R i s k

1
R i s k

• If you dont attack risks, they will attack you.

2
An Example of Risk
3
Real Example - Denver Airport

• The airport's computerized baggage system, which
  was supposed to reduce flight delays, shorten
  waiting times at luggage carousels, and save
  airlines in labor costs, turned into an
  unmitigated failure.
• An opening originally scheduled for October 31,
  1993 with a single system for all three
  concourses turned into a February 28, 1995
  opening with separate systems for each concourse,
  with varying degrees of automation.
• The system's 186 million in original
  construction costs grew by 1 million per day
  during months of modifications and repairs.
• Incoming flights never made use of the system,
  and only United, DIA's dominant airline, used it
  for outgoing flights.
• The automated baggage system never worked well,
  and in August 2005, it became public knowledge
  that United would abandon the system, a decision
  that would save them 1 million in monthly
  maintenance costs.
• en.wikipedia.org

4
Questions

• What risks are there to software projects?
• How can we handle those risks?

5
Risk Categories

• performance risk
• does not meet the requirements
• cost risk
• over budget
• schedule risk
• not delivered on time
• support risk
• maintenance problems

6
Common Problem Sources

• Inherent difficulties in estimation
• Ex bad historical data
• Bad assumptions during planning
• Ex our task network didnt expect coding to
  uncover design problems
• Ex we didnt schedule time to change the design
  and code when the specs change
• Ex our programmers arent as knowledgeable as
  we thought they were
• Unforeseen Events

7
Boehms Top Ten - 1991

• Personnel Shortfalls
• Unrealistic time and cost estimates
• Developing the wrong software functions
• Developing the wrong user interface
• Gold plating
• Late changes to requirements
• Shortfalls in external supplied components
• Shortfalls in external performed tasks
• Real-time performance shortfalls
• Development technically too difficult

8
Boehm's Top 10 2002 - Software Risks

• Here are the results of the surveys conducted in
  the year 2002.
• 1. Schedules, budgets, process
• 2. Requirements Changes
• 3. Personnel Shortfalls
• 4. Requirements Mismatch
• 5. Rapid change
• 6. Architecture, performance, quality,
  distribution/mobility
• 7. external components
• 7. Legacy Software
• 9. Externally-performed tasks
• 10. User interface mismatch

USC Center for Systems Software Engineering
9

• customer-furnished items or information
• internal and external subcontractor relationships
  
• inter-component or inter-group dependencies
• availability of trained, experienced people
• reuse from one project to the next
• lack of clear product vision
• lack of agreement on product requirements
• un-prioritized requirements
• new market with uncertain needs
• new applications with uncertain requirements
• rapidly changing requirements
• ineffective requirements change management
  process
• inadequate impact analysis of requirements
  changes
• inadequate planning and task identification
• inadequate visibility into actual project status
• unclear project ownership and decision making
• unrealistic commitments made, sometimes for the
  wrong reasons
• managers or customers with unrealistic
  expectations
• staff personality conflicts

http//www.processimpact.com/articles/risk_mgmt.ht
ml
10
IEEE/ISO Std forRecovering from Risks Gone Bad

• There isn't one!!!!

11
Boehms Risk Engineering Tasks

• Risk Analysis
• Identification
• Estimation
• Evaluation
• Risk Management
• Planning
• Control
• Monitoring
• Directing
• Staffing

12
SEI on Risk

• What does success look like?
• A successful risk management practice is one in
  which risks are continuously identified and
  analyzed for relative importance. Risks are
  mitigated, tracked, and controlled to effectively
  use program resources. Problems are prevented
  before they occur and personnel consciously focus
  on what could affect product quality and
  schedules.
• What will risk management do for my business?
• There will be a cultural shift from
  "fire-fighting" and "crisis management" to
  proactive decision making that avoids problems
  before they arise. Anticipating what might go
  wrong will become a part of everyday business,
  and the management of risks will be as integral
  to program management as problem or configuration
  management.

13
SEI Risk Management Principles

• Global perspective
• Forward-looking view
• Open communications
• Integrated management
• Continuous process
• Shared product vision
• Teamwork
• www.sei.cmu.edu/programs/sepm/risk/

14
Dealing with Risks

• Hazard Prevention
• Likelihood Reduction
• Risk Avoidance
• Risk Transfer
• Contingency Planning

15
Prioritizing Risks

• RE likelihood x impact
• RRL
• RE risk exposure
• RRL risk reduction leverage
• Software Project Management by Hughes and
  Cotterell

REbefore REafter risk reduction cost
16
Example Risk 1

• Lose of Source Code.
• Risk of the server dieing?
• cost of automated backups.
• Risk of hack attack from outside.
• cost of firewall software, etc.
• Risk of hack attack from inside.
• cost of off-site backup system.

17
Example Risk 2

• Person X is assigned to three tasks on the
  critical path!
• How do we deal the risk of them getting sick?
• Possible Steps
• Analyze the possible impact of a delay caused by
  their absence.
• Determine cost of training another person to do
  one or two of those tasks.
• What is the risk exposure versus the training
  costs?
• Can there be a different task network or
  assignment of personnel?

18
Example Risk 3

• The risk of employee turnover?
• What happens if they leave?
• How dependant is our schedule on people with
  these exact skills?
• Will information be lost with the person?
• How can we keep them / replace them?
• How costly would it be to raise salaries?
• How else could we make them happy?
• Costs to hire good replacements?

19
Example Risk 4

• The Market for our product may change.
• What is the likelihood of change? How acceptable
  would our product be?
• How risky is it to speed production?
• Effect of speed on quality?
• Costs of extra personnel or overtime pay?
• What is the risk of making it a more general
  product?
• Cost and time of extra features?

20
Example Risk 5

• Risk to Functionality based on unknown
  technology?
• How likely is it that we dont know enough to
  fulfill this particular requirement?
• How important is this requirement to product
  acceptance?
• If someone else knows a lot about this, how much
  would it cost to get them here?
• Should we try two approaches at the same time?

21
Example Risk 6

• Risks related to Example Data Access.
• Who controls access to the database where we are
  supposed to get our sample data?
• Is their boss in favor of this project?
• Are they nice, or do we need to mow their lawn
  before we can see the data?
• When can we get the data?
• If we cant get data at the beginning, can we use
  fake data for a while?
• How long can we use fake data?
• How will fake data affect quality?

22
Example Risk 7

• To generate additional revenue, we will release a
  new version of a financial analysis product.
  Since it is currently written in COBOL, the next
  version should be written in COBOL.
• Do you see any potential risks?

23
Risk Analysis Tools

• Risk Radar includes 22 standardized
  reports that enable project managers to quickly
  and easily view and track important risk data. It
  provides the ability to establish standard values
  for categorizing and prioritizing project risks
  according to Probability of Occurrence, Risk
  Impact and Risk Exposure.  And, it does this all
  within the familiar Microsoft Access graphic
  interface, which enables most users to
  immediately apply the benefits of the tool
  without costly and time-consuming software
  training.
• www.iceincusa.com/products_tools.htm

24
(No Transcript)
25
Summary

• Be proactive, not reactive.
• Assess the cost of failure against the costs of
  addressing the risk.
• Avoid costly risks or limit the effect of the
  risk.

26
In-Class Exercise

• For Dr. Garrison's web site design project
• identify 5 risks
• estimate the risk exposure for each risk
• how can that team deal with those risks