Introduction to Risk Management
Every project contains some measure of uncertainty. Risk Management deals with this uncertainty,
trying to understand its potential influence on the project. The purpose of Risk Management is to increase the
probability and impact of positive events and decrease the probability and impact of events adverse to the project [PMI04]. The project manager, team, and stakeholders should be involved in risk
Identify risks as soon as the project starts and document them in the risk list. Continue identifying and managing
risks throughout the project. A common mistake is to identify risks only at the beginning of the project and then only
track the status of these initial risks. Revisit the risk list weekly, or at a minimum when performing iteration
planning, and add any newly discovered risks to the list.
Prioritize risks for further analysis or action. A good approach for prioritizing risks is to have an attribute called
risk magnitude, a combination of the risk probability and the risk impact. Each iteration provides a chance for
better understanding of stakeholder needs, the team's capabilities, the technology at hand, and so on. Capture, qualify
and prioritize risks as they arise. High magnitude risks are attacked first, thus improving the chances of
project success and minimizing uncertainty.
Select Risk Response Strategies
You are trying to mitigate or tackle the high priority risks as early as possible in the project. To achieve
this, you need a good grip on the risks the project faces, and clear strategies on how to mitigate
or deal with them. Once you have chosen a set of risks to focus on, develop options and determine actions to
enhance opportunities and reduce threats, selecting a strategy, as described in Concept: Risk. Sometimes strategies can be determined for each cause, rather than each risk, eliminating many risks at once.
Plan Risk Response
For each selected strategy, identify and assign tasks to apply the strategy to the given risk. Place those tasks on the
work items list so they can be assigned to iterations. Keep a reference to the risk for traceability. The
effort must be appropriate to the magnitude of the risk. Avoid spending more on preventing a threat than the impact
the risk would have if it occurred.