Assessing Risks in the Scrum Framework

What Is Software Risk?

Risk is the potential for loss that may or may not occur in the future. This potential is based on the probability of occurrence and the impact on the business/project and software (time delay, financial loss, performance reduction, reputation loss, etc.).

The Five Phases of an SRM Process

An SRM process will usually include five core phases, the phases are:

Phase 1: Risk identification

The first and most crucial stage of the entire process is identifying the risks that may arise as part of the development process.

Phase 2: Risk analysis

In this phase, the team determines the risk level for each item identified. The likelihood of the risk determines the level of risk to occur and its impact on the user.

As part of the analysis process, I instruct my teams to follow simple guiding questions. This allows them to gain the required data to determine the impact and probability and then prioritize the mitigation steps to limit the risk. Here are some of the core questions:

§ What reasons (design issue, unclear requirements, logical error, etc.) triggered the risk?

• How does this risk affect business reputation, share price, and early commitments?
• How does the risk affect the project resources, timelines, and testing effort?
• How does the risk affect critical aspects of the application (performance, user experience, etc.)?
• What value will we have if we mitigate the risk?
• What is the potential (probability) the risk will materialize?
• What is the impact of this risk occurring?
• What is the impact of fixing this risk (change in design, additional testing)?

Phase 3: Mitigation

A plan is created and implemented based on the analyzed information to handle each risk with a corresponding set of actions.

Phase 4: Track/Monitor

Track the set of decisions and actions that were issued.

Phase 5: Control

Fixing any deviations that occurred at the implementation stage.

Assessing Risks in the Scrum Framework

In Scrum projects, we can use the same SRM techniques used in traditional projects to reduce the risks to an acceptable level. However, due to the rapid releases and the high rate of change, we need to adjust those techniques to be more suitable for the Scrum framework.

The use of the SRM process assists the team in designing a test strategy, identifying quality risks, and estimating the effort required to reduce those risks.

In Scrum projects, quality risk analysis takes place in three main places (although it can be used in many other activities as well):

• Release planning – As part of the release planning, there is a high-level review of the features involved in the release, which makes it a perfect time for different stakeholders to share their technical, business, and project risks. Once the risks are identified, the team can start working on a mitigation plan and a high-level test/development strategy.
• Sprint planning – The whole team works together to plan the upcoming sprint. During this process, the team identifies and assesses quality risks that will directly impact which stories are added to the sprint backlog and what their estimates are.
• Sprint retrospective – At the end of this meeting, the team generates a list of impediments that will be prioritized. The SRM process fits perfectly here, as it allows the team to prioritize the impediments based on the risk they add and their impact on the team.