Issue and Risk Management in Scrum

Today I met with an organization who has three simultaneous development teams and is closely following the Scrum rules for managing risks and issues. I tend to think this approach is deficient, however. Perhaps it's the traditional Project Manager in me, but I have really come to rely on a well managed risk and issue log as part of my tool box. In fact, I would frequently spend more time in my issue and risk log than in my backlogs (in Scrum) or project files (in RUP or my company's methodology). I recently received this e-mail from "MN:"

From: MN
Sent: Tuesday, March 04, 2008
To: Santiago, John
Subject: Risk management

I was wondering how risk management gets done in scrum. Is this an explicit activity or is it sort of inherent in the prioritization process?

I have this voice in the back of my head saying: "Mike, you should be doing risk management..."
_ _ _ _
My response:
In theory, “Frequent risk and mitigation plans are developed by the development team itself. – Risk Mitigation, Monitoring and Management (risk analysis) is incorporated at every stage and with “genuinity”.

I always took a more proactive approach and kept a classic risk and an issue log complete with mitigation plans and results, so that I could help remind the team of past decisions and make sure items don’t get lost. Sometimes issues or risks would manifest themselves as actual backlog items. The reason I ask in our standups about work is being held up or roadblocks the team has is to identify Issues and sometimes Risks. During Planning meetings I watch for any backlog items that are uncertain, and those quickly become risks. It also helps to ask the team during Planning, “What problems do you think we could encounter?” They can usually answer that question, but can’t always answer a more formal question such as “What issues or risks do you see?”