Project Risk Management | Probability & Impact Matrix
Project risk management uses probability x impact scoring to prioritize threats. GitScrum tracks risk registers and supports mitigation planning.
7 min read
Every project has risksβthings that might go wrong. The best teams don't ignore risks; they identify them early, assess their impact, and plan mitigations. Proactive risk management prevents surprises and keeps projects on track.
Risk Categories
| Category | Examples | Mitigation Focus |
|---|---|---|
| Technical | Unknown tech, integration | Spikes, prototypes |
| Resource | Key person leaves, capacity | Cross-training, buffer |
| External | Vendor delays, API changes | Contracts, alternatives |
| Scope | Requirements change | Clear process, buffer |
| Timeline | Deadline pressure | Realistic estimates |
Risk Identification
Finding Risks
RISK IDENTIFICATION PROCESS
βββββββββββββββββββββββββββ
TEAM BRAINSTORM:
βββββββββββββββββββββββββββββββββββββ
In planning session, ask:
βββ "What could go wrong?"
βββ "What are we uncertain about?"
βββ "What did we struggle with before?"
βββ "What depends on others?"
βββ "What's new to us?"
βββ Everyone contributes
CATEGORIES TO EXPLORE:
βββββββββββββββββββββββββββββββββββββ
Technical:
βββ Unknown technologies
βββ Integration complexity
βββ Performance concerns
βββ Security requirements
βββ Scale challenges
βββ "Will this work?"
People:
βββ Key person availability
βββ Skill gaps
βββ Team capacity
βββ Stakeholder availability
βββ Cross-team dependencies
βββ "Do we have the right people?"
External:
βββ Third-party vendors
βββ API dependencies
βββ Regulatory requirements
βββ Market timing
βββ Customer availability
βββ "What's out of our control?"
Scope:
βββ Unclear requirements
βββ Scope creep likelihood
βββ Stakeholder changes
βββ Competing priorities
βββ "Will scope stay stable?"
DOCUMENT EACH RISK:
βββββββββββββββββββββββββββββββββββββ
Risk: [Description]
Category: [Technical/People/External/Scope]
Probability: [High/Medium/Low]
Impact: [High/Medium/Low]
Mitigation: [Action to reduce risk]
Owner: [Who monitors this]
Status: [Open/Mitigating/Closed]
Risk Assessment
Probability Γ Impact
RISK MATRIX
βββββββββββ
IMPACT
Low Medium High
ββββββββββ¬βββββββββ¬βββββββββ
High β Medium β High βCriticalβ
ββββββββββΌβββββββββΌβββββββββ€ P
Med β Low β Medium β High β R
ββββββββββΌβββββββββΌβββββββββ€ O
Low βAccept β Low β Medium β B
ββββββββββ΄βββββββββ΄βββββββββ
PRIORITY BASED ON SCORE:
βββββββββββββββββββββββββββββββββββββ
Critical: Immediate mitigation required
High: Mitigation plan, active monitoring
Medium: Mitigation plan, regular review
Low: Accept, periodic check
Accept: Note but don't actively manage
EXAMPLE ASSESSMENT:
βββββββββββββββββββββββββββββββββββββ
Risk Prob Impact Score
ββββββββββββββββββββββββββββββββββββββββββββββββ
API provider changes terms Med High HIGH
Key developer leaves Low High MEDIUM
Requirements unclear High Med HIGH
Performance issues Med Med MEDIUM
Bug in new feature High Low MEDIUM
Focus on: API and Requirements (HIGH)
Plan for: Others (MEDIUM)
Mitigation Strategies
Response Types
RISK RESPONSE STRATEGIES
ββββββββββββββββββββββββ
AVOID:
βββββββββββββββββββββββββββββββββββββ
Eliminate the risk entirely.
Example:
Risk: "New database might not scale"
Avoid: Use proven database we know scales
When: Possible and practical
MITIGATE:
βββββββββββββββββββββββββββββββββββββ
Reduce probability or impact.
Example:
Risk: "Key developer might leave"
Mitigate: Cross-train team, document knowledge
When: Can't avoid but can reduce
TRANSFER:
βββββββββββββββββββββββββββββββββββββ
Shift risk to another party.
Example:
Risk: "Infrastructure might fail"
Transfer: Use cloud provider with SLA
When: Someone else can manage better
ACCEPT:
βββββββββββββββββββββββββββββββββββββ
Acknowledge and proceed.
Example:
Risk: "Minor UI bug might occur"
Accept: Will fix if happens, not worth preventing
When: Low impact, high cost to mitigate
CONTINGENCY:
βββββββββββββββββββββββββββββββββββββ
Plan for if risk occurs.
Example:
Risk: "Vendor might be late"
Contingency: Backup vendor identified,
can switch within 2 weeks
When: Can't prevent, can respond
Mitigation Plans
MITIGATION PLANNING
βββββββββββββββββββ
EXAMPLE RISK:
βββββββββββββββββββββββββββββββββββββ
Risk: Payment API integration might fail
ANALYSIS:
βββ Probability: Medium
βββ Impact: High (release blocked)
βββ Score: HIGH
βββ Must mitigate
MITIGATION ACTIONS:
βββββββββββββββββββββββββββββββββββββ
1. Spike first (Week 1)
βββ Prototype integration
βββ Validate API works as documented
βββ Identify issues early
βββ Owner: Senior dev
2. Backup provider (Week 2)
βββ Research alternative
βββ Have second option ready
βββ Owner: Tech lead
3. Communication plan
βββ Weekly updates on integration
βββ Early warning if issues
βββ Owner: PM
MONITORING:
βββββββββββββββββββββββββββββββββββββ
βββ Weekly risk review
βββ Update probability based on progress
βββ Escalate if probability increases
βββ Close when integration complete
Risk Tracking
Risk Register
RISK REGISTER
βββββββββββββ
Maintain list of all risks:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Project Risks - Release 2.0 β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β ID Risk Prob Impact Status Owner β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β R-1 API integration Med High Mitigating Alex β
β R-2 Key person leave Low High Monitor Lead β
β R-3 Scope creep High Med Mitigating PM β
β R-4 Performance Med Med Monitor Dev β
β R-5 Security audit Med High Mitigating Sec β
β β
β Last updated: 2024-02-15 β
β Next review: Sprint planning β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
REGULAR REVIEW:
βββββββββββββββββββββββββββββββββββββ
Sprint planning:
βββ Review all open risks
βββ Update status
βββ Add new risks discovered
βββ Close resolved risks
βββ Adjust probability based on new info
βββ 10-15 minutes
Risk changes:
βββ New risk identified β Add
βββ Risk occurred β Move to Issue
βββ Risk resolved β Close
βββ Probability changed β Update
βββ Keep current
Risk Communication
Stakeholder Updates
RISK COMMUNICATION
ββββββββββββββββββ
IN PROJECT UPDATES:
βββββββββββββββββββββββββββββββββββββ
Include risk section:
"Current Risks:
π΄ HIGH: API integration complexity
Status: Spike in progress
Mitigation: Backup provider identified
π‘ MEDIUM: Timeline pressure from scope add
Status: Trade-off discussion scheduled
Mitigation: Identifying scope to remove
π’ LOW: Minor bugs expected
Status: Accepted
No new risks this week.
R-4 closed (performance validated)."
ESCALATION:
βββββββββββββββββββββββββββββββββββββ
When risk becomes issue:
βββ Immediate notification
βββ Impact assessment
βββ Response plan
βββ Timeline update if needed
βββ Don't hide bad news
Stakeholders prefer:
βββ Early warning
βββ Clear impact
βββ Action plan
βββ Not surprises
βββ Trust through transparency
GitScrum Risk Tracking
Risk Features
GITSCRUM FOR RISKS
ββββββββββββββββββ
TRACKING RISKS:
βββββββββββββββββββββββββββββββββββββ
Create task type: Risk
βββ Custom fields for probability, impact
βββ Status workflow: Open β Mitigating β Closed
βββ Assign owner
βββ Link to related tasks
βββ Risk management in same tool
RISK DASHBOARD:
βββββββββββββββββββββββββββββββββββββ
Dashboard widget:
βββ Open risks by severity
βββ Risk trend (new/closed)
βββ Risks requiring attention
βββ Overdue mitigation actions
βββ Visibility
LINKING TO WORK:
βββββββββββββββββββββββββββββββββββββ
Risk: API integration
βββ Links to: Integration tasks
βββ Blocks: Frontend work (potentially)
βββ Mitigation task: Spike
βββ Connected context
AUTOMATION:
βββββββββββββββββββββββββββββββββββββ
βββ Alert when high risk added
βββ Reminder for risk review
βββ Overdue mitigation notification
βββ Keep risks visible
Best Practices
For Risk Management
Anti-Patterns
RISK MANAGEMENT MISTAKES:
β Ignoring risks
β No mitigation plans
β Never updating risk status
β Hiding risks from stakeholders
β Only project manager thinks about risks
β No regular review
β Over-documenting (analysis paralysis)
β Under-documenting (nothing tracked)