Risk management is an important tool executives have at their disposal for understanding, monitoring, and making decisions about individual project risks. A good definition of an individual risk is “an uncertain event that, if it occurs, has a positive or negative effect on one or more objectives.”¹ Risk management is the process of identifying individual risks, understanding and analyzing them, and then managing them by doing something about them. Examples of individual risks include bad weather, a shortage of experienced software engineers, an earthquake, or an economic recession. The types of risks executives and project sponsors care about are those that threaten the project's business objectives.² The risk of a shortage of experienced software engineers is only interesting to an executive if the shortage is a real threat to the project's business objectives.

In this chapter, I describe how to get the most value from risk management. Often risk management is not used to its full potential. Sometimes not enough discipline is applied. Sometimes there is too much focus on the minutiae. When this happens, the executives and project team miss an opportunity to align on the important risks and decide on the best course of action to manage those risks.

Too often the communication between the business and the project team about risk is problematic. Part of the difficulty is that both parties have different ...