Post on 10-Jul-2020
1
Paper 130-29
Risk Management for Software ProjectsTom DeMarco, The Atlantic Systems Guild, Camden, ME
ABSTRACTRisk management is project management for adults. It guides project managers to focus specifically on what can go wrong, instead the more usual "if everything goes as planned" approach. The benefits of risk management include these:
• it enables aggressive risk-taking• it protects management from being blind-sided• it provides minimum cost downside protection
In this keynote, Tom DeMarco lays out the basics of a risk-focused strategy and provides clear guidelines for its implementation.
SUGI 29 Planning, Development and Support
Copyright © 2004 by Tom DeMarco: The Atlantic Systems Guild
Risk Managementfor Software
Projects
SUGI2004: Montreal, May 10, 2004
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
RISK MANAGEMENT . . .RISK MANAGEMENT . . .RISK MANAGEMENT . . .RISK MANAGEMENT . . .RISK MANAGEMENT . . .nothing but the beef:
three reasons why you bother
one key tool
use of monte-carlo simulation
one metric to track (late) risk manifestation
a useful pattern from the past
a scary but wonderful observation
the did-we-really-do-it? test
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
You’re blind-sided by a risk that’s happened a
thousand times before.
You have no infrastructure in place to deal
with a risk when it materializes.
You don’t have a useful (early) transition
indicator.
RISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIES
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
DENVER INTERNATIONAL AIRPORTDENVER INTERNATIONAL AIRPORTDENVER INTERNATIONAL AIRPORTDENVER INTERNATIONAL AIRPORTDENVER INTERNATIONAL AIRPORT
The automated baggage handling system:
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
D.I.A. PROJECT: CRITICAL PATHD.I.A. PROJECT: CRITICAL PATHD.I.A. PROJECT: CRITICAL PATHD.I.A. PROJECT: CRITICAL PATHD.I.A. PROJECT: CRITICAL PATH
Baggage Handling Software
.
.
Integration testing
.
Acceptance & signoff
Airport opening
1993 1994 1995
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
You’re blind-sided by a risk that’s happened a
thousand times before.
You have no infrastructure in place to deal
with a risk when it materializes.
You don’t have a useful (early) transition
indicator.
RISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIESRISK MANAGEMENT ATROCITIES
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
1. You have zero chance of
delivering before January of
next year.
2. My best guess is you’ll be
done around April 1st . . .
3. but to be at least 50% sure,
you’d better advertise a date
of May 1 or later.
4. To be 100% safe, you’d have to
allow for delivery as late as
end of next year.
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
RISK DIAGRAM:RISK DIAGRAM:RISK DIAGRAM:RISK DIAGRAM:RISK DIAGRAM:
A risk diagram shows explicitly how uncertain we are about
delivery date (or anything else).
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:
Effort
Size in (for example) Function Points
20,000 FP
52 person months
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
40 52 70
Effort
(Person Months)
SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:SENSIBLE RISK MANAGEMENT:
Delivery Date
6/2000 11/2000
9/2000
“The project will take this much time.”
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
RISK DIAGRAMS IN USE:RISK DIAGRAMS IN USE:RISK DIAGRAMS IN USE:RISK DIAGRAMS IN USE:RISK DIAGRAMS IN USE:
Risk
Modeling
ProcessSources of
UncertaintyResultant
Uncertainty
Delivery Date
Size Inflation
Productivity
Variation
etc.
Flaw in size
estimate
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
Alpha Platform: Project Simulation (500 Runs)
0
1 0
2 0
3 0
4 0
5 0
6 0
7 0
8 0
9 0
1 0 021
-FE
B-0
4
3-JU
N-0
4
15-S
EP
-04
27-D
EC
-04
9-A
PR
-05
21-J
UL
-05
3-N
OV
-05
15-F
EB
-06
27-M
AY
-06
9-S
EP
-06
CA
NC
EL
LE
D
Completion Date
Nu
mb
er o
f In
stan
ces
in R
ange
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
Alpha Platform ProjectEarned Value Demonstrated by Versions Running
-
2.00
4.00
6.00
8.00
10.00
12.00
14.00
16.00
18.00
Jun-01 Dec-01 Jun-02 Dec-02 Jun-03 Dec-03 Jun-04 Dec-04
Calendar Date
Earn
ed V
alu
e (R
un
nin
g) i
n M
illi
on
s
Expected Version AcceptanceDate
Actual Version AcceptanceDate
September 22, 2003
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SCARY BUT WONDERFUL OBSERVATION:SCARY BUT WONDERFUL OBSERVATION:SCARY BUT WONDERFUL OBSERVATION:SCARY BUT WONDERFUL OBSERVATION:SCARY BUT WONDERFUL OBSERVATION:
The real reason we need to do risk
management is not to avoid risks,
but to enable aggressive risk-taking.
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
THE FIVE CORE RISKSTHE FIVE CORE RISKSTHE FIVE CORE RISKSTHE FIVE CORE RISKSTHE FIVE CORE RISKS
The following five risks are common to all high-
tech projects:
Size inflation
Original estimate flaw
Personnel turnover
Failure to concur (breakdown among the
interested parties)
Productivity variation
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
1. Is there a census of risks with at least 10-20 risks on it?
2. Is each risk quantified as to probability and cost and
schedule impact?
3. Is there at least one early transition indicator associated
with each risk?
THE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISK
MANAGEMENT” TESTMANAGEMENT” TESTMANAGEMENT” TESTMANAGEMENT” TESTMANAGEMENT” TEST
(in six parts):
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
THE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISKTHE “ARE WE REALLY DOING RISK
MANAGEMENT” TEST (CONTINUED)MANAGEMENT” TEST (CONTINUED)MANAGEMENT” TEST (CONTINUED)MANAGEMENT” TEST (CONTINUED)MANAGEMENT” TEST (CONTINUED)
4. Does the census include the core risks indicated by
past industry experience?
5. Are risk diagrams used widely to specify both the
causal risks as well as the net result (schedule and
cost) risks?
6. Is the scheduled delivery date significantly different
from the best-case scenario?
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort
SU
GI 29
Plan
nin
g, D
evelop
men
t and
Su
pp
ort