Risk Management

Risk Management
Risk: An unwanted event that may happen during the software
development.

Risk analysis and management are a series of steps that help a

software team to understand and manage uncertainty.
Many problems may affect a software project.
Risk is a potential problem. It may or may not happen.
It is good to identify it ,assess its probability of occurrence,
estimate its impact and establish a contingency plan to deal it.
Everyone involved in the software process-mangers ,software
engineers and customers participate in risk analysis and
management

Risk Management
Different steps in Risk Analysis and Management involves:
1. Risk identification
2. Risk analysis
Determine the likelihood that it will occur and damage that it will
do if does occur

3. Risks are ranked by probability and impact

4. A plan is developed to manage those risks with high

probability and high impact
So the work product of this phase is a RMMM plan.(Risk
Mitigation Monitoring and Management Plan)

Risk Management
Risk strategies

Reactive strategy
Proactive strategy

Risk Management
Reactive Strategy
Never worry about problems until they happened
At best, a reactive strategy monitors the project for likely
risks.
Resources are set aside to deal with them, when it become
actual problem
i.e. the software team does nothing about risks until
something goes wrong
When it happens ,the team flies into the action in an
attempt to correct the problem rapidly.
This is called fire fighting mode.
When this fails Crisis Management takes over and the
project is in a real jeopardy.
This strategy is not commonly used.

Risk Management

Proactive strategy

More intelligent strategy

This strategy begins long before technical work is initiated

Potential risks are identified ,their probability and impact
are assessed and they are ranked by importance.
Then the software team establishes a plan for managing
risk.
The primary objective is to avoid risks, but because not all
risks can be avoided ,the team works to develop a
contingency plan that will enable it to respond in a
controlled and effective manner.

Risk Management

Software risks
An unwanted event
It possess two characteristics
Uncertainty
Loss

Uncertainty
The risk may or may not happen
There are no 100% probable risks

Loss
If the risk become a reality ,unwanted consequences or
losses will occur.

Risk Management
Different categories of risks
Project Risks
Threaten the project plan
i.e. if the project risks become real ,it is likely that project
schedule will slip and that cost will increase.
Project risk identify the potential budgetary ,schedule
,personnel(staffing and organization),resource, customer
and requirements problem and their impact on a software
project.
Project complexity ,size and degree of structural
uncertainty were also defined as project and estimation risk
factor.

Risk Management
Technical risks

Threaten the quality and timeliness of the software to be

produced
If the technical risks become a reality ,implementation may
become difficult or impossible
Technical risks identify potential design, implementation,
interface, verification and maintenance problems

In addition specification ambiguity ,technical uncertainty

etc are also risk factors
Technical risks occur because the problem is harder to
solve than we thought it would be.

Risk Management
Business risks

Threaten the viability of the software to be built

Business risks often affect the project or the product.

Candidates for the top five business risks

Building an excellent product or system that no one really

wants (market risk)
Building a product that no longer fits into the overall
business strategy for the company (strategic risk)
Building a product that sales force doesnt understand how
to sell
Losing the support of senior mangement due to change in
focus or change in people (management risk)
Losing budgetory or personnel commitment (budget risks)

Risk Management
Another classification of risks:

Known risks
That can be uncovered after careful evaluation of the
project plan, the business and technical environment in
which the project is being developed or other reliable
information sources

Predictable risks
Are extrapolated from past project experience
(e.g. staff turn over, poor communication with the
customer, dilution of staff effort)
Unpredictable risks
They can and do occur
But they are extremely difficult to identify in advance

Risk Management

Risk identification
Risk identification is a systematic attempt to specify threats
to the project (estimates ,schedule, resource loading etc.)
By knowing the known and predictable risks, the project
manager takes a first step towards avoiding them when
possible and controlling them when necessary.
There are two distinct types of risks for each of the
categories of software risks:
Generic
Product-specific risks

Risk Management
Generic risks are a potential threat to every software project.
Product-specific risks can be identified by only by those with
a clear understanding of the technology,the people and the
environment that is specific to the project at hand.

This can be identified by examining the project plan and

software statement scope and finding the answer to the
question
what special characteristics of this product may threaten your
project plan

Risk Management

One method for identifying risks is to create a risk item

checklist.
The checklist can be used for risk identification and focuses on
some subset of known and predictable risks in the following
generic sub-categories:
Product size
Business impact
Customer characteristics
Process definition
Development environment
Technology to be built
Staff size and experience.

Risk Management
Product size
Risks associated with the overall size of the software to
be built or modified.
Business impact
Risks associated with constraints imposed by
management or the market place
Customer characteristics
Risks associated with the sophistication of the customer
and the developers ability to communicate with the
customer in a timely manner
Process definition
Risks associated with the degree to which the software
process has been defined and is followed by the
development organization

Risk Management
Development environment
Risks associated with the availability and uality of the
tools to be used to build the product.
Technology to be built
Risks associated with the complexity of the system to be
built and the newness of the technology that is packaged
by the system.
Staff size and experience.
Risks associated with the overall technical and project
experience of the software engineers who will do the
work

Risk Management
The risk item check list can be organized in different ways:
Questions relevant to each of the topics can be answered
for each software project.
These answers allow the planner to estimate the impact of
risk.
Or simply lists characteristics that are relevant to each
generic sub category
Finally a set of risk components and drivers are listed along
with their probability of occurrence.

Risk Management
Risk components and drivers
The following are the risk components.
Performance risk:
the degree of uncertainty that the product will meet
its requirements and be fit for its intended use
Cost risk
The degree of uncertainty that the project budget
will be maintained
Support risk
The degree of uncertainty that the resultant software
will be easy to correct ,adapt and enhance
Schedule risk
The degree of uncertainty that the project schedule
will be maintained and that the product will be
delivered on time.

Risk Management
The impact of each risk driver on the risk component is
divided into one of four impact categoriesnegligible,marginal,critical and catastropic.

Risk Management
Risk Projection
Risk projection also known as risk estimation attempts to
rate each risk in two ways
1. Likelihood or probability that risks is real and
2. consequences of the problems associated with the risk
when it occur.

Risk Management
The project planner ,along with other mangers and technical
staff ,performs four risk projection activities:
1. Establish a scale that reflects the perceived likelihood of a
risk.
2. Delineate the consequences of the risk
3. Estimate the impact of the risk on the project and the
product
4. Note the overall accuracy of the risk projection so that
there will be no misunderstandings.

Risk Management
Developing a Risk table
A risk table provides a project manger with a simple
techniue for risk projection
A simple risk table is illustrated in fig.

Risk Management
Assessing Risk Impact
Three factors affect the consequences that are likely if a
risk does occur: its nature ,its scope and its timing.
The nature of the risk indicates the problems that are likely
if it occurs
The scope of a risk combines the severity with its overall
distribution
i.e. how much of the project will be affected or how many
customers are harmed.

The timing of a risk considers when and for how long the
impact will be felt

Risk Management
The overall risk exposure ,RE is determined using the
following relationship:

RE=PC
Pprobability of occurrence
Ccost to the project should the risk occur

Risk Management

Risk Assessment
At this point of risk mangement,a set of triples is formed

[ , , ]

During risk assessment,we further examine ,the accuracy of

the estimates that were made during projection,attempt to
rank the risks that have been uncovered and try to control
these risks that are likely to occur.
For this risk referent level must be defined
The risk components performance ,cost ,schedule and
support also represent risk referent levels

Risk Management
i.e. there is a level for performance degradation ,cost
overrun,support difficulty or schedule slippage that will cause
the project to be terminated
If a combination of risks create problems that cause one or
more of these referent levels to be exceeded ,work will stop.

In the software risk analysis ,a risk referent level has a single

point,called reference point or break point,at which the
decision to proceed with the project or terminate it
Fig shows the situation

Risk Management
Project Termination

fig 2. Risk referent level

Risk Management
The steps during risk assessment are
Define the risk referent levels for the project
Attempt to develop a relationship between each [ , , ] and

each of the referent levels.

Predict the set of referent points that define a region of
termination ,bounded by a curve of areas of uncertainty
Try to predict how compound combination of risks will
affect a referent level.

28

Risk Management
Risk Mitigation,Monitoring and Management
The goal of the risk analysis activity is to assist the
project team in developing a strategy for dealing with a
risk.
An effective strategy must consider three issues
Risk avoidance
Risk monitoring
Risk management and contingency planning

29

Risk Management
If the software adopts a proactive approach to
risk,avoidance is always the best strategy .
This is achieved by developing a plan for risk mitigation
As the project proceeds ,risk monitoring activities
commence.
The project manager monitors factors that may provide an
indication of whether the risk is becoming more or less
likely.
Risk mangement and contingency planning assumes that
mitigation efforts have failed and that the risk has become
reality.

30

Risk Management
RMMM plan
A risk management strategy can be included in the
software project plan or the risk management steps can be
organized into a separate Risk Mitigation,Monitoring and
Management Plan.
The RMMM plan documents all work performed as a part
of risk analysis and is used by the project manager as part
of the overall project plan.
Some software team documents each risks individually
using a Risk Information Sheet(RIS)
31

Risk Management
In most cases RIS is maintained using a database system,so
that creation and information entry ,priority ordering
,searches and other analysis may be accomplished easily.

32

Risk Management
Once RMMM has been documented and project has
begun, risk mitigation and moitoring steps commence.
Risk mitigation is a problem avoidance activity.
Risk monitoring is a project tracking activity with three
primary objectives:
1. To assess whether predicted risks do occur
2. To ensure that risk aversion steps defined for the risk
are being properly applied.
3. To collect information that can be used for future risk
analysis

33

Risk Management
Problems that occur during a project can be traced to more
than one risk.
Another job of risk monitoring is to attempt to allocate
origin i.e. what risk caused which problem throughout the
project

34