You can use Jira to manage all elements of the traceability matrix, including the risk analysis itself.

If your risks are all closely linked to requirements, this will help your team keep them in mind during the implementation work. In Jira, you can include a live link from each risk to the relevant mitigation. This will ensure that the traceability between risks and requirements is always current, without the need for manual maintenance.

Assuming you already maintain your requirements in Jira, we’ll show you how to set it up to include the risk elements.

To follow these guidelines, you will need to have the Risk Register plugin installed in Jira.

(Jira examples relate to Jira server, version 7.3.1.)

Set up the risk model according to your conventions

How to record your Risk Analysis in Jira

  1. If you haven’t already, add your list of requirements to Jira.
  2. As you perform the risk analysis for a specific requirement, complete the relevant risk analysis fields:
    • Add the current date to the ‘Risk analysis date’ field.
    • Indicate whether or not risks are identified.
  3. If risks are identified, create a new issue of type ‘Risk’. Describe the risk and qualify its severity, occurrence and detectability.
  4. Link the risk issue to the requirement that triggered it. (Note: Several requirements may be linked to the same risk.)
  5. Define how risks will be mitigated, defining each mitigation as a new requirement (unless the requirement already exists). Create a ‘Mitigated by’ link between each risk and its mitigation(s). (Note: You could represent mitigations as functional specifications rather than requirements – both approaches have their merits. Either way, it’s important to make sure each mitigation is clearly identified and connected with the relevant system tests.)
  6. In the Risk issue, indicate the residual risk that remains once the relevant mitigation has been carried out.
Overview of risks identified (and mitigated)
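
One way to check that the steps above have left no gaps, run over issues exported from Jira. This is an added example, not part of the original guide or of the Risk Register plugin; the record layout, the 'Triggered by' link name, the option text for the conclusion field and the sample issues are assumptions constructed for illustration.

```python
TRIGGER_LINK = "Triggered by"      # assumed name; the guide leaves this link type unnamed
MITIGATION_LINK = "Mitigated by"   # link type named in the guide
RISKS_FOUND = "Risks identified"   # assumed option text for 'Conclusion of risk analysis'
MITIGATION_TYPES = {"Requirement", "Functional specification"}

# Constructed sample export (not real project data).
ISSUES = [
    {"key": "REQ-1", "type": "Requirement", "risk_analysis_date": "2017-03-01",
     "conclusion": RISKS_FOUND, "links": []},
    {"key": "REQ-2", "type": "Requirement", "risk_analysis_date": None,
     "conclusion": None, "links": []},
    {"key": "REQ-3", "type": "Requirement", "risk_analysis_date": "2017-03-02",
     "conclusion": RISKS_FOUND, "links": []},
    {"key": "REQ-4", "type": "Requirement", "risk_analysis_date": "2017-03-03",
     "conclusion": "No risks identified", "links": []},
    {"key": "RISK-1", "type": "Risk", "residual_risk": "Low",
     "links": [(TRIGGER_LINK, "REQ-1"), (MITIGATION_LINK, "REQ-4")]},
    {"key": "RISK-2", "type": "Risk", "residual_risk": None,
     "links": [(TRIGGER_LINK, "REQ-1")]},
]


def audit(issues):
    """Return (issue key, gap) pairs where the traceability chain is broken."""
    by_key = {i["key"]: i for i in issues}
    # Requirements that at least one Risk issue is linked to.
    with_risk = {target for i in issues if i["type"] == "Risk"
                 for kind, target in i["links"] if kind == TRIGGER_LINK}
    gaps = []
    for issue in issues:
        key = issue["key"]
        if issue["type"] == "Requirement":
            if not issue.get("risk_analysis_date"):
                gaps.append((key, "no risk analysis date"))
            elif issue.get("conclusion") == RISKS_FOUND and key not in with_risk:
                gaps.append((key, "risks identified but no Risk issue linked"))
        elif issue["type"] == "Risk":
            targets = [t for kind, t in issue["links"] if kind == MITIGATION_LINK]
            if not targets:
                gaps.append((key, "no 'Mitigated by' link"))
            for t in targets:
                if by_key.get(t, {}).get("type") not in MITIGATION_TYPES:
                    gaps.append((key, "mitigation %s is not a known specification" % t))
            if not issue.get("residual_risk"):
                gaps.append((key, "residual risk not recorded"))
    return gaps


if __name__ == "__main__":
    for key, gap in audit(ISSUES):
        print(key, "-", gap)
```

An empty result means every requirement has been analysed and every risk is linked to a mitigation and carries a residual risk.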

Administration and setup

Before you can use Jira for risk analysis, a Jira administrator will need to set it up as follows:

  1. Define the following issue types in Jira and associate them with the Jira project that you use to record your specifications:
    • Requirement: add the following custom fields to this issue type:
      • Risk analysis date: the most recent date when risk analysis was carried out for this requirement
      • Conclusion of risk analysis: whether risks were identified or not
    • Functional specification
    • Risk: If you’re using the Risk Register plugin, this issue type will be created automatically
  2. Configure Risk Register to support your model of FMEA analysis (see the example in Risk analysis for computerised systems):
    • Change the names and default values of the following four fields to support your risk analysis needs:
      • Impact → change to ‘Severity/Occurrence’, and add the following options: ‘High/High’, ‘High/Medium’, ‘Medium/High’, ‘Medium/Medium’, ‘Medium/Low’, ‘Low/High’, ‘Low/Medium’, ‘Low/Low’
      • Probability → change to ‘Detectability’, and add the options ‘High’, ‘Medium’ and ‘Low’
      • Residual impact → Change the name to ‘Residual severity/Occurrence’ – the options will automatically reflect those for ‘Severity/Occurrence’
      • Residual probability → Change the name to ‘Residual risk’ – the options will automatically reflect those for ‘Probability’
    • Set up the risk model scale according to your conventions and define which combinations of severity, occurrence and detectability map to the high, medium and low risk priorities.