# Risk Management — Exercises

## Exercise 1: Pre-Mortem for a Release

**Task:** Your team is shipping a "payments v2" release in 6 weeks. Run a pre-mortem: assume the release has failed and list 5 reasons why. Prioritize the top 2 and suggest one mitigation for each.

**Validation:**
- [ ] 5 failure modes listed
- [ ] Top 2 selected and justified
- [ ] Each has at least one mitigation idea
- [ ] Mitigations are concrete (not "try harder")

**Hints:**
1. Think: integration, people, scope, vendors, testing
2. "We underestimated" is common—dig into *what* was underestimated
3. Mitigation examples: "Spike on Stripe API in week 1," "Document rollback runbook"

---

## Exercise 2: Risk Matrix and Prioritization

**Task:** Plot these risks on a 3×3 matrix (Prob × Impact):

- (A) Vendor delays API by 2 weeks—M prob, H impact.
- (B) Dev leaves mid-project—L prob, H impact.
- (C) Minor UI bugs in edge cases—H prob, L impact.
- (D) Security audit finds critical flaw—L prob, H impact.

Which do you address first? Why?

**Validation:**
- [ ] All 4 plotted correctly
- [ ] Priority order explained
- [ ] At least one "accept" (don't mitigate everything)

**Hints:**
1. A: Mitigate (parallel work, fallback)
2. B: Mitigate (knowledge share) or Transfer (retention)
3. C: Accept (low impact)
4. D: Mitigate (early audit) or Avoid (security review upfront)

---

## Exercise 3: Risk Register for a Sprint

**Task:** Create a risk register for a 2-week sprint. Include: (1) Integration risk with external API, (2) Key person on PTO, (3) Scope creep from stakeholder. For each: probability, impact, response strategy, and owner.

**Validation:**
- [ ] 3 risks in register format
- [ ] Prob/impact assigned
- [ ] Response is Avoid/Mitigate/Transfer/Accept
- [ ] Owner is named

**Hints:**
1. Integration: Mitigate—spike early, mock for tests
2. PTO: Mitigate—handoff, documentation
3. Scope creep: Avoid—sprint goal lock; or Mitigate—"we'll add to backlog"

---

## Exercise 4: Dependency Map

**Task:** Draw a dependency map for "User can reset password via email." Include: your app, email service, auth service, database, and any teams. For each dependency, note: failure mode and owner.

**Validation:**
- [ ] At least 4 dependencies
- [ ] Failure mode per dependency
- [ ] Owner identified
- [ ] At least one external dependency (email, auth)

**Hints:**
1. Email: SendGrid/AWS SES—delays, rate limits, deliverability
2. Auth: Your service or third-party—token validation
3. DB: User records—availability, migration
4. Owner: Who fixes it if it breaks?

---

## Exercise 5: Risk Communication Draft

**Task:** Your highest risk is "Payment gateway may not support recurring billing by our launch date." Write a 4-sentence status for an executive. Include: the risk, current status, what you're doing, and when you'll know more.

**Validation:**
- [ ] No alarmist language
- [ ] Risk + response included
- [ ] Timeline or next check-in stated
- [ ] Tone is "we're managing it"

**Hints:**
1. Lead: "We're tracking a dependency on the payment gateway."
2. Status: "Confirmed support by [date] or we have a fallback."
3. Action: "Weekly sync with vendor; fallback design in progress."
4. Next: "Update at next steering."
