Risk Management for Software Development

Richard Fairley
Colorado Technical University, Colorado Springs, Colorado, USA

Paul Rook
The Center for Software Reliability, City University, Northampton Square, London, UK

Presented by: Ken Waller
EEL 6883 – Software Engineering II


Presentation Agenda

- Review and Present the Paper
- Give my Thoughts on the Paper
  - Strengths
  - Weaknesses
  - Suggestions for Improvements
- Question and Answer Session
  - But feel free to ask questions during the presentation, as well


Paper Overview

- Introduction
- Risk Management vs. Project Management
- Risk Types
- Software Development Processes and their Relationship to Risk Management
- Detailed Discussion of Risk Management Procedures
- Organizational Level Risk Management
- Conclusions


Introduction

History:
- 1800’s: Origins stem from the concept of Risk Exposure (Insurance Industry)
- 1950’s: Some related topics being taught in academia (decision theory, probabilistic modeling)
- 1980’s: Formal Risk Management used in Petrochemical and Construction Industries
- 1990’s: Risk Management becomes an element of Software Engineering
- 1990’s – Present: Risk Management applied throughout many diverse industries

Definitions:
- Risk = Potential Problem
  - Probability (0.0 – 1.0) (non-inclusive)
  - Loss (risk impact)
    - Quantify: Money, human lives, etc.
    - Qualify: Credibility, trust
- Problem = Materialized Risk (reality)
  - Resources (time, money, personnel) needed to fix

When risk can be quantified:
- Risk Exposure = probability * impact
- Example:
  - Probability that SW glitch will cause explosion: 0.3 (30%)
  - Impact: 5 Human Lives (L)
  - Exposure: 0.3 * 5L = 1.5L

Risks are caused by events:
- Single events
- Multiple events
- Continuous events
- Interdependent events
- Can be difficult to distinguish cause and effect

Risk Management Overview:
- State outcome that you want to avoid
- State courses of action that will lead to avoidance
- Find root causes
- Start with project targets: cost, schedule, product (functionality, performance, quality, etc.)
- Risks are associated with targets

Risk Management Procedures:
- Basic Steps (independent of industry or discipline):
  - Risk Assessment
    - Identify Risks
    - Analyze Risks
    - Rate/Rank/Prioritize Risks
  - Risk Control
    - Abate Risks
    - Create Risk Mitigation Plans
    - Apply Plans

Risk Management considerations:
- Constraints
- Estimates
- External conditions on project targets
- Ranges
- Confidence levels
- Project Targets (negotiated)
- Conditional maximum target

Conditional Maximum Targets (expanded):
- Desire to maximize some project attribute
- Doing so may compromise another

[Figure: three panels, each with Cost, Schedule and Performance axes; thresholds labeled maximum, maximum and minimum]


Risk Management vs. Project Management

Project Management (Classical):
- Attempts to manage/control risks in traditional ways: estimating, planning, scheduling
- “Problem Management”
- Reactive: Difficult choices and risk mitigation plans are made only after problems arise

Risk Management:
- Attempts to manage/control risks in a more focused manner:
  - Risk Assessment
    - Identify what may go wrong
    - Assign probabilities
    - Assess negative impact severities
  - Risk Control
    - Create plans to reduce probabilities and/or severities
    - Create plans to resolve risks that surface
    - Reassess Risks
- “True” management of risks
- Proactive: Difficult choices and risk mitigation plans are made before risks surface

Risk Management Augments Project Management:
- Not the same thing
- Not a replacement
- Risk Management is not a guarantee
- Successful projects:
  - Overcome problems
  - Are not projects that never encounter problems


Risk Types

Four categories identified:
- Contractual/Environmental: Problems with customers or vendors, hindering organizational policies, etc.
- Management/Process: Unclear authorities and responsibilities, weak or inadequate processes, etc.
- Personnel: Lack of skills/training, etc.
- Technical: Requirements creep, inadequate testing, etc.
- Must be correctly typed so appropriate level can address them

For Risk Control, two categories:
- Generic
  - Common to most/all software projects
  - Methods to abate/control have been developed, over time
    - Errors in products handled by V&V, incremental testing
    - Communication problems handled by documentation, reviews, and meetings
- Project Specific
  - Associated with a particular project
  - Covered by the Risk Management Plan, consisting of:
    - Action Plans: Decision to engage in a risk reduction activity without any further consideration (decision has been made)
    - Contingency Plans: Initiate risk reduction activity at some future time, if warranted


Software Development Processes and their Relationship to Risk Management

- The use of a particular software development process is an essential risk reduction technique
- To select an appropriate development process, need to understand:
  - Available software development processes
  - Critical Risk Factors associated with the project under development


Software Development Process Models and their Relationship to Risk Management

Available Software Development Processes:
- COTS: Overlooked; requirements match
- Waterfall: Single Pass
- Risk Reduction/Waterfall: RR, then Waterfall
- Capabilities-to-Requirements: Pick COTS, then adjust reqs
- Transform: Tool automates generation of code
- Evolutionary: Spiral, several passes
- Prototyping: Low fidelity system
- Incremental: Add capabilities in each build
- Design-to-Cost/Schedule: Prune reqs to meet schedule/cost

Critical Risk Factors:
- Growth: High growth implies risk if using COTS
- Available Technologies:
- Ill-Defined Requirements: Feedback essential (use spiral/incremental)
- Understanding of Architecture: Low understanding = high risk of top down approach
- Robustness: Require more rigorous process model
- Budget/schedule limitations: May be good to use design-to-cost/schedule models
- High-risk system nucleus: May indicate spiral/incremental approach


Detailed Discussion of Risk Management Procedures

Review of Risk Management Procedures:
- Risk Assessment
  - Risk Identification
  - Risk Analysis
  - Risk Prioritization
- Risk Control
  - Risk Abatement Strategies
  - Risk Mitigation Planning
  - Risk Mitigation

Risk Assessment’s Main Goal: Establishing a set of Risks that potentially threaten a project

Three explicit steps in Risk Assessment:
- Risk Identification
  - Find Risks and bring to the attention of management, senior level personnel, and the customer
- Risk Analysis
  - Assign quantitative values to risks (impacts, probabilities)
  - Also perform cost/benefit analysis
- Risk Prioritization
  - Rank risks, from 1..n
  - Higher the rank, more resources invested (time, money)

More on Risk Identification:
- Main tool: Expertise and previous experience
  - Organizations attempt to develop various forms of checklists to capture previous experience and knowledge
- Other tools:
  - Scenarios
  - Decompositions
  - Prototyping
  - Modeling and Simulation
- Identification process needs to involve all levels of business and technical staff, along with the customer
  - More/different experience leads to discovery of more risks
  - Must integrate (overcome) different viewpoints

More on Risk Analysis:
- Goal: Develop numerical aspects of risks
- Analysis Tools & Techniques:
  - Historical Data
  - Cost estimation tools (automated – software; manual – spreadsheets/forms)
  - Expertise and Past Experiences
- Other available Techniques depend upon type of Risk:
  - Technical Risks: Modeling and Simulation, prototyping
  - Cost Risks: Algorithmic cost models, Monte Carlo Simulations
  - Schedule Risks: Algorithmic schedule models, Monte Carlo Simulations
  - Operational Risks: Performance and Reliability Modeling

More on Risk Prioritization:
- Not all Risks get included on the final list of Risks to manage
- Main Factor that contributes to the importance of a Risk (and ultimately a formal prioritized list) is Risk Exposure (probability * impact)

Risk Control relies on a “Feedback Loop”:
- Feedback upon whether risks are being managed or not
- If not, redirect, re-plan, and “close loop”
- Initial Action Plans are executed to reduce risk
- Contingency Plans executed upon trigger to attack risks further
- Project Manager = “Controller”
- Depends upon completion of the Risk Assessment phase
- Three explicit steps:
  - Risk Abatement Strategies: Determine strategies
  - Risk Mitigation Planning: Produce detailed plans, based upon strategies
  - Risk Mitigation: Put plans into action and reduce/eliminate risks

More on Risk Abatement Strategies:
- Must first know where to start expending resources
  - Relies upon analysis/results of Risk Assessment phase
  - May also rely upon Simulations, Prototypes, Data/History, Experts/Experience
- Three Basic Strategies Available:
  - Risk Avoidance: May involve deletion of requirements or functionality
  - Risk Transfer: May involve reallocating requirement or functionality
  - Risk Acceptance: Involves further risk control
- Must consider cost-benefit analysis

More on Risk Mitigation Planning:
- Translate strategies into detailed plans
- Must take project schedule and resource consumption into account
- Action Plans
- Contingency Plans
- Consumption of resources to manage one risk may cause another risk to occur (must iterate)
- Funds/resources can be “set aside” for risks (reserves)

More on Risk Mitigation:
- Put mitigation plans into effect
- Goal is to reach a resolution of the underlying problem
- Must continually track (monitor and report) the characteristics of risks
- Re-assess risks as plans are implemented and impacts are made (iterate the loop)


Organizational Level Risk Management

- Companies that deal in advanced technologies now mandate Risk Management Plans
- Includes senior technical and executive management, as well as the customer
- Goal is to understand the impacts risks may have on financial bottom lines
- Characteristics of Organizations that employ Risk Management:
  - Explicit risk management processes defined and followed
  - Customization for specific project allowed
  - Communication
    - Reporting risks to the highest levels of the organization (executives, VPs, etc.)
  - Regular reviews


Conclusions

- Risk Management has been around (in various forms) for a long time, and is used in a vast array of industries
- Experience is perhaps the key tool used during the Risk Management process (finding, assessing, etc. risks)
- Prototyping, simulations can also be used
- Explicit steps are defined and well known
- Risks must be expected


My Opinions on the Paper

Strengths:
- Use of a wide range of types of Figures to illustrate various points/ideas
- Thorough and understandable discussion
- Use of many quick “for example…”

Weaknesses:
- Formatting Issue: No Numbering System Used
  - For Example:

        X. Risk Assessment (Risk Identification, Risk Analysis, …)
           Risk Identification
           Risk Analysis
           …

    Is less clear than:

        X. Risk Assessment
        X.1 Risk Identification
        X.2 Risk Analysis
        X.3 …

- Some content “out of place”
  - History Lesson in the “Risk Management Procedures” section
  - Discussion of Development Process relationship to Risk Management in the “Types of Risks” section

Suggestions for Improvement:
- Devise and incorporate a formal numbering system
  - Makes clear to readers the organization of the paper
- Reformat the content
  - Suggestions already laid out in this presentation


Questions…?

Thank You!!