Risk Management consists of five steps:
1. Risk identification: Using various techniques to identify all potential risks
2. Risk assessment: Evaluating and estimating the identified risks
3. Risk prioritization – Prioritizing Risk to be included for specific action in the Prioritized Product Backlog
4. Risk mitigation: Developing an appropriate strategy to deal with the risk
5. Risk communication: Communicating the findings from the first four steps to the appropriate stakeholders and determining their perception regarding the uncertain events.
The Scrum Team members should attempt to identify all risks that could potentially impact the project. Only by looking at the project from different perspectives, using a variety of techniques, can they do this job thoroughly. Risk Identification is done throughout the project and Identified Risks become inputs to several Scrum processes including Create Prioritized Product Backlog, Groom Prioritized Product Backlog, and Demonstrate and Validate Sprint.
Risk Assessment
The assessment of risk helps in understanding the potential impact of a risk, how likely it is to occur, and when the risk could materialize. The overall effect on business value should be estimated, and if that impact is significant enough to outweigh the business justification, a decision must be made whether to continue the project. The assessment of risks is done with regard to probability, proximity, and impact. Probability of risks refers to the likelihood of the risk occurring, whereas proximity refers to when the risk might occur. Impact refers to the probable effect of the risks on the project or the organization. To estimate the probability of a risk various techniques may be used, including Probability Trees, Pareto Analysis, and a Probability and Impact Matrix. In addition to probability, risk assessment also evaluates the potential net effect of risks on the project or organization. These effects can be estimated using techniques such as Risk Models and Expected Monetary Value.
Risk Prioritization
Scrum allows for quick identification and assessment of risks. Identified Risks are taken into account when creating a Prioritized Product Backlog during Create Prioritized Product Backlog process, or when we update the Prioritized Product Backlog during Groom Prioritized Product Backlog process—so a Prioritized Product Backlog could also be referred to as a Risk Adjusted Prioritized Product Backlog. The risks could be identified and assessed based on any of the Risk Identification and Risk Assessment techniques mentioned earlier.
Risk Mitigation
The response to each risk will depend on the probability and impact of the risk. However, the iterative nature of Scrum with its rapid turnaround time and feedback cycles allows for early detection of failures; therefore, practically speaking, it has a natural mitigation feature built in. Risk can be mitigated by implementing a number of responses. In most situations, responses are proactive or reactive. In the case of a risk, a plan B may be formulated, which can be used as a fall-back in case the risk materializes – such a plan B is a reactive response. Sometimes risks are accepted and are an example of a risk response which is neither proactive nor reactive. Risks are accepted because of various reasons, as in a situation where the probability or impact of the risk is too low for a response. Acceptance can also be the case in a situation where the apprehension of secondary risks may deter the product owner from taking any action. The effort made by the Product Owner to reduce the probability or impact—or both—of the risk is an example of a proactive response to mitigating risks.
Risk Communication
Because stakeholders have an interest in the project, it is important to communicate with them regarding risks. Information provided to stakeholders related to risk should include potential impact and the plans for responding to each risk. This communication is on-going and should occur in parallel with the four sequential steps discussed thus far—risk identification, assessment, prioritization and mitigation. The Scrum Team may also discuss specific risks related to their Tasks with the Scrum Master during Daily Standup Meetings. The Product Owner is responsible for the prioritization of risks and for communicating the prioritized list to the Scrum Team. An important tool which can be used for communicating information related to risks is the Risk Burndown Chart.