Scrum risk management steps The SBOK® Guide is now available for download in English, Spanish, Portuguese, Deutsch, French, Italian, Chinese, Japanese & Arabic!
Global Accreditation Body for Scrum and Agile Certifications


Scrum risk management steps

Posted by SCRUMstudy® on June 11, 2024

Categories: Agile SBOK® Guide Scrum Scrum Master Sprint Backlog

Scrum risk management steps

Scrum incorporates proactive risk management through several key steps to ensure project success. Firstly, risks are identified and categorized during the initial planning stages, often facilitated by the Scrum Master and Product Owner. This involves gathering input from all team members to uncover potential issues. Once identified, risks are assessed for their impact and probability, allowing the team to prioritize them effectively. Mitigation strategies are then devised and integrated into the project plan. Throughout the project, continuous risk monitoring and communication ensure that new risks are promptly addressed and existing ones are managed. Regular Scrum ceremonies, such as Sprint Planning and Retrospectives, provide structured opportunities to review and update risk management plans, fostering an adaptive approach that aligns with Scrum's iterative nature.

1. Risk identification: Using various techniques to identify all potential risks

2. Risk assessment: Evaluating and estimating the identified risks

3. Risk prioritization – Prioritizing Risk to be included for specific action in the Prioritized Product Backlog

4. Risk mitigation: Developing an appropriate strategy to deal with the risk

5. Risk communication: Communicating the findings from the first four steps to the appropriate business stakeholders and determining their perception regarding the uncertain events.

Risk Identification

The Scrum Team members should attempt to identify all risks that could potentially impact the project. Only by looking at the project from different perspectives, and using a variety of techniques, can they do this job thoroughly. Risk Identification is done throughout the project and Identified Risks become inputs to several Scrum processes including Create Prioritized Product Backlog, Refine Prioritized Product Backlog, and Demonstrate and Validate Sprint.

Risk Assessment

The assessment of risk helps in understanding the potential impact of a risk, how likely it is to occur, and when the risk could materialize. The overall effect on business value should be estimated, and if that impact is significant enough to outweigh the business justification, a decision must be made on whether to continue the project. The assessment of risks is done with regard to probability, proximity, and impact. The probability of risks refers to the likelihood of the risk occurring, whereas proximity refers to when the risk might occur. Impact refers to the probable effect of the risks on the project or the organization. To estimate the probability of a risk various techniques may be used, including Probability Trees, Pareto Analysis, and a Probability and Impact Matrix. In addition to probability, risk assessment also evaluates the potential net effect of risks on the project or organization. These effects can be estimated using techniques such as Risk Models and Expected Monetary Value.

Risk Prioritization

Scrum allows for quick identification and assessment of risks. Identified Risks are taken into account when creating a Prioritized Product Backlog during Create Prioritized Product Backlog process, or when we update the Prioritized Product Backlog during the Refine Prioritized Product Backlog process—so a Prioritized Product Backlog could also be referred to as a Risk Adjusted Prioritized Product Backlog. The risks could be identified and assessed based on any of the Risk Identification and Risk Assessment techniques mentioned earlier.

Risk Mitigation

The response to each risk will depend on the probability and impact of the risk. However, the iterative nature of Scrum with its rapid turnaround time and feedback cycles allows for early detection of failures; therefore, practically speaking, it has a natural mitigation feature built in. Risk can be mitigated by implementing a number of responses. In most situations, responses are proactive or reactive. In the case of a risk, a plan B may be formulated, which can be used as a fallback in case the risk materializes – such a plan B is a reactive response. Sometimes risks are accepted and are an example of a risk response that is neither proactive nor reactive. Risks are accepted because of various reasons, as in a situation where the probability or impact of the risk is too low for a response. Acceptance can also be the case in a situation where the apprehension of secondary risks may deter the product owner from taking any action. The effort made by the Product Owner to reduce the probability or impact—or both—of the risk is an example of a proactive response to mitigating risks.

Risk Communication

Because business stakeholders have an interest in the project, it is important to communicate with them regarding risks. Information provided to business stakeholders related to risk should include potential impact and the plans for responding to each risk. This communication is ongoing and should occur in parallel with the four sequential steps discussed this far—risk identification, assessment, prioritization, and mitigation. The Scrum Team may also discuss specific risks related to their Tasks with the Scrum Master during Daily Standup Meetings. The Product Owner is responsible for the prioritization of risks and for communicating the prioritized list to the Scrum Team. An important tool that can be used for communicating information related to risks is the Risk Burndown Chart.