I would want to confirm my understanding is correct which is,
If scalability, Security, performance and availability are already clearly mentioned as NFRs in the assignment, then they should not appear in risk list any more.
I disagree. Just because something is a requirement doesn't mean it's not a risk. I personally feel Security is almost always the biggest risk on an external facing project, just look at the recent trouble Sony had.
Thanks Will. I still have security in my risk list. What about scalability and performance?
I had all of them in list earlier, but removed them cos I got a feeling that if design and architecture address these issues enough, aren't the risks automatically mitigated or there aren't risks existing anymore to do with scalability and performance.