Software Risk Management | Pre-Mortem & Early Warnings
Software risk management prevents crises through early identification and monitoring. GitScrum tracks risks with assessment matrices and warning indicators.
Risks ignored become crises. GitScrum helps teams identify, track, and mitigate project risks with visibility tools, early warning indicators, and proactive management features.
Understanding Risk
Risk Categories
SOFTWARE PROJECT RISK CATEGORIES:

  TECHNICAL RISKS:
    • New technology unfamiliar to team
    • Integration complexity
    • Performance requirements uncertain
    • Technical debt accumulation
    • Security vulnerabilities

  RESOURCE RISKS:
    • Key person dependency
    • Team availability
    • Skill gaps
    • Hiring delays
    • Burnout

  SCHEDULE RISKS:
    • Unrealistic deadlines
    • External dependencies
    • Scope creep
    • Unknown unknowns
    • Estimation errors

  REQUIREMENTS RISKS:
    • Unclear or changing requirements
    • Stakeholder disagreement
    • Missing requirements
    • Scope ambiguity

  EXTERNAL RISKS:
    • Third-party API changes
    • Vendor reliability
    • Regulatory changes
    • Market shifts
Risk Assessment
RISK ASSESSMENT MATRIX:

                    │ LOW IMPACT │ MEDIUM   │ HIGH IMPACT
  ──────────────────┼────────────┼──────────┼──────────────
  HIGH LIKELIHOOD   │ MEDIUM     │ HIGH     │ CRITICAL
                    │ Monitor    │ Mitigate │ Mitigate NOW
  ──────────────────┼────────────┼──────────┼──────────────
  MEDIUM LIKELIHOOD │ LOW        │ MEDIUM   │ HIGH
                    │ Accept     │ Monitor  │ Mitigate
  ──────────────────┼────────────┼──────────┼──────────────
  LOW LIKELIHOOD    │ LOW        │ LOW      │ MEDIUM
                    │ Accept     │ Accept   │ Monitor

  RATING DEFINITIONS:

  LIKELIHOOD:
    High:   >70% chance
    Medium: 30-70% chance
    Low:    <30% chance

  IMPACT:
    High:   Project failure, major delay, significant cost
    Medium: Feature cut, moderate delay
    Low:    Minor inconvenience, workaround exists

  RESPONSE:
    Critical: Immediate action required
    High:     Create mitigation plan
    Medium:   Monitor and prepare contingency
    Low:      Accept, no action needed
Risk Identification
Discovery Methods
FINDING RISKS PROACTIVELY:

  TECHNICAL SPIKES:
    • Time-boxed investigation of unknowns
    • Prove feasibility before committing
    • Identify technical challenges early
    Schedule: Before sprint planning for risky features

  RETROSPECTIVES:
    • "What worries you about next sprint?"
    • Team surfaces concerns
    • Pattern recognition from past issues
    Schedule: End of each sprint

  DEPENDENCY MAPPING:
    • List all external dependencies
    • Identify single points of failure
    • Assess reliability of each
    Schedule: Project kickoff, quarterly review

  STAKEHOLDER CONVERSATIONS:
    • "What could derail this project?"
    • Business risks we're not seeing
    • Changing priorities
    Schedule: Bi-weekly check-ins

  PRE-MORTEM:
    • "Imagine the project failed - why?"
    • Surface risks people hesitate to mention
    • Create mitigation before problems occur
    Schedule: Project kickoff, major milestones
Pre-Mortem Exercise
PRE-MORTEM WORKSHOP:

  SETUP:
    "It's 6 months from now. The project has failed
    spectacularly. What happened?"

  PHASE 1: BRAINSTORM (10 min)
    Everyone writes failure scenarios silently
    No judgment, capture everything

  SAMPLE OUTPUTS:
    • "Payment provider API changed without notice"
    • "Lead developer left mid-project"
    • "Requirements changed 3 times"
    • "Performance requirements impossible"
    • "Integration with legacy system took 3x longer"

  PHASE 2: GROUP & PRIORITIZE (15 min)
    Cluster similar items
    Vote on most concerning

  PHASE 3: MITIGATE (30 min)
    For top 3-5 risks:
    • What would prevent this?
    • How would we detect it early?
    • What's our contingency?

  OUTPUT: Risk register with mitigations

  WHY IT WORKS:
    Easier to imagine failure than success
    Permission to voice concerns
    Team-sourced, not top-down
Risk Tracking
Risk Register
PROJECT RISK REGISTER:

  Project: Payment Platform v2

  ID │ Risk                     │ L │ I │ Score │ Status │ Owner
  ───┼──────────────────────────┼───┼───┼───────┼────────┼────────
  R1 │ API provider reliability │ M │ H │ HIGH  │ Active │ @alex
  R2 │ Performance requirements │ H │ M │ HIGH  │ Active │ @jordan
  R3 │ Lead dev leaving         │ L │ H │ MED   │ Watch  │ @maria
  R4 │ Scope creep              │ H │ M │ HIGH  │ Active │ @sam
  R5 │ Integration complexity   │ M │ M │ MED   │ Watch  │ @alex

  LEGEND: L=Likelihood, I=Impact
  Score: (L × I) → Low/Med/High/Critical

  STATUS:
    Active:    Being actively mitigated
    Watch:     Monitoring, no action yet
    Mitigated: Controls in place
    Occurred:  Risk became an issue
    Closed:    No longer relevant
Mitigation Plans
RISK MITIGATION DETAIL:

  RISK: R1 - API Provider Reliability
  Score: HIGH (Medium likelihood × High impact)
  Owner: @alex

  DESCRIPTION:
    Payment API provider has had 3 outages in past year.
    Our payment flow depends entirely on their uptime.

  IMPACT IF OCCURS:
    • Cannot process payments during outage
    • Customer complaints
    • Revenue loss
    • Reputation damage

  MITIGATION STRATEGIES:

  1. REDUCE LIKELIHOOD:
    • Choose more reliable provider
    • Review their SLA

  2. REDUCE IMPACT:
    • Implement failover to backup provider
    • Queue failed transactions for retry
    • Graceful degradation in UI

  3. EARLY DETECTION:
    • Monitor provider status page
    • Alert on elevated error rates
    • Synthetic transaction monitoring

  4. CONTINGENCY:
    • Runbook for provider outage
    • Communication template for customers

  STATUS: Failover 50% complete, due Sprint 25
Early Warning Signs
Leading Indicators
RISK EARLY WARNING SIGNS:

  SCHEDULE RISK INDICATORS:
    ⚠️ Velocity declining for 2+ sprints
    ⚠️ Stories consistently carry over
    ⚠️ Estimates consistently missed
    ⚠️ Sprint burndown above ideal line
    ⚠️ Blocked items increasing

  TECHNICAL RISK INDICATORS:
    ⚠️ Bug count rising
    ⚠️ Same areas causing repeated issues
    ⚠️ Technical debt items accumulating
    ⚠️ Build/test times increasing
    ⚠️ Deployment failures increasing

  TEAM RISK INDICATORS:
    ⚠️ Increased overtime
    ⚠️ Team morale declining
    ⚠️ Communication breakdowns
    ⚠️ People updating resumes
    ⚠️ Meetings becoming contentious

  STAKEHOLDER RISK INDICATORS:
    ⚠️ Frequent priority changes
    ⚠️ New requirements late in sprint
    ⚠️ Unclear or conflicting feedback
    ⚠️ Stakeholder engagement dropping

  ACTION: When you see these, investigate immediately
Risk Dashboard
GITSCRUM RISK VISIBILITY:

  Project Health Dashboard

  RISK SUMMARY:
    🔴 Critical: 0   🟡 High: 2   🔵 Medium: 3   ⚪ Low: 4

  VELOCITY TREND:
    Declining ⚠️
    Last 3 sprints: 45 → 42 → 38 points

  BLOCKERS:
    Current: 4 items blocked
    Trend: ↑ Increasing (was 2 last sprint)

  DEPENDENCIES:
    External: 3 waiting on third parties
    Internal: 2 waiting on other teams

  SCOPE CHANGE:
    Original scope: 120 points
    Current scope: 145 points (+21%)
    Trend: ↑ Growing

  TEAM HEALTH:
    Overtime this sprint: 12 hours avg ⚠️
    Carryover stories: 3 (was 1)

  RECOMMENDED ACTIONS:
    • Address blockers immediately
    • Review scope growth with stakeholders
    • Investigate velocity decline
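The schedule indicators and dashboard figures above can be checked mechanically from per-sprint numbers. The following is an added example, not GitScrum code: the `Sprint` class, the function names, the 10% scope-growth threshold, and the blocked/carryover/scope values for the two earlier sprints are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Sprint:
    velocity: int   # story points completed
    blocked: int    # items blocked at sprint end
    carryover: int  # stories carried into the next sprint
    scope: int      # total project scope in points

def declining_streak(values):
    """Count consecutive sprint-over-sprint drops ending at the latest value."""
    streak = 0
    for prev, cur in zip(reversed(values[:-1]), reversed(values[1:])):
        if cur >= prev:
            break
        streak += 1
    return streak

def early_warnings(sprints, original_scope, scope_limit_pct=10.0):
    """Return the warning indicators raised by the most recent sprint."""
    if len(sprints) < 2:
        return []  # a trend needs at least two data points
    prev, last = sprints[-2], sprints[-1]
    found = []
    drops = declining_streak([s.velocity for s in sprints])
    if drops >= 2:  # "velocity declining for 2+ sprints"
        found.append(f"velocity declining for {drops} sprints")
    if last.blocked > prev.blocked:
        found.append(f"blocked items increasing ({prev.blocked} -> {last.blocked})")
    if last.carryover > prev.carryover:
        found.append(f"carryover rising ({prev.carryover} -> {last.carryover})")
    if original_scope > 0:
        growth = (last.scope - original_scope) / original_scope * 100
        if growth > scope_limit_pct:  # threshold is an assumption, not from the page
            found.append(f"scope grew {growth:+.0f}% over original")
    return found

# Constructed sample: velocities and the latest sprint's figures follow the
# dashboard above; the earlier blocked/carryover/scope values are made up.
SAMPLE = [
    Sprint(velocity=45, blocked=1, carryover=0, scope=120),
    Sprint(velocity=42, blocked=2, carryover=1, scope=130),
    Sprint(velocity=38, blocked=4, carryover=3, scope=145),
]

if __name__ == "__main__":
    for warning in early_warnings(SAMPLE, original_scope=120):
        print("WARNING:", warning)
```

A velocity that recovers in the latest sprint resets the streak to zero, so a single good sprint after a long decline silences that indicator; keep the raw trend visible alongside the alert.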