Reactive risk strategies have been laughingly called the “Indiana Jones school of risk management”. In the movies that carried his name, Indiana Jones, when faced with overwhelming difficulty, would invariably say, “Don’t worry, I’ll think of something!” Never worrying about problems until they happened, Indy would react in some heroic way.
Sadly, the average software project manager is not Indiana Jones and the members of the software project team are not his trusty sidekicks. Yet, the majority of software teams rely solely on reactive risk strategies. At best, a reactive strategy monitors the project for likely risks. Resources are set aside to deal with them, should they become actual problems. More commonly, the software team does nothing about risks until something goes wrong. Then, the team flies into action in an attempt to correct the problem rapidly. This is often called fire-fighting mode. When this fails, “crisis management” takes over and the project is in real jeopardy.
A considerably more intelligent strategy for risk management is to be proactive. A proactive strategy begins long before technical work is initiated. Potential risks are identified, their probability and impact are assessed, and they are ranked by importance. Then, the software team establishes a plan for managing risk. The primary objective is to avoid risk, but because not all risks can be avoided, the team works to develop a contingency plan that will enable it to respond in a controlled and effective manner. Throughout the remainder of this chapter, we discuss a proactive strategy for risk management.
Risk identification is the first step in risk management. Both project risks and product risks need to be identified, and several techniques exist for doing so. Some of the most common are using risk templates, interviewing the stakeholders, and holding project retrospectives.
You should try to include as many stakeholders as you can when identifying risks, because the broadest range of stakeholders will surface the largest number of risk items associated with the product.
Several formal techniques, such as Failure Mode and Effect Analysis (FMEA) and Failure Mode Effect and Criticality Analysis (FMECA), are used to find risks. These techniques identify the effects a risk would have if it became an actual outcome. The effects can be on people, society, users, customers, etc.