For a long time, when I communicated the status of a project to my stakeholders, I would say something like, “Here is where we stand, and here’s what that tells us about our delivery date. I have 80% confidence this date will hold, and I’ll keep you updated as things change.”

I would spend significant time explaining the complexities of software projects – iterative estimation and planning, the difference between a plan and a promise, and the assumptions underlying the plan. (See my post titled Undercommit and Overdeliver for a better approach to timeline estimation and communication.)

This approach, however, missed a critical element: risk management. It essentially implied, “Things will change, and I’ll inform you when they do.” But that’s a passive approach. What you need is to actively manage these uncertainties.

There are three essential steps to effective risk management:

1. Identify the risks that could jeopardize your delivery date.
2. Develop actions to reduce the likelihood of those risks.
3. Incorporate those actions into your project plan as early as possible.

Identifying Risks

When planning your project, you’re likely making assumptions. You might assume a critical technology will be available on time. You might assume your estimates are accurate or that remaining work will follow patterns similar to what’s been done so far. You might assume priorities won’t change, or that team members will stay on the project. If any of these assumptions turn out to be false, they will affect your plan – probably not for the better.

Additionally, you may be aware of certain unknowns. Maybe a decision from another project that yours depends on hasn’t been made yet. Perhaps leadership changes are imminent, and priorities will shift, but you don’t yet know how. Or, you may know that the operating system your app relies on will undergo updates (e.g. the annual release of new versions of iOS), but you have no idea what will change.

These assumptions and unknowns are your risks.

Create a detailed list of these risks. Be as thorough as possible. Then, review them with your team, partners, and stakeholders to identify additional risks you may have overlooked.

Mitigation Actions

For each identified risk, create a plan to confirm or disprove your assumptions and get the answers you need as soon as possible. This may involve prioritizing the estimation of remaining work, or engaging with teams responsible for dependencies to ensure progress. It could mean establishing reliable communication channels so you are immediately informed of priority changes. It may also require investing in practices like paired programming or documentation to safeguard against the loss of critical knowledge if a team member leaves.

Whatever the risk, there are actions you can take to minimize its impact by addressing unknowns and validating assumptions early.

Determine the necessary actions for each risk.

Taking Action

These mitigation steps require effort. You need to plan, prioritize and allocate resources to execute them alongside your project’s core tasks. These measures should be integrated into your project plan because they are critical to accurately projecting your delivery date.

Having a clear list of risks and demonstrating your process for mitigating them is also key to building and maintaining trust with your leadership team. They will appreciate the assurance that you are not only thinking ahead but also actively managing your delivery date.

Iterating on Risk Management

While the goal is to identify risks and unknowns as early as possible, new risks will inevitably emerge as the project evolves. Your risk list – and the actions to address them – must be dynamic. Keep it updated and reprioritize mitigation efforts as needed.

What strategies have you used to identify and mitigate risks? How do you communicate them? I’d love to hear your thoughts.