Identify and document risks.


Identifying potential issues, hazards, threats, and vulnerabilities that could negatively affect work efforts or plans is the basis for sound and successful risk management. Risks should be identified and described understandably before they can be analyzed and managed properly. Risks are documented in a concise statement that includes the context, conditions, and consequences of risk occurrence.

Risk identification should be an organized, thorough approach to seek out probable or realistic risks in achieving objectives. To be effective, risk identification should not attempt to address every possible event. Using categories and parameters developed in the risk management strategy and identified sources of risk can provide the discipline and streamlining appropriate for risk identification. Identified risks form a baseline for initiating risk management activities. Risks should be reviewed periodically to reexamine possible sources of risk and changing conditions to uncover sources and risks previously overlooked or nonexistent when the risk management strategy was last updated.

Risk identification focuses on the identification of risks, not the placement of blame. The results of risk identification activities should never be used by management to evaluate the performance of individuals.


Many methods are used for identifying risks. Typical identification methods include the following:
  • Examine each element of the project work breakdown structure.
  • Conduct a risk assessment using a risk taxonomy.
  • Interview subject matter experts.
  • Review risk management efforts from similar products.
  • Examine lessons learned documents or databases.
  • Examine design specifications and agreement requirements.

Example Work Products

  1. List of identified risks, including the context, conditions, and consequences of risk occurrence


1. Identify the risks associated with cost, schedule, and performance.

Risks associated with cost, schedule, performance, and other business objectives should be examined to understand their effect on project objectives. Risk candidates can be discovered that are outside the scope of project objectives but vital to customer interests. For example, risks in development costs, product acquisition costs, cost of spare (or replacement) products, and product disposition (or disposal) costs have design implications.

The customer may not have considered the full cost of supporting a fielded product or using a delivered service. The customer should be informed of such risks, but actively managing those risks may not be necessary. Mechanisms for making such decisions should be examined at project and organization levels and put in place if deemed appropriate, especially for risks that affect the project’s ability to verify and validate the product.

In addition to the cost risks identified above, other cost risks can include the ones associated with funding levels, funding estimates, and distributed budgets.

Schedule risks can include risks associated with planned activities, key events, and milestones.


Performance risks can include risks associated with the following:
  • Requirements
  • Analysis and design
  • Application of new technology
  • Physical size
  • Shape
  • Weight
  • Manufacturing and fabrication
  • Product behavior and operation with respect to functionality or quality attributes
  • Verification
  • Validation
  • Performance maintenance attributes

Performance maintenance attributes are those characteristics that enable an in-use product or service to provide required performance, such as maintaining safety and security performance.

There are risks that do not fall into cost, schedule, or performance categories, but can be associated with other aspects of the organization’s operation.


Examples of these other risks include risks related to the following:
  • Strikes
  • Diminishing sources of supply
  • Technology cycle time
  • Competition

2. Review environmental elements that can affect the project.

Risks to a project that frequently are missed include risks supposedly outside the scope of the project (i.e., the project does not control whether they occur but can mitigate their impact). These risks can include weather or natural disasters, political changes, and telecommunications failures.

3. Review all elements of the work breakdown structure as part of identifying risks to help ensure that all aspects of the work effort have been considered.

4. Review all elements of the project plan as part of identifying risks to help ensure that all aspects of the project have been considered.

Refer to the Project Planning (PP) (CMMI-DEV) process area for more information about identifying project risks.

5. Document the context, conditions, and potential consequences of each risk.

Risk statements are typically documented in a standard format that contains the risk context, conditions, and consequences of occurrence. The risk context provides additional information about the risk such as the relative time frame of the risk, the circumstances or conditions surrounding the risk that has brought about the concern, and any doubt or uncertainty.

6. Identify the relevant stakeholders associated with each risk.