This paper presents a six-step metrics-based methodology for assessing the risks associated with - and hence the resources required to implement - the requirements contained within a software requirements specification (SRS). The method seeks to eliminate the use of subjective probability assessments in models of risk exposure (RE) and risk reduction leverage (RRL). Measurements are taken of the number of requirements and the class of risk, the number of change requests and their date of issue, and the cost of each requirement change. The class of requirements risk is tailored to a given organisation using the Delphi method. The information collected is stored as an historical database for use in the analysis of subsequent SRSs.