[Code of Federal Regulations]

[Title 48, Volume 1]

[Revised as of October 1, 2005]

From the U.S. Government Printing Office via GPO Access

[CITE: 48CFR39.102]



[Page 769]

 

            TITLE 48--FEDERAL ACQUISITION REGULATIONS SYSTEM

 

                CHAPTER 1--FEDERAL ACQUISITION REGULATION

 

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY--Table of Contents

 

                          Subpart 39.1--General

 

Sec. 39.102  Management of risk.



    (a) Prior to entering into a contract for information technology, an 
agency should analyze risks, benefits, and costs. (See part 7 for 
additional information regarding requirements definition.) Reasonable 
risk taking is appropriate as long as risks are controlled and 
mitigated. Contracting and program office officials are jointly 
responsible for assessing, monitoring and controlling risk when 
selecting projects for investment and during program implementation.

    (b) Types of risk may include schedule risk, risk of technical 
obsolescence, cost risk, risk implicit in a particular contract type, 
technical feasibility, dependencies between a new project and other 
projects or systems, the number of simultaneous high risk projects to be 
monitored, funding availability, and program management risk.

    (c) Appropriate techniques should be applied to manage and mitigate 
risk during the acquisition of information technology. Techniques 
include, but are not limited to: prudent project management; use of 
modular contracting; thorough acquisition planning tied to budget 
planning by the program, finance and contracting offices; continuous 
collection and evaluation of risk-based assessment data; prototyping 
prior to implementation; post implementation reviews to determine actual 
project cost, benefits and returns; and focusing on risks and returns 
using quantifiable measures.