Please note that this no longer represents my view on this subject, but is maintained for posterity.
Risk Management is a part of everyday life, crossing the street or even walking downstairs in the morning carries with it some risk factor. A project is no different. When projects were managed by default by using high overhead techniques such as PRINCE2, risk was an integral part of running a project; they were cataloged, monitored and actively mitigated through the use of logs and registers. Many of us have since abandoned these heavy methods in favour of lighter approaches, such as Scrum or Kanban. However, amid all of the confusion in the revolution, we appear to have thrown the baby out with the bath water. Even now, risk is rarely included as an active element in our practice, and rarely done well. I would propose a new method of managing risk, something lightweight that fits with our de facto practices, but with the rigour of the old guard.
What is Risk?
First, let’s define risk. The ISO31000 standard defined risk as an uncertain event, which should it occur, will have an effect on the project meeting it’s objectives. Notice the lack of connotation here, risk isn’t some inherently bad thing, it’s simply a degree of uncertainty. The message is clear, we should be looking for, and actively managing, all forms of uncertainty.
Risk sits in the middle of cause and effect, some cause may trigger an effect, although we don’t know.