Guideline: Managing Risks
This is a fundamental practice that project managers should consider in their projects. Identifying and minimizing risks early in the project lifecycle is a key factor for project success.
Main Description

Introduction to Risk Management

Every project contains some measure of uncertainty. Risk Management deals with this uncertainty, trying to understand its potential influence on the project. The purpose of Risk Management is to increase the probability and impact of positive events and decrease the probability and impact of events adverse to the project [PMI04]. The project manager, team, and stakeholders should be involved in risk management.

Identify Risks

Identify risks as soon as the project starts and document them in the risk list. Continue identifying and managing risks throughout the project. A common mistake is to identify risks only at the beginning of the project and then only track the status of these initial risks. Revisit the risk list weekly, or at a minimum when performing iteration planning, and add any newly discovered risks to the list.

Prioritize Risks

Prioritize risks for further analysis or action. A good approach for prioritizing risks is to have an attribute called risk magnitude, a combination of the risk probability and the risk impact. Each iteration provides a chance for better understanding of stakeholder needs, the team capabilities, the technology at hand, and so on. Capture, qualify and prioritize risks as they arise. High magnitude risks are attacked first, thus improving the chances of project success and minimizing uncertainty.

Select Risk Response Strategies

The goal is to mitigate or tackle the high-priority risks as early as possible in the project. To achieve this, you need a good grip on the risks the project faces and clear strategies for mitigating or dealing with them. Once you have chosen a set of risks to focus on, develop options and determine actions to enhance opportunities and reduce threats, selecting a strategy as described in Concept: Risk. Sometimes strategies can be determined for each cause, rather than each risk, eliminating many risks at once.

Plan Risk Response

For each selected strategy, identify and assign tasks to apply the strategy to the given risk. Place those tasks on the work items list so they can be assigned to iterations. Keep a reference to the risk for traceability. The effort must be appropriate to the magnitude of the risk. Avoid spending more on preventing a threat than the impact the risk would have if it occurred.

Monitor Risks

Follow up regularly on risk-mitigation actions. Hold risk reviews when assessing the results at a project milestone to determine whether the information about project risks is up to date and whether any changes are necessary. The team may decide to try another strategy if the chosen strategy does not reduce (or, for an opportunity, increase) the magnitude of a risk.