Escolar Documentos
Profissional Documentos
Cultura Documentos
May 4, 2015
SE 477: Lecture 6
1 of 115
Administrivia
Comments and feedback
Reminders
May 4, 2015
Journal
Team Project
Are you on schedule? You do have a plan, schedule and deliverables?!
Charter should be finished
Scope should be finished
Preliminary description of product finished
WBS fleshed out
MS Project file started
Re-read the assignment: Review the Charter for deliverables:
especially user survey, documentation and training; make sure you
have an activity for each
Are people attending meetings and doing work? On schedule and good
quality? If not complain to the group.
See my paper How to lose in SE 477
SE 477: Lecture 6
2 of 115
Assignment 3
Due tonight
The students need to provide at a minimum the start and completion
date, duration, and effort (in staff-hours).
There should also be a summary for management. This might include a
breakdown of estimates by phase and/or resource (personnel). Give
enough information that an executive would not need to look at the
Project file to get a good idea of the project.
Important points to note:
Holidays need to be accounted for.
Phases need to start on a new day.
Activities are all sequential (Finish to start)
May 4, 2015
SE 477: Lecture 6
3 of 115
Assignment 4
Assignment 4 due May 18, 2015
Develop a risk management plan for the software
development infra-structure of a project (Identify risks;
estimate risk probability and impact; identify potential for risk
mitigation; identify potential risk responses)
Build a Risk Register
Policies to implement
Risk audit (what to look for and what to check)
Use the risk register template for this.
You should add a summary assessment on the current state
of the project vs. the ideal state and make
recommendations.
May 4, 2015
SE 477: Lecture 6
4 of 115
SE 477 Class 6
Topic: Project Risk Management
Risk Management:
Planning
Risk identification, Quantification and prioritization
Risk analysis
Response planning
Contingency planning
Avoidance, Mitigation, Monitoring and control
Risk response planning outputs
The risk register
Reading:
May 4, 2015
SE 477: Lecture 6
5 of 115
May 4, 2015
SE 477: Lecture 6
6 of 115
May 4, 2015
SE 477: Lecture 6
7 of 115
Last Time
Project Time Management
Size and complexity Estimation
Activity Resource Estimating
Activity Duration Estimating
Project Planning Schedule Development
Scheduling
Schedule network analysis
Calculating float
Schedule compression
Resource leveling
Schedule development output
Mythical Man Month
Project Planning Schedule Development Workflow and Example
Appendix
PERT Estimation; Critical Path Method (CPM)
May 4, 2015
SE 477: Lecture 6
8 of 115
May 4, 2015
SE 477: Lecture 6
9 of 115
Risk Management
Whatevercanpossiblygowrongwill.
Murphys Law
Eventsthatareextremelyimprobabletendtooccuratthemost
inopportunetime.[Or,Theprobabilityofaneventisinversely
proportionaltoitsdesirability.]
Gumpersons Law
May 4, 2015
SE 477: Lecture 6
10 of 115
Black Swans
Risk management: There are no black swans
The March 2011 earthquake and tsunami and crisis with the
nuclear plant.
May 4, 2015
SE 477: Lecture 6
11 of 115
ACA HealthCare.gov
ACA signed into law on March 23, 2010
HealthCare.gov is a healthcare exchange website.
May 4, 2015
SE 477: Lecture 6
12 of 115
Navigation: broken UI
Stability: intermittent crashes, availability 43%
Functionality: incorrect and incomplete data
Error rate (per page) 6%
Scalability: < 1,100 concurrent users
Enrollment completion rate < 30%
May 4, 2015
SE 477: Lecture 6
13 of 115
May 4, 2015
SE 477: Lecture 6
14 of 115
May 4, 2015
SE 477: Lecture 6
15 of 115
Write-down-all-the-requirements-then-build-to-those-requirements
Did not adopt an agile development approach.
Committed to an all-or-nothing launch date.
May 4, 2015
SE 477: Lecture 6
16 of 115
Computer related:
Lose file;
Lose flash drive;
Lose hard drive; damaged
Lose computer; damaged, lost or stolen
Crash computer; corrupted files
No network? Cannot access D2L
Attendance and time management
Miss class or late
Late home work submission
Miss home work submission
May 4, 2015
SE 477: Lecture 6
17 of 115
SE 477: Lecture 6
18 of 115
Denitions
Risk is the probability of incurring some net loss while pursuing a goal
Pursuing a positive risk (usually called an opportunity), such as a
nancial investment, may result in either a net gain or loss
A reducible risk is one which is predictable or within our control: we can
reduce the likelihood of loss by taking steps to mitigate or avoid the risk
Irreducible risks are more difcult to deal with; these may be:
Unpredictable. We know the risks can occur but have no basis upon
which to estimate their probability of occurrence
Example: Loss of a key project resource
Beyond our control. These risks may be unprecedented or
exceptionally unpredictable
Example: Terrorist acts or natural events
Note: These types of risks are handled through business
continuity practices
May 4, 2015
SE 477: Lecture 6
19 of 115
Definitions
Risk management is a systematic approach to reducing the
harm due to risks, making a project less vulnerable to
challenge or failure (e.g., cost or schedule overruns, scope
decrease, quality reduction) and its resulting product more
robust
May 4, 2015
SE 477: Lecture 6
20 of 115
Risk definition
According to the PMBOK Guide:
Project risk is an uncertain event or condition that, if it occurs, has a
positive or negative impact on at least one project objective, such as
time, cost, scope, or quality
A risk may have one or more causes and, if it occurs, one or more
impacts
Not all risks are bad: Risks can present opportunities as well as threats
to a project
Risk originates in the uncertainty associated with any project
remember, projects are unique
Project Risks
What can go wrong?
What is the likelihood?
What will the damage be?
What can we do about it?
May 4, 2015
SE 477: Lecture 6
21 of 115
Risk
Assessment
Risk
Prioritization
Risk
Management
Risk
Management Planning
Risk Control
Risk
Resolution
Risk
Monitoring
Boehm, 1991
May 4, 2015
SE 477: Lecture 6
22 of 115
May 4, 2015
SE 477: Lecture 6
23 of 115
SE 477: Lecture 6
24 of 115
Risk Identification
Qualitative Risk
Analysis
Quantitative Risk
Analysis
Risk Control
Risk Monitoring
Risk Response
Planning
May 4, 2015
SE 477: Lecture 6
25 of 115
May 4, 2015
SE 477: Lecture 6
26 of 115
Introduction
Risk Management Planning addresses how to approach,
plan, and execute all of the project risk management
activities
May 4, 2015
SE 477: Lecture 6
27 of 115
May 4, 2015
SE 477: Lecture 6
28 of 115
Most critical environmental factors are the risk tolerance levels of the
organization and the stakeholders
Risk tolerance expresses an inherent trade-off decision between
benefits and cost
Stakeholders will take a risk if the benefits to be gained outweigh
what could be lost
Conversely, stakeholder will avoid taking a risk because the cost
or impact is too great for the amount of benefit that can be
derived
May 4, 2015
SE 477: Lecture 6
29 of 115
Organization may already have policies and guidelines that define its
risk tolerance
May 4, 2015
SE 477: Lecture 6
30 of 115
May 4, 2015
SE 477: Lecture 6
31 of 115
Planning meetings are the main tool for risk management planning
Attendees should include the project manager, members of the
project management team, and stakeholders who can contribute
risk-related information
Meetings will involve analysis of risk for the project, risk tolerance of
the organization, and calibrating risk to the project and organization
The risk management plan is the only output from the risk
management planning process
Risk management plan is detailed on following slides
May 4, 2015
SE 477: Lecture 6
32 of 115
May 4, 2015
SE 477: Lecture 6
33 of 115
May 4, 2015
SE 477: Lecture 6
34 of 115
Risk categories
Risk categories are identified during risk management
planning
Risk categories systematically classify risks and provide a
context for understanding those risks
Used in successor process, Risk Identification
Starting point list of risk categories:
Technical, quality, or performance risks
Project management risks
Organizational risks
External risks
May 4, 2015
SE 477: Lecture 6
35 of 115
Risk categories
Technical/quality/performance risks
Unproven or complex technology
Changes to technology anticipated during the course of
the project
Unrealistic quality goals
Unrealistic performance goals
Project management risks
Improper schedule and resource planning
Poor project planning
Improper or poor project management disciplines or
methodologies
May 4, 2015
SE 477: Lecture 6
36 of 115
Risk categories
Organizational risks
May 4, 2015
SE 477: Lecture 6
37 of 115
Risk categories
External risks
May 4, 2015
SE 477: Lecture 6
38 of 115
Project
Technical
Project
Management
Organizational
External
Unproven
Technology
Schedule
Planning
Project
Schedules
Laws &
Regulations
Technology
Changes
Resource
Planning
Unrealistic
Objectives
Weather
Complex
Technology
Project
Disciplines
Lack of Funding
Labor Issues
Quality
Cost Estimates
Management
Catastrophic Risk
Performance
Budgets
May 4, 2015
SE 477: Lecture 6
39 of 115
May 4, 2015
SE 477: Lecture 6
40 of 115
changes
Project plan
Project management
processes
Technical issues
Personnel issues
May 4, 2015
Hardware
Contracts
Political concerns
Business risk
Legal risk
Environmental risk
SE 477: Lecture 6
41 of 115
SE 477: Lecture 6
42 of 115
May 4, 2015
SE 477: Lecture 6
43 of 115
SE 477: Lecture 6
44 of 115
May 4, 2015
SE 477: Lecture 6
45 of 115
* Managing Risk: Methods for Software Systems Development. Elaine M. Hall, Addison-Wesley, 1998
May 4, 2015
SE 477: Lecture 6
46 of 115
May 4, 2015
SE 477: Lecture 6
47 of 115
May 4, 2015
SE 477: Lecture 6
48 of 115
May 4, 2015
SE 477: Lecture 6
49 of 115
May 4, 2015
SE 477: Lecture 6
50 of 115
Fishbone Diagram
Moderator
Ensure Key
Particpants
are Present
Planning
Familiar with
Process
Select
Trained
Moderator
Moderator
Determine
Particpants
Checklist
Follow-up &
Completion
Determine
Number of Sessions
Ensure Procedures
are Followed
Determine if
Overtime is
Needed
Schedule Meetings
Effective
Inspection
Inspection
Package
List of Major
Items for Discussion
at Inspection
Inspectors
Review
Resolve
All Major
Defects
Determine
Defect
Origin
Minor Error
Log
Defect
Recording
Ensure
Coverage
Preparation
May 4, 2015
Inspection Meeting
SE 477: Lecture 6
51 of 115
Cause-and-effect diagram
May 4, 2015
SE 477: Lecture 6
52 of 115
System or process
flowcharts
Risk owner
notifies PM of
event or risk
trigger
Preparation
symbol
Risk response
plan
executed?
N
Response plan
reviewed for
effectiveness
Process
symbol
Y
High risk
score?
Assign resources/
implement response
plan
Monitor response
plan execution
May 4, 2015
SE 477: Lecture 6
Termination
symbol
Document
results
53 of 115
Influence diagrams
Primarily used to show the
causal influences among
project variables
May also show the
sequencing of events
Used to visually depict
risks (or decisions),
uncertainties or impacts,
and how they influence
each other
Recall our triple
Constraint diagram from
Lecture 1
May 4, 2015
Scope
Quality
Cost
SE 477: Lecture 6
Time
54 of 115
May 4, 2015
SE 477: Lecture 6
55 of 115
or modified.
Business impact risks associated with constraints imposed by
management or the marketplace.
Customer characteristics risks associated with the sophistication of the
customer and the developer's ability to communicate with the customer in a
timely manner.
Process definition risks associated with the degree to which the software
process has been defined and is followed by the development organization.
Development environment risks associated with the availability and quality
of the tools to be used to build the product.
Technology to be built risks associated with the complexity of the system
to be built and the "newness" of the technology that is packaged by the
system.
Staff size and experience risks associated with the overall technical and
project experience of the software engineers who will do the work.
May 4, 2015
SE 477: Lecture 6
56 of 115
May 4, 2015
SE 477: Lecture 6
57 of 115
May 4, 2015
SE 477: Lecture 6
58 of 115
May 4, 2015
SE 477: Lecture 6
59 of 115
Process Risks
An ill defined software process and/or an ad hoc approach to analysis,
design, and testing can introduce risk.
The following are sample questions that should be asked to identify
process risk:
Do you have a consistent repeatable process that is actually used?
Do you train all developers in the process?
Are formal technical reviews part of this process?
Do you have a mechanism for managing change? (i.e. formal RFC
system + configuration management).
Do you have specific methods that you use for each phase of the
process?
Is the process supported by tools?
Do you manage the process through use of metrics?
Risks should be investigated if the answer to any of these questions is
NO.
May 4, 2015
SE 477: Lecture 6
60 of 115
Technology Risks
Pushing the limits of technology is challenging & exciting, yet very risky.
Questions to identify risk include:
Is the technology to be built new to your organization?
Do the requirements require the creation of new algorithms?
Does the software interface with new or unproven hardware or
unproven vendor products?
Do the requirements require the creation of components that are
unlike anything your organization has previously built?
Do requirements demand the use of new analysis, design, or testing
methods?
Do requirements put excessive performance constraints on the
product?
Risks should be investigated if the answer to any of these questions is
YES.
May 4, 2015
SE 477: Lecture 6
61 of 115
Development Risks
The software engineering environment supports the project
SE 477: Lecture 6
62 of 115
May 4, 2015
SE 477: Lecture 6
63 of 115
SE 477: Lecture 6
64 of 115
May 4, 2015
SE 477: Lecture 6
65 of 115
May 4, 2015
SE 477: Lecture 6
66 of 115
May 4, 2015
SE 477: Lecture 6
67 of 115
track
RISK
identify
plan
analyze
May 4, 2015
SE 477: Lecture 6
68 of 115
SE 477: Lecture 6
69 of 115
SE 477: Lecture 6
70 of 115
Risk Management
Risk assessment
Objectives
Analyze risk in a cost-efficient manner
Determine source of risk
Determine risk exposure
Determine time frame for action
Determine highest-severity risks
May 4, 2015
SE 477: Lecture 6
71 of 115
May 4, 2015
SE 477: Lecture 6
72 of 115
Risk Management
Reactive Risk Management
project team reacts to risks
when they occur
mitigation plan for additional
resources in anticipation of
fire fighting
fix on failure resources are
found and applied when the
risk strikes
crisis management failure
does not respond to applied
resources and project is in
jeopardy
May 4, 2015
SE 477: Lecture 6
73 of 115
May 4, 2015
SE 477: Lecture 6
74 of 115
May 4, 2015
SE 477: Lecture 6
75 of 115
Risk register
May 4, 2015
SE 477: Lecture 6
76 of 115
Risk Projection
Risk projection, also called risk
estimation, attempts to rate each risk
in two ways
May 4, 2015
SE 477: Lecture 6
77 of 115
Risk Analysis
Determine impact of each risk
Risk Exposure (RE)
May 4, 2015
SE 477: Lecture 6
78 of 115
Risk Analysis
Estimating size of loss (impact)
Loss is easier to see than probability
You can break this down into chunks (like WBS)
Estimating probability of loss
Use team member estimates and have a risk-estimate review
Use Delphi or group-consensus techniques
Use gambling analogy how much would you bet
Use adjective calibration: highly likely, probably, improbable,
unlikely, highly unlikely
Risk Prioritization
Remember the 80-20 rule
Often want larger-loss risks higher Or higher probability items
Possibly group related risks
Helps identify which risks to ignore Those at the bottom
May 4, 2015
SE 477: Lecture 6
79 of 115
May 4, 2015
SE 477: Lecture 6
80 of 115
May 4, 2015
SE 477: Lecture 6
81 of 115
May 4, 2015
SE 477: Lecture 6
82 of 115
Probability
Probability is the likelihood that an event will occur
Risk probability is the probability that the risk event will occur sometime
during the life of the project and is most often determined through expert
judgment
Ways to improve the utility of risk probabilities
Develop consistent decision criteria for determining probabilities
Involve as many experts as you can
May 4, 2015
SE 477: Lecture 6
83 of 115
May 4, 2015
SE 477: Lecture 6
84 of 115
May 4, 2015
SE 477: Lecture 6
85 of 115
Impact
Impact is the amount of pain or gain the risk event poses to
the various project objectives: cost, time, scope, and quality
Like probability, risk impact may be characterized on a
subjective scale (low, medium, high)
Like probability, a cardinal (numeric) scale of impact is
needed for the probability and impact matrix
Employ consistent decision criteria when using a subjective
scale
Establish a consistent means of determining what moves
a borderline impact into one impact category or another
Following slide shows the (negative) impact scale from the
PMBOK Guide, Third Edition
May 4, 2015
SE 477: Lecture 6
86 of 115
Quantifying impact
May 4, 2015
SE 477: Lecture 6
87 of 115
Risk Prioritization
How to prioritize risks?
One way to prioritize risks is to estimate the probability of its
occurrence and its consequences (loss) when it does occur.
The expected value of the loss for the risk can be used for
prioritization. This expected value is called risk exposure. If
Pr is the probability of a risk R occurring and Lr is the total
loss incurred if the risk materializes, then risk exposure RE,
for the risk is given by the following equation:
REr = Pr X Lr
May 4, 2015
SE 477: Lecture 6
88 of 115
May 4, 2015
SE 477: Lecture 6
89 of 115
May 4, 2015
SE 477: Lecture 6
90 of 115
May 4, 2015
SE 477: Lecture 6
91 of 115
SE 477: Lecture 6
92 of 115
May 4, 2015
SE 477: Lecture 6
93 of 115
SE 477: Lecture 6
94 of 115
May 4, 2015
SE 477: Lecture 6
95 of 115
May 4, 2015
SE 477: Lecture 6
96 of 115
May 4, 2015
SE 477: Lecture 6
97 of 115
May 4, 2015
SE 477: Lecture 6
98 of 115
May 4, 2015
SE 477: Lecture 6
99 of 115
May 4, 2015
SE 477: Lecture 6
100 of 115
May 4, 2015
SE 477: Lecture 6
101 of 115
May 4, 2015
SE 477: Lecture 6
102 of 115
May 4, 2015
SE 477: Lecture 6
103 of 115
May 4, 2015
SE 477: Lecture 6
104 of 115
May 4, 2015
SE 477: Lecture 6
105 of 115
May 4, 2015
SE 477: Lecture 6
106 of 115
Identify and plan responses for secondary risks using tools such as
fallback plans
Example: O-O/RDB expert consultant becomes ill
May 4, 2015
SE 477: Lecture 6
107 of 115
May 4, 2015
SE 477: Lecture 6
108 of 115
May 4, 2015
SE 477: Lecture 6
109 of 115
Risk Monitoring
May 4, 2015
SE 477: Lecture 6
110 of 115
Basic principles
Risks must be managed. Risk must always be one of the principle
concerns of the project management team
Team meeting
May 4, 2015
SE 477: Lecture 6
111 of 115
Basic principles
In the project status report, list all risks for which the degree of risk has
changed
Reviewing risks in weekly team meetings keeps the team and risk
owners aware and sensitized to risks
Including risks in the project status report prepares management for the
time(s) when risks happen
May 4, 2015
SE 477: Lecture 6
112 of 115
Seven Principles
Maintain a global perspective view software risks within the context
of system and the business problem
Take a forward-looking view think about the risks that may arise in
the future; establish contingency plans
May 4, 2015
SE 477: Lecture 6
113 of 115
Next Class
Topic:
Project Processes:
Execution;
Project closeout.
Reading:
May 4, 2015
SE 477: Lecture 6
114 of 115
Journal Exercises
What was the Challenger Disaster? See:
http://en.wikipedia.org/wiki/Space_Shuttle_Challenger_disaster
Read especially the commentary by Richard Feynman
[http://history.nasa.gov/rogersrep/v2appf.htm] and Roger Boisjoly
What effect would a better risk management program have had?
Discuss SERIM. [No, it is not an Italian vending machine company with
a good cup of coffee.] What is it good for? How does it work?
See separate power point slides SERIM.ppt
http://condor.depaul.edu/dmumaugh/se477/lectures/SERIM.ppt
May 4, 2015
SE 477: Lecture 6
115 of 115