[Code of Federal Regulations]
[Title 48, Volume 1]
[Revised as of October 1, 2003]
From the U.S. Government Printing Office via GPO Access
[CITE: 48CFR39.102]

[Page 745]
 
            TITLE 48--FEDERAL ACQUISITION REGULATIONS SYSTEM
 
                CHAPTER 1--FEDERAL ACQUISITION REGULATION
 
PART 39--ACQUISITION OF INFORMATION TECHNOLOGY--Table of Contents
 
                          Subpart 39.1--General
 
Sec.  39.102  Management of risk.

    (a) Prior to entering into a contract for information technology, an 
agency should analyze risks, benefits, and costs. (See part 7 for 
additional information regarding requirements definition.) Reasonable 
risk taking is appropriate as long as risks are controlled and 
mitigated. Contracting and program office officials are jointly 
responsible for assessing, monitoring and controlling risk when 
selecting projects for investment and during program implementation.
    (b) Types of risk may include schedule risk, risk of technical 
obsolescence, cost risk, risk implicit in a particular contract type, 
technical feasibility, dependencies between a new project and other 
projects or systems, the number of simultaneous high risk projects to be 
monitored, funding availability, and program management risk.
    (c) Appropriate techniques should be applied to manage and mitigate 
risk during the acquisition of information technology. Techniques 
include, but are not limited to: prudent project management; use of 
modular contracting; thorough acquisition planning tied to budget 
planning by the program, finance and contracting offices; continuous 
collection and evaluation of risk-based assessment data; prototyping 
prior to implementation; post implementation reviews to determine actual 
project cost, benefits and returns; and focusing on risks and returns 
using quantifiable measures.