Ways to Use Risk Management in Software Companies

Most of you have heard about risk management in the context of project management. While it is irreplaceable there, we can also use it in other parts of the business.

The aim of this article is not to tell you how to use the practice. Instead, it will give you clues as to when to use it. We will see how risk management can improve estimates, communication between teams, or business efficiency. We will also cover some of the risks of introducing the practice.

Risk Management as a Tool to Improve Estimates

The technology business is notorious for the inaccuracy of its estimates, as exemplified by the #NoEstimates debate. The purpose of estimates is to provide a communication protocol between business leaders and developers. That protocol is badly misused because developers see an estimate as an arbitrary number, while business leaders see it as a commitment. Estimates are either over-confident or under-confident, depending on whether the developer feels threatened or not. To compensate, a business leader often multiplies the provided estimate by a number. That number can be arbitrary or based on historical data. All in all, it’s a big mess.

By looking at any development as a mini-project, we ensure that the miscommunication is minimal. Risk management allows developers to always provide an optimistic estimate, together with all the possible risks involved. The business side gains two benefits:

  1. They can understand the level of uncertainty and use it to make better decisions.
  2. They can proactively address the risks involved.

It makes sense. Project managers often lack the technical knowledge while being responsible for resource usage and fulfillment of deadlines. The additional advantage of risk management is that it’s easy to adapt to a given circumstance and the level of detail needed.

Risk Management as a Tool to Reduce the Uncertainty of Dependencies

Another place where miscommunication often occurs is when there are dependencies between teams or departments. Each team works with its own set of priorities and timelines. It’s hard for the team to estimate where to place the requested feature in the backlog. They often decide by how “loud” the requesting side is. In the end, they complete the work either too early or too late. Each has its own set of issues.

If the set of risks is provided together with the dependency feature, the receiving team can make an informed decision on whether to delay its commitments or not.

Risk Management as a Tool to Improve Business Efficiency

As companies grow, so does the difference between expectations and the realities in the code. Various KPIs can describe this difference: changes in team velocity, test pass rate, broken deadlines, misses in the estimation, etc. Most of these only indicate that something’s wrong, but not what it is. By relying on these metrics, business leaders give up on details regarding their business. Instead, they rely on various committees that can interpret the KPIs. The business complexity grows, and the company becomes more inert than it should be.

With a risk management process, business leaders can understand the most common inefficiencies of their business. Then they can act on them.

Risks of Structured Risk Management

Risk management practice comes with some risks, no pun intended. The rule of thumb is that the smaller the company is, the less it benefits from this practice. That’s mainly because risk management adds complexity to the business on its own.

Every risk used by multiple stakeholders must define its probability and impact consistently. If high impact means something for one person and something else for another, the practice can even harm the company. Risk registers mostly mitigate this, as they set a baseline.

Keeping the risk log(s) updated is another issue. An outdated risk log has no value, so we must keep it current. You can use the same methods you use to ensure documentation is fresh.


The purpose of this article was to demonstrate that risk management is not something exclusive to project managers. There are probably a lot more similar examples, but you get the idea.

After reading this, I hope you will look for inefficiencies in your business (or the part you are responsible for). Consider whether this practice would have solved them.

