Software Risk Management an Introduction - PowerPoint PPT Presentation

Provided by: diahpi
Transcript and Presenter's Notes

1
Software Risk Management: an Introduction
  • Dindin Sjahril 2005

2
Risk Management
  • "If you don't actively attack risks, they will
    attack you" - Tom Gilb
  • Risk management is still looked upon as bad news
    - and messengers are still shot
  • However, risks are problems which haven't
    happened yet - the key is "yet"

3
Are you a risk taker?
Averse ... Neutral ... Takers
Experience
Temperament
Skill Set
The day of the week
4
Are you a risk taker?
Project deliverables / Realisation of the benefit
  • Who owns the risk?

Project Sponsor
  • Overall responsibilities
  • Set risk tolerance
Project Manager
  • Risk project management
  • Day-to-day responsibilities
5
Types of Risk
Socio-economic, political, legal, regulatory,
culture, etc.
External Risk
Constraining risk
Internal Risk Project
Resource availability, dependencies, technical
complexity, bug rate, etc.
Organisation
Contract, corporate risk maturity, risk policies.
Technology maturity, etc.
Note: To identify major risks to project delivery,
all three areas will require examination
6
Common Projects Risk
  • Excessive paperwork
  • Unreliable subproject delivery
  • Creeping user requirements
  • Unnecessary features
  • Large and complex project
  • Immature technology
  • Complex application
  • Large number of complex external interfaces
  • Incapable project management
  • Project manager unavailable
  • Lack of experience with the project's
    platform/environment/methods
  • Lack of experience with the software product type
  • Lack of experience in the user environment/operations
  • Lack of senior management commitment
  • Unavailability of key staff
  • Reliance on a few key personnel
  • Instability and lack of continuity in project
    staffing
  • Lack of staff commitment, low morale
  • Low productivity
  • Lack of client support
  • Lack of user support
  • Lack of contact person's competence
  • Inaccurate metrics
  • Lack of organizational maturity
  • Lack of quantitative historical data
  • Inaccurate cost estimating
  • Excessive schedule pressure
  • Inadequate configuration control
  • Excessive reliance on a single development
    improvement

7
Levels of Risk Management
  • 1. Crisis Management - everything's broken
  • 2. Fix on failure - something broke? Fix it!
  • 3. Risk mitigation - what will we do when it
    breaks?

8
Levels of Risk Management
  • 4. Prevention - how do we keep it from breaking?
  • 5. Eliminate root causes - why could it break?

9
Principles (SEI 2003)
  • Global perspective
  • Forward-looking view
  • Open communications
  • Integrated management
  • Continuous process
  • Shared product vision
  • Teamwork

10
Risk Assessment & Control
  • Risk Assessment
  • Identification - what are the risks? Make a list!
    (Or borrow one for ideas)
  • Analysis - assess risk likelihood and impact;
    find possible alternatives
  • Prioritization - which risks to focus on? Sort
    risks by impact
  • ...

11
Risk Criticality
12
Risk Impact/Probability Matrix
Severity / Probability | Very High | High     | Medium   | Low      | Very Low
Catastrophic           | High      | High     | Moderate | Moderate | Low
Critical               | High      | High     | Moderate | Low      | None
Marginal               | Moderate  | Moderate | Low      | None     | None
Negligible             | Moderate  | Low      | Low      | None     | None
13
Risk Assessment & Control
  • Risk Control
  • Management planning - mitigation planning; ensure
    consistency among plans
  • Resolution - actively manage and resolve each
    risk when it occurs
  • Monitoring - track progress toward risk
    resolution; and identify new risks

14
Risk Identification
  • Look for risks
  • In all of the major areas of the project -
    resources, tools, process, and product
  • In management areas - cost, schedule, level of
    effort
  • In the Classic Mistakes and Fundamentals
  • In every area your customer cares about!

15
Risk Identification
  • Risk identification has two different meanings
  • Define what risks might occur (as previously
    described), and then analyze them
  • Be able to tell when a risk has taken place
    (which sets the stage for risk monitoring and
    mitigation)

16
Risk Analysis
  • Risk Exposure (Impact) Calculation
  • Estimate Size of Loss - what is the result of the risk?
  • Estimate Probability of loss, based on corporate
    history, industry norms, or educated guesses
  • Multiply Size × Probability to get task Overrun
    due to that risk

17
Risk Analysis
  • Add task Overrun to the estimated task duration
  • Repeat for every significant risk

18
Risk Exposure Calculation
  • Suppose a task, "Define requirements for GUI",
    has an estimated duration of 30 days.

19
Risk Exposure Calculation
  • If we know, based on historic data, that there is
    a 20% chance of this task running over by 10
    days, the task overrun is 0.20 × 10 = 2 days.
  • Hence in the schedule we should allow 30 + 2 = 32
    days for this task, not just 30.

20
Risk Prioritization
  • Sort risks by descending task overrun
  • This will automatically identify risks with the
    highest task overrun
  • Focus on those risks most, since you have the
    most to lose if you don't!

21
Risk Control
  • Risk Management Planning
  • Risk Resolution
  • Risk Monitoring

22
Risk Management Planning
  • For each risk, identify how the risk is to be
    identified, managed, monitored, and closed out.
    Consider:
  • What is the risk,
  • Where and When might the risk occur,
  • Who is responsible for managing that risk,
  • Why does the risk exist, and
  • How will the risk be handled if it occurs?

23
Risk Management Planning
  • Similar to security analysis
  • Identify threats
  • Prevent threats
  • Detect threats (not trivial with information
    systems!)
  • Mitigate (reduce) the effects of the threats

24
Risk Resolution
  • Avoid the risk (have someone else do it)
  • Transfer risk to another area (e.g. redesign)
  • Investigate the risk to better understand it
    (e.g. use prototype or consultant to clarify)
  • Eliminate the cause of the risk (defect
    prevention)
  • ...

25
Risk Resolution
  • Assume the risk will occur and cope with minor
    impact
  • Publicize the risk - well known risks are easier
    to avoid, and less shocking if they do occur
  • Control the risk - implement mitigation strategy
  • Remember the risk - keep lessons learned!

26
Risk Monitoring
  • Develop and maintain top 10 risk list
  • Conduct postmortems after each major project
    event (milestone) - collect and record lessons
    learned
  • Assign a risk officer - a devil's advocate, if
    you will - to keep pestering with "what if..."
    situations
  • Don't be afraid to discuss risks openly

27
Top 10 Risks List
  • Develop a list of the ten most serious risks,
    their status, and mitigation plans
  • Review and update each week
  • Raises awareness of risks, and helps detect
    (identify) them

28
Risk Management Tasks
  • Develop Risk Management Plan
  • May take from one week to several months,
    depending on project size
  • Results in approval of Risk Management Plan

29
Risk Management Tasks
  • Update Risk List at a weekly status meeting
  • Update existing risks, add new ones as needed
  • Reevaluate Risk Management Plan every 3 months to
    a year, depending on project size

30
Risk Management Tasks
  • Be sure to account for the following ongoing risk
    management activities
  • Risk identification (what could happen?)
  • Risk management planning
  • Risk analysis and prioritization (what would
    result?)
  • Risk resolution (mitigation strategy)
  • Risk monitoring (has it happened?)

31
Risk Management Tasks
  • For each risk, describe:
  • Risk number, name, and description
  • The Loss Hours, Probability, and Impact of each
    risk sorted by descending Impact
  • How each risk will be prevented (keep it from
    happening), identified (know when it has
    happened), and mitigated (managed once it has
    happened)