Disciplined Agile

Risk Lists on Agile Teams

A risk list is exactly what it sounds like: a list of the risks currently faced by a team. Although risks can be both positive (opportunities) and negative (threats), risk lists are typically used to track threats. Disciplined Agile (DA) teams will purposefully identify, track, and address risks (see the Address Risk process goal).

Figure 1 presents an example risk list maintained in a simple spreadsheet. There are four columns:

  1. Risk. A brief description of the threat.
  2. Probability. The chance of the risk occurring. In this example, we’re using an integer ranking of 1-10 although we could easily have used percentages instead. Choose a ranking strategy and stick to it.
  3. Impact. How much the risk will affect the team if it does occur. In this case we’re using a scale of 1-10 again, with 1 being negligible impact and 10 being major impact. Once again, choose a ranking strategy and then apply it consistently.
  4. Magnitude. This is a calculated column. Magnitude = Probability * Impact. By using numeric scores for Probability and Impact the calculation is very easy. The larger the magnitude, the bigger the risk to the team.

| Risk | Probability (1 - 10) | Impact (1 - 10) | Magnitude |
|---|---|---|---|
| Insufficient access to stakeholders | 8 | 10 | 80 |
| Security framework not available on or before June 15 | 4 | 10 | 40 |
| The data transport infrastructure is not sufficiently resilient | 7 | 5 | 35 |
| We are unable to hire a web designer to start on or before March 18 | 6 | 4 | 24 |

Figure 1. A risk list captured via a spreadsheet.

Although not shown in Figure 1, the risk list could have included other, optional columns:

  • Owner. The person(s) who have taken responsibility for seeing that the risk is addressed.
  • Status. Current status of the risk, typically one of Identified, Accepted, In Progress, Resolved, or Issue (the risk has happened).
  • Date identified. When the risk was first identified.
  • Date resolved. When the risk was resolved.
  • Days active. A calculated field. For an unresolved risk, it is Today’s Date − Date Identified. For a resolved risk, it is Date Resolved − Date Identified.
  • Resolution strategy. The strategy to address the risk.

February 2022