
Software Risk Management: Risk Assessment and Control

This document discusses software risk management. It covers basic concepts such as risk exposure, and risk assessment, which includes identification, analysis and prioritization of risks. It also discusses risk control techniques such as risk planning, resolution and monitoring. Specific software risk items, such as personnel shortfalls and unrealistic schedules, are identified, and risk management techniques for these items are presented. The document outlines the entire risk management process, from assessment to resolution and monitoring of risks.

Uploaded by

Phong Ziggy
Copyright
© Attribution Non-Commercial (BY-NC)

Software Risk Management

• Risk assessment and control

• Jalote-2002, Kemerer-1997

Ali Arya, 2003 Software Project Management, Risk Management Slide 1

Risks
• “Anything worth doing has risks. The challenge is not to avoid them but to manage them.”
• Risk management is an attempt to minimize the chances of failure caused by unplanned events.
• Risks are events or conditions that may occur, and whose occurrence, if it does take place, has a harmful or negative effect.
  • Defects are not risks. They are almost certain.
  • Risks are probabilistic events.


Example
• Computer show
  • Power failure
  • UPS
  • Generator
  • Power company guaranty
• Risk management entails additional cost.
  • If the risky event does not happen, the cost is not wasted!
• People tend to ignore risks.



Basic Concepts
• Risk exposure (impact/factor)
  • RE = P(UO) × L(UO)
  • RE: risk exposure
  • UO: unsatisfactory outcome
  • P(UO): probability of UO
  • L(UO): loss due to UO
• UO is multidimensional, i.e. varies for customers, users, developers, and managers.


RE-based Decision Tree


• Consider different possibilities and calculate RE for each.
• Example: software critical error (CE)
  • P(UO) = 0.4
  • L(UO) = $20 M

• Two options:
  • Hire an independent verification and validation (IV&V) team ($500K)
  • Use development team

• For each:
  • Find CE (probability: 0.36 and 0.3)
  • Do not find CE (probability: 0.04 and 0.1)
  • No CE (probability: 0.6)
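
Added example (not part of the original slides): the decision tree above evaluated in Python, extended with the break-even price at which the IV&V team stops paying for itself. It assumes that a critical error which is found causes no loss, and that the first probability in each pair belongs to the IV&V option; all function and variable names are illustrative.

```python
# Values from the slide: L(UO) = $20M, IV&V team costs $500K.
LOSS_CE = 20_000_000
IVV_COST = 500_000

# Each option: up-front cost plus (branch, probability, loss) leaves.
# Assumption (not stated on the slide): a critical error that is found
# causes no loss; only an undetected one incurs L(UO).
OPTIONS = {
    "IV&V team": {
        "cost": IVV_COST,
        "branches": [("find CE", 0.36, 0), ("miss CE", 0.04, LOSS_CE),
                     ("no CE", 0.60, 0)],
    },
    "development team": {
        "cost": 0,
        "branches": [("find CE", 0.30, 0), ("miss CE", 0.10, LOSS_CE),
                     ("no CE", 0.60, 0)],
    },
}

def branch_exposure(option):
    """RE = sum of P(UO) * L(UO) over the leaves of one option."""
    total_p = sum(p for _, p, _ in option["branches"])
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError("branch probabilities must sum to 1")
    return sum(p * loss for _, p, loss in option["branches"])

def expected_cost(option):
    """Price of the option plus the risk exposure that remains."""
    return option["cost"] + branch_exposure(option)

def best_option(options):
    """Name of the option with the lowest expected cost."""
    return min(options, key=lambda name: expected_cost(options[name]))

def break_even_cost(paid, free):
    """Highest price at which the paid option still matches the free one."""
    return branch_exposure(free) - branch_exposure(paid)

if __name__ == "__main__":
    for name, opt in OPTIONS.items():
        print(f"{name}: expected cost = ${expected_cost(opt):,.0f}")
    print("choose:", best_option(OPTIONS))
    limit = break_even_cost(OPTIONS["IV&V team"], OPTIONS["development team"])
    print(f"IV&V is worth buying up to ${limit:,.0f}")
```
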


Risk Management
• Risk Assessment
  • Identification
  • Analysis
  • Prioritization
• Risk Control
  • Planning
  • Resolution
  • Monitoring
  • Correction (usually considered part of monitoring)



Risk Identification
• Use checklists, comparison, decomposition, …
• Top software risk items
  • Personnel shortfalls
  • Unrealistic schedules and budgets
  • Developing the wrong functions and properties
  • Developing the wrong user interface
  • Continuing stream of requirements changes
  • Shortfalls in externally furnished components
  • Shortfalls in externally performed tasks
  • Real-time performance shortfalls


Analysis and Prioritization


• Risk analysis finds the probabilities and losses associated with identified risks.
• The most effective prioritization technique is RE-based.
• Making accurate estimations is the main difficulty of RE-based prioritization.
• Buying information, prototyping, benchmarking and simulation can be used for analysis.


Risk-Management Planning
• Important risks (e.g. with top-10 priorities) have to be managed through well-defined plans.
  • Why, what, when, who, where, how, how much
• Important techniques
  • Buying information
  • Risk avoidance
  • Risk transfer
  • Risk reduction
• Plans have to be integrated into the main project plan.



Risk-Management Techniques
• Personnel shortfalls
  • Top talents, job matching, team building, training
• Unrealistic schedule and budget
  • Detailed estimation, incremental development, reuse
• Developing wrong functionality
  • Prototyping, analysis, user participation
• Requirements changes
  • High change threshold, information hiding, incremental development
• External jobs
  • Benchmarking, inspection, compatibility analysis, pre-award audit
• ...


Risk Mitigation
• A risk becomes a problem when “risk factors” cross a threshold, as defined in the plan.
• Action planning
  • Prevention
  • Immediate response
  • e.g. training
• Contingency planning
  • Correction
  • When needed
  • e.g. use of extra resources


Risk Resolution and Monitoring


• Implementing the risk management plans and monitoring the risks
• Top-10 risk item tracking
  • Ranking the project’s most significant risk items
  • Regular review schedule for higher management
  • Summary of top-10 items in project review meetings
  • Monitor the planned activities for risk management
  • Revise the list in review meetings



Invoking Contingency Plans
• Contingency plans are part of the management plan for a risk item.
• Invoked when a quantitative risk indicator crosses a predetermined threshold
• Must have a specific duration
  • If the problem is not solved, the project enters crisis mode
  • Crisis management must also be planned
  • Crisis may result in project redirection or cancellation


Crisis Management
• Publicize the problem
• Assign responsibilities
• Update status frequently
• Relax resource constraints
• Burnout mode
• Drop-dead date
• Recovery
  • Postmortem
  • Rewarding
  • Reevaluating cost and schedule


Use of COTS
• Commercial Off-The-Shelf products are being used increasingly.
• Buy-and-integrate risks
  • Integration
  • Upgrading
  • No source code
  • Vendor failure or buyout

