The purpose of this step is to understand the critical risks the organization faces when developing and maintaining software. For example, a critical risk for an organization that develops software for tax returns might be the risk that the software will not be available for tax season. A vendor of medical equipment will likely be more concerned with delivering a defect free system than with meeting an aggressive target date. The critical risks should be those risks which can negatively impact the Critical Metrics Set. If they are not, then the Critical Metrics Set, or the critical risks should be reexamined.
There are a wealth of techniques that can reduce risk. Which ones can do the best job depends on what the risks are. Moreover as the business changes and as technology changes, the risks will also change. Some of the factors that will influence the risk profile include:
Regulated business vs. highly competitive
Development vs. maintenance
Many users vs. few users
Stable mature technology vs. new technology
Centralized system vs. distributed system
Large integrated system vs. small stand-alone system
Tight target dates
Rapidly changing business environment
Life critical product
The risk profile should heavily influence the priorities in the Defect Management Plan.