HKSM

Updated Risks are the latest set of identified, analyzed, reprioritized, and status-adjusted risks captured after Scrum events or risk reviews. They include newly discovered risks, changes to probability-impact ratings, assigned owners, and agreed responses that guide upcoming work and risk burndown tracking.

Key Points

• ITTO Type: both an output of risk assessment activities and an input to planning and execution in SBOK processes.
• Captured in the risk log/register and visualized through the risk burndown chart.
• Reflects additions, removals, reprioritization, ownership changes, and response decisions.
• Feeds Product Backlog ordering, Sprint Backlog risk response tasks, and risk spikes.
• Refreshed during Backlog Refinement, Sprint Planning, Daily Standup, Sprint Review, and Retrospective.
• Facilitated by the Scrum Master, owned by designated risk owners, and visible to stakeholders.

Purpose

Updated Risks provide the current risk picture so the team can make informed decisions, reduce uncertainty, and timebox effective responses. They keep risk information actionable, ensuring mitigation and opportunities are incorporated into backlog items, plans, and the risk burndown chart.

Key Terms & Clauses

• Risk Register or Risk Log - the repository where Updated Risks and their attributes are maintained.
• Probability-Impact (P-I) rating - qualitative or numeric scoring used to prioritize risks.
• Risk Exposure - an estimate of potential effect, often derived from probability and impact.
• Risk Owner - the person accountable for monitoring the risk and executing the response.
• Response Strategies - for threats: avoid, mitigate, transfer, accept; for opportunities: exploit, enhance, share, accept.
• Risk Burndown Chart - trend view of total risk exposure over sprints.

How to Develop/Evaluate

• Capture new risks and triggers during refinement, planning, standups, reviews, and retrospectives.
• Screen each risk for clarity, root cause, category, and linkage to epics or user stories.
• Assess probability and impact, estimate exposure, and assign a risk owner.
• Decide on a response strategy, define actions, and estimate effort for mitigation tasks or spikes.
• Reprioritize the risk list, close obsolete risks, and document any residual risks.
• Update the risk burndown chart and communicate changes to stakeholders.

How to Use

• As input to plan risk responses and to select mitigation tasks for the Sprint Backlog.
• To influence Product Backlog ordering by bringing high-risk items forward or adding exploratory spikes.
• To inform acceptance criteria, Definition of Ready concerns, and risk-based testing focus.
• To escalate near-certain threats that have materialized into the Impediment Log for immediate removal.
• To guide release planning decisions, contingency, and stakeholder communications.

Example Snippet

• R-12: OAuth library change may break login. P 0.4, I 8, Exposure 3.2. Owner: Dev Lead. Response: 4-hour spike and regression tests in Sprint 5. Status: Open. Linked to US-145.
• R-07: Third-party API rate limit could delay data sync. P 0.3, I 13, Exposure 3.9. Owner: PO. Response: Mitigate with caching and request batching tasks. Status: In progress. Linked to Epic E-03.
• R-19: Opportunity - new UI toolkit could cut development time. P 0.5, I 5 benefit, Exposure 2.5. Owner: UX Lead. Response: Pilot spike and cost-benefit review. Status: Open.

Risks & Tips

• Do not confuse issues with risks; issues go to the Impediment Log, risks stay in the risk log until realized.
• Keep attributes complete: owner, trigger, P-I, response, status, and links to backlog items.
• Avoid over-mitigating low-exposure risks; focus on the few that materially affect objectives.
• Include positive risks (opportunities) and plan to exploit or enhance them where valuable.
• Timebox risk discussions; update little and often rather than infrequent big updates.
• Close or downgrade risks promptly to keep the risk burndown chart meaningful.

PMP/SCRUM Example Question

After a Sprint Review, the team adds a new compliance risk and lowers the likelihood of an earlier performance risk. What should the Scrum Master ensure is documented and used as input to plan risk responses for the next sprint?

1. Impediment Log.
2. Definition of Done.
3. Updated Risks.
4. Release notes.

Correct Answer: C - Updated Risks

Explanation: The refreshed risk list becomes an input to planning responses, backlog ordering, and the risk burndown. Impediments and DoD do not capture evolving probability-impact risk information.