Unit 15: Risk Management
Objectives
To explain the concept of risk & to develop its role within the software development process
To introduce the use of risk management as a means of identifying & controlling risk in software development
What is risk?
It is not just a game!
Definitions of risk
The possibility of suffering harm or loss; danger
The possibility of loss or injury
Chance of danger, injury, loss
A measure of the probability & severity of adverse effects
[Figure: risk combines two elements - probability/uncertainty, and something bad happening]
Risks in the everyday world
Financial risks - your house is at risk if you fail to repay your mortgage or any loans secured on it
Health risks - the chance that a person will encounter a specified adverse health outcome (such as dying or becoming disabled)
Environmental & ecological risks - the likelihood of extinction due to exposure of terrestrial wildlife to contaminants
Security risks - there is a significant risk that widespread insertion of government-access key recovery systems into the information infrastructure will exacerbate, not alleviate, the potential for crime and information terrorism
More examples?
How is risk dealt with?
Basic process: identify the risk -> analyse its implications -> determine treatment methods -> monitor performance of treatment methods
Techniques & heuristics for the identification, analysis, treatment & monitoring of risk
Insurance companies depend on understanding risk
Risk management is a project management tool to assess & mitigate events that might adversely impact a project, thereby increasing the likelihood of success
Why is the software world interested in risk?
Many post-mortems of software project disasters indicate that problems would have been avoided (or strongly reduced) if there had been an explicit early concern with identifying & resolving high-risk elements!
An obvious cost factor!
Browse the forum on Risks To The Public In Computers & Related Systems: http://catless.ncl.ac.uk/Risks
Successful project managers are good risk managers!
Sources of software risk (systems context)
[Figure: the SYSTEM at the centre, with risk arising from technology, hardware, software, people, schedule & cost]
Reproduced from [Higuera 1996] Software Risk Management, Technical Report CMU/SEI-96-TR-012, ESC-TR-96-012, June 1996
Why is it often forgotten?
Optimistic enthusiasm at the start of projects
Software process can lead to over-commitment & binding requirements much too early on
Premature coding
The add-on syndrome
Warning signals are missed
Legal implications
Poor software risk management by project managers
Software risk management
Objectives
To identify, address & eliminate risk items before they become either threats to successful software operation or major sources of software rework
Necessary that some form of measurement is undertaken to determine & classify the range of risks a software development project faces, & to identify areas where a significant exposure exists
The discipline attempts to provide a set of principles & practices to achieve the above
A response to change & uncertainty
The need to manage risk
[Figure: labelled elements - risk; methods, tools & processes; expert knowledge, judgement & experience; individual knowledge, judgement & experience; system complexity]
Reproduced from [Higuera 1996]
The questions
What can go wrong?
What is the likelihood it will go wrong?
What are the consequences?
What can be done?
What options are available?
Software risk management steps & techniques [Boehm 1991]
Risk management
  Risk assessment
    Risk identification: checklists; decision-driver analysis; assumption analysis; decomposition
    Risk analysis: performance models; cost models; network analysis; decision analysis; quality-factor analysis
    Risk prioritisation: risk exposure; risk leverage; compound-risk reduction
  Risk control
    Risk-management planning: buying information; risk avoidance; risk transfer; risk reduction; risk-element planning; risk-plan integration
    Risk resolution: prototypes; simulations; benchmarks; analyses; staffing
    Risk monitoring: milestone tracking; top 10 tracking; risk reassessment; corrective action
Risk assessment
Risk identification - listing project-specific risk items that are likely to compromise a project's success
Risk analysis - assessing the loss probability & loss magnitude for each identified risk item, & assessing compound risks
Risk prioritisation - ordering & ranking the risk items identified & analysed
Risk control
Risk-management planning - doing the groundwork so as to be in a position to address each risk item
Risk resolution - producing a situation in which risk items are eliminated or resolved
Risk monitoring - tracking the project's progress towards resolving risk items & taking corrective action where required
E.g. top 10 risks in software project mgmt [Boehm 1991]
Personnel shortfalls
Unrealistic schedules & budgets
Developing the wrong functions & properties
Developing the wrong user interface
Gold-plating
Continuing stream of requirements changes
Shortfalls in externally furnished components
Shortfalls in externally performed tasks
Real-time performance shortfalls
Straining computer-science capabilities
Determine a risk-management technique to deal with each of these
E.g. project sizing matrix [Used @ DERA]
[Figure: project sizing matrix]
Always a question of balance - full risk analysis may not improve risk probability estimation significantly!
E.g. prioritisation scheme
Risk-exposure quantity is an effective technique for risk prioritisation
Assess risk probabilities & losses on a scale 0-10
Multiply probability by loss to determine exposure

Unsatisfactory outcome        | Probability of unsatisfactory outcome | Loss caused by unsatisfactory outcome | Risk exposure
Software error loses key data | 3-5                                   | [not recovered]                       | 24-40
Processor memory insufficient | [not recovered]                       | [not recovered]                       | [not recovered]

Relies on accurate estimates of the probability & loss associated with an unsatisfactory outcome
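The exposure calculation above, worked through as an added example (not part of the original slides, and not Boehm's or DERA's code). Probability and loss are scored 0-10 and multiplied, but because the scheme relies on accurate estimates, each score is entered as a low-high range, the exposure comes out as a range, and items are ranked on their worst case. Only the first item's probability range 3-5 echoes the slide's table; its loss range and every other item and score are constructed sample data, and the names `RiskItem`, `exposure_range`, `exposure_spread`, `prioritise` and `format_table` are this example's own.

```python
"""Risk-exposure prioritisation (added example, not from the original slides).

Probability and loss are each scored on a 0-10 scale and exposure is their
product. Each score is given as a (low, high) range so the exposure is also a
range; items are ranked on worst-case exposure. All items and scores are
constructed sample data (the first probability range mirrors the slide).
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 0, 10


@dataclass(frozen=True)
class RiskItem:
    outcome: str
    probability: tuple[int, int]   # (low, high) estimate on the 0-10 scale
    loss: tuple[int, int]          # (low, high) estimate on the 0-10 scale

    def __post_init__(self):
        # Reject scores outside the scale or ranges given backwards.
        for name, (lo, hi) in (("probability", self.probability), ("loss", self.loss)):
            if not (SCALE_MIN <= lo <= hi <= SCALE_MAX):
                raise ValueError(f"{name} range {lo}-{hi} is not a valid 0-10 range")


def exposure_range(item: RiskItem) -> tuple[int, int]:
    """Best- and worst-case exposure. Both factors are non-negative, so the
    product's extremes sit at the endpoints of the two input ranges."""
    (p_lo, p_hi), (l_lo, l_hi) = item.probability, item.loss
    return p_lo * l_lo, p_hi * l_hi


def exposure_spread(item: RiskItem) -> int:
    """Worst minus best case: how far the item could move if the estimates are wrong."""
    lo, hi = exposure_range(item)
    return hi - lo


def prioritise(items):
    """Rank by worst-case exposure, then best-case, then name, for a stable order."""
    return sorted(items, key=lambda it: (-exposure_range(it)[1], -exposure_range(it)[0], it.outcome))


def format_table(items) -> str:
    """Text version of the slide's table, one line per item in priority order."""
    lines = [f"{'Unsatisfactory outcome':<42} {'Prob':>6} {'Loss':>6} {'Exposure':>9}"]
    for it in prioritise(items):
        prob, loss, exp_ = it.probability, it.loss, exposure_range(it)
        lines.append(f"{it.outcome:<42} {f'{prob[0]}-{prob[1]}':>6} "
                     f"{f'{loss[0]}-{loss[1]}':>6} {f'{exp_[0]}-{exp_[1]}':>9}")
    return "\n".join(lines)


# Constructed sample register (hypothetical project).
SAMPLE_ITEMS = [
    RiskItem("Software error loses key data", (3, 5), (7, 9)),
    RiskItem("Processor memory insufficient", (2, 4), (5, 6)),
    RiskItem("Key developer leaves mid-project", (4, 6), (6, 8)),
    RiskItem("Requirements change after design freeze", (6, 8), (3, 4)),
]

if __name__ == "__main__":
    print(format_table(SAMPLE_ITEMS))
    for it in prioritise(SAMPLE_ITEMS):
        print(f"{it.outcome}: spread {exposure_spread(it)}")
```

The spread column is the practical point: an item whose worst case ranks first but whose best case ranks last is one where buying information (a prototype, a benchmark) to narrow the estimate may be worth more than acting on the estimate as it stands.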
E.g. risk management plan
The Risk Management Plan (RMP) presents the process for implementing proactive risk management as part of overall project management
The RMP describes techniques for identifying, analysing, prioritising & tracking risks; developing risk-handling methods; & planning for adequate resources to handle each risk, should they occur
The RMP also assigns specific risk management responsibilities & describes the documenting, monitoring & reporting processes to be followed
E.g. PMP summarised as a risk register [Used @ DERA]
Ways of dealing with risks
Elimination: where exposure to risk is terminated
Retention: where the risk is made tolerable, perhaps after some modification
Avoidance: where the risk is negated in some way, possibly by redesign of work methods
Transfer: where the risk is passed to a third party, either contractually or via insurance
Need to balance acceptable risks
Implement & track
An on-going process of measuring the effect that implementation of a risk management programme has had & its ability to continue
Focus on the high-risk, high-leverage critical success factors
Rank a project's most significant risk items (prepare)
Establish a regular schedule for review of progress (meet)
Summarise progress on top risk items (discuss)
Focus on handling any problems in resolving the risk items (act)
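The prepare/meet/discuss/act loop as an added example (not from the original slides, and not a tool DERA or Boehm published): a small top-N tracker that re-ranks the register at each review meeting, reports each item's previous rank and weeks on the list, and flags items that climbed or have sat open for too many reviews. The register entries are constructed, with names borrowed from Boehm's top-10 list and invented scores; `RiskEntry`, `TopRiskTracker`, `run_demo` and the staleness threshold are this example's own choices, and the demo keeps 3 items rather than 10 so the output stays short.

```python
"""Top-N risk-item tracking across review meetings (added example, not from
the original slides). Exposure = probability x loss on the 0-10 scales; all
register contents are constructed sample data for a hypothetical project."""
from dataclasses import dataclass


@dataclass
class RiskEntry:
    risk: str
    probability: int      # 0-10 scale
    loss: int             # 0-10 scale
    status: str = "open"  # open | mitigating | closed

    @property
    def exposure(self) -> int:
        return self.probability * self.loss


class TopRiskTracker:
    """Keeps one ranking per review so rank movement can be reported."""

    def __init__(self, top_n: int = 10):
        self.top_n = top_n
        self.rankings: list[list[str]] = []   # names in rank order, one list per review
        self.weeks_on_list: dict[str, int] = {}

    def review(self, register):
        """Prepare + discuss: rank non-closed items by exposure, keep the top N,
        and return rows (rank, previous rank or None, weeks on list, risk, exposure, status)."""
        live = [e for e in register if e.status != "closed"]
        ranked = sorted(live, key=lambda e: (-e.exposure, e.risk))[: self.top_n]
        previous = ({name: i for i, name in enumerate(self.rankings[-1], start=1)}
                    if self.rankings else {})
        for e in ranked:
            self.weeks_on_list[e.risk] = self.weeks_on_list.get(e.risk, 0) + 1
        self.rankings.append([e.risk for e in ranked])
        return [(i, previous.get(e.risk), self.weeks_on_list[e.risk], e.risk, e.exposure, e.status)
                for i, e in enumerate(ranked, start=1)]

    @staticmethod
    def needs_action(rows, stale_after: int = 3):
        """Act: flag items that climbed the list or have stayed open for stale_after reviews."""
        flagged = []
        for rank, prev, weeks, risk, _exposure, status in rows:
            climbed = prev is not None and rank < prev
            stale = status == "open" and weeks >= stale_after
            if climbed or stale:
                flagged.append(risk)
        return flagged


def format_rows(rows) -> str:
    lines = [f"{'#':>2} {'prev':>4} {'wks':>3} {'exp':>4}  {'status':<10} risk"]
    for rank, prev, weeks, risk, exposure, status in rows:
        lines.append(f"{rank:>2} {('-' if prev is None else prev):>4} {weeks:>3} "
                     f"{exposure:>4}  {status:<10} {risk}")
    return "\n".join(lines)


def run_demo():
    # Constructed register: names echo Boehm's top-10 list, scores are invented.
    register = [
        RiskEntry("Personnel shortfalls", 6, 7),
        RiskEntry("Unrealistic schedule", 7, 8),
        RiskEntry("Wrong user interface", 4, 6),
        RiskEntry("Real-time performance shortfall", 3, 9),
        RiskEntry("External component late", 5, 5),
    ]
    tracker = TopRiskTracker(top_n=3)   # 3 rather than 10 so the sample fits
    week1 = tracker.review(register)

    # Reassessment before the second meeting: the schedule risk has been
    # mitigated (probability down, status changed); the supplier looks worse.
    register[1].probability, register[1].status = 3, "mitigating"
    register[4].probability = 8
    week2 = tracker.review(register)
    return week1, week2, tracker.needs_action(week2, stale_after=2)


if __name__ == "__main__":
    w1, w2, flagged = run_demo()
    print("Review 1\n" + format_rows(w1))
    print("\nReview 2\n" + format_rows(w2))
    print("\nNeeds action:", ", ".join(flagged))
```

In the second review the schedule risk drops off the list because its probability was driven down, the supplier risk enters it, and two items are flagged for action: one because it climbed a place, the other because it has been open for two consecutive reviews without movement.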
Putting risk management into practice
Insert risk management principles & practices into your software development process, so they are risk-oriented & risk-driven - do this gradually & incrementally
Start with a top 10 risk-item tracking process - lightweight, cheap & good returns!
Develop a WWWWWHHM RMP template to populate
Not a prescription - relies on good human judgement!
A focus on CSFs can help you win work!
The BIGGEST risk?
Not knowing what the risks are!
Key points
The enemy of the software manager is risk
Software projects must manage risks to minimise their consequences
Time spent identifying, analysing & managing risk pays off!
You can use the 6-stage conceptual framework with its associated techniques as a solid starting point
If nothing else, be risk aware
Core references
B. W. Boehm, "Software Risk Management: Principles and Practices," IEEE Software, Vol. 8, No. 1, January 1991, pp. 32-41
Roger Pressman, Software Engineering: A Practitioner's Approach, McGraw-Hill, 5th edition, ISBN: 0-07-709677-0 (Chapter 6) - contains pointers to lots more refs
Ian Sommerville, Software Engineering, Addison-Wesley, 6th Edition, ISBN: 0-201-39815-X (Chapter 4.4)
You are strongly advised to read one of these!
Supplementary references
P. G. Neumann, Computer Related Risks, ACM Press, 1995
J. Adams, Risk, UCL Press, 1995
B. W. Boehm, Software Risk Management, CS Press, 1989
Tom Gilb, Principles of Software Engineering Management, Addison-Wesley, 1998, ISBN: 0-201-19246-2 (Chapter 6)
IEEE Software - Special issues on Risk - May 1994 & May/June 1997
LOTS of general risk info on the web!