risks, schedule risks, resource risks)
  • Technical performance risks (e.g., quality attribute related risks, supportability risks)

A risk taxonomy can be used to provide a framework for determining risk sources and categories.