Risk management in Software Risk management in Software EngineeringEngineering

TTerm Papererm Paper

ByBy Praveenkumar SammitaPraveenkumar Sammita

CSC532CSC532

INTRODUCTIONINTRODUCTION

What is Risk?What is Risk?

A Risk is a possibility of suffering harm or A Risk is a possibility of suffering harm or loss or danger.loss or danger.

What is Risk management?What is Risk management?

It’s a software engineering practice with It’s a software engineering practice with processes, methods and tools for processes, methods and tools for managing risks in a project.managing risks in a project.

What is the need for Risk management?What is the need for Risk management?

Software development involvesSoftware development involves New technologyNew technology Challenging or unknown requirementsChallenging or unknown requirements tight schedulestight schedules All these makes the software project prone to several types of All these makes the software project prone to several types of

risk.risk. After the risks are identified, Risk management develops plans for After the risks are identified, Risk management develops plans for

mitigating risk before they sabotage the projects.mitigating risk before they sabotage the projects.

Implementing Risk managementImplementing Risk management

Steps involved in implementing risk managementSteps involved in implementing risk management

Identify new risksIdentify new risks Evaluate new risksEvaluate new risks Classify new risksClassify new risks Prioritize new risksPrioritize new risks Planning Risk mitigationPlanning Risk mitigation Tracking Risks and mitigation plansTracking Risks and mitigation plans Reviewing and adjusting mitigation plansReviewing and adjusting mitigation plans

1010 55 55

Installation of risk managementInstallation of risk management

Identify new risksIdentify new risks

write down the risk and make them visible to all.write down the risk and make them visible to all.

A risk can be caused byA risk can be caused by• Diminished quality of the productDiminished quality of the product• Increased costsIncreased costs• Delayed completionDelayed completion• Total program failureTotal program failure

Don’t depend on managers to recognize and articulate all possible Don’t depend on managers to recognize and articulate all possible problems.problems.

Make a large list of 100 or more analyzed and priority-ordered risk Make a large list of 100 or more analyzed and priority-ordered risk statementsstatements

Evaluate new risksEvaluate new risks

A risk should be quantified by its probability and impact.A risk should be quantified by its probability and impact.

Assess the probability of a future event and estimate its Assess the probability of a future event and estimate its cost.cost.

Don’t make a detailed quantitative assessment of Don’t make a detailed quantitative assessment of probability and impact for one risk.probability and impact for one risk.

An effective way is to avoid early quantification of impact An effective way is to avoid early quantification of impact and probability unless the risk has a significant impact on and probability unless the risk has a significant impact on the program.the program.

Classify new risksClassify new risks

Classify or group risks statements in to categories based Classify or group risks statements in to categories based on shared characteristics can help us solve global risks.on shared characteristics can help us solve global risks.

With a single risk,With a single risk,• A configuration manager might see an aspect that affect A configuration manager might see an aspect that affect

configuration management.configuration management.

• A software engineer might see an aspect that affects A software engineer might see an aspect that affects component quality.component quality.

• A project manager might see an aspect that affects the A project manager might see an aspect that affects the customer.customer.

Prioritize new risksPrioritize new risks

The organization should deal with the most The organization should deal with the most important risks first and should decide how many important risks first and should decide how many of these it has the resources to mitigate.of these it has the resources to mitigate.

A group’s weekly prioritization of the top n risks results in A group’s weekly prioritization of the top n risks results in constant thrashing and some risks move on and off the constant thrashing and some risks move on and off the priority list such that the action on the most important risk priority list such that the action on the most important risk will be taken first to avoid the sabotage of the whole will be taken first to avoid the sabotage of the whole project.project.

Planning Risk mitigationPlanning Risk mitigation

To mitigate a risk, the goal and constraints must To mitigate a risk, the goal and constraints must be known. be known.

We can use problem solving and analytical We can use problem solving and analytical techniques to develop strategies and guide our techniques to develop strategies and guide our actions. Resolution can be a single action item actions. Resolution can be a single action item or a complex, long range prototyping effort. or a complex, long range prototyping effort.

Mitigation plans can be action item lists or the Mitigation plans can be action item lists or the equivalent of task plans. equivalent of task plans.

Tracking risks and mitigation Tracking risks and mitigation plansplans

Documentation of risks like in spreadsheets Documentation of risks like in spreadsheets summarize the project’s risks well.summarize the project’s risks well.

For important risks, we may need backup data.For important risks, we may need backup data.

Complex tracking reports are needed for critical Complex tracking reports are needed for critical risks.risks.

An effective portrayal of risk exposure vs time is An effective portrayal of risk exposure vs time is the mitigation status report, to monitor mitigation the mitigation status report, to monitor mitigation progress on critical risk.progress on critical risk.

Reviewing and adjusting Reviewing and adjusting mitigation plansmitigation plans

Controlling a risk involvesControlling a risk involves

Altering the mitigation strategy when it becomes ineffective.Altering the mitigation strategy when it becomes ineffective.

Taking action on a risk that becomes important enough to require Taking action on a risk that becomes important enough to require mitigation.mitigation.

Taking a preplanned contingency action.Taking a preplanned contingency action.

Dropping to a watch-only mode at a specific threshold.Dropping to a watch-only mode at a specific threshold.

Closing the risk when it no longer exists.Closing the risk when it no longer exists.

Risk and mitigation plan Risk and mitigation plan databasedatabase

Information is only useful if it’s accessible and easy to Information is only useful if it’s accessible and easy to understand.understand.

Its very effective to to use electronic databases to Its very effective to to use electronic databases to implement and support risk management.implement and support risk management.

It requires extra effort and time to set up a database It requires extra effort and time to set up a database when compared to paper-based risk documentation when compared to paper-based risk documentation systems.systems.

Integrating risk data with other types of data such as Integrating risk data with other types of data such as problem and safety reports will present risk data in a problem and safety reports will present risk data in a meaningful way to users.meaningful way to users.

ConclusionConclusion

So, An effective risk management focusses on avoiding So, An effective risk management focusses on avoiding future problems rather than solving the current ones.future problems rather than solving the current ones.

With effective risk management, people recognize and With effective risk management, people recognize and deal with potential problems daily before they occur and deal with potential problems daily before they occur and produce the finest product they can within the budget produce the finest product they can within the budget and schedule constraints.and schedule constraints.

People and workgroups understand that they are People and workgroups understand that they are building just one end product and have a shared vision of building just one end product and have a shared vision of a successful outcome.a successful outcome.

ReferencesReferences

Risk management for software projects. Fairley, R.;Risk management for software projects. Fairley, R.; Software, IEEE , Volume: 11 , Issue: 3 , May 1994 Pages:57 - 67Software, IEEE , Volume: 11 , Issue: 3 , May 1994 Pages:57 - 67

Managing commitments and risks: challenges in distributed agile Managing commitments and risks: challenges in distributed agile development Kontio, J.; Hoglund, M.Ryden,J.; Abrahamsson,P.; development Kontio, J.; Hoglund, M.Ryden,J.; Abrahamsson,P.; Software Engineering, 2004. ICSE 2004. Proceedings. 26th Software Engineering, 2004. ICSE 2004. Proceedings. 26th International Conference on , 23-28 May 2004 Pages:732 - 733International Conference on , 23-28 May 2004 Pages:732 - 733

Putting risk management into practice. Williams, R.C.; Walker, J.A.; Putting risk management into practice. Williams, R.C.; Walker, J.A.; Dorofee, A.J.; Software, IEEE ,Volume: 14 , Issue: 3 , May-June Dorofee, A.J.; Software, IEEE ,Volume: 14 , Issue: 3 , May-June 1997 Pages:75 - 821997 Pages:75 - 82

Thank You!Thank You!

Any Questions?Any Questions?