Updated April 16, 2026

    FAR 39.102 Management of risk.

    Plain-English Summary

    FAR 39.102 explains how agencies should manage risk when acquiring information technology. It requires agencies to analyze risks, benefits, and costs before awarding an IT contract, and it ties that analysis to requirements definition, project selection, and program implementation. The section identifies common IT risk categories such as schedule, technical obsolescence, cost, contract type risk, technical feasibility, system dependencies, workload from multiple high-risk projects, funding availability, and overall program management risk. It also directs agencies to use practical risk-management techniques, including prudent project management, modular contracting, acquisition planning aligned with budget planning, continuous risk-based data collection and evaluation, prototyping, post-implementation reviews, and quantifiable measures of risk and return. In practice, this section is meant to keep agencies from treating IT acquisitions as purely transactional purchases; instead, it pushes them to make disciplined investment decisions and to monitor performance throughout the life of the project.

    Key Rules

    Analyze risk before contracting

    Before entering into an IT contract, the agency should evaluate the risks, benefits, and costs. This analysis is part of sound requirements definition and should inform whether the project should proceed and how it should be structured.

    Reasonable risk is allowed

    The FAR does not require agencies to avoid all risk. Reasonable risk taking is appropriate when the agency can control and mitigate the risk through planning, oversight, and management.

    Shared responsibility for risk

    Contracting and program office officials are jointly responsible for assessing, monitoring, and controlling risk. That responsibility applies both when selecting projects for investment and during program execution.

    Identify common IT risk types

    Agencies should consider schedule risk, technical obsolescence, cost growth, contract-type risk, technical feasibility, dependencies with other systems or projects, the number of simultaneous high-risk projects, funding availability, and program management risk.

    Use active mitigation techniques

    Agencies should apply appropriate techniques to manage and reduce risk during acquisition. The section specifically points to prudent project management, modular contracting, acquisition planning tied to budget planning, ongoing risk-based data collection, prototyping, post-implementation reviews, and quantifiable risk/return measures.

    Responsibilities

    Agency

    Analyze risks, benefits, and costs before entering into an IT contract; ensure reasonable risk is controlled and mitigated; and use risk-management techniques throughout acquisition and implementation.

    Contracting Officer

    Work jointly with the program office to assess, monitor, and control risk; help structure the acquisition to reflect risk considerations; and align acquisition planning with the contract strategy and funding realities.

    Program Office

    Work jointly with contracting officials to assess, monitor, and control risk; define requirements with risk in mind; and manage implementation so that technical, schedule, and performance risks are actively tracked and reduced.

    Finance Office

    Participate in acquisition planning so that project planning and budget planning are aligned, and help ensure funding availability is considered as part of the risk analysis.

    Practical Implications

    1. Agencies should not approve IT projects based only on need or enthusiasm; they need a documented risk-benefit-cost judgment before award.

    2. Modular contracting is often a practical way to reduce exposure by breaking large IT efforts into smaller, more manageable increments.

    3. A common pitfall is treating risk management as a one-time pre-award exercise; this section expects continuous monitoring during implementation.

    4. Another frequent problem is underestimating dependencies, funding instability, or the impact of running too many high-risk projects at once.

    5. Post-implementation reviews matter because they show whether the project actually delivered the expected cost, benefit, and return results, which improves future acquisition decisions.

    Official Regulatory Text

    (a) Prior to entering into a contract for information technology, an agency should analyze risks, benefits, and costs. (See part 7 for additional information regarding requirements definition.) Reasonable risk taking is appropriate as long as risks are controlled and mitigated. Contracting and program office officials are jointly responsible for assessing, monitoring and controlling risk when selecting projects for investment and during program implementation.

    (b) Types of risk may include schedule risk, risk of technical obsolescence, cost risk, risk implicit in a particular contract type, technical feasibility, dependencies between a new project and other projects or systems, the number of simultaneous high risk projects to be monitored, funding availability, and program management risk.

    (c) Appropriate techniques should be applied to manage and mitigate risk during the acquisition of information technology. Techniques include, but are not limited to: prudent project management; use of modular contracting; thorough acquisition planning tied to budget planning by the program, finance and contracting offices; continuous collection and evaluation of risk-based assessment data; prototyping prior to implementation; post implementation reviews to determine actual project cost, benefits and returns; and focusing on risks and returns using quantifiable measures.