This practice ensures the team continues to update their risk log, analysis, and strategies as the project progresses and the environment changes.

Complacency is a top killer for projects. If a team becomes complacent and fails to monitor risks (or identify new ones), a project can suffer.

The last step in the process is monitoring and controlling the risk management process by making sure our strategies are effective, continually looking for new or escalating risks and ways to improve.

Risk Burn-Down Graphs

Risk burn-down graphs are a great way of showing the project's cumulative risk position and trends over time. They are stacked area graphs of risk severity that allow trends, along with new and escalating risks to be easily identified.

Risk retrospectives are periodic reviews of the risk and opportunity log and risk management processes being used on the project. Just as we review the evolving product and team processes throughout the project, so should we be evaluating the effectiveness of the risk management plan and processes being used by the team.

What are some types of questions we could/should be asking when we regularly review our risk management approach?

1. Are we eliminating or reducing our risks?
2. How is our remaining Risk EMV burning down?
3. What is our Risk EMV Reduction Velocity per iteration?
4. When will our remaining Risk EMV be zero?
5. Do we have any new or escalating risks?
6. What are the root causes of our risks and can we eliminate any of them?
7. Which risk avoidance or elimination strategies are working and which are not?
8. For risks that we chose to transfer, how are the third parties managing them?
9. What can we learn from them, or would we be better bringing them back internally?
10. How are our team risk management capabilities developing?
11. Where do we still need mentoring and support

Finally, reviewing is not enough — we need to update our risk management artifacts, update our risk lists and EMV scores, and groom the backlog with new features and new risk responses; and always rebalancing the priorities. Update the risk information radiator graphs (like our risk burn-down graphs), and make sure people are not only looking at the impacts of new work in terms of estimates, but potential risks, too.