Risk is a potential (uncertain) future event that has negative consequences (See Risk Management Overview). In acquisition, the risk event or consequence is often related to not achieving program objectives. Risk Management is the art or practice of controlling risk, by identifying and tracking risk areas, performing periodic risk assessments to determine risks and their potential impact, developing risk mitigation plans, and continuously monitoring and managing risks. The key to risk management success is early planning, aggressive execution, and an integrated approach that involves performance, cost, and schedule.
Risk management is performed over the life of the program and should involve the entire program team, including the contractor. Risk management in the development phase should start by revisiting any pre-award risk identification activities to assess the continued validity of the risks and to alter as necessary any mitigation strategies based on program progress. Note that in terms of handling identified risks, a program manager may decide to do nothing (accept the risk), or mitigate the risk (take action to prevent, reduce the probability and/or severity, or eliminate the risk). If a risk cannot be reasonably mitigated, then a response action should be planned to identify what will be done if the risk occurs. It should also be noted that mitigation plans often involve expenditure of resources, so in this event, there should be a reasonable return on investment. A program with effective risk management will exhibit the following characteristics: 
- Appropriately tailored risk management strategies are defined and implemented.
- Potential problems (risks) that could impact project success are identified.
- The likelihood and consequences of these risks are understood.
- A priority order in which risks should be addressed is established.
- Mitigation alternatives appropriate for each potential problem are carefully considered based on project circumstances.
Software risk management should be integrated with the overall program approach to risk management. Software risks should be tracked as part of the overall risk activity, and should be a continuous focus of the integrated acquisition and developer software team(s). 
AcqLinks and References: