CHAPTER FIVE

1
Planning for software project risk
 Risk is uncertainty that can have a negative or positive
effect on meeting project objectives.

 Negative risk is “the possibility of loss or injury.”

 Negative risk involves understanding potential problems

that might occur in the project and how they might
impede project success.

 Negative risk management is like a form of insurance.

2
PLANNING FOR SOFTWARE (CONT…)
 Positive risk are risks that result in good things
happening; sometimes called opportunities.
Risk factors
 Lack of top management commitment to the project
 Failure to gain user commitment
 Misunderstanding the requirement
 Lack of adequate user involvement

3
PLANNING FOR SOFTWARE (CONT…)

 Failure to manage end user expectation

 Changing scope and objectives
 Lack of required knowledge/skill in the project
personnel
 New technology
 Insufficient / inappropriate staffing
 Conflict between user departments

4
TYPES OF RISK
Pure risks: These risks have no upside, only a downside.
Pure risks include things like loss of life or limb, fire,
flood, and other bad stuff that
nobody likes.
Business risks: These risks are the calculated risks you are
concerned with in project management. A perfect
example of a business risk is using a worker with less
experience in order to save money on the project’s
budget.

5
TYPES OF RISK(CONT…)
 The risk is that the worker will screw up and your project
will be doomed. The reward is that the worker will cost
less than the more experienced worker and save the
project some cash. An additional reward is that by
challenging this employee you will encourage his or her
growth and buy in on the project. This worker is more
likely to be of greater value to you in future projects.

6
RISK MANAGEMENT
 Risk Management: is a systematic process of
identifying, analyzing and responding to project risk.
 Is concerned with identifying risks and drawing up plans
to minimize their effect on a project.
The goal of project risk management is to minimize
potential negative risks while maximizing potential
positive risks.
A person’s willingness to accept risks is called his or her
utility function.

7
1. RISK PLANNING

 Risk planning is a plan that documents the procedures

for managing risk throughout a project.
 Deciding how to approach and plan the risk management
activities for the project.
 Planning is critical to establish the importance of risk
management, allocating proper resources and time to risk
management and establish the basis for evaluating risk.

8
RISK PLANNING(CONT…)
 Stakeholders must committed to process of identifying,
analyzing and responding to threats and opportunities.
 In addition to commitment, risk planning also focuses on
preparation.
 It is important that resources, processes, and tools be in
place to adequately plan the activities for project risk
management.
 Systematic preparation and planning can help minimize
adverse effects on the project while taking advantage of
9
opportunities as they arise
2. RISK IDENTIFICATION
 Risk Identification is the process of understanding what
potential events might hurt(harm) or enhance a particular
project.
 A risk is any event that could prevent the project from
progressing as planned, or from successful completion.
 Risks can be identified from a number of different
sources.
 Others will be identified during the project lifecycle,
and a risk can be identified by anyone associated with
the project.
10
 Some risk will be inherent to the project itself, while
others will be the result of external influences that are
completely outside the control of the project team.
 Risk identification consists of determining which risks
are likely to affect the project and documenting the
characteristics of each.

11
RISK IDENTIFICATION TOOLS AND TECHNIQUES

 Brainstorming is a technique by which a group attempts

to generate ideas or find a solution for a specific problem
by amassing ideas spontaneously and without judgment.
An experienced facilitator should run the brainstorming
session.
Be careful not to overuse or misuse brainstorming.
 Delphi technique is a technique that allows stakeholders
to anonymously offer their input into identifying risks.
They can send their suggestions via e-mail to one person
who will then consolidate the information into one
document without naming the source of
12
the information.
RISK IDENTIFICATION TOOLS AND TECHNIQUES

 Interviewing is a fact-finding technique for collecting

information in face-to-face, phone, e-mail, or instant-
messaging discussions.
Interviewing people with similar project experience is an
important tool for identifying potential risks.
 SWOT analysis (strengths, weaknesses, opportunities,

and threats) can also be used during risk identification.

Helps identify the broad negative and positive risks that
apply to a project.
13
RISK REGISTER
 A risk register: is A document that contains the
results of various risk management processes and that
is often displayed in a table or spreadsheet format.
 A tool for documenting potential risk events and
related information.
Risk Register Contents
 An identification number for each risk event.
 A rank for each risk event.
 The name of each risk event.
 A description of each risk event. 14
RISK REGISTER CONTENTS…

The category under which each risk event falls.

 The root cause of each risk
Triggers for each risk; triggers are indicators or
symptoms of actual risk events.
Potential responses to each risk.
The risk owner or person who will own or take
responsibility for each risk.
 The probability and impact of each risk occurring.
The status of each risk. 15
3. QUALITATIVE RISK ANALYSIS
Assess the likelihood and impact of identified risks to
determine their magnitude and priority.
Example

Sample Qualitative Risk

Impact Matrix

Risk Probability Impact Risk

Risk Score
Server crashes Low Medium Low

Lack of developers High Medium High

Firmware changes Low Medium Low 16

4. QUANTITATIVE RISK ANALYSIS
 Numerically estimating the effects of risk on project
management.
Example

Sample Qualitative Risk

Impact Matrix
Risk Probability Impact Risk
Risk Score
Server crashes .1 $5000 $500

Lack of developers .9 $80000 $72000

Firmware changes .2 10day 2days

17
5. RISK RESPONSE
 After identifying and quantifying risks, you must decide
how to respond to them.
 Risk response is steps taken to enhance an opportunities
and reducing threats to meeting project objectives.
 The risk response plan is a document that details the
identified risks within a project, their impact, and their
associated costs, and then identifies how the project team
will respond to the risks.

18
 Four main response strategies for negative risks:

 Risk avoidance -Often the most desirable risk response is to

just avoid the risk. This means getting creative in the project
scheduling, assigning senior developers to key activities, or
creating other workarounds so that the risk doesn’t come in to
play. You’ve done risk avoidance if you’ve done any of the
following:
 Changed a project plan to avoid risk interruption
 Hired experts to consult the project team during the
development Process
 Spent additional time with the project stakeholders to clarify
all project objectives and requirements

19
Four main response strategies for negative risks

 Risk transference -Shift the impact of a risk to a third party

(like a subcontractor). It does not eliminate it, it simply shifts
responsibility.
You’ve used transference if you’ve ever done any of the
following:
 Purchased insurance, such as errors and omissions insurance
 Hired experts to complete a portion of the project work
 Demanded warranties from vendors
 Brought in consultants to test units and builds of your
software

20
Four main response strategies for negative risks

 Risk mitigation -Take steps to reduce the probability and/or

impact of a risk.
You’ve used mitigation if you’ve ever done the following:
 Added extra testing, verification, or customer approval
activities to ensure that the software conforms to
requirements
 Reduced the number of processes, activities, or interactions
within a smaller project to streamline and focus project
management activities on accomplishing specific project
tasks

21
 Cont…

 Risk acceptance– Simply accept that this is a risk.

22
 FOUR MAIN RESPONSE STRATEGIES FOR
POSITIVE RISKS

 Exploit: This strategy seeks to eliminate the

uncertainty with an opportunity by changing a project
objective to ensure it happens.
 Share: Allocating ownership of the positive risk event
to a third party who is best able to capture the
opportunity for the project.
 Enhance: Increasing the probability and/or positive
impact of an opportunity
 Acceptance: Simply accept that this is a risk

23
RESIDUAL AND SECONDARY RISKS
 It’s also important to identify residual and secondary
risks.
 Residual risks are risks that remain after all of the
response strategies have been implemented.
 Secondary risks are a direct result of implementing a
risk response.

24
6. RISK MONITORING AND CONTROL
 Involves executing the risk management process to
respond to risk events.
 Workarounds are unplanned responses to risk events
that must be done when there are no contingency plans.

25