Page 35 -
P. 35
document and identified in a Delphi session are another good source of potential risks.
The team should go through them and evaluate each assumption for potential risks as part
of the risk brainstorming session.
Estimate the impact of each risk
Once the team has generated a final set of risks, they have enough information to estimate
two things: a rough estimate of the probability that the risk will occur, and the potential
impact of that risk on the project if it does eventually materialize. The risks must then be
prioritized in two ways: in order of probability, and in order of impact. Both the probabil-
ity and impact are measured using a relative scale by assigning each a number between 1
and 5.
These numbers are arbitrary; they simply are used to compare the probability or impact of
one risk with another, and do not carry any specific meaning. The numbers for probability
and impact are assigned to each risk; a priority can then be calculated by multiplying these
numbers together. It is equally effective to assign a percentage as a probability (i.e., a risk
is 80% likely to occur) and a real duration for impact (i.e., it will cost 32 man-hours if the
risk occurs). However, many teams have trouble estimating these numbers, and find it
easier to just assign an arbitrary value for comparison.
Many people have difficulty prioritizing, but there is a simple technique that makes it
much easier. While it’s difficult to rank all of the risks in the list at once, it is usually not
hard to pick out the one that’s most likely to occur. Assign that one a probability of 5.
Then select the one that’s least likely to occur and assign that one a probability of 1. With
those chosen, it’s much easier to rank the others relative to them. It might help to find
another 5 and another 1, or if those don’t exist, find a 4 and a 2. The rest of the probabili-
ties should start to fall in place. Once that’s done, the same can be done for the impact.
After the probability and impact of each risk have been estimated, the team can calculate
the priority of each risk by multiplying its probability by its impact. This ensures that the
highest priority is assigned to those risks that have both a high probability and impact, fol-
lowed by either high-probability risks with a low impact or low-probability risks with a
high impact. This is generally the order in which a good project manager will want to try
to deal with them: it allows the most serious risks to rise to the top of the list.
Make a mitigation plan
All of this risk brainstorming and estimation is only useful if it leads to the team taking
actions to avoid the most pressing risks. The remainder of the risk planning meeting
should be dedicated to identifying these actions. The project manager should start with the
highest-priority risk, working with the team to decide on any actions that should be taken.
After that, the team should move down the list of risks, until they decide that the priority
of each of the remaining risks is low enough that no action would be required.
SOFTWARE PROJECT PLANNING 27
