How can I tell if a risk has really been mitigated?
How can I tell if a risk has really been mitigated? Should I just take the team member's word it's been addressed?
Have you ever read the works on the Missouri license plate? Missouri is referred to as the "Show Me" state, which is a mentality we believe project managers need to adopt. It's not that we don't trust people, but how can a project manager reliably measure "done"—especially on something as critical as a risk to the project? Risk mitigation plans therefore need to include
success criteria, some measure to demonstrate the risk to the project has been reduced or eliminated.
For technical efforts, this can be a performance specification or a specific demonstration of functionality. For other efforts there needs to be a similar measurable element to define success. Define criteria for each risk as you develop the plan to mitigate it. At the same time, define exactly how you'll validate it using those criteria. Through a review involving certain people? Through a testing activity? To supplement your own assessment, involve other team members who need that risk to be gone to be able to complete their own work. If the risk involved a customer feature or performance, then have marketing do the assessment as the internal representative of the customer.
In short, don't just take anyone's word for it! Using success criteria and specific plans for validating that a risk is no more, the project manager and team can all confidently breathe easier knowing that one more threat is truly off the table.