For anyone involved in risk management, the thought of applying risk techniques to software raises many questions, including: Can we really identify risk areas in code? Can we identify which software items contribute to hazardous situations? Can we identify mitigations and be sure we have covered all cases?