Risk Management in Software Development: A Primer
A risk is any event or situation that would harm your software development project in some way. The goal of risk management is to limit the likelihood of something bad happening to your software project. It's therefore something that all software project managers should practice. If you were to start your initiation in risk management with IEEE Std 1540-2001 on Risk Management, or a Software Engineering Institute (SEI) method, or the Guide to the Project Management Body of Knowledge, you'd be scared to death. Or you'd think that risk management is only for large, complex projects with a plethora of staff and lots of time to waste.
But risk management doesn't have to be complicated, formal, or heavily bureaucratic. And it's totally appropriate to practice even for the smallest projects. The recipes to do so are actually very simple, are perfectly aligned with the standards, and can be executed in a lightweight, nimble fashion, suitable to the most agile method. The only tool you'll ever need is a spreadsheet.
I've selected six papers to introduce you to the craft of risk management; curiously, they're all more than 10 years old. They have stood the test of time, and there's nothing in them I would change in 2007.
Start with the all-time 1991 classic, "Software Risk Management: Principles and Practices," in which Barry Boehm defines the key risk management concepts: impact, exposure, mitigation, and so on. He presents a six-step strategy and a handful of simple practices, such as monitoring the "top 10 risks." Not quite convinced? Need some reinforcement? Then move on to Dick Fairley's article. Dick has a simple seven-step approach, not too different from Boehm's, which he illustrates with an extensive case study. Art Gemmer provides additional practical advice. In particular, he elaborates on the concepts of probability and impact, and how to elicit them from your stakeholders and team members.
The other articles I recommend were all published in the same special issue of IEEE Software on risk management. The whole issue is probably worth reading, starting with the introduction by Barry Boehm and Tom DeMarco. But I'll focus on three of the articles. First, Ray Williams, Julie Walker, and Audrey Dorofee will guide you step by step on how to establish a risk management process for your project or organization using the SEI risk paradigm. Their taxonomy of risks is very useful input to give you ideas about what can go wrong. Tony Moynihan summarizes how 14 managers in small commercial projects assess the risk implications of a project's specific context. He also provides a partial confirmation of the SEI's risk taxonomy. Finally, Edmund Conrow and Patricia Shishido give us an example from a large defense project.
Now you should be ready to go and implement your own risk management strategy. You can even revisit the standards with confidence: you're probably compliant. Wasn't that easy?
Philippe Kruchten is a professor in the Department of Electrical and Computer Engineering at the University of British Columbia. He spent more than 30 years in the telecomm, defense, aerospace, and transportation industries. Some of his experience is embodied in the Rational Unified Process, whose development he directed from 1995 to 2003. He's an associate editor in chief of IEEE Software magazine, an IEEE Certified Software Development Professional, and a licensed Professional Engineer.