Here’s a simple way to make “risk budget” feel like a real, live dashboard rather than a dusty policy—plus the one visualization that best explains “budget burn” to PMs.
First, quick background (plain English)
- Risk budget = how much unresolved risk we’re willing to carry for a release (e.g., 100 “risk points”).
- Burn = how fast we consume that budget as unknowns/alerts pop up, minus how much we “pay back” by fixing/mitigating.
What to show on the dashboard
- Heatmap of Unknowns (Where are we blind?)
  - Rows = components/services; columns = risk categories (vulns, compliance, perf, data, supply-chain).
  - Cell value = unknowns count × severity weight (unknown ≠ unimportant; it’s the most dangerous).
  - Click-through reveals: last evidence timestamp, owners, next probe.
- Delta Table (Risk Decay per Release)
  - Each release row compares Before vs After: total risk, unknowns, known-high, accepted, deferred.
  - Include a “risk retired” column (points dropped due to fixes/mitigations) and “risk shifted” (moved to exceptions).
- Exception Ledger (Auditable)
  - Every accepted risk has an ID, owner, expiry, evidence note, and auto-reminder.
The best single chart for PMs: Risk Budget Burn-Up
(This is the one slide they’ll get immediately.)
- X-axis: calendar dates up to code freeze.
- Y-axis: risk points.
- Two lines:
  - Budget (flat or stepped) = allowable risk over time (e.g., 100 pts until T‑2, then 60).
  - Actual Risk (cumulative) = unknowns + knowns − mitigations (daily snapshot).
- Shaded area between lines = Headroom (green) or Overrun (red).
- Add vertical markers for major changes (feature freeze, pen-test start, dependency bump).
- Add burn targets (dotted) to show where you must be each week to land inside budget.
How to compute the numbers (lightweight)
- Risk points = Σ(issue_severity_weight × exposure_factor × evidence_freshness_penalty).
- Unknown penalty: if an issue has no evidence newer than N days, apply a multiplier (e.g., ×1.5).
- Decay: when a fix lands and evidence is refreshed, subtract points that day.
- Guardrail: fail gate if unknowns > K or Actual Risk > Budget within T days of release.
Minimal artifacts to ship
- Schema: issue_id, component, category, severity, is_unknown, exposure, evidence_date, status, owner.
- Daily snapshot job: materialize totals + unknowns + mitigations per component.
- One chart, one table, one heatmap (don’t overdo it).
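As an added example (not part of the original post), here is a minimal daily snapshot job that implements the scoring rule and guardrail above over the suggested schema: it computes risk points with the evidence-freshness penalty, the stepped budget and headroom for the burn-up chart, the heatmap cells, the "risk retired" / "risk shifted" columns for the delta table, and the "overrun in N days" callout. The severity weights, the 14-day staleness window, the budget step at two weeks before freeze, the unpenalized scoring of retired points, and all sample issues are constructed assumptions.

```python
# Added example, not from the original post: a daily snapshot job for the risk-budget burn-up.
# Severity scale, staleness window, budget step and the sample issues are assumptions.
from dataclasses import dataclass
from datetime import date
from math import ceil
from typing import Optional

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 8, "critical": 15}  # assumed scale
STALE_AFTER_DAYS = 14      # "no evidence newer than N days" -> apply the penalty
STALE_MULTIPLIER = 1.5     # the x1.5 from the text


@dataclass
class Issue:                       # one row of the suggested schema
    issue_id: str
    component: str
    category: str
    severity: str
    is_unknown: bool
    exposure: float                # 0.0 .. 1.0 share of traffic/data the issue touches
    evidence_date: Optional[date]  # None = no evidence at all
    status: str                    # "open", "mitigated" or "accepted"
    owner: str


def freshness_penalty(issue: Issue, as_of: date) -> float:
    """x1.5 when there is no evidence, or the latest evidence is older than the window."""
    if issue.evidence_date is None or (as_of - issue.evidence_date).days > STALE_AFTER_DAYS:
        return STALE_MULTIPLIER
    return 1.0


def base_points(issue: Issue) -> float:
    return SEVERITY_WEIGHT[issue.severity] * issue.exposure


def issue_points(issue: Issue, as_of: date) -> float:
    """Points an issue contributes today; mitigated/accepted issues carry none."""
    if issue.status != "open":
        return 0.0
    return base_points(issue) * freshness_penalty(issue, as_of)


def budget_for(as_of: date, freeze: date) -> float:
    """Stepped budget: 100 points, dropping to 60 inside the last two weeks before freeze (assumed)."""
    return 100.0 if (freeze - as_of).days > 14 else 60.0


def daily_snapshot(issues, as_of: date, freeze: date) -> dict:
    """Materialize the totals the burn-up chart, delta table and KPI tiles read."""
    actual = sum(issue_points(i, as_of) for i in issues)
    snapshot = {
        "date": as_of.isoformat(),
        "actual_risk": actual,
        "budget": budget_for(as_of, freeze),
        "unknowns": sum(1 for i in issues if i.is_unknown and i.status == "open"),
        # risk retired: points removed by fixes, scored at their unpenalized value (assumption)
        "risk_retired": sum(base_points(i) for i in issues if i.status == "mitigated"),
        # risk shifted: points parked in the exception ledger instead of fixed
        "risk_shifted": sum(base_points(i) for i in issues if i.status == "accepted"),
    }
    snapshot["headroom"] = snapshot["budget"] - actual
    return snapshot


def unknowns_heatmap(issues) -> dict:
    """(component, category) -> severity-weighted count of open unknowns."""
    cells: dict = {}
    for i in issues:
        if i.is_unknown and i.status == "open":
            key = (i.component, i.category)
            cells[key] = cells.get(key, 0) + SEVERITY_WEIGHT[i.severity]
    return cells


def gate_passes(snapshot: dict, as_of: date, freeze: date, max_unknowns: int, window_days: int) -> bool:
    """Guardrail: within window_days of freeze, fail on too many unknowns or on overrun."""
    if (freeze - as_of).days > window_days:
        return True
    return snapshot["unknowns"] <= max_unknowns and snapshot["actual_risk"] <= snapshot["budget"]


def days_to_overrun(headroom: float, daily_burn: float) -> Optional[int]:
    """Callout helper: at the current net burn, in how many days is the budget crossed?"""
    if headroom <= 0:
        return 0            # already overrun
    if daily_burn <= 0:
        return None         # paying back faster than burning
    return ceil(headroom / daily_burn)


# Constructed sample issues (not real findings); one has stale evidence, one has none.
AS_OF = date(2024, 6, 10)
FREEZE = date(2024, 6, 20)
SAMPLE_ISSUES = [
    Issue("ISS-1", "api", "vulns", "high", False, 1.0, date(2024, 6, 8), "open", "alice"),
    Issue("ISS-2", "api", "supply-chain", "medium", True, 0.5, None, "open", "bob"),
    Issue("ISS-3", "billing", "compliance", "critical", False, 0.8, date(2024, 5, 1), "open", "carol"),
    Issue("ISS-4", "billing", "perf", "low", False, 1.0, date(2024, 6, 9), "mitigated", "dave"),
    Issue("ISS-5", "web", "data", "high", False, 0.6, date(2024, 6, 1), "accepted", "erin"),
    Issue("ISS-6", "web", "vulns", "high", True, 1.0, date(2024, 6, 5), "open", "frank"),
]

if __name__ == "__main__":
    snap = daily_snapshot(SAMPLE_ISSUES, AS_OF, FREEZE)
    print(snap)
    print("heatmap:", unknowns_heatmap(SAMPLE_ISSUES))
    print("gate passes:", gate_passes(snap, AS_OF, FREEZE, max_unknowns=3, window_days=14))
    print("overrun in days:", days_to_overrun(snap["headroom"], daily_burn=5.0))
```

With the sample data the snapshot lands at 36.25 points against a 60-point budget (the stepped budget has already dropped because freeze is ten days out), so the KPI tile reads a positive headroom, and at a constructed net burn of 5 points/day the callout projects overrun in 5 days. Running the job once per day and appending each snapshot dict gives the "Actual Risk" series for the burn-up chart directly.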
Copy‑paste labels for the board
- Top-left KPI: “Headroom: 28 pts (green)”
- Badges: “Unknowns↑ +6 (24h)”, “Risk retired −18 (7d)”, “Exceptions expiring: 3”
- Callout: “At current burn, overrun in 5 days—pull forward libX fix or scope‑cut Y.”
If you want, I can mock this with sample data (CSV → chart) so your team sees exactly how it looks.