I’m looking for perspectives on how risk analysis is performed when there’s not precisely a “dollar value” associated with the risk, as in an Open Source project. Traditionally, risk analysis takes the form of
Asset Value × Annual Probability of Loss × Probable Outcome of Loss = Risk
Open source projects provide great value to people, and their development faces significant risks, both from a project standpoint (ranging from wasted developer cycles to failure to ever deliver) and from a product standpoint (users might not like the product, an update could make people leave, or a security hole could leave millions of systems vulnerable to a nasty malware attack).
Who is responsible for identifying and managing these risks? How does the team decide which ones are most significant to the outcome of the project? Are there any official standards or approaches in this area?