Paper 130-29
Risk Management for Software Projects
Tom DeMarco, The Atlantic Systems Guild, Camden, ME
ABSTRACT
Risk management is project management for adults. It guides project managers to focus specifically on what can go wrong, instead of the more usual "if everything goes as planned" approach. The benefits of risk management include these:
• it enables aggressive risk-taking
• it protects management from being blind-sided
• it provides minimum cost downside protection
In this keynote, Tom DeMarco lays out the basics of a risk-focused strategy and provides clear guidelines for its implementation.
SUGI 29 Planning, Development and Support
Copyright © 2004 by Tom DeMarco: The Atlantic Systems Guild
Risk Management for Software Projects
SUGI2004: Montreal, May 10, 2004
RISK MANAGEMENT . . .
nothing but the beef:
three reasons why you bother
one key tool
use of monte-carlo simulation
one metric to track (late) risk manifestation
a useful pattern from the past
a scary but wonderful observation
the did-we-really-do-it? test
RISK MANAGEMENT ATROCITIES
You’re blind-sided by a risk that’s happened a thousand times before.
You have no infrastructure in place to deal with a risk when it materializes.
You don’t have a useful (early) transition indicator.
DENVER INTERNATIONAL AIRPORT
The automated baggage handling system:
D.I.A. PROJECT: CRITICAL PATH
[Figure: critical path chart on a 1993 to 1995 time axis, showing Baggage Handling Software, Integration testing, Acceptance & signoff, and Airport opening.]
1. You have zero chance of delivering before January of next year.
2. My best guess is you’ll be done around April 1st . . .
3. but to be at least 50% sure, you’d better advertise a date of May 1 or later.
4. To be 100% safe, you’d have to allow for delivery as late as end of next year.
RISK DIAGRAM:
A risk diagram shows explicitly how uncertain we are about delivery date (or anything else).
SENSIBLE RISK MANAGEMENT:
[Figure: Effort plotted against Size in (for example) Function Points, with the point 20,000 FP, 52 person months marked.]
SENSIBLE RISK MANAGEMENT:
[Figure: two risk diagrams. Effort (Person Months) with 40, 52 and 70 marked; Delivery Date with 6/2000, 9/2000 and 11/2000 marked.]
“The project will take this much time.”
RISK DIAGRAMS IN USE:
[Figure: Sources of Uncertainty (Size Inflation, Productivity Variation, Flaw in size estimate, etc.) feed a Risk Modeling Process, which produces the Resultant Uncertainty in Delivery Date.]
Alpha Platform: Project Simulation (500 Runs)
[Figure: histogram of Number of Instances in Range (0 to 100) against Completion Date, from 21-FEB-04 to 9-SEP-06, with a final CANCELLED bucket.]
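The risk modeling process sketched on the two slides above, as an added example that is not from the original deck: each run draws the effort from the 40 / 52 / 70 person-month range, scales it by the named sources of uncertainty, and the 500 runs are bucketed into a risk diagram. The triangular distributions, the multiplier ranges, the team size and all function names are assumptions made for illustration.

```python
import random

# Effort range from the risk diagram slide: 40 / 52 / 70 person-months
# (read here as best case / most likely / worst case).
EFFORT_PM = (40.0, 52.0, 70.0)
# Constructed multipliers (low, most likely, high) for the sources of
# uncertainty named on the slide; the deck gives no numbers for them.
SOURCES = {
    "size_inflation": (1.0, 1.1, 1.5),
    "productivity_variation": (0.8, 1.0, 1.4),
    "size_estimate_flaw": (0.9, 1.0, 1.3),
}
TEAM_SIZE = 4  # assumed head count, converts person-months to months

def simulate(runs=500, seed=29):
    """Return sorted project durations in months, one per simulated run."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    durations = []
    for _ in range(runs):
        low, mode, high = EFFORT_PM
        effort = rng.triangular(low, high, mode)
        for lo, md, hi in SOURCES.values():
            effort *= rng.triangular(lo, hi, md)
        durations.append(effort / TEAM_SIZE)
    return sorted(durations)

def percentile(durations, p):
    """Duration that a fraction p of the sorted runs finish within."""
    return durations[min(len(durations) - 1, int(p * len(durations)))]

def risk_diagram(durations, bucket=2.0):
    """Histogram: bucket start (months) -> number of instances in range."""
    hist = {}
    for d in durations:
        start = int(d // bucket) * bucket
        hist[start] = hist.get(start, 0) + 1
    return dict(sorted(hist.items()))

def summary(durations):
    """The figures a schedule commitment is read from."""
    return {
        "best_case": durations[0],
        "p50": percentile(durations, 0.50),
        "p90": percentile(durations, 0.90),
        "worst_seen": durations[-1],
    }

if __name__ == "__main__":
    results = simulate()
    print(summary(results))
    for start, count in risk_diagram(results).items():
        print(f"{start:5.1f}+ months {'#' * count}")
```

The gap between `best_case` and `p50` in the summary is what part 6 of the test at the end of the deck asks about: a scheduled date set at the best case carries almost no chance of being met.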
Alpha Platform Project: Earned Value Demonstrated by Versions Running
[Figure: Earned Value (Running) in Millions (0 to 18.00) against Calendar Date (Jun-01 to Dec-04), with series Expected Version Acceptance Date and Actual Version Acceptance Date; labelled September 22, 2003.]
SCARY BUT WONDERFUL OBSERVATION:
The real reason we need to do risk management is not to avoid risks, but to enable aggressive risk-taking.
THE FIVE CORE RISKS
The following five risks are common to all high-tech projects:
Size inflation
Original estimate flaw
Personnel turnover
Failure to concur (breakdown among the interested parties)
Productivity variation
THE “ARE WE REALLY DOING RISK MANAGEMENT” TEST
(in six parts):
1. Is there a census of risks with at least 10-20 risks on it?
2. Is each risk quantified as to probability and cost and schedule impact?
3. Is there at least one early transition indicator associated with each risk?
THE “ARE WE REALLY DOING RISK MANAGEMENT” TEST (CONTINUED)
4. Does the census include the core risks indicated by past industry experience?
5. Are risk diagrams used widely to specify both the causal risks as well as the net result (schedule and cost) risks?
6. Is the scheduled delivery date significantly different from the best-case scenario?