Management of risk
Effective risk management is mandatory for all federal IT acquisitions, requiring joint responsibility and proactive mitigation strategies throughout the project lifecycle.
Overview
FAR 39.102 emphasizes the importance of risk management in the acquisition of information technology (IT) by federal agencies. Before entering into IT contracts, agencies must analyze the associated risks, benefits, and costs, ensuring that reasonable risks are taken only when they are controlled and mitigated. Both contracting and program office officials share responsibility for assessing, monitoring, and controlling risk throughout the project lifecycle, from selection to implementation. The regulation identifies various types of risks, such as schedule, technical obsolescence, cost, contract type, technical feasibility, interdependencies, project volume, funding, and program management. To manage these risks, agencies are encouraged to use techniques like prudent project management, modular contracting, comprehensive acquisition and budget planning, continuous risk assessment, prototyping, post-implementation reviews, and quantifiable risk-return analysis.
Key Rules
- Pre-Contract Risk Analysis: Agencies must analyze risks, benefits, and costs before entering into IT contracts.
- Joint Risk Responsibility: Contracting and program office officials are jointly responsible for risk management throughout the project.
- Types of Risk: Risks include schedule, technical obsolescence, cost, contract type, technical feasibility, dependencies, project volume, funding, and program management.
- Risk Management Techniques: Agencies should use techniques such as modular contracting, acquisition planning, continuous risk assessment, prototyping, and post-implementation reviews.
Responsibilities
- Contracting Officers: Ensure risk analysis and mitigation strategies are in place before and during IT acquisitions.
- Contractors: Comply with agency risk management requirements and participate in risk mitigation activities as required.
- Agencies: Oversee risk assessment, monitoring, and control throughout the IT project lifecycle.
Practical Implications
- This section exists to ensure IT acquisitions are managed with a focus on minimizing and controlling risk, improving project outcomes, and safeguarding government investments.
- It impacts daily contracting by requiring structured risk analysis and ongoing risk management.
- Common pitfalls include inadequate risk assessment, failure to use appropriate mitigation techniques, and lack of coordination between contracting and program offices.