RISK MANAGEMENT IN SOFTWARE
All projects have some degree of risk
Risks are issues that can cause problems
Delay in schedule
Increased project costs
Technical risk example
1. We intend to use Web services, but no team
member has experience with them
2. The team may not have the required Java skills to
execute the job on time because several have not
used Java in a business environment
What is Risk Management?
The total process to identify, control, and
minimize the impact of uncertain events.
In IT, the focus is on availability, reliability,
maintainability & security
In SE, the focus is on quality & productivity
On time, on budget & works
Try to confront risks early in the process rather
than waiting for them to confront us when
building the application
1. at the start of a project,
2. at the beginning of major project phases (such as
requirements, design, coding and deployment),
3. when there are significant changes (for example,
feature changes, target platform changes and
Risk Analysis Methods
1. Identify potential sources of risk
Imagine all worst-case scenarios
2. Analyze each risk
Understand its potential impact on the project
3. Prioritize risks
Focus on the most serious
4. Mitigation strategies
Conquer it (investigate & take action)
Avoid it (change plans so the issue doesn’t occur)
5. Develop a plan to retire the risk
6. Review your risk management plan periodically
Progress on plan?
Change to the risk?
How are risks to the project’s success
Can be tricky
Requires imagination – looking at parts of the
process that at first glance do not seem risky
Have a brainstorming session, consider:
Weak areas, such as unknown technology.
Aspects that are critical to project success, such as
the timely delivery of a vendor's database
software, creation of translators or a user
interface that meets the customer's needs.
Problems that have plagued past projects, such as
loss of key staff, missed deadlines or error-prone
Need to describe in as much detail as possible
Vague: “Team member may get sick”
Better: “Sick time will exceed the company norm
by 50% due to high number of young parents on
Do you conquer the risk?
Take an action
Fire young parent employees?
Or avoid the risk?
Change a plan
Budget more time in the schedule?
Mitigating Risk by planning
The team should develop a plan to address each
Assign an individual to carry out the plan
Make plans concrete
Vague: “we will all learn Java”
Concrete: “Tom & Sue will pass level 2 Java Certification
by Dec. 4th by attending SuperJava Course”
Avoidance: “Use C++ instead of Java”
Create a table of identified risks and prioritize
What is the estimated likelihood that the risk will
L: 1-10 with 1 lowest likelihood
What is the estimated impact of the risk?
I: 1-10 with 1 lowest impact
What is the estimated cost of managing it?
M:1-10 with 1 lowest cost
Target completion date
Describe the risks fully
Priority depends on factors such as likelihood and
seriousness of impact on project
A high priority task has a low priority number
because people usually refer to their “highest
priority” as number 1
The more expensive it is to deal with a risk, the lower
If it’s a lot of work, may be better off not working on it in
Construct an expensive simulation? Or deal with it when it
Sometimes have to just accept the risk
Lack of Java
9 = 54
(see note 2)
2 = 64
Note 1: The risk is that the team does not have enough skills in Java to handle the programming
required by this project in the time allowed
Note 2: The risk is that although a Web Service technology is a good choice, it is a new technology
and its immaturity may create difficulties
Note 3: Jen, Oscar, and Alf will all pass their level 2 Java cert by X date by taking Y course
Note 4: Jen will install 3 Web services typical of DVD inventory management and run 1,000
typical transactions against these, gathering timing data
Just deal with it?
Not every risk can be dealt with earlier than its
Suppose the team has a week to add significant
functionality to the app
Goal: add the capability to show future investment
growth graphically for a financial app
Little to gain from performing risk analysis and
retirement in this case
With such short lead time, the resource of work time is
better spent just getting to it
The chance that it won’t get done exists, but the time
required for risk analysis may not leave enough time to
do the job
Review your risks periodically.
Check how well mitigation is progressing.
Change risk priorities, as required.
Identify new risks.
Rerun the complete risk process if the project
has experienced significant changes.
Incorporate risk review into other regularly
scheduled project reviews.
In your projects
Risk management should be part of your
discussions in your weekly meetings
Identify & mitigate (where possible)