Posted on 18-Jan-2016
Risk Management Introduction -DS- 2003
1
Software Risk Management
an Introduction
Dindin Sjahril 2005
Risk Management
“If you don’t actively attack risks, they will attack you” - Tom Gilb
Risk management is still looked upon as bad news - and messengers are still shot
However, risks are problems which haven’t happened yet; the key is ‘yet’
Are you a risk taker? Averse … Neutral … Takers
Temperament
Experience
Skill Set
The day of the week
Who owns risk?
Project Manager
Project Sponsor
Day to day responsibilities
Overall responsibilities
Project deliverables /Realisation of the benefit
Set risk tolerance
Risk project management
Types of Risk
Internal risk (Project): resource availability, dependencies, technical complexity, bug rate, etc.
Constraining risk (Organisation): contract, corporate risk maturity, risk policies, technology maturity, etc.
External risk: socio-economic, political, legal, regulatory, cultural, etc.
Note: to identify the major risks to project delivery, all three areas will require examination.
Common Project Risks
Unavailability of key staff
Reliance on a few key personnel
Instability and lack of continuity in project staffing
Lack of staff commitment, low morale
Low productivity
Lack of client support
Lack of user support
Lack of contact person’s competence
Inaccurate metrics
Lack of organizational maturity
Lack of quantitative historical data
Inaccurate cost estimating
Excessive schedule pressure
Inadequate configuration control
Excessive reliance on a single development improvement
Excessive paperwork
Unreliable subproject delivery
Creeping user requirements
Unnecessary features
Large and complex project
Immature technology
Complex application
Large number of complex external interfaces
Incapable project management
Project manager unavailable
Lack of experience with project’s platform/environment/methods
Lack of experience with the software product type
Lack of experience in the user environment/operations
Lack of senior management commitment
Levels of Risk Management
1. Crisis Management - everything’s broken
2. Fix on failure - something broke? Fix it!
3. Risk mitigation - what will we do when it breaks?
Levels of Risk Management
4. Prevention - how do we keep it from breaking?
5. Eliminate root causes - why could it break?
Principles [SEI 2003]
Global perspective
Forward-looking view
Open communications
Integrated management
Continuous process
Shared product vision
Teamwork
Risk Assessment & Control
Risk Assessment
Identification – what are the risks? Make a list! (Or borrow one for ideas)
Analysis – assess risk likelihood and impact; find possible alternatives
Prioritization – which risks to focus on? Sort risks by impact ...
Risk Criticality
Risk Impact/Probability Matrix
Severity \ Probability   Very High   High       Medium     Low        Very Low
Catastrophic             High        High       Moderate   Moderate   Low
Critical                 High        High       Moderate   Low        None
Marginal                 Moderate    Moderate   Low        None       None
Negligible               Moderate    Low        Low        None       None
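The matrix above encoded in Python, as an added example that is not part of the slides: a lookup function for the severity/probability rating, plus a consistency check a practitioner would want before trusting any such matrix, namely that a cell never rates lower than a cell with worse severity or higher probability. The sample risks at the bottom are constructed for illustration.

```python
# Added example (not from the slides): encode the impact/probability matrix,
# look up a qualitative rating, and check that the matrix is monotonic
# (moving to a worse severity or a higher probability never lowers the rating).

from typing import Dict, List, Tuple

PROBABILITY = ["Very High", "High", "Medium", "Low", "Very Low"]   # columns, left to right
SEVERITY = ["Catastrophic", "Critical", "Marginal", "Negligible"]   # rows, top to bottom

# Rows copied from the slide's matrix, in the same column order as PROBABILITY.
MATRIX: Dict[str, List[str]] = {
    "Catastrophic": ["High", "High", "Moderate", "Moderate", "Low"],
    "Critical":     ["High", "High", "Moderate", "Low", "None"],
    "Marginal":     ["Moderate", "Moderate", "Low", "None", "None"],
    "Negligible":   ["Moderate", "Low", "Low", "None", "None"],
}

# Ordinal value of each rating so ratings can be compared and sorted.
RATING_ORDER = {"None": 0, "Low": 1, "Moderate": 2, "High": 3}


def rate(severity: str, probability: str) -> str:
    """Return the matrix rating for a severity/probability pair."""
    if severity not in MATRIX:
        raise ValueError(f"unknown severity {severity!r}")
    if probability not in PROBABILITY:
        raise ValueError(f"unknown probability {probability!r}")
    return MATRIX[severity][PROBABILITY.index(probability)]


def matrix_is_monotonic() -> bool:
    """Check that no cell rates higher than the cell above it or to its left.

    Walking down a column (severity gets milder) or rightwards along a row
    (probability drops) must never increase the rating; a violation would
    mean a riskier position scores as safer than a less risky one.
    """
    for r, sev in enumerate(SEVERITY):
        for c in range(len(PROBABILITY)):
            here = RATING_ORDER[MATRIX[sev][c]]
            if c + 1 < len(PROBABILITY) and RATING_ORDER[MATRIX[sev][c + 1]] > here:
                return False
            if r + 1 < len(SEVERITY) and RATING_ORDER[MATRIX[SEVERITY[r + 1]][c]] > here:
                return False
    return True


def classify(risks: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Rate a list of (name, severity, probability) tuples and sort worst-first."""
    rated = [(name, rate(sev, prob)) for name, sev, prob in risks]
    return sorted(rated, key=lambda item: RATING_ORDER[item[1]], reverse=True)


# Constructed sample risks (hypothetical, for illustration only).
SAMPLE_RISKS = [
    ("Key developer leaves mid-project", "Critical", "Medium"),
    ("Third-party library has a known unpatched defect", "Catastrophic", "Low"),
    ("Minor UI wording changes requested late", "Negligible", "Very High"),
    ("Vendor contract lapses before delivery", "Marginal", "Low"),
]

if __name__ == "__main__":
    assert matrix_is_monotonic(), "matrix is inconsistent"
    for name, rating in classify(SAMPLE_RISKS):
        print(f"{rating:<8} {name}")
```

The monotonicity check is cheap and worth keeping next to any hand-edited matrix: a single transposed cell silently demotes real risks, and the check catches it before the matrix is used to rank anything.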
Risk Assessment & Control
Risk Control
Management planning – mitigation planning, ensure consistency among plans
Resolution – actively manage and resolve each risk when it occurs
Monitoring – track progress toward risk resolution; and identify new risks
Risk Identification
Look for risks
In all of the major areas of the project - resources, tools, process, and product
In management areas - cost, schedule, level of effort
In the Classic Mistakes and Fundamentals
In every area your customer cares about!
Risk Identification
Risk identification has two different meanings:
Define what risks might occur (as previously described), and then analyze them
Be able to tell when a risk has taken place (which sets the stage for risk monitoring and mitigation)
Risk Analysis
Risk Exposure (Impact) Calculation
Estimate the size of loss: what is the result if the risk occurs?
Estimate the probability of loss, based on corporate history, industry norms, or educated guesses
Multiply size and probability to get the task overrun due to that risk
Risk Analysis
Add the task overrun to the estimated task duration
Repeat for every significant risk
Risk Exposure Calculation
Suppose a task, “Define requirements for GUI”, has an estimated duration of 30 days.
Risk Exposure Calculation
If we know, based on historic data, that there is a 20% chance of this task running over by 10 days, the task overrun is 0.20*10 = 2 days.
Hence in the schedule we should allow 30 + 2 = 32 days for this task, not just 30.
Risk Prioritization
Sort risks by descending task overrun
This will automatically identify risks with the highest task overrun
Focus on those risks most, since you have the most to lose if you don’t!
Risk Control
Risk Management Planning
Risk Resolution
Risk Monitoring
Risk Management Planning
For each risk, identify how risk is to be identified, managed, monitored, and closed out. Consider: What is the risk, Where and When might the risk occur, Who is responsible for managing that risk, Why does the risk exist, and How will the risk be handled if it occurs?
Risk Management Planning
Similar to security analysis:
Identify threats
Prevent threats
Detect threats (not trivial with information systems!)
Mitigate (reduce) the effects of the threats
Risk Resolution
Avoid the risk (have someone else do it)
Transfer risk to another area (e.g. redesign)
Investigate the risk to better understand it (e.g. use a prototype or consultant to clarify)
Eliminate the cause of the risk (defect prevention) ...
Risk Resolution
Assume the risk will occur and cope with minor impact
Publicize the risk - well known risks are easier to avoid, and less shocking if they do occur
Control the risk - implement mitigation strategy
Remember the risk - keep lessons learned!
Risk Monitoring
Develop and maintain a top 10 risk list
Conduct postmortems after each major project event (milestone) - collect and record lessons learned
Assign a risk officer - a devil’s advocate, if you will - to keep pestering with “what if...” situations
Don’t be afraid to discuss risks openly
Top 10 Risks List
Develop a list of the ten most serious risks, their status, and mitigation plans
Review and update each week
Raises awareness of risks, and helps detect (identify) them
Risk Management Tasks
Develop Risk Management Plan
May take from one week to several months, depending on project size
Results in approval of the Risk Management Plan
Risk Management Tasks
Update Risk List at a weekly status meeting Update existing risks, add new ones as needed
Reevaluate Risk Management Plan every 3 months to year, depending on project size
Risk Management Tasks
Be sure to account for the following ongoing risk management activities:
Risk identification (what could happen?)
Risk management planning
Risk analysis and prioritization (what would result?)
Risk resolution (mitigation strategy)
Risk monitoring (has it happened?)
Risk Management Tasks
For each risk, describe:
Risk number, name, and description
The Loss Hours, Probability, and Impact of each risk; sorted by descending Impact
How each risk will be: prevented (keep it from happening), identified (know when it has happened), and mitigated (managed once it has happened)
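A worked register tying the slides together, added here as an example that is not part of the original deck: it implements the risk exposure calculation (probability × size of loss = task overrun, added to the task estimate and repeated for every risk), the prioritization rule (sort by descending impact), the top-N list from the monitoring slides, and the per-risk fields on this slide, including the prevent / identify / mitigate notes that mirror the "similar to security analysis" slide. Risk #1 reuses the slide's own numbers (30-day task, 20% chance of a 10-day overrun); every other risk, the field names and the `mark_occurred` helper are constructed for illustration and are not a standard.

```python
# Added example (not from the slides): a minimal risk register that applies the
# slides' arithmetic (probability x size of loss = expected task overrun), adds
# the overrun of every significant risk to the task estimate, sorts the register
# by descending impact and reports the top-N list with each risk's
# prevent / identify / mitigate notes. Field names and sample risks are
# constructed for illustration only.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    number: int
    name: str
    description: str
    probability: float        # 0.0 .. 1.0, from history, industry norms or an educated guess
    loss: float               # size of loss if it occurs, in the task estimate's unit
    prevention: str = ""      # how to keep it from happening
    identification: str = ""  # the trigger that tells us it has happened
    mitigation: str = ""      # how it is managed once it has happened
    occurred: bool = False    # set by mark_occurred() when the trigger fires

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce a meaningless exposure.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"risk {self.number}: probability must be in [0, 1]")
        if self.loss < 0:
            raise ValueError(f"risk {self.number}: loss cannot be negative")

    @property
    def impact(self) -> float:
        """Risk exposure: expected overrun = probability x size of loss."""
        return self.probability * self.loss


def task_overrun(probability: float, loss: float) -> float:
    """The slide's calculation: 0.20 * 10 days -> 2 days of expected overrun."""
    return probability * loss


def schedule_allowance(estimate: float, risks: List[Risk]) -> float:
    """Estimate plus the expected overrun of every risk on the register."""
    return estimate + sum(r.impact for r in risks)


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Descending impact: the risks with the most to lose come first."""
    return sorted(risks, key=lambda r: r.impact, reverse=True)


def top_n(risks: List[Risk], n: int = 10) -> List[Risk]:
    """The weekly top-10 list: the n highest-impact risks."""
    return prioritise(risks)[:n]


def mark_occurred(risks: List[Risk], number: int) -> Optional[str]:
    """Record that a risk's trigger fired and hand back its mitigation plan."""
    for r in risks:
        if r.number == number:
            r.occurred = True
            return r.mitigation
    return None  # unknown risk number


def report(task: str, estimate: float, risks: List[Risk], n: int = 10) -> str:
    """Plain-text register for the status meeting, highest impact first."""
    lines = [f"Task: {task}  estimate {estimate:g}, allow {schedule_allowance(estimate, risks):g}"]
    for r in top_n(risks, n):
        status = "OCCURRED" if r.occurred else "open"
        lines.append(f"#{r.number} {r.name}: p={r.probability:.2f} loss={r.loss:g} "
                     f"impact={r.impact:g} [{status}]")
        lines.append(f"    prevent:  {r.prevention}")
        lines.append(f"    identify: {r.identification}")
        lines.append(f"    mitigate: {r.mitigation}")
    return "\n".join(lines)


# Constructed register for the slide's task (30-day estimate). Risk #1 reuses
# the slide's numbers (20% chance of a 10-day overrun); the rest are invented.
GUI_TASK = "Define requirements for GUI"
GUI_ESTIMATE = 30.0
GUI_RISKS = [
    Risk(1, "Requirements creep", "Users keep adding screens after sign-off",
         0.20, 10, "Baseline and change-control the requirements",
         "Change requests logged after the baseline date", "Re-plan affected screens only"),
    Risk(2, "Key analyst unavailable", "A single analyst knows the business rules",
         0.10, 15, "Pair a second analyst from week one",
         "Analyst absent from two consecutive reviews", "Second analyst takes over"),
    Risk(3, "Late stakeholder sign-off", "Sponsor review slips past the milestone",
         0.50, 2, "Book the review slot at project start",
         "Milestone date passes without sign-off", "Escalate to project sponsor"),
    Risk(4, "Prototype tool licence lapses", "Trial licence ends mid-task",
         0.05, 4, "Procure the licence before the task starts",
         "Tool refuses to open prototype files", "Fall back to paper prototypes"),
]

if __name__ == "__main__":
    print(report(GUI_TASK, GUI_ESTIMATE, GUI_RISKS))
```

Run as a script it prints the register sorted by impact, with the 30-day estimate expanded to the 34.7 days the four exposures add up to; `mark_occurred` is the "identified" step from the slide, flipping a risk to OCCURRED and returning the mitigation text so the status meeting sees both the trigger and the response in one place.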