Risk ManagementCIS 375Bruce R. MaximUM-Dearborn

What is Risk?Risks are potential problems that may affect successful completion of a software project. Risks involve uncertainty and potential losses. Risk analysis and management are intended to help a software team understand and manage uncertainty during the development process.

Risk StrategiesReactive strategiesvery common, also known as fire fightingproject team sets resources aside to deal with problemsteam does nothing until a risk becomes a problemProactive strategiesrisk management begins long before technical work starts, risks are identified and prioritized by importanceteam builds a plan to avoid risks if they can or to minimize risks if they turn into problems

Software Risks - 1Project risksthreaten the project planTechnical risksthreaten product quality and the timeliness of the schedule Business risksthreaten the viability of the software to be built (market risks, strategic risks, management risks, budget risks)

Software Risks - 2Known riskspredictable from careful evaluation of current project plan and those extrapolated from past project experienceUnknown riskssome problems will simply occur without warning

Risk AnalysisRisk identificationRisk projectionimpact of risks/likelihood of risk actually happeningRisk assessmentwhat will change if risk becomes problemRisk management

Risk IdentificationProduct-specific risksthe project plan and software statement of scope are examined to identify any special characteristics of the product that may threaten the project planGeneric risksare potential threats to every software productproduct sizecustomer characteristicsdevelopment environmenttechnology to be built

Risk ProjectionThe risk drivers affecting each risk component are classified according to their impact categorypotential consequences of each undetected software fault or unachieved project outcome are described

Risk ImpactRisk componentsperformancecostsupportscheduleRisk impactnegligiblemarginalcriticalcatastrophic

Risk EstimationEstablish a scale indicating perceived likelihood of risk occurringDetermine consequences.Estimate impact of consequences on project (for each risk).Note overall accuracy of risk projection (to avoid misunderstandings).

Risk Table Construction - 1List all risks in the first column of the tableClassify each risk and enter the category label in column twoDetermine a probability for each risk and enter it into column threeEnter the severity of each risk (negligible, marginal, critical, catastrophic) in column four.

Risk Table Construction - 2Sort the table by probability and impact valueDetermine the criteria for deciding where the sorted table will be divided into the first priority concerns and the second priority concernsFirst priority concerns must be managed (a fifth column can be added to contain a pointer into the RMMM document)

Risk Assessment - 1Define referent levels for each project risk that can cause project termination performance degradationcost overrunsupport difficultyschedule slippageAttempt to develop a relationship between each risk triple (risk, probability, impact) and each of the reference levels.

Risk Assessment - 2Predict the set of referent points that define a region of termination, bounded by a curve or areas of uncertainty.Try to predict how combinations of risks will affect a referent level

Project Termination

Risk RefinementProcess of restating the risks as a set of more detailed risks that will be easier to mitigate, monitor, and manage.CTC (condition-transition-consequence) format may be a good representation for the detailed risks (e.g. given that then there is a concern that (possibly) ).

RMMM - 1Risk mitigationproactive planning for risk avoidanceRisk monitoringassessing whether predicted risks occur or notensuring risk aversion steps are being properly appliedcollect information for future risk analysisdetermining which risks caused which problems

RMMM - 2Risk Managementcontingency planningactions to be taken in the event that mitigation steps have failed and the risk has become a live problem

Risk Mitigation ExampleRisk: loss of key team membersDetermine causes of job turnover.Eliminate causes before project starts.After project starts, assume turnover is going to occur and work to ensure continuity.Make sure teams are organized and distribute information widely.Define documentation standards and be sure documents are produced in a timely manner.Conduct peer review of all work.Define backup staff.

Risk Information SheetsAlternative to RMMM plan in which each risk is documented individually.Often risk information sheets (RIS) are maintained using a database system. RIS componentsrisk id, date, probability, impact, descriptionrefinement, mitigation/monitoringmanagement/contingency/trigger statusoriginator, assigned staff member

Safety and HazardsRisks are also associated with software failures that occur in the field after the development project has ended.Computers control many mission critical applications today (weapons systems, flight control, industrial processes, etc.).Software safety and hazard analysis are quality assurance activities that are of particular concern for these types of applications