What is the Risk Burndown Chart and what is it used for? Risks are assessed, categorized and addressed based on severity levels that are established with the following formula: Probability X Impact = Severity. A common way that risks can be managed is with a Cumulative Risk Burndown Chart.  With this chart, the expectation is that risk severity levels should be decreasing during the project life cycle or during a specified time-period. This is an example of proactively managing risk. The Risk Burndown Chart displays several important pieces of information:

1. Is the overall risk level for the project or program increasing or decreasing over the specified time-period?
2. Are risk severity levels being reduced or are they increasing?
3. Is there a specific risk with severity levels that are increasing or decreasing?
4. Are we seeing the occurrence of new risks during the project or program?

Risk Burndown Chart: Cumulative

Let’s look at how the Cumulative Risk Burndown chart is created.

Step 1:

The first step is to create a risk burndown table for a specified period. Table 1. shows a cumulative risk chart for a four-month period.

Risk Category	Risk Title	April	May	June	July
Impact	Probability	Severity	Impact	Probability	Severity	Impact	Probability	Severity	Impact	Probability	Severity
Technical	Java	5	3	15	5	4	20	5	1	5	5	1	5
Operational	Inadequate Resources	3	3	9	3	3	9	3	2	6	3	1	3
Schedule	Scope changes	4	3	12	4	2	8	4	2	8	4	0	0
Financial	Vendor dispute	0	0	0	0	0	0	3	3	9	3	1	3
Operational	Priority Conflicts	0	0	0	0	0	0	5	3	15	0	0	0
Technical	Legacy system stability	3	1	3	3	1	3	3	0	0	3	0	0
Technical	Beta testing shows poor results	3	3	9	3	3	9	3	3	9	3	0	0
Operational	Logistical issues	2	2	4	1	1	1	1	0	0	1	0	0
Technical	New architecture inadequate	3	2	6	3	2	6	3	3	9	3	2	6
Schedule	Customer Care tools arrive late	4	4	16	4	3	12	4	2	8	4	1	4
Schedule	Resource having surgery			74			68			69			21

Table 1. Cumulative Risk Burndown Data Table

Step 2:

The next step is to create a graph in Excel with the data from the Table 1.

Step 3.

The next step is to update the risk burndown data to show that risk mitigation activities have occurred and risk have been monitored. See Table 2. for details. The impact and probability levels are both between (1-5).

Risk Category	Risk Title	April	May	June	July
Impact	Probability	Severity	Impact	Probability	Severity	Impact	Probability	Severity	Impact	Probability	Severity
Technical	Java	3	3	9	2	4	8	1	1	1	3	1	3
Operational	Inadequate Resources	2	3	6	3	3	9	3	2	6	3	1	3
Schedule	Scope changes	1	3	3	1	2	2	1	2	2	1	0	0
Financial	Vendor dispute	0	0	0	0	0	0	3	3	9	3	1	3
Operational	Priority Conflicts	0	0	0	0	0	0	1	3	3	0	0	0
Technical	Legacy system stability	1	1	1	1	1	1	3	0	0	3	0	0
Technical	Beta testing shows poor results	1	3	3	1	3	3	3	3	9	1	0	0
Operational	Logistical issues	1	2	2	1	1	1	1	0	0	1	0	0
Technical	New architecture inadequate	2	2	4	3	2	6	3	3	9	3	2	6
Schedule	Customer Care tools arrive late	2	4	8	1	3	3	1	2	2	1	1	1
Schedule	Resource having surgery			36			33			41			16

Table 2. Updated Cumulative Risk Data Table

Step 3.

The first thing that is apparent on the updated Risk Burndown Chart is that the risk severity levels have decreased.

Risk Burndown Chart: Assessment

The risk assessment process involves the numerical assignment of values (impact, probability, severity) that are used to measure risk for input to the risk burndown chart. The process also delivers the data that is needed to decide upon risk responses. These responses include, but are not limited to accept, transfer, exploit, avoid, and mitigate. These charts and graphs can be used to track overall project and/or program level risk management. The chart under discussion, is used to show that during the iterations, residual risk can be cumulative. There is also secondary risk that can further increase or decrease the severity level for the Scrum project and/or program. The chart should be added to the list of information radiators so that the Scrum Team (Scrum Master, Product Owner and Development Team) can be proactive and participative with risk identification, monitoring and control.

We found these books great for finding out more information on Agile Scrum:

Risk Management

Agile projects are inclusive of risk management without adding any extra processes. Risks should be evaluated at every iteration and ceremony. It is recommended that during every time-boxed event, risk reviews are addressed. This will result in daily risk monitoring and control. The Agile team can become involved with brainstorming sessions to uncover potential risks and why and when these events might occur. It is also important to mention that the focus should be on both negative and positive risks during team discussions. In addition, it is important to:

• Fully understand the risk appetite and the tolerance levels for a project.
• Recognize project level threats and opportunities so that there is a balance between the rewards and risks that are encountered during detection.  
• Have appreciation for the risk preferences of each of the team members.  There should also be an appreciation of the impact of the social and the cultural influences that effect risk management.
• Understand the identification and prioritization levels for risk response strategies that are based upon the risk exposure. This should be consistent with the Agile methods (For example, high value and high-risk items have priority in the product backlog).
• Possess the capability to determine if a has risk been effectively and efficiently managed and monitored.
• Be aware of residual risk at the sprint / iteration level.  Also be aware of its impact to overall risk levels.