Risk Management

Software Project Risk Management
1
Risk Management
• The future can never be predicted with 100%
accuracy.
• Failure to plan for risks leads to crisis
management or firefighting
– Cultivates a dangerous “hero” culture
– A very poor management practice (why?)
• The lure of crisis management
– Attention and visibility
– Access to resources
– Rewards
2
Objective of Risk Management
• The objective is to plan and manage the
project in such a way that whatever happens,
whatever outcomes are achieved, the
stakeholders still “win”
– That is, value is still obtained
• Example: Failed system development can provide value
in learning early on that a system as designed is not
worth pursuing which helps avoid costly commitment
to a system that eventually will not be
adopted/accepted/used
3
What is a Risk?
• Risk is the potential of loss
– Always has two components
• Likelihood of loss
• Size of loss
– Must account for both!
• Risk Exposure = Prob(Loss) * Size(Loss)
– Prob(Loss): the probability of occurrence of the event
– Size(Loss): the impact of the event occurring
– A quantitative measure of risk
4
What is a Risk? - 2
• Project risk
– Risk of not achieving a defined project goal
(schedule, quality, cost, …)
• The challenge is to manage project risk, not
eliminate it (impossible!)
• Note: Risks change throughout the life of a
project
5
Opportunity
• The flip-side of risk is opportunity
– The potential for gain
• Often where there is risk there is opportunity
– Without risk there is usually no value
– Need to accept risk as an inherent part of the development
process because we seek value
• Need to consider opportunity when considering risk
6
Risk Management
• Risk management is the act or practice of
dealing with risk.
• Risk management is proactive rather than
reactive.
• Risk management is not a separate activity
– It is an aspect of sound project management.
– This implies that, when you make any decision,
you account for its risk considerations
7
Successful Risk Management
• Depends upon:
– Commitment by stakeholders
– Stakeholder responsibility
– Planning for risk management
– Creation of a risk management plan
– Committing resources to risk management
– Top 10 risk list
• Determine a manageable number of risks
8
Resources for Risk Management
• When looking at the resources to commit to
risk management, one needs to consider the
project size and the impacts of the risks.
• Recommendation: about 5% of total project
resources on risk management activities.
9
Risk Management Planning
• Risk management planning is a continuous
and ongoing process.
• Develop a plan for risk identification.
• Determine the resources available for risks.
– What is available beyond the ordinary?
– This is a good time for out of the box thinking
• Establish a methodology for accounting for
risk in every decision with significant impact
10
A Simplified Risk Management Process
• Risk identification
• Risk analysis/evaluation
• Risk planning strategies
• Risk monitoring and control
• Risk response
11
Risk Identification
• Proactively identify risks!
• Tools for identifying risks
– Brainstorming
– Nominal Group Technique
• Each member identifies their ideas
• Each member writes their idea on the board
• The group discusses each idea
• Each individual ranks each of the ideas
• The group then ranks all the ideas
• Each individual ranks all the ideas again
• Rankings are summarized
12
Risk Identification
– Strength, Weakness, Opportunities, Threats
(SWOT analysis)
– Cause and effect diagrams
– Past Projects experiences (lessons learned)
13
Possible Risks
• Creeping user requirements
• Excessive schedule pressure
• Low quality
• Cost overruns
• Poor estimates
• Low customer satisfaction
• Long schedules
• Inadequate planning or managing to plan
• Project member shortfalls
14
Qualitative Risk Analysis
• Probability and Impact
– Impacts a software Project Manager is most likely
to face:
• Costs
• Schedule
• Quality
– Probability is most often determined by expert
opinion and historical data
• Simple “red-yellow-green” or 1-5 scale assessment
15
Quantitative Risk Analysis
• Discrete probability distributions
– Coin toss
• Continuous probability distributions
– Normal distribution or bell shaped curve
• Running simulations
– Using PERT/GANTT charts to study the impact.
• Simulation does not identify risks; it helps in understanding the impact
• Betting analogies
– “How much would you be willing to bet on a
successful outcome?”
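
Added example (not part of the original slides): a small Monte Carlo run that combines the Risk Exposure formula with the discrete and continuous distributions listed above to estimate the chance of missing a deadline. The task plan, the risk register values and the use of a triangular distribution in place of the PERT beta are assumptions made for illustration.

```python
import random

# Constructed sample plan: task -> (optimistic, most likely, pessimistic days, predecessors)
TASKS = {
    "requirements": (5, 8, 15, []),
    "design": (8, 10, 20, ["requirements"]),
    "backend": (15, 20, 40, ["design"]),
    "frontend": (10, 15, 25, ["design"]),
    "testing": (5, 10, 20, ["backend", "frontend"]),
}
# Constructed risk register: risk -> (probability, delay in days, task it hits)
RISKS = {
    "feature creep": (0.40, 10, "backend"),
    "key developer leaves": (0.10, 15, "frontend"),
    "squeeze on testing time": (0.25, 5, "testing"),
}

def exposure(risks):
    """Rank risks by Risk Exposure = Prob(Loss) * Size(Loss), highest first."""
    ranked = [(prob * size, name) for name, (prob, size, _) in risks.items()]
    return sorted(ranked, reverse=True)

def simulate_once(rng):
    """One trial: fire each risk with its probability, sample durations, return finish day."""
    delay = dict.fromkeys(TASKS, 0)
    for prob, size, task in RISKS.values():
        if rng.random() < prob:  # discrete distribution: the risk occurs or it does not
            delay[task] += size
    finish = {}
    for task, (low, mode, high, preds) in TASKS.items():  # TASKS is listed in dependency order
        start = max((finish[pred] for pred in preds), default=0)
        # continuous distribution: triangular stands in for the PERT beta (assumption)
        finish[task] = start + rng.triangular(low, high, mode) + delay[task]
    return max(finish.values())

def schedule_risk(deadline, trials=20000, seed=1):
    """Return (probability of missing the deadline, 80th-percentile finish day)."""
    rng = random.Random(seed)
    results = sorted(simulate_once(rng) for _ in range(trials))
    late = sum(day > deadline for day in results) / trials
    return late, results[int(0.8 * trials)]

if __name__ == "__main__":
    for value, name in exposure(RISKS):
        print(f"{name:25s} exposure = {value:.2f} days")
    for deadline in (48, 60, 75):
        late, p80 = schedule_risk(deadline)
        print(f"deadline {deadline}: P(late) = {late:.2f}, 80% of runs finish by day {p80:.0f}")
```

A deadline of 48 days is the sum of the most likely estimates on the longest path, and the run shows how rarely that date is actually met once the spread of estimates and the risk events are included.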
16
Risk Response Planning
• Who is going to detect when the risk occurs?
• Who has the responsibility to respond and
communicate?
• What is the response?
17
Risk Strategies
• Factors impacting the strategy
– Impact of the risk
– Project constraints
– Tolerances
• Strategy
– Accept or Ignore
• Provide reserves
– Contingency plans
• Natural disaster/backup plans/plan-B’s
18
Risk Strategies
– Avoidance, eliminate the risk
– Mitigate, lessen the impact of the risk
• Performance impact, provide extra hardware, de-scope
– Transfer the risk
• Offsite backup planning
• Server farms
• Outside management
19
Risk Monitoring and Control
• Risk monitoring
– Determine who is responsible for monitoring
– How are risks monitored?
• Project tracking, resources, quality, etc.
– Communicating the status of identified risks
• Reviews and Audits
• Once a risk is identified as occurring
– Communicate
– Take action
20
Risk Response and Evaluation
• Trigger the defined risk response plan
– Identify the risk owner
– Assign resources
– Understand the impacts
• PERTs, Dependencies
• Communicate
• Evaluate once action is taken
– Is more action needed?
– What additional risks are triggered?
21
Common Software Project Risks
– Requirements:
• Feature creep
• Developer gold plating
– Quality
• Low quality
• Squeeze on testing time
– Over optimism
• Schedules
• Tools
• Capability
• Re-use or acquisition
• Quality
Common Software Project Risks
– Resources
• Not enough
• Weak personnel
• Contractor issues
– Customer
• Customer-developer friction
• Customer acceptance
23
Group Exercise
• Create a formal, documented risk management plan for your
project.
• Do the following, both for the development and the eventual operation of your
system:
– Risk identification
• Discuss at least three serious risks
– Risk analysis/evaluation
• Assess the risks identified (qualitatively or quantitatively)
– Risk planning strategies
• What can you do to manage these risks?
– Risk monitoring and control
• How will you manage these risks during the remainder of the project?
– Risk response
• What will you do if a risk becomes actual (i.e. exposed)?
24