Process Improvement

risk management notes

If we did not have risk in the world, we would have no need for testing.

Definitions of risk
A concept that is central to the software development process will of course generate many different definitions.

Some are listed below:

  • Risk is the possibility of suffering loss, injury, disadvantage, or destruction.
    [Webster's Third New International Dictionary 1981]
  • Risk is the potential for realization of unwanted negative consequences of an event.
    [Rowe, William D. An Anatomy of Risk 1988]
  • Risk is the measure of the probability and severity of adverse effects.
    [Lowrance, William W. Of Acceptable Risk 1976]
  • An ongoing or upcoming concern that has a significant probability of adversely affecting the success of major milestones.
    [Rational Unified Process]

Risk Management Strategy
The Capability Maturity Model for Integration (CMMI) uses the following as a benchmark of a Risk Management Strategy.

An organized, technical approach to identify what might cause harm or loss (identify risks); to assess and quantify the identified risks; and to develop and, if needed, implement an appropriate approach to prevent or handle causes of risk that could result in significant harm or loss. Typically, risk management is performed for project, organization, or product developing organizational units.

Rational Unified Process (RUP)
The RUP is a "Software Development Approach" or "software engineering process" that puts mitigation at the centre. Using an iterative approach to developing software, the RUP seeks to mitigate the largest risks early on. In Tom Gilb's phrase, "if you do not actively attack the risks they will actively attack you".

A pointed comparison is made with the Waterfall approach to development. For the same project, the risk of failure is at the same high level for both RUP and Waterfall approaches. However, as the project progresses the risk becomes significantly less for the RUP-managed project, whilst for the Waterfall approach risk remains high for far longer, typically until there is a big bang system and integration test.

Risk Diagram for RUP

The RUP tries to systematically reduce the risk of failure as the project progresses through each phase. The phases are Inception, Elaboration, Construction and Transition.

Within each phase a number of iterations take place. Each phase is completed with the passing of a major milestone. The phases are defined by the state of the project, which in turn is defined by the risks to be mitigated.

| RUP Phase | Risk |
|---|---|
| Inception | Business risk. All stakeholders are encouraged to take part. |
| Elaboration | Technical risk, especially ensuring a stable software architecture. |
| Construction | Logistical risk of building the software. |
| Transition | Risks in deploying to the customer. |

During Inception and Elaboration the solutions are very broad brush stroke, or "Coarse". As the phases and iterations progress, the solutions become finer and the system more integrated. As the product is increasingly integrated, it can be shown to stakeholders for feedback.

Further into the project, risk is further reduced by successfully freezing the requirements.

CMMI
The CMMI is not a methodology but a framework for process improvement, against which organisations can be assessed. There are 5 maturity levels. Organisations at Capability Level 1 are performing processes that contribute to development, but the processes are "ad hoc and chaotic". At level 5 the organisation is highly optimised. Defects hardly ever occur due to a culture of eradicating them before they can exist. Having a Risk Management Strategy is one of the requirements to attain level 3, or defined process.

The CMMI labels the process of managing risk as a Project Management activity. Risk management should address issues that could endanger achievement of critical objectives. The organisation must continuously and effectively anticipate and mitigate risk.

Overall the tone is early and aggressive risk identification, by all stakeholders in the project. Internal and external risks have to be considered.

Risk management under the CMMI consists of three sections:

  • defining the risk management strategy
  • identifying and analysing risks
  • handling of identified risks

Initially organisations can choose to just identify the risks and slowly build up to the full strategy.

Currently the hottest topics in risk are the Sarbanes-Oxley Act and Basel II. Sarbanes-Oxley is the American legislation that places a duty on companies to disclose large amounts of financial information.

Basel II requires banks to keep regulatory capital that is suitable for their risk profile.
