How to manage requirements and risk analysis in Jira

Written by Rina Nir

Risk management

Managing requirements and risk analysis in Jira

This is an updated version of the post: “risk analysis in Jira.” It relates to all Jira variants: Cloud, Server and Data Center.

Risk management is vital component in any project. Jira has the tools to help you manage all the elements of the traceability matrix. This includes requirements and the risk analysis itself. If your risks are all closely linked to requirements, this will help your team keep them in mind during the implementation work. In managing risk analysis in Jira, you can include a live link from each risk to the relevant mitigation. This ensures that the traceability between risks and requirements is always current. No need for manual maintenance.

Assuming you’ve already read our article on managing requirements in Jira and use Jira as such, we’ll show you how to set it up to include the risk elements.

To follow these guidelines, you will need to have the Risk Register plugin installed in Jira.

(Jira examples relate to Jira server, version 7.3.1.)

Risk model

How to record your Risk Analysis in Jira

  1. If you haven’t already, add your list of requirements to Jira.
  2. As you perform the risk analysis for a specific requirement, complete the relevant risk analysis fields:
    • Add the current date to the ‘risk analysis date’ field.
    • Indicate whether or not risks are identified.
  3. If risks are identified, create a new issue of type ‘Risk.’ Describe the risk and qualify its severity, occurrence and detectability.
  4. Link the risk issue to the the requirement that triggered it.
    • Note: Several requirements may be linked to the same risk.
  5. Define how risks will be mitigated, defining each mitigation as a new requirement. That is, unless the requirement already exists. Create a ‘mitigated by’ link between each risk and its mitigations.
    • Note: You could represent mitigations as functional specifications rather than requirements. Both approaches have their merits. Either way, it’s important to make sure each mitigation is clearly identified and connected with the relevant system tests.
  6. In the risk issue, indicate the residual risk that remains once the relevant mitigation has been carried out.

Risk model

Administration and setup

Before you can begin risk analysis in Jira, a Jira administrator will need to set it up as follows:

  1. Define the following issue types in Jira and associate them with the Jira project that you use to record your specifications:
    • Requirement: add the following custom fields to this issue type:
      • Risk analysis date: the most recent date when risk analysis was carried out for this requirement
      • Conclusion of risk analysis: whether risks were identified or not
    • Functional specification
    • Risk: If you’re using the Risk Register plugin, this this issue type will be created automatically
  2. Configure Risk Register to support your model of FMEA analysis (see the example in Risk analysis for computerised systems):
    • Change the names and default values of the following four fields to support your risk analysis needs:
      • Impact → change to ‘Severity/Occurrence,’ and add the following options: ‘High/High,’ ‘High/Medium,’ ‘Medium/High,’ ‘Medium/Medium,’ ‘Medium/Low,’ ‘Low/High,’ ‘Low/Medium,’ ‘Low/Low.’
      • Probability → change to ‘Detectability,’ and add the options ‘High,’ ‘Medium’ and ‘Low.’
      • Residual impact → Change the name to ‘Residual severity/Occurrence’ – the options will automatically reflect those for ‘Severity/Occurrence.’
      • Residual probability → Change the name to ‘Residual risk.’ The options will automatically reflect those for ‘Probability.’
    • Set up the risk model scale according to your conventions and define which combinations of severity, occurrence and detectability map to the high, medium and low risk priorities.


Blog posts in this series:

  1. Why you should manage requirements in Jira
  2. Advice for selecting traceability matrices
  3. Requirement specifications
  4. Digital health company? Here is your guide for risk management using Jira cloud

Have an idea for your Quality Management System?

We’d love to learn more about your project.

Let’s have a chat