Apart from using a ‘Top 10’ risk method, what else can we do to manage risks in software intensive projects?
The normal approach to managing risk is to
- identify context/scope
- identify risks/opportunities
- prioritise and determine mitigation actions and budget
- launch into the project
Then step 5 is either
a) review the risks at each progress meeting and/or include them in the project status report with some actions; or
b) conduct a separate risk review meeting each week/month/etc to review each of the 50-100+ risks that have been identified.
Now even though both of these step 5’s will ensure risks get reviewed (even if only occasionally), both methods are far from optimal in the majority of projects in software development. By the time some projects have finished their first few phases, the risks themselves are often no longer accurate or useful as they’ve been superceded by new decisions and directions on the project (not to mention customer changes and expectations).
Instead of identifying all of the risks at the start of the project, we can:
- identify any high level, project-wide risks that are critical; and
- identify only those risks related to the current (and possibly next) phase – because by the time the next phase rolls around the assumptions and decisions taken will have changed. The risks that were based on them will have to be thoroughly revised anyway.
By looking at just the top risks in the current phase we can save loads of time that would have been spent in less-than-critical reviews. We can then use this time in more productive ways.
How many project meetings have you been in that reviewed the risks week after week, and everyone merely nodding their heads and ‘yep, same as last week’ status updates.
Instead forget the convention of identifying all risks – just do the immediate ones and worry about the mitigations for these!
One objection to this method is that the entire risk budget can’t be known in advance – but then again, how many projects have you been on that have had an explicit/separate risk budget.