Risk Management is a topic that is sometimes ignored, sometimes done haphazardly, and many times done correctly in domains that depend on managing risk. Of course ALL domains that deliver projects depend on properly managing risk.
<RANT> Doing Agile development is NOT - I repeat NOT - managing risk. They may be doing fine-grained exposure to potential risks, but they are not MANAGING risks. Anyone claiming so is simply confusing a risk response - revealing problems through short-cycle functionality testing - with the management of the risk handling process. </RANT>
OK, now let's look at a Risk Matrix from a real program. This one is the Space Based Infrared System (SBIRS). SBIRS is the current US missile early-warning satellite system (it detects ballistic missile launches rather than intercepting them), some of which is built in my neighborhood here in Boulder, Colorado.
This is the categorization of the program's risks in terms of likelihood and severity of outcome. It answers two questions: what is likely to happen, and if it does happen, how bad is it going to be for our program?
This chart is embedded in the process of Managing Risk. One such process - the one used by the US DoD for these activities - is shown below.
So when you hear "we need to manage risk" or "we're doing risk management," look to see that four things are in place:
- A risk management process flow, as shown above.
- A Cardinal risk and impact ranking matrix, defined before you start seeking out risks. If you have an Ordinal risk process - like many do - ranking risks only by relative comparison as Low, Medium, High, then your risk process is seriously flawed: ordinal labels cannot be multiplied or added, so they cannot tell you the expected cost of a risk or how much reserve to hold against it.
- A Risk Register, where the risks are kept along with the Cardinal information about each risk and, most importantly, the Risk Handling processes or Risk Responses.
- Risk handling that is planned and budgeted. If it is not, then when your risk comes true - that is, turns into an issue - you'll be late and have no money for handling it. A generally bad response.
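To make the Cardinal versus Ordinal point concrete, here is an added example (not from the original post, and not any program's actual register) of a minimal Risk Register in Python. Likelihood is a probability and impact is a dollar cost, so the two multiply into an expected exposure and sum into a reserve figure; an Ordinal Low/Medium/High scoring is computed alongside to show how it mis-ranks the same risks. The three risks, the bucket thresholds and every dollar figure are constructed for illustration.

```python
"""Added example: a minimal cardinal risk register, with an ordinal scoring
shown alongside it for comparison. All risks, thresholds and dollar
figures below are constructed for illustration; none come from a real program."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: float      # cardinal likelihood, 0.0 .. 1.0
    impact_cost: float      # cardinal severity: cost to the program if the risk occurs
    response: str           # planned handling (avoid / mitigate / transfer / accept)
    handling_budget: float  # money set aside now for that response (0 = unbudgeted)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.risk_id}: probability must be in [0, 1]")
        if self.impact_cost < 0 or self.handling_budget < 0:
            raise ValueError(f"{self.risk_id}: costs must be non-negative")

    def exposure(self) -> float:
        """Expected cost of the risk: probability x impact. Only meaningful
        because both factors are cardinal."""
        return self.probability * self.impact_cost


def rank_cardinal(register):
    """Risk ids ordered by expected exposure, highest first."""
    return [r.risk_id for r in sorted(register, key=lambda r: r.exposure(), reverse=True)]


def ordinal_score(risk) -> int:
    """Typical 3x3 matrix scoring: Low=1, Medium=2, High=3 for each axis,
    multiplied. The bucket boundaries are assumed, not from the post."""
    likelihood = 1 if risk.probability < 0.2 else 2 if risk.probability < 0.5 else 3
    impact = 1 if risk.impact_cost < 100_000 else 2 if risk.impact_cost < 1_000_000 else 3
    return likelihood * impact


def rank_ordinal(register):
    """Risk ids ordered by ordinal score, highest first (ties keep register order)."""
    return [r.risk_id for r in sorted(register, key=ordinal_score, reverse=True)]


def total_expected_exposure(register) -> float:
    """Sum of expected exposures: a starting point for sizing management reserve."""
    return sum(r.exposure() for r in register)


def total_handling_budget(register) -> float:
    """Money already committed to planned responses."""
    return sum(r.handling_budget for r in register)


def unbudgeted(register):
    """Risks with no planned or no funded response: when these turn into
    issues there is no plan and no money, the failure mode the post warns about."""
    return [r.risk_id for r in register if not r.response or r.handling_budget == 0]


# Constructed sample register (hypothetical risks and figures).
REGISTER = [
    Risk("R-01", "Supplier delivers subsystem three months late",
         0.35, 200_000, "mitigate: qualify a second source", 40_000),
    Risk("R-02", "Environmental test forces a redesign",
         0.05, 2_000_000, "mitigate: early breadboard test", 75_000),
    Risk("R-03", "Key analyst leaves before integration",
         0.60, 50_000, "", 0),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id}: exposure ${r.exposure():,.0f}  ordinal score {ordinal_score(r)}")
    print("cardinal ranking:", rank_cardinal(REGISTER))
    print("ordinal ranking: ", rank_ordinal(REGISTER))
    print(f"expected exposure ${total_expected_exposure(REGISTER):,.0f}, "
          f"handling budgeted ${total_handling_budget(REGISTER):,.0f}")
    print("unbudgeted risks:", unbudgeted(REGISTER))
```

Run as a script, the two rankings disagree: R-02 (a 5% chance of a $2M hit, expected exposure $100k) tops the cardinal ranking, while the ordinal matrix puts R-01 (35% chance of $200k, expected exposure $70k) above it because Medium x Medium scores higher than Low x High. The cardinal register also yields numbers you can act on, a reserve to hold and a list of risks whose handling nobody has funded, which no Low/Medium/High grid can produce.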