After the project has been broken down into analysable components, we identify the source of the risk -- why is there uncertainty? What is causing this uncertainty or variability?
By addressing the causes or sources of the variability we will be better able to respond to the causes in addition to the effects.
Suppose we have identified a risk in the completion of the functional specification documents of a software development project. What we mean is that we have identified an uncertainty in the completion of these documents. They may take more or less time than expected. What might be the causes of this risk?
The specifications may take longer because the requirements may change as the project progresses. The specifications will change in proportion to the change in requirements.
The specifications may take longer because it may be realised later that the specifications do not cover its areas on the proper depth and scope.
These are two possible causes. Notice that responses required to mitigate the uncertainty could be very different. In the first cause, we need to look further at the requirements documents from which the specifications are being developed. In the second cause, we need to look at how we can identify gaps in the specifications documents. Of course it is possible that both causes occur.
Once we have identified the possible causes of the risks, we can proceed to identifying responses to address the causes, the risk, and the risk events.
* * *
References: Simister & Turner