Software Development Risk Taxonomy

Compiled by Phil Robinson, Lonsdale Systems, www.lonsdalesystems.com


Page 2: Risk Areas

© Lonsdale Systems www.lonsdalesystems.com

[Diagram of the six risk areas: Product, Technology, Project, Enterprise, Contract and Environment]

Product: Risks related to the software product that is being acquired, developed, configured, tested, deployed and/or retired.

Technology (1): Risks related to the technology used to implement the software product or the platforms on which it is deployed.

Project: Risks related to a project that supplies, acquires, develops, configures, tests, deploys and/or retires the software product.

Enterprise: Risks related to the organisation that is supplying, acquiring, developing, configuring, testing, deploying and/or retiring a software product.

Contract: Risks related to legal agreements to supply, acquire, develop, configure, test, deploy and/or retire a software product.

Environment: Risks related to the external environment in which enterprises operate and projects are conducted.

(1) These risks relate to the technology used to implement a software product or the platforms on which it is deployed. Risks related to technology in the external environment in which enterprises operate and projects are conducted are covered under the Environment risk area (see footnote 3).

Page 3: Product

[Diagram of the Product risk area: Product Type, Size, Complexity, Criticality, Requirements, Quality of Requirements, Stability of Requirements, Architecture and Product Quality]

Product type: Risks inherent to the type of product – embedded software, real-time system, commercial software product, mobile application or business system.

Size: Risks related to the size of the product – extensive functionality (2), large volume of code, many components and/or interfaces, large volume of data.

Complexity: Risks related to the complexity of the product – complex calculations and algorithms, complex state changes with many states and/or transitions, complex interfaces or complex databases with many data entities and/or relationships.

Criticality: Risks related to the impact of product failures – disruption of business operations, financial loss, loss of property, injury and/or loss of life.

Requirements: Risks related to the need for efficiency – fast execution time, short response time, high transaction throughput, high frequency of database access, fast database access and/or real-time performance requirements.

Risks related to ease of use, human factors and/or quality of user documentation.

Risks related to security – the need to prevent unauthorized access to and/or use of the product.

Risks related to the need for reliability – long time between failures, high availability and/or ease of recovery.

Risks related to the need for the software to fail in a safe manner, avoiding damage to property, injury and/or loss of life.

Risks related to the reuse of components – use of existing components and/or development of new reusable components.

Risks related to the deployment of the product – ease of testing, support and/or maintenance.

Risks related to the need to deploy the product on multiple platforms and/or the future migration of the product to a new platform.

(2) Functionality can be measured by counting the number of requirements, function points, use case points, story points or some similar measure of functionality.

Page 4: Product (continued)

Quality of requirements: Risks related to the quality of requirements – incomplete, out of date, inconsistent, incorrect, not feasible, difficult to modify, not ranked, not traceable, ambiguous, impossible to verify and/or no requirements at all.

Risks related to incorrect requirements – wrong, undesirable, unneeded and/or ambiguous.

Stability of requirements: Risks related to changing requirements – large volume of changes, frequent changes, large volume of new requirements and/or large number of requirements removed.

Architecture: Risks related to complex architectures – large number of sub-systems, components, interfaces and/or platforms.

Risks related to the integration of the product – difficult to integrate, many sub-systems, insufficient time allowed for integration and/or integration of components from different sources.

Risks related to restrictions on the technology used to implement the product – mandatory use of certain platforms, components and/or development environments.

Risks related to the feasibility of the architecture – insufficient design detail, no “proof of concept” or prototype and/or use of “bleeding edge” technology.

Risks related to the modification of in-house or third party software.

Risks related to the reuse of in-house or third party software.

Product quality: Risks related to the number of known failures.

Risks related to a lack of quality planning, quality control and quality assurance activities.

Page 5: Technology

[Diagram of the Technology risk area: Technology Type, Maturity, Performance, Suitability, Volatility, Difficulty and Tools]

Technology type: Risks inherent to the type of technology used to implement the software product or the platforms on which it is deployed.

Maturity: Risks related to a technology that has been in use for only a short period of time.

Performance: Risks related to poor performance of hardware, firmware, system software, middleware and/or networks.

Suitability: Risks related to unsuitable technology.

Volatility: Risks related to technology changes – large number and/or high frequency of changes.

Difficulty: Risks related to technology that is difficult to understand and/or use.

Tools: Risks related to poor technology tools – development environments, testing, modelling and/or other tools.

Risks related to the usability of the tools.

Risks related to the reliability of the tools.

Risks related to vendor support for the tools.

Page 6: Project

[Diagram of the Project risk area: Project Type, Project Process, Schedule, Budget, Project Management, Project Team, Project Locations, Project Facilities and External Influences]

Project type: Risks inherent to the type of project – new development, maintenance, modification, conversion or reengineering.

Project process: Risks inherent to the project process – highly formal, excessive “ceremony”, unsuitable, immature, inflexible, inefficient and/or ineffective.

Risks related to process monitoring, compliance and control.

Risks related to a lack of risk reduction activities.

Risks related to the project team’s familiarity with and/or training in the process.

Schedule: Risks related to an unrealistic or unachievable schedule and/or a schedule not based on past performance.

Risks related to arbitrarily imposed milestones and deadlines.

Risks related to unrealistic “compression” of the schedule.

Risks related to the inability to revise the schedule.

Budget: Risks related to an insufficient budget.

Risks related to the inability to revise the budget.

Project management: Risks related to poor project planning, monitoring and/or control.

Risks related to a lack of formal project planning techniques and/or methodologies.

Risks related to a lack of clarity in project roles and reporting relationships and/or to the intensity of politics.

Page 7: Project (continued)

Project team: Risks related to a large and/or inexperienced team.

Risks related to a lack of mentoring and/or use of external expertise.

Risks related to inappropriate assignment of staff to roles.

Risks related to staffing shortfalls, lack of staff continuity, staff attrition and/or staff turnover.

Risks related to a lack of skills and experience with the selected technology and/or inability to act in required project roles.

Risks related to poor team cohesion, lack of cooperation, poor communication, low morale and/or excessive politics.

Project locations: Risks related to multiple team locations and/or international team locations.

Project facilities: Risks related to insufficient non-technical resources and/or facilities.

External influences: Risks related to the need for a high level of interaction between project staff, customers and contractors.

Risks related to externally driven decisions forced onto the project team.

Page 8: Enterprise

[Diagram of the Enterprise risk area: Software Products, Technologies, Projects, Contracts, Experience, General Management, Staff and Process Maturity]

Software products: Risks related to the enterprise’s ability to manage the inherent risks associated with the types of software product it acquires, develops, configures, tests, deploys and/or retires.

Technologies: Risks related to the enterprise’s ability to manage the inherent risks associated with the types of technology it employs.

Projects: Risks related to the enterprise’s ability to manage the inherent risks associated with the types of project it executes.

Contracts: Risks related to the enterprise’s ability to manage the inherent risks associated with the types of contract it enters into.

Experience: Risks related to a lack of enterprise experience with specific types of software product, technology, project and/or contract.

Risks related to a lack of enterprise experience with software products that are large, complex or critical, have complex architectures and/or have inadequate or volatile requirements.

Risks related to a lack of enterprise experience with technologies that are immature, suffer from poor performance, are unsuitable, volatile or difficult to use and/or suffer from a lack of suitable tools.

General management: Risks related to general (non-project) management – poor skills, poor understanding of technology and projects and/or a lack of experience.

Risks related to a lack of well-defined performance criteria, measurement and/or reporting mechanisms.

Risks related to management culture, enterprise politics and/or tendencies to “micro” manage.

Page 9: Enterprise (continued)

Staff: Risks related to a lack of skills and experience in the human resource management area.

Risks related to staff availability, shortfalls, continuity, attrition and/or turnover.

Risks related to staff capability, experience, skills and/or training.

Risks related to a lack of staff experience with the types of product and/or technology.

Risks related to enterprise culture, ethics, morale and/or politics.

Process maturity: Risks related to the capability of technical, management and support processes.

Risks related to a lack of resources devoted to process management.

Page 10: Contract

[Diagram of the Contract risk area: Contract Type, Formality, Performance Criteria, Customer Interaction, Contractor Interaction and Technology Restrictions]

Contract type: Risks inherent to the type of contract – time and materials, fixed price or cost plus.

Risks related to the need for excessive documentation and/or unnecessary activities.

Formality: Risks related to the formality of the agreement – informal, semi-formal, or commercially or legally enforceable.

Performance criteria: Risks related to progress reporting and/or correction of shortfalls in performance.

Risks related to progress, penalty and/or bonus payments.

Risks related to the contractor’s capabilities and/or responsiveness to customer needs.

Customer interaction: Risks related to multiple customers and/or customer locations.

Risks related to customer feedback, communication and/or support.

Risks related to the time required for customer approvals.

Contractor interaction: Risks related to multiple contractors and/or sub-contractors.

Risks related to remote and/or offshore contractor locations.

Risks related to the level of required interaction between contractors.

Risks related to contractor involvement in critical project activities and decisions.

Technology restrictions: Risks related to restrictions on the use of technology – mandated components, tools or development environments.

Page 11: Environment

[Diagram of the Environment risk area: Political, Economic, Social, Technology, Legal and Environmental]

Political: Risks related to the adverse effect of proposed laws, legislation and/or regulations.

Risks related to the adverse effect of proposed new or changed trade restrictions, tariffs and/or subsidies.

Risks related to the adverse effect of proposed new or changed privacy laws, data retention restrictions and/or network access restrictions.

Risks related to the adverse effect of proposed new or changed governing bodies and/or need for compliance.

Risks related to the adverse effect of proposed new and/or changed software licensing agreements.

Risks related to the adverse effect of proposed new or changed copyright and/or intellectual property laws.

Economic: Risks related to business activity expansion and/or contraction.

Risks related to an adverse rate of inflation and/or deflation.

Risks related to adverse trends in cost of staff, office space, software licences, hardware and/or network access.

Risks related to poor availability of office space, third-party software, hardware and/or network access.

Social: Risks related to poor customer, supplier and/or partner relationships.

Risks related to the negative influence of social networks.

Risks related to excessive lifestyle expectations.

Risks related to poor standards of individual ethics and career attitude.

Risks related to poor standards of professional and corporate ethics.

Risks related to adverse influence of national, industry, corporate and team culture.

Page 12: Environment (continued)

Technology (3): Risks related to the fast pace of technological change.

Risks related to adoption of new technologies.

Risks related to premature obsolescence of established technologies.

Risks related to impending obsolescence of technologies approaching the end of their useful life.

Risks related to continued use of legacy technologies.

Risks related to poor vendor and/or community support for new, established and/or legacy technologies.

Legal: Risks related to the adverse effect of existing laws, legislation and/or regulations.

Risks related to adverse effect of existing trade restrictions, tariffs and/or subsidies.

Risks related to adverse effect of existing privacy laws, data retention restrictions and/or network access restrictions.

Risks related to adverse effect of existing regulatory bodies and/or need for compliance.

Risks related to adverse effect of existing software licensing agreements.

Risks related to adverse effect of existing copyright and/or intellectual property laws.

Environmental: Risks related to the adverse environmental impact of packaging and/or consumables.

Risks related to the handling, disposal and recycling of hazardous materials.

Risks related to the adverse effect of regulations, taxes and costs related to preserving the natural environment.

Risks related to the adverse effect of regulations, taxes and costs related to climate change and carbon reduction.

(3) These risks relate to technology in the external environment in which enterprises operate and projects are conducted. Risks related to the technology used to implement a software product or the platforms on which it is deployed are covered in the Technology risk area.
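The following is an added example and is not part of the Lonsdale Systems document. It encodes the six risk areas and their elements listed above as a Python dictionary and runs a constructed risk register against it: every entry must name a valid area and element; entries whose wording points at the other of the two “Technology” categories (footnotes 1 and 3) are flagged for review; exposure is summed per area; and elements with no identified risk are listed, which is the coverage check that taxonomy-based risk identification relies on. The register field names, the 0..1 probability and 1..5 impact scales, the keyword hints and the exposure formula (probability times impact, after Boehm) are assumptions of this example, not part of the taxonomy.

```python
"""Taxonomy-based check of a software risk register.

Added example, not part of the Lonsdale Systems document. TAXONOMY encodes the
areas and elements of the taxonomy. Field names, the 0..1 probability and 1..5
impact scales, the keyword hints and exposure = probability * impact (Boehm's
risk exposure) are assumptions of this example.
"""
from collections import defaultdict

TAXONOMY = {
    "Product": ["Product type", "Size", "Complexity", "Criticality", "Requirements",
                "Quality of requirements", "Stability of requirements", "Architecture",
                "Product quality"],
    "Technology": ["Technology type", "Maturity", "Performance", "Suitability",
                   "Volatility", "Difficulty", "Tools"],
    "Project": ["Project type", "Project process", "Schedule", "Budget", "Project management",
                "Project team", "Project locations", "Project facilities", "External influences"],
    "Enterprise": ["Software products", "Technologies", "Projects", "Contracts",
                   "Experience", "General management", "Staff", "Process maturity"],
    "Contract": ["Contract type", "Formality", "Performance criteria", "Customer interaction",
                 "Contractor interaction", "Technology restrictions"],
    "Environment": ["Political", "Economic", "Social", "Technology", "Legal", "Environmental"],
}

# Footnotes 1 and 3: "Technology" is both an area (implementation technology and
# deployment platforms) and an Environment element (technology in the external
# environment). These keyword lists are an assumed heuristic that only flags an
# entry for human review; nothing is reclassified automatically.
IMPLEMENTATION_HINTS = ("framework", "library", "compiler", "runtime", "platform", "database")
EXTERNAL_HINTS = ("obsolescence", "end of its useful life", "legacy", "pace of change")


def validate_entry(entry):
    """Return a list of problems with one register entry (empty if it is valid)."""
    problems = []
    area, element = entry.get("area"), entry.get("element")
    if area not in TAXONOMY:
        problems.append(f"unknown area {area!r}")
    elif element not in TAXONOMY[area]:
        problems.append(f"unknown element {element!r} in area {area!r}")
    if not isinstance(entry.get("description"), str) or not entry["description"].strip():
        problems.append("missing description")
    probability, impact = entry.get("probability"), entry.get("impact")
    if not isinstance(probability, (int, float)) or not 0.0 <= probability <= 1.0:
        problems.append("probability must be a number in [0, 1]")
    if not isinstance(impact, (int, float)) or not 1 <= impact <= 5:
        problems.append("impact must be a number in [1, 5]")
    return problems


def technology_warning(entry):
    """Flag entries that look filed under the wrong 'Technology' (footnotes 1 and 3), else None."""
    text = entry["description"].lower()
    if (entry["area"], entry["element"]) == ("Environment", "Technology") and any(
            hint in text for hint in IMPLEMENTATION_HINTS):
        return "describes implementation technology or platforms; consider the Technology area (footnote 1)"
    if entry["area"] == "Technology" and any(hint in text for hint in EXTERNAL_HINTS):
        return "describes the external technology environment; consider Environment / Technology (footnote 3)"
    return None


def check_register(register):
    """Validate a register; return errors, warnings, exposure per area and uncovered elements."""
    errors, warnings = [], []
    exposure = defaultdict(float)
    covered = set()
    for index, entry in enumerate(register):
        problems = validate_entry(entry)
        if problems:
            errors.extend(f"entry {index}: {problem}" for problem in problems)
            continue  # an invalid entry contributes nothing to exposure or coverage
        warning = technology_warning(entry)
        if warning:
            warnings.append(f"entry {index}: {warning}")
        exposure[entry["area"]] += entry["probability"] * entry["impact"]
        covered.add((entry["area"], entry["element"]))
    # Elements with no identified risk: either the taxonomy walk-through skipped them
    # or they were judged not applicable; both need a recorded decision.
    uncovered = [(area, element) for area, elements in TAXONOMY.items()
                 for element in elements if (area, element) not in covered]
    return {"errors": errors, "warnings": warnings, "exposure": dict(exposure), "uncovered": uncovered}


# Constructed register for this example, not data from the document.
SAMPLE_REGISTER = [
    {"area": "Product", "element": "Requirements", "probability": 0.6, "impact": 5,
     "description": "Customer records need protection from unauthorized access; no threat model yet"},
    {"area": "Project", "element": "Schedule", "probability": 0.8, "impact": 3,
     "description": "Release date fixed before estimation was done"},
    {"area": "Environment", "element": "Technology", "probability": 0.4, "impact": 3,
     "description": "Chosen web framework has a small contributor base"},  # footnote 1 case
    {"area": "Technology", "element": "Maturity", "probability": 0.5, "impact": 4,
     "description": "Runtime reaches end of its useful life next year; vendor announced obsolescence"},
    {"area": "Contract", "element": "Penalties", "probability": 0.3, "impact": 4,
     "description": "Late-delivery penalty clause"},  # "Penalties" is not a taxonomy element
]

if __name__ == "__main__":
    result = check_register(SAMPLE_REGISTER)
    for line in result["errors"] + result["warnings"]:
        print(line)
    for area, value in sorted(result["exposure"].items(), key=lambda item: -item[1]):
        print(f"{area:12s} exposure {value:.1f}")
    print(f"{len(result['uncovered'])} of {sum(map(len, TAXONOMY.values()))} elements have no identified risk")
```

On the constructed register the check rejects the “Penalties” entry (the Contract area has Performance criteria, not a Penalties element), flags the two Technology entries for review, and reports that 41 of the 45 taxonomy elements have no recorded risk, which is the list a reviewer would walk through with the project team.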

Page 13: Sources

Boehm, Barry W., “Software Risk Management: Principles and Practices”, IEEE Software, January 1991.

Boehm, Barry W., Software Cost Estimation with COCOMO II, Prentice Hall, 2000.

Carr, M., Konda, S., Monarch, I., Ulrich, F., Walker, C., Taxonomy-Based Risk Identification, Software Engineering Institute, 1993.

“Risk Management”, OPEN Process Framework (OPF), http://www.opfro.org.

Jalote, Pankaj, CMM in Practice: Processes for Executing Software Projects at Infosys, Addison-Wesley, 2000.

ISO/IEC 12207, Information Technology – Software Life Cycle Processes, ISO, 1995.

Ginsberg, Mark P., Quinn, Lawrence H., Process Tailoring and the Software Capability Maturity Model, Software Engineering Institute (SEI), 1995.

Practical Software and Systems Measurement (PSM), Version 4.0c, Department of Defense and US Army.

“PEST Analysis”, Wikipedia, http://en.wikipedia.org/wiki/PEST_analysis