	 :	''"If a project has no risks, don't do it."'' - WaltzingWithBears by TomDeMarco and TimothyLister

----
RiskManagement is balancing the amount of risk we want to take with the amount of risk our project exposes us to.

Our RiskExposure varies over the length of a project. RiskManagement therefore must be a continuous iterative process even if our project lifecycle is not.

A RiskManagementCycle:
* (re)discover the risks that might impact the project
* break new risks into resolvable components - RiskTree
* estimate the probability and lifetime of each new risk
* create a ContingencyPlan for each new problem
* cost any mitigation required by the ContingencyPlan
* decide on a strategy for each risk
* add RiskMitigation tasks and a RiskReserve to the schedule
* as risks materialise, start their ContingencyPlan''''''s
* remove risks once they have materialised or expired
* at regular intervals return to the discovery phase

The FiveCoreRisks of software projects should number among our identified risks. They are:
* inherent schedule flaw
* FeatureCreep
* employee turnover
* ambiguous specification
* poor productivity

For more on RiskManagement strategies see:
* ContingencyPlan
* RiskAcceptance
* RiskAvoidance
* RiskTransfer
* RiskReserve
* RiskMitigation
* RiskReduction

A common risk is lack of skills. For example, when developers who have written nothing but Visual Basic are expected to crank out production Java code. In this situation:
* RiskAvoidance: write in Visual Basic
* RiskReduction: hire an expert to lead the team
* RiskMitigation: train your programmers in Java
* RiskTransfer: liquidated damages; insurance
* RiskAcceptance: add slack to the schedule for learning and mistakes[1]
* RiskEvasion: hope they work it out

RiskDiscovery is feedback. If we don't act on it, we have wasted our time collecting it. HandWaving is a common RiskEvasion tactic. However, RiskManagement takes time and resources like any other part of ProjectManagement. Once we have our RiskExposure for each risk, we can sort our risks and manage only the TopTenRisks.

[1] acceptance means accepting a portion of the impact equal to the probability and padding the cost/schedule accordingly; this is in contrast to evasion, where we trust to luck that the impact will not occur.
----

Contributors: LaurentBossavit, PaulSinnett, and others

----
'''Resources'''

''EnterpriseRiskManagement framework summary 2004'' http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf

----
See AnatomyOfRisk, AtsRiskManagement, ExtremeRiskManagement