Requirement Specifications and Risk

I was skimming through Death March today and was reading a bit on specifications and one thing kind of jumped out at me. I have been thinking a lot about risk management lately, mostly since I recently had to write a workshop handout for the 3rd year students, so this struck me as rather interesting. The thing that jumped out at me was that Yourdon suggests specifying risks associated with requirements as part of the requirements specification.

Now this struck me because I'd never thought of having risks linked so closely to the requirements. Now that I've thought about it, it makes quite a lot of sense. If you're going to do an assessment of the feasibility of each requirement then this is really part of your risk analysis anyway. Furthermore, risk is one of the fundamental decision-making tools that exist in a project, so being able to prioritise requirements is made easier when the risks associated with them are right there alongside.

From the point of view of risk management this might complicate the risk specification procedures as they will be in more than one place, but I think that, if it is done in an intelligent way, then it won't cause problems. I'm sure that it's possible to write a script to extract the risks from the requirements specification and place them in a risk log. It would mean that updates to the requirements would make it obvious that updates to the risks are also necessary.

Finally, I think it should make the importance of risk management apparent to the entire team if risks are present in their requirements specification. From what I've seen of student projects, risk is something that often isn't given serious thought.

So, next time you're writing a requirements specification, think about putting the corresponding risks in there with the requirements. I'm interested to see what others think about this idea.