Software Project Risk Management

Risk Management
• The future can never be predicted with 100% accuracy.
• Failure to plan for risks leads to crisis management or firefighting
  – Cultivates a dangerous “hero” culture
  – A very poor management practice (why?)
• The lure of crisis management
  – Attention and visibility
  – Access to resources
  – Rewards

Objective of Risk Management
• The objective is to plan and manage the project in such a way that whatever happens, whatever outcomes are achieved, the stakeholders still “win”
  – That is, value is still obtained
• Example: Failed system development can provide value in learning early on that a system as designed is not worth pursuing, which helps avoid costly commitment to a system that eventually will not be adopted/accepted/used

What is a Risk?
• Risk is the potential of loss
  – Always has two components
    • Likelihood of loss
    • Size of loss
  – Must account for both!
• Risk Exposure = Prob(Loss) * Size(Loss)
  – A probability of occurrence of that event.
  – Impact of the event occurring
  – A quantitative measure of risk

What is a Risk? - 2
• Project risk
  – Risk of not achieving a defined project goal (schedule, quality, cost, …)
• The challenge is to manage project risk, not eliminate it (impossible!)
• Note: Risks change throughout the life of a project

Opportunity
• The flip-side of risk is opportunity
  – The potential for gain
• Often where there is risk there is opportunity
  – Without risk there is usually no value
  – Need to accept risk as an inherent part of the development process because we seek value
• Need to consider opportunity when considering risk

Risk Management
• Risk management is the act or practice of dealing with risk.
• Risk management is proactive rather than reactive.
• Risk management is not a separate activity
  – an aspect of sound project management.
  – this implies that, when you make any decision, you account for its risk considerations

Successful Risk Management
• Depends upon:
  – Commitment by stakeholders
  – Stakeholder responsibility
  – Planning for risk management
  – Creation of a risk management plan
  – Committing resources to risk management
  – Top 10 risk list
    • Determine a manageable number of risks

Resources for Risk Management
• When looking at the resources to commit to risk management, one needs to consider the project size and the impacts of the risks.
• Recommendation: about 5% of total project resources on risk management activities.

Risk Management Planning
• Risk management planning is a continuous and ongoing process.
• Develop a plan for risk identification.
• Determine the resources available for risks.
  – What is available beyond the ordinary?
  – This is a good time for out of the box thinking
• Establish a methodology for accounting for risk in every decision with significant impact

A Simplified Risk Management Process
• Risk identification
• Risk analysis/evaluation
• Risk planning strategies
• Risk monitoring and control
• Risk response

Risk Identification
• Proactively identify risks!
• Tools for identifying risks
  – Brainstorming
  – Nominal Group Technique
    • Each member identifies their ideas
    • Each member writes their idea on the board
    • The group discusses each idea
    • Each individual ranks each of the ideas
    • The group then ranks all the ideas
    • Each individual ranks all the ideas again
    • Rankings are summarized

Risk Identification
  – Strength, Weakness, Opportunities, Threats (SWOT analysis)
  – Cause and effect diagrams
  – Past Projects experiences (lessons learned)

Possible Risks
• Creeping user requirements
• Excessive schedule pressure
• Low quality
• Cost overruns
• Poor estimates
• Low customer satisfaction
• Long schedules
• Inadequate planning or managing to plan
• Project member shortfalls

Qualitative Risk Analysis
• Probability and Impact
  – Impacts a software Project Manager is most likely to face:
    • Costs
    • Schedule
    • Quality
  – Probability is most often determined by expert opinion and historical data
    • Simple “red-yellow-green” or 1-5 scale assessment

Quantitative Risk Analysis
• Discrete probability distributions
  – Coin toss
• Continuous probability distributions
  – Normal distribution or bell shaped curve
• Running simulations
  – Using PERT/GANTT charts to study the impact.
    • does not identify risks; helps understand the impact
• Betting analogies
  – “How much would you be willing to bet on a successful outcome?”

Risk Response Planning
• Who is going to detect when the risk occurs?
• Who has the responsibility to respond and communicate?
• What is the response?

Risk Strategies
• Factors impacting the strategy
  – Impact of the risk
  – Project constraints
  – Tolerances
• Strategy
  – Accept or Ignore
    • Provide reserves
  – Contingency plans
    • Natural disaster/backup plans/plan-B’s

Risk Strategies
  – Avoidance, eliminate the risk
  – Mitigate, lessen the impact of the risk
    • Performance impact, provide extra hardware, de-scope
  – Transfer the risk
    • Offsite backup planning
    • Server farms
    • Outside management

Risk Monitoring and Control
• Risk monitoring
  – Determine who is responsible for monitoring
  – How are risks monitored?
    • Project tracking, resources, quality, etc.
  – Communicating the status of identified risks
    • Reviews and Audits
• Once a risk is identified as occurring
  – Communicate
  – Take action

Risk Response and Evaluation
• Trigger the defined risk response plan
  – Identify the risk owner
  – Assign resources
  – Understand the impacts
    • PERTs, Dependencies
• Communicate
• Evaluate once action is taken
  – Is more action needed?
  – What additional risks are triggered?

Common Software Project Risks
  – Requirements:
    • Feature creep
    • Developer gold plating
  – Quality
    • Low quality
    • Squeeze on testing time
  – Over optimism
    • Schedules
    • Tools
    • Capability
    • Re-use or acquisition
    • Quality

Common Software Project Risks
  – Resources
    • Not enough
    • Weak personnel
    • Contractor issues
  – Customer
    • Customer developer friction
    • Customer acceptance

Group Exercise
• Create a formal, documented risk management plan for your project.
• Do the following:
  – Risk identification
    • Discuss at least three serious risks
  – Risk analysis/evaluation
    • Assess the risks identified (qualitatively or quantitatively)
  – Risk planning strategies
    • What can you do to manage these risks?
  – Risk monitoring and control
    • How will you manage these risks during the remainder of the project?
  – Risk response
    • What will you do if a risk becomes actual (i.e. exposed)?
both for the development and the eventual operation of your system.