How can risk be managed?
Risk Management consists of five steps:
1. Risk identification: Using various techniques to identify all potential risks
2. Risk assessment: Evaluating and estimating the identified risks
3. Risk prioritization – Prioritizing Risk to be included for specific action in the Prioritized Product
Backlog
4. Risk mitigation: Developing an appropriate strategy to deal with the risk
5. Risk communication: Communicating the findings from the first four steps to the appropriate
stakeholders and determining their perception regarding the uncertain events.
Risk Identification
The Scrum Team members should attempt to identify all risks that could potentially impact the project.
Only by looking at the project from different perspectives, using a variety of techniques, can they do this
job thoroughly. Risk Identification is done throughout the project and Identified Risks become inputs to
several Scrum processes including Create Prioritized Product Backlog, Groom Prioritized Product Backlog,
and Demonstrate and Validate Sprint.
Risk Assessment
The assessment of risk helps in understanding the potential impact of a risk, how likely it is to occur, and
when the risk could materialize. The overall effect on business value should be estimated, and if that
impact is significant enough to outweigh the business justification, a decision must be made whether to
continue the project.
The assessment of risks is done with regard to probability, proximity, and impact. Probability of risks
refers to the likelihood of the risk occurring, whereas proximity refers to when the risk might occur.
Impact refers to the probable effect of the risks on the project or the organization.
To estimate the probability of a risk various techniques may be used, including Probability Trees, Pareto
Analysis, and a Probability and Impact Matrix.
In addition to probability, risk assessment also evaluates the potential net effect of risks on the project
or organization. These effects can be estimated using techniques such as Risk Models and Expected
Monetary Value.
Risk Prioritization
Scrum allows for quick identification and assessment of risks. Identified Risks are taken into account
when creating a Prioritized Product Backlog during Create Prioritized Product Backlog process, or when
we update the Prioritized Product Backlog during Groom Prioritized Product Backlog process—so a
Prioritized Product Backlog could also be referred to as a Risk Adjusted Prioritized Product Backlog.
The risks could be identified and assessed based on any of the Risk Identification and Risk Assessment
techniques mentioned earlier.
Risk Mitigation
The response to each risk will depend on the probability and impact of the risk. However, the iterative
nature of Scrum with its rapid turnaround time and feedback cycles allows for early detection of failures;
therefore, practically speaking, it has a natural mitigation feature built in.
Risk can be mitigated by implementing a number of responses. In most situations, responses are
proactive or reactive. In the case of a risk, a plan B may be formulated, which can be used as a fall-back
in case the risk materializes – such a plan B is a reactive response. Sometimes risks are accepted and
are an example of a risk response which is neither proactive nor reactive. Risks are accepted because of
various reasons, as in a situation where the probability or impact of the risk is too low for a response.
Acceptance can also be the case in a situation where the apprehension of secondary risks may deter the
product owner from taking any action. The effort made by the Product Owner to reduce the probability
or impact—or both—of the risk is an example of a proactive response to mitigating risks.
Risk Communication
Because stakeholders have an interest in the project, it is important to communicate with them
regarding risks. Information provided to stakeholders related to risk should include potential impact
and the plans for responding to each risk. This communication is on-going and should occur in parallel
with the four sequential steps discussed thus far—risk identification, assessment, prioritization and
mitigation. The Scrum Team may also discuss specific risks related to their Tasks with the Scrum Master
during Daily Standup Meetings. The Product Owner is responsible for the prioritization of risks and for
communicating the prioritized list to the Scrum Team.
An important tool which can be used for communicating information related to risks is the Risk
Burndown Chart.