Articles

To some degree we all live with uncertainty. We have no control over the future. Yet we carry on, we persevere, because, I guess, it’s the way we’re made.” – Karen Walker Thompson

When many of us think of risks, we think of a child’s roller skate left on the front doorstep or the possibility of a hover board catching fire under one’s feet. As serious as these two examples are, businesses often face risks that impact many more people.

Risk is defined as an uncertain event—or set of events—that can affect the objectives of a project and may contribute to its success or failure, according to A Guide to the Scrum Body of Knowledge (SBOK™). In business and project management, risks can be positive or negative. Risks that are likely to have a positive impact on the project are referred to as opportunities whereas those that could affect the project in a negative manner are called threats.

Opportunities can turn negative over time—sometimes faster than one would think. Sean Connery, the actor famous as the quintessential James Bond, had the opportunity to play the role of Gandalf in Peter Jackson’s The Lord of the Rings trilogy. He passed on the role that earned Ian McKellen an Academy Award nomination. Likewise, Will Smith avoided an uncertain event by turning down the role of Neo in The Matrix. Keanu Reeves took it on and remained in the role as it became a modern Hollywood franchise. As Joel Barker points out, Swiss watch makers in the 1980s snubbed the opportunity to go to quartz and missed out on the largest expansion of the watch market in history. This ability of missed opportunities to represent lost benefits is probably what puts them in the risk category.

Managing risk must be done proactively, and in Scrum it is an iterative process that should begin at project initiation and continue throughout the project’s lifecycle. The process of managing risks should follow some standardized steps to ensure that risks are identified, evaluated and a proper course of action is determined and acted upon accordingly.

Standardized Risk Management typically consists of five steps:

1. Risk identification
2. Risk assessment
3. Risk prioritization
4. Risk mitigation
5. Risk communication

The SBOK™ says that risks should be identified, assessed and responded to based on two factors: the probability of each risk’s occurrence and the possible impact in the event of such occurrence. Risks with a high probability and impact value should be addressed before those with a relatively lower value. In general, once a risk is identified it is important to understand its probable causes and the potential effects if it occurs.

In a Scrum environment, risks are generally minimized, largely due to the work being done in Sprints whereby a continuous series of deliverables is produced in very short cycles. The deliverables are compared to expectations in the Sprint Review meeting, and the Product Owner—who is responsible for seeing that the project delivers real business value—is actively engaged throughout each Sprint and the entire project.

Even in the simplest of projects, things can go wrong. So it is important to have a strategy to identify and manage risks and keep your feet out of the fire.