Risk Management
 

 

 What is Risk?

Risk management is not a new concept. It is redefined for software industry. This science has always existed in all industries.

 

Risk management exists wherever there is any uncertainty: Eg: information that is ambiguous, events that are not clear. It applies to things we know that can happen and may affect our business.

 

 

Software risk

Software risk is a measure of the likelihood and loss of an unsatisfactory outcome affecting the software project, process, or product. Hence we can classify Software risk as:

 

1.    Software project risk

2.    Software process risk

3.    Software product risk

 

Software project risk

·         Project risk is primarily a management responsibility

·         Project risk includes: resources, constraints, external interfaces, supplier relationships, or contract restrictions

·         Funding is the most significant project risk reported in risk assessments.

 

Software process risk

·         Includes both management and technical work procedures

·         Planning, staffing, tracking, quality assurance and configuration management

·         Requirement analysis, design, code, and test

 

Software product risk

·         Intermediate and final work product characteristics

·         Product risk is primarily a technical responsibility

·         Product risk is difficult to manage.

 

 

 

Concepts of Risk Management

 

Goal

  • Manage risk in relation to a specific goal and can affect only the work that remains to achieve the goal
  • What is the risk in the plan?
  • What is the risk in the remaining work?
  • Well defined goal with measurable success criteria bounds acceptable risk

 

Uncertainty

Uncertainty is that which we do not know, inherent in all of our assumptions and the future itself.

 

Loss

Unless there is potential for loss there is no risk. The loss can be either a bad outcome or a lost opportunity. An unsatisfactory outcome might be a product with an unacceptable latent defect rate, or failure to meet the desired delivery date. Opportunity is the chance of a good outcome; opportunity cost is the loss of a missed opportunity. Opportunity cost can be calculated in lost customer satisfaction and lost profit.

 

Time

we need time to anticipate and prevent problems. Time is a great equalizer because every day we each have the same amount. Although a valuable resource, we cannot accumulate time. As time goes by, viable options tend to decrease. By managing risk, we reduce wasted time by using it to our advantage.

 

Choice

Unless there is a choice there is no risk management. Sometimes we cannot control risk, or do not feel empowered to select from the available options. Doing something or doing nothing should be a conscious choice. Understanding the goal, and the risk of not achieving the goal, helps us to make the right choice. we can discover the risk of software risk management by first defining its goal.

 

Make intelligent decisions

we make intelligent decisions based on awareness, insight, and understanding of risk. Risk management provides a process to communicate risk information and provide visibility into software risks at all project levels.

 

Resolve risk

Develop and execute a risk action plan to resolve risk. The key to resolving risk is finding risk when there is time to take action and knowing when to accept a risk. Risk resolution strategy is not to minimize risk alone but to maximize opportunity

 

Prevent problems

Resolution of software risk prevents problems and surprises. Risk management is a proactive strategy to reduce the problem of costly rework.

 

 

 

Need for Software Risk Management

 

There are many reasons that risk management is currently in use on software projects.

 

  • The ability to manage uncertainty on projects is a requirement designed to deal with scarce resources, advances in technology, and the increased demand for complex systems in a rapidly changing environment.
  • Given the current business climate of shrinking profit margins, the global economy and its uncertain market conditions, and the competitive forces pressured by rapid technology advances.
  • Risk management techniques were introduced to the software community in 1980’s 
  • The father of software risk management is Barry Boehm, whose contributions include the Spiral Model, a software life cycle model that is iterative and risk driven.

 

Risk in the large

  • Those who practice risk management agree that it must be performed regularly throughout the life cycle of a software system. Risks are dynamic, meaning that they change over time 
  • Risk is neither more nor less important than work; it is, instead a part of the effort remaining.
  • Two perspectives hinder routine risk management

 

Risk viewed as extra activity: The danger perceiving risks as less important then assigned work is that we may not address risks when work priorities escalate

 

Risk viewed as outside activity: The pitfall in perceiving risk as someone else’s responsibility is that when that person is not around, risk management will cease.

 

 

 

The Six Discipline Model

 

Envision

develop a vision for a software product. Apple computer developed the user friendly Macintosh out of Steven jobs vision of the computer as a household appliance.

 

Plan

plan the project by mapping resources to the goals established for the software. This discipline refers to mapping available resources to requirements, which are derived from project goals and objectives. Although management is responsible for high level project planning, everyone plans with respect to accomplishing assigned work.

           

Work

Produce the product based on the current plan. This discipline refers to implementing the plan to produce the product Work is any activity to produce the product, including intermediate and disposable work products.(derived documents, design documents, and test drivers.)

 

Measure

Report the variance between expected and actual results to update the plan This discipline refers to comparing expected and actual results. We analyze variance and recommend corrective action.

 

Improve

Analyze benchmarks and organization project measures to improve processes and metrics. This discipline refers to learning from past experience. Internal measures and external benchmarks help us to know how to change plan.

 

Discover

Assess the uncertainty of our work and external enigma for risk and opportunity, which we manage through changes to the plan and vision. The sixth discipline means becoming aware of the future.

We seek to know by investigating what we do not know.

 

 

 

Disciplines of Awareness

 

Personal awareness

Watts Humphrey states that “the personal software process is a self-improvement process (improve). We are each blessed with unique talents and opportunities. We need to decide what to do with them (plan).consistent high performance takes persistent effort (work), an understanding of our own abilities (measure),and a dedication to personal excellence (envision)

 

Risk and personal progress

The point at which your project exists today is your current status of project. Between the Estimated task completions and Actual task completions are project risks which manager needs to mitigate and foresee from time to time.

 

Consequence of knowledge

 

  1. Six disciplines
    1. 6D model
    2. Specialization requires that there is a manager who plans, an engineer who works, and a measurement analyst who measures

 

  1. Individual intelligence
    1. Fitting square people in round jobs
    2. Individual contribution is a key to high performance teams and profitable organisaton
    3. Consequence of ignorance
    4. Lack of skills
    5. Lost opportunity
    6. Suffer from mistakes
    7. Pain of regret

 

 

Reactive & pro-active

Risk management is a proactive activity. We plan for risks ahead of time. When the risk occurs, we react to it by our risk resolution plan.

 

 

Risk Management Plan Outline

 

  1. INTRODUCTION
    1. Purpose
    2. Background
    3. Scope
    4. Policy
    5. Approach

 

  1. RISK IDENTIFICATION LIST
  2. RISK ASSESSMENT
  3. RISK ACTION PLAN

 

Risk Management (RM) is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk. It also refers to the process of accepting, transferring, or mitigating risk.

 

Risk Management activities include documenting and identifying project risks; analysis, assessment, and prioritization of those project risks; and laying out plans to implement actions to reduce the project risks throughout the project's life cycle.

 

Risk Management planning provides a control mechanism to monitor, report, and direct all risk mitigation activities. Risk management is initiated during the System Concept Development Phase and continues through all subsequent phases.

 

  • Risk Categories
  • Product Size
  • Business impact
  • Customer characteristics
  • Process definition
  • Development environment
  • Technology to be built
  • Staff size and experience

 

 

Steps to Manage Risk

 

  1. Risk Identification
  2. Risk Analysis
  3. Risk Planning
  4. Risk Tracking
  5. Risk Control
  6. Risk Communication

 

Risk Identification

Risk is an undesirable situation or circumstance, which has both a probability of occurring and a potential consequence to project success. Risk has an impact on cost, schedule, and performance. Risk identification is the process of identifying uncertainty within all aspects of a project. In other words: what might go wrong and what happens if it does. For most information system projects, these risks may be grouped in the following categories:

 

Technical: Risk associated with creating a new capability or capacity

Supportability: Risk associated with implementing, operating, and maintaining a new capability

Programmatic: Risk caused by events outside the project's control, such as public law changes

Cost and Schedule: Risk that cost or schedule estimates are inaccurate or planned efficiencies are not realized

 

Risks should be identified continuously by project participants (at all levels) and the project management team should capture these risks in definitive statements of probability and impact. Lessons-Learned from previous projects may be a significant source for identifying potential risks on a new project.

 

  • Risk identification process goals
  • Encourage input of perceived risk from the team
  • Identify risk while there is time to take action
  • Uncover risk and sources of risk
  • Capture risk in a readable format
  • Communicate risk to those who can resolve it
  • Prevent project surprises
  • Checklist, interview, meeting, review, routine input, survey, working group.

 

 

Risk Analysis

Risk Analysis quantifies the identified risks and conducts detailed sensitivity studies of the most critical variables involved. The outcome of these analyses may be a quantified list of probabilities of occurrence and consequences that may be combined into a single numerical score. This single score allows project risks to be prioritized.

 

 Risk analysis process goals

  • Analyze risk in a cost efficient manner
  • Refine the risk context
  • Determine the source of risk
  • Determine the risk exposure
  • Determine the time frame for action
  • Determine the highest-severity risk

 

 

 

Analysis process activities

  • Groups similar and related risk
  • Determine risk drivers
  • Determine the source of risk
  • Use risk analysis techniques and tools
  • Estimate the risk exposure
  • Evaluate risk against criteria
  • Rank risks related to other risks

 

 Risk Exposure (RE) = Probability x Cost

 

 

Risk Planning

Risk planning decides what to do about a project risk. Available actions are:

 

  • Avoid the risk.
  • Assume the risk
  • Transfer the risk

 

The action selected for each risk will depend on the project phase, the options that are available, and the resources that can be used for risk management. A majority of project activities involve tracking and controlling the project risk.

 

Risk planning process goals

  • Provide visibility for key events and conditions
  • Reuse successful risk resolution strategies
  • Optimize selection criteria
  • Understand the next action for each high severity risk
  • Establish automatic triggering mechanisms
  • Risk planning process activities
  • Develop risk scenarios for high severity risks
  • Develop risk resolution alternatives
  • Select the risk resolution approach
  • Develop a risk action plan
  • Establish thresholds for early warning

 

 

Risk Tracking

Risk tracking involves gathering and analyzing project information that measures risk. For example, test reports, design reviews, and configuration audits are risk tracking tools used by project management to assess the technical risk of moving forward into the next life cycle phase.

 

Risk Tracking Process Goals

  • Monitor the events and conditions of risk scenarios
  • Track risk indicators for early warning
  • Provide notification for triggering mechanism
  • Capture results of risk resolution efforts
  • Report risk measure and metrics regularly
  • Provide visibility in risk status

 

 

Risk Control

Risk control takes the results of risk tracking and decides what to do and then does it. For example, if a project design review shows inadequate progress in one area, the decision may be made to change technical approaches or delay the project.

 

 

Risk Mitigation Techniques

Risk mitigation techniques are used to control or transfer risk until an acceptable risk level is reached. The most common techniques are inherent in good management and engineering practice:

 

  • Budget management reserve - mitigates cost risk
  • Schedule slack - mitigates schedule risk
  • Parallel development - mitigates technical risk
  • Prototyping - mitigates technical risk
  • Incentive fee and incentive-firm contract
  • Types - mitigates cost risk
  • Incremental deliveries mitigates: Entrance and exit criteria for major design reviews - mitigates cost, schedule and technical risks

 

 

Risk resolution process goals

  • Assign responsibility and authority to the lowest possible level
  • Follow a documented risk action plan
  • Report results of risk resolution efforts
  • Provide for risk aware decision making
  • Determine the cost effectiveness of risk mgmt
  • Is prepared to adapt to changing circumstances
  • Take corrective actions when necessary
  • Improve communication within the team
  • Systematically control the software risk

 

 

 

Risk resolution process activities

  • Respond to notification of triggering event
  • Execute the risk action plan
  • Report action against the plan
  • Correct the deviation from the plan

 

 

Risk Communication

Risk information should be communicated to all levels of the project organization and to appropriate external organizations. This ensures understanding of the project risks and the planned strategies to address the risk. Risk information then feeds the decision processes within the project and should establish support within external organizations for mitigation activities. For example, an agency comptroller who understands the project risks is more likely to allow the project manager to have a management reserve within the project budget.

 

Communicating risk information in a clear, understandable, balanced, and useful manner is difficult. The ability to state the problem at hand clearly, concisely, and without ambiguity is essential.

 

 

 

 

 

Home

Risk Analysis

 

"I don't make software. I make it better" - Software Tester