<aside>
🎯 In this chapter, we will explore common areas to consider for risks, and how to address uncertainties around the decision. Decisions will almost always have risks but that shouldn’t prevent decisions from being made.
</aside>
Documenting risks in a decision record is part of the due dilligence and will build confidence that you considered all angles of the decision. Be transparent about open risks and share them with the team. Team members will feel more confident to add their concerns and you will build buy-in for the decision.
<aside>
🚨 Anticipate the concerns of skeptical or critical stakeholders and record them as risks if they have merit. This can be used to get ahead of concerns that would otherwise sink the decision.
</aside>
To identify risks, It may be helpful to reflect on the different types of decision risks. They typically break down into one of the following categories.
- Technical Risks. The component or technology may not be compatible with the rest of your solution. This can lead to additional effort, higher costs, or all-out integration failure. These are best mitigated with POCs to unravel uncertainty.
- Functional Risks. The selection may not function as anticipated. POCs can help but also rely on vendor demos and sales support. Be wary of promises from vendors to add new functionality that is critical for your solution. For open source, understanding functional gaps may require deeper exploration and potentially customization.
- Business Risks. The selection may end up costing more than anticipated, support may be challenging to access, or the selection could diverge from your use case over time. Be clear on contractual commitments and consult others customers to assess the reputation of the vendor.
If we consider potential risks for an Identity Provider selection, they may include the following:
- Security - Your company wants to sell this solution to big enterprise and they may not trust a hosted Identity solution.
- Support - The company or the community solution you selected may not be supported in 2 years.
- Feature - The provider doesn’t support conditional MFA although the provider has it in roadmap for sometime later.
So how do you move forward with open risks?
- Call them out. First thing first, just call out the risk. Write it down using the format below. Consider also adding them to your organization or project’s Risk Register.
- What is risk?
- What is the impact?
- What is the likelihood of the risk being realized?
- What are options to mitigate the risk?
- Discuss the impact in terms of the project timelines, completeness, and funding.