9 min read • Guide 732 of 877
Risk Management in Software Projects
Risks ignored become crises. GitScrum helps teams identify, track, and mitigate project risks with visibility tools, early warning indicators, and proactive management features.
Understanding Risk
Risk Categories
SOFTWARE PROJECT RISK CATEGORIES:
┌─────────────────────────────────────────────────────────────┐
│ │
│ TECHNICAL RISKS: │
│ • New technology unfamiliar to team │
│ • Integration complexity │
│ • Performance requirements uncertain │
│ • Technical debt accumulation │
│ • Security vulnerabilities │
│ │
│ RESOURCE RISKS: │
│ • Key person dependency │
│ • Team availability │
│ • Skill gaps │
│ • Hiring delays │
│ • Burnout │
│ │
│ SCHEDULE RISKS: │
│ • Unrealistic deadlines │
│ • External dependencies │
│ • Scope creep │
│ • Unknown unknowns │
│ • Estimation errors │
│ │
│ REQUIREMENTS RISKS: │
│ • Unclear or changing requirements │
│ • Stakeholder disagreement │
│ • Missing requirements │
│ • Scope ambiguity │
│ │
│ EXTERNAL RISKS: │
│ • Third-party API changes │
│ • Vendor reliability │
│ • Regulatory changes │
│ • Market shifts │
└─────────────────────────────────────────────────────────────┘
Risk Assessment
RISK ASSESSMENT MATRIX:
┌─────────────────────────────────────────────────────────────┐
│ │
│ │ LOW IMPACT │ MEDIUM │ HIGH IMPACT │
│ ───────────┼──────────────┼──────────────┼──────────── │
│ HIGH │ MEDIUM │ HIGH │ CRITICAL │
│ LIKELIHOOD │ Monitor │ Mitigate │ Mitigate NOW │
│ ───────────┼──────────────┼──────────────┼──────────── │
│ MEDIUM │ LOW │ MEDIUM │ HIGH │
│ LIKELIHOOD │ Accept │ Monitor │ Mitigate │
│ ───────────┼──────────────┼──────────────┼──────────── │
│ LOW │ LOW │ LOW │ MEDIUM │
│ LIKELIHOOD │ Accept │ Accept │ Monitor │
│ │
│ RATING DEFINITIONS: │
│ │
│ LIKELIHOOD: │
│ High: >70% chance │
│ Medium: 30-70% chance │
│ Low: <30% chance │
│ │
│ IMPACT: │
│ High: Project failure, major delay, significant cost │
│ Medium: Feature cut, moderate delay │
│ Low: Minor inconvenience, workaround exists │
│ │
│ RESPONSE: │
│ Critical: Immediate action required │
│ High: Create mitigation plan │
│ Medium: Monitor and prepare contingency │
│ Low: Accept, no action needed │
└─────────────────────────────────────────────────────────────┘
Risk Identification
Discovery Methods
FINDING RISKS PROACTIVELY:
┌─────────────────────────────────────────────────────────────┐
│ │
│ TECHNICAL SPIKES: │
│ • Time-boxed investigation of unknowns │
│ • Prove feasibility before committing │
│ • Identify technical challenges early │
│ Schedule: Before sprint planning for risky features │
│ │
│ RETROSPECTIVES: │
│ • "What worries you about next sprint?" │
│ • Team surfaces concerns │
│ • Pattern recognition from past issues │
│ Schedule: End of each sprint │
│ │
│ DEPENDENCY MAPPING: │
│ • List all external dependencies │
│ • Identify single points of failure │
│ • Assess reliability of each │
│ Schedule: Project kickoff, quarterly review │
│ │
│ STAKEHOLDER CONVERSATIONS: │
│ • "What could derail this project?" │
│ • Business risks we're not seeing │
│ • Changing priorities │
│ Schedule: Bi-weekly check-ins │
│ │
│ PRE-MORTEM: │
│ • "Imagine the project failed - why?" │
│ • Surface risks people hesitate to mention │
│ • Create mitigation before problems occur │
│ Schedule: Project kickoff, major milestones │
└─────────────────────────────────────────────────────────────┘
Pre-Mortem Exercise
PRE-MORTEM WORKSHOP:
┌─────────────────────────────────────────────────────────────┐
│ │
│ SETUP: │
│ "It's 6 months from now. The project has failed │
│ spectacularly. What happened?" │
│ │
│ PHASE 1: BRAINSTORM (10 min) │
│ Everyone writes failure scenarios silently │
│ No judgment, capture everything │
│ │
│ SAMPLE OUTPUTS: │
│ • "Payment provider API changed without notice" │
│ • "Lead developer left mid-project" │
│ • "Requirements changed 3 times" │
│ • "Performance requirements impossible" │
│ • "Integration with legacy system took 3x longer" │
│ │
│ PHASE 2: GROUP & PRIORITIZE (15 min) │
│ Cluster similar items │
│ Vote on most concerning │
│ │
│ PHASE 3: MITIGATE (30 min) │
│ For top 3-5 risks: │
│ • What would prevent this? │
│ • How would we detect it early? │
│ • What's our contingency? │
│ │
│ OUTPUT: Risk register with mitigations │
│ │
│ WHY IT WORKS: │
│ Easier to imagine failure than success │
│ Permission to voice concerns │
│ Team-sourced, not top-down │
└─────────────────────────────────────────────────────────────┘
Risk Tracking
Risk Register
PROJECT RISK REGISTER:
┌─────────────────────────────────────────────────────────────┐
│ Project: Payment Platform v2 │
├─────────────────────────────────────────────────────────────┤
│ │
│ ID │ Risk │ L │ I │ Score │ Status │ Owner │
│─────┼───────────────────┼───┼───┼───────┼────────┼────────│
│ R1 │ API provider │ M │ H │ HIGH │ Active │ @alex │
│ │ reliability │ │ │ │ │ │
│─────┼───────────────────┼───┼───┼───────┼────────┼────────│
│ R2 │ Performance │ H │ M │ HIGH │ Active │ @jordan │
│ │ requirements │ │ │ │ │ │
│─────┼───────────────────┼───┼───┼───────┼────────┼────────│
│ R3 │ Lead dev leaving │ L │ H │ MED │ Watch │ @maria │
│─────┼───────────────────┼───┼───┼───────┼────────┼────────│
│ R4 │ Scope creep │ H │ M │ HIGH │ Active │ @sam │
│─────┼───────────────────┼───┼───┼───────┼────────┼────────│
│ R5 │ Integration │ M │ M │ MED │ Watch │ @alex │
│ │ complexity │ │ │ │ │ │
│ │
│ LEGEND: L=Likelihood, I=Impact │
│ Score: (L × I) → Low/Med/High/Critical │
│ │
│ STATUS: │
│ Active: Being actively mitigated │
│ Watch: Monitoring, no action yet │
│ Mitigated: Controls in place │
│ Occurred: Risk became an issue │
│ Closed: No longer relevant │
└─────────────────────────────────────────────────────────────┘
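The assessment matrix and this register can be expressed directly in code so that scores are computed rather than typed by hand. The block below is an added example, not GitScrum's own code: the matrix cells, the probability thresholds, the response text, the status legend and the five sample rows with their owners are transcribed from this guide, while the helper names, the severity ordering and the `summary` count are my own choices.

```python
"""Risk scoring and register, following the likelihood x impact matrix and the
register layout in this guide. Added example, not GitScrum code. Matrix cells,
thresholds, response text, status legend and rows R1-R5 come from the guide;
the helper names and sort order are assumptions."""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")

# Rows are likelihood, columns are impact; cells copied from the assessment matrix.
MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}

# RESPONSE section of the matrix box.
RESPONSE = {
    "Critical": "Immediate action required",
    "High": "Create mitigation plan",
    "Medium": "Monitor and prepare contingency",
    "Low": "Accept, no action needed",
}

SEVERITY = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
VALID_STATUS = ("Active", "Watch", "Mitigated", "Occurred", "Closed")


def likelihood_from_probability(p: float) -> str:
    """Bucket an estimated probability (0..1) with the guide's thresholds:
    >70% High, 30-70% Medium, <30% Low."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p > 0.70:
        return "High"
    if p >= 0.30:
        return "Medium"
    return "Low"


def score(likelihood: str, impact: str) -> str:
    """Matrix lookup. Unknown ratings raise rather than defaulting, so a typo
    in a register row cannot quietly turn into a 'Low' risk."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r} x {impact!r}")
    return MATRIX[likelihood][impact]


@dataclass
class Risk:
    id: str
    title: str
    likelihood: str
    impact: str
    owner: str
    status: str = "Watch"
    score: str = field(init=False, default="")

    def __post_init__(self):
        self.score = score(self.likelihood, self.impact)
        if self.status not in VALID_STATUS:
            raise ValueError(f"unknown status {self.status!r}")

    @property
    def response(self) -> str:
        return RESPONSE[self.score]


def open_risks_by_severity(register):
    """Risks that still need attention (not Mitigated or Closed), most severe first."""
    live = [r for r in register if r.status not in ("Mitigated", "Closed")]
    return sorted(live, key=lambda r: (-SEVERITY[r.score], r.id))


def summary(register):
    """Count of not-yet-closed risks per score, like the dashboard's RISK SUMMARY line."""
    counts = {level: 0 for level in SEVERITY}
    for r in register:
        if r.status != "Closed":
            counts[r.score] += 1
    return counts


# Sample rows transcribed from the guide's "Payment Platform v2" register.
REGISTER = [
    Risk("R1", "API provider reliability", "Medium", "High", "@alex", "Active"),
    Risk("R2", "Performance requirements", "High", "Medium", "@jordan", "Active"),
    Risk("R3", "Lead dev leaving", "Low", "High", "@maria", "Watch"),
    Risk("R4", "Scope creep", "High", "Medium", "@sam", "Active"),
    Risk("R5", "Integration complexity", "Medium", "Medium", "@alex", "Watch"),
]

if __name__ == "__main__":
    for r in open_risks_by_severity(REGISTER):
        print(f"{r.id}  {r.score:8} {r.status:7} {r.owner:8} {r.title}: {r.response}")
```

Running it lists R1, R2 and R4 (all HIGH) before R3 and R5 (MEDIUM), which matches the Score column above. The deliberate `ValueError` on an unrecognised rating or status is the check worth keeping: a register that silently accepts "Med" or "high" will eventually hide a risk behind a default.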
Mitigation Plans
RISK MITIGATION DETAIL:
┌─────────────────────────────────────────────────────────────┐
│ │
│ RISK: R1 - API Provider Reliability │
│ Score: HIGH (Medium likelihood × High impact) │
│ Owner: @alex │
│ │
│ DESCRIPTION: │
│ Payment API provider has had 3 outages in past year. │
│ Our payment flow depends entirely on their uptime. │
│ │
│ IMPACT IF OCCURS: │
│ • Cannot process payments during outage │
│ • Customer complaints │
│ • Revenue loss │
│ • Reputation damage │
│ │
│ MITIGATION STRATEGIES: │
│ │
│ 1. REDUCE LIKELIHOOD: │
│ ☐ Choose more reliable provider │
│ ☐ Review their SLA │
│ │
│ 2. REDUCE IMPACT: │
│ ☑ Implement failover to backup provider │
│ ☐ Queue failed transactions for retry │
│ ☐ Graceful degradation in UI │
│ │
│ 3. EARLY DETECTION: │
│ ☑ Monitor provider status page │
│ ☑ Alert on elevated error rates │
│ ☐ Synthetic transaction monitoring │
│ │
│ 4. CONTINGENCY: │
│ ☐ Runbook for provider outage │
│ ☐ Communication template for customers │
│ │
│ STATUS: Failover 50% complete, due Sprint 25 │
└─────────────────────────────────────────────────────────────┘
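Three of the items in the R1 plan (alert on elevated error rates, failover to a backup provider, queue failed transactions for retry) fit together as one small control loop. The following is an added example, not GitScrum code and not a real payment integration: the provider names, the scripted HTTP responses, the 20-call window, the 20% threshold and the charge records are constructed for illustration.

```python
"""Early detection and impact reduction for a risk like R1 (payment API
provider reliability): an error-rate alert over a sliding window, failover to
a backup provider once it fires, and a retry queue for charges that failed.
Added example, not GitScrum code: provider names, scripted responses, window
size and threshold are constructed."""
from collections import deque


class ErrorRateMonitor:
    """Remembers the outcome of the last `window` calls and alerts when the
    failure share exceeds `threshold` once at least `min_calls` are seen."""

    def __init__(self, window=20, threshold=0.20, min_calls=10):
        self.outcomes = deque(maxlen=window)
        self.threshold = threshold
        self.min_calls = min_calls

    def record(self, ok: bool) -> None:
        self.outcomes.append(ok)

    def error_rate(self) -> float:
        if not self.outcomes:
            return 0.0
        return sum(1 for ok in self.outcomes if not ok) / len(self.outcomes)

    def alert(self) -> bool:
        # The minimum sample stops one failure out of two calls from paging anyone.
        return len(self.outcomes) >= self.min_calls and self.error_rate() > self.threshold


class PaymentRouter:
    """Sends charges to the primary provider, switches to the backup when the
    monitor alerts, and queues charges that still failed for a later retry."""

    def __init__(self, primary, backup, monitor):
        self.providers = {"primary": primary, "backup": backup}
        self.active = "primary"
        self.monitor = monitor
        self.retry_queue = []

    def charge(self, charge: dict) -> str:
        """Return the provider name that accepted the charge, or 'queued'."""
        used = self.active
        ok = self.providers[used](charge)
        if used == "primary":
            self.monitor.record(ok)
            if self.monitor.alert():
                self.active = "backup"            # reduce impact: fail over
        if not ok and used == "primary" and self.active == "backup":
            used = "backup"                       # retry the same charge on the backup
            ok = self.providers[used](charge)
        if not ok:
            self.retry_queue.append(charge)       # keep the transaction, retry later
            return "queued"
        return used

    def drain_retry_queue(self) -> int:
        """Retry queued charges on the active provider; return how many succeeded."""
        pending, self.retry_queue = self.retry_queue, []
        recovered = 0
        for charge in pending:
            if self.providers[self.active](charge):
                recovered += 1
            else:
                self.retry_queue.append(charge)
        return recovered


def scripted_provider(statuses):
    """Constructed stand-in for a payment API: answers with the given HTTP
    status codes in order and repeats the last one thereafter."""
    it = iter(statuses)
    last = statuses[-1]

    def call(charge):
        code = next(it, last)
        return 200 <= code < 300
    return call


def run_scenario():
    """Primary answers 200 ten times, then 503 forever; backup always works."""
    primary = scripted_provider([200] * 10 + [503])
    backup = scripted_provider([200])
    router = PaymentRouter(primary, backup, ErrorRateMonitor(window=20, threshold=0.20, min_calls=10))
    results = [router.charge({"id": f"c{i}", "amount": 1000}) for i in range(1, 21)]
    queued_ids = [c["id"] for c in router.retry_queue]
    recovered = router.drain_retry_queue()
    return {"results": results, "queued_ids": queued_ids, "recovered": recovered,
            "active": router.active, "still_queued": len(router.retry_queue)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the scripted run the first two failures are queued because the monitor has not yet crossed its threshold; the third pushes the error rate past 20%, the router fails over, and the queued charges succeed on the backup when drained. One caveat the example glosses over: a non-2xx answer is treated as a clean failure, but a timeout may mean the provider accepted the charge and only the response was lost, so retrying on any provider in production needs an idempotency key to avoid double billing.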
Early Warning Signs
Leading Indicators
RISK EARLY WARNING SIGNS:
┌─────────────────────────────────────────────────────────────┐
│ │
│ SCHEDULE RISK INDICATORS: │
│ ⚠️ Velocity declining for 2+ sprints │
│ ⚠️ Stories consistently carry over │
│ ⚠️ Estimates consistently missed │
│ ⚠️ Sprint burndown above ideal line │
│ ⚠️ Blocked items increasing │
│ │
│ TECHNICAL RISK INDICATORS: │
│ ⚠️ Bug count rising │
│ ⚠️ Same areas causing repeated issues │
│ ⚠️ Technical debt items accumulating │
│ ⚠️ Build/test times increasing │
│ ⚠️ Deployment failures increasing │
│ │
│ TEAM RISK INDICATORS: │
│ ⚠️ Increased overtime │
│ ⚠️ Team morale declining │
│ ⚠️ Communication breakdowns │
│ ⚠️ People updating resumes │
│ ⚠️ Meetings becoming contentious │
│ │
│ STAKEHOLDER RISK INDICATORS: │
│ ⚠️ Frequent priority changes │
│ ⚠️ New requirements late in sprint │
│ ⚠️ Unclear or conflicting feedback │
│ ⚠️ Stakeholder engagement dropping │
│ │
│ ACTION: When you see these, investigate immediately │
└─────────────────────────────────────────────────────────────┘
Risk Dashboard
GITSCRUM RISK VISIBILITY:
┌─────────────────────────────────────────────────────────────┐
│ Project Health Dashboard │
├─────────────────────────────────────────────────────────────┤
│ │
│ RISK SUMMARY: │
│ 🔴 Critical: 0 🟡 High: 2 🔵 Medium: 3 ⚪ Low: 4 │
│ │
│ VELOCITY TREND: │
│ [▁▂▃▅▇▇▆▅▄] Declining ⚠️ │
│ Last 3 sprints: 45 → 42 → 38 points │
│ │
│ BLOCKERS: │
│ Current: 4 items blocked │
│ Trend: ↗ Increasing (was 2 last sprint) │
│ │
│ DEPENDENCIES: │
│ External: 3 waiting on third parties │
│ Internal: 2 waiting on other teams │
│ │
│ SCOPE CHANGE: │
│ Original scope: 120 points │
│ Current scope: 145 points (+21%) │
│ Trend: ↗ Growing │
│ │
│ TEAM HEALTH: │
│ Overtime this sprint: 12 hours avg ⚠️ │
│ Carryover stories: 3 (was 1) │
│ │
│ RECOMMENDED ACTIONS: │
│ • Address blockers immediately │
│ • Review scope growth with stakeholders │
│ • Investigate velocity decline │
└─────────────────────────────────────────────────────────────┘
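The leading indicators listed under Early Warning Signs are mostly trends over two or three sprints, and the dashboard above shows what they look like when several fire at once. The block below turns a handful of them into checks over a short sprint history; it is an added example, not GitScrum code. The constructed history reproduces the sample dashboard's numbers (velocity 45 → 42 → 38, blockers 2 → 4, carryover 1 → 3, scope 120 → 145 points, 12 h overtime); the bug-count series and the overtime and scope thresholds are assumptions, since the guide gives only "2+ sprints" as a concrete rule.

```python
"""Leading-indicator checks over a short sprint history. Added example, not
GitScrum code; the rules follow the guide's EARLY WARNING SIGNS list and the
constructed history mirrors the sample dashboard. Thresholds other than
'2+ sprints' are assumptions."""
from dataclasses import dataclass


@dataclass
class Sprint:
    number: int
    velocity: int          # story points completed
    blocked: int           # items blocked at sprint end
    carryover: int         # stories carried into the next sprint
    overtime_hours: float  # average overtime per person
    open_bugs: int         # constructed series; the guide lists 'bug count rising'


def trending(values, steps: int, up: bool) -> bool:
    """True if the last `steps` transitions all went strictly in one direction.
    'Declining for 2+ sprints' therefore needs three data points."""
    if len(values) < steps + 1:
        return False
    tail = values[-(steps + 1):]
    pairs = zip(tail, tail[1:])
    return all((b > a) if up else (b < a) for a, b in pairs)


def scope_growth_pct(original: int, current: int) -> int:
    return round((current - original) / original * 100)


def warning_signs(history, original_scope, current_scope,
                  overtime_threshold=8.0, scope_threshold_pct=10):
    """Return (category, message) pairs for every indicator that fires."""
    signs = []
    velocity = [s.velocity for s in history]
    bugs = [s.open_bugs for s in history]
    last = history[-1]
    prev = history[-2] if len(history) > 1 else None

    if trending(velocity, 2, up=False):
        signs.append(("schedule", "velocity declining for 2+ sprints: "
                      + " -> ".join(map(str, velocity[-3:]))))
    if prev and last.blocked > prev.blocked:
        signs.append(("schedule", f"blocked items increasing: {prev.blocked} -> {last.blocked}"))
    if prev and last.carryover > prev.carryover:
        signs.append(("schedule", f"carryover stories rising: {prev.carryover} -> {last.carryover}"))
    if trending(bugs, 2, up=True):
        signs.append(("technical", "bug count rising: " + " -> ".join(map(str, bugs[-3:]))))
    if last.overtime_hours > overtime_threshold:
        signs.append(("team", f"overtime {last.overtime_hours:g} h avg exceeds {overtime_threshold:g} h"))
    pct = scope_growth_pct(original_scope, current_scope)
    if pct >= scope_threshold_pct:
        signs.append(("stakeholder", f"scope grown {pct:+d}%: {original_scope} -> {current_scope} points"))
    return signs


# Constructed history matching the guide's sample dashboard.
HISTORY = [
    Sprint(22, velocity=45, blocked=1, carryover=1, overtime_hours=6, open_bugs=10),
    Sprint(23, velocity=42, blocked=2, carryover=1, overtime_hours=8, open_bugs=12),
    Sprint(24, velocity=38, blocked=4, carryover=3, overtime_hours=12, open_bugs=15),
]

if __name__ == "__main__":
    for category, message in warning_signs(HISTORY, 120, 145):
        print(f"[{category}] {message}")
```

On the constructed history all six checks fire, which is the dashboard's situation; on a flat history the function returns an empty list. The checks are deliberately strict (monotonic over the whole window) so that one noisy sprint does not trigger them; the guide's instruction still applies to the output, which is a prompt to investigate, not a verdict.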