Risk Management for Software Development Richard Fairley Colorado Technical University Colorado Springs, Colorado, USA Paul Rook The Center for Software Reliability City University, Northampton Square, London, UK - PowerPoint PPT Presentation

Slides: 35
Provided by: csU73
Learn more at: http://www.cs.ucf.edu
1
Risk Management for Software Development
Richard Fairley, Colorado Technical University, Colorado Springs, Colorado, USA
Paul Rook, The Center for Software Reliability, City University, Northampton Square, London, UK
  • Presented by Ken Waller
  • EEL 6883 Software Engineering II

2
Presentation Agenda
  • Review and Present the Paper
  • Give my Thoughts on the Paper
  • Strengths
  • Weaknesses
  • Suggestions for Improvements
  • Question and Answer Session
  • But feel free to ask questions during the
    presentation, as well

3
Paper Overview
  • Introduction
  • Risk Management vs. Project Management
  • Risk Types
  • Software Development Processes and their
    Relationship to Risk Management
  • Detailed Discussion of Risk Management Procedures
  • Organizational Level Risk Management
  • Conclusions

4
Introduction
  • History
  • 1800s: Origins stem from the concept of Risk
    Exposure (Insurance Industry)
  • 1950s: Some related topics being taught in
    academia (decision theory, probabilistic
    modeling)
  • 1980s: Formal Risk Management used in
    Petrochemical and Construction Industries
  • 1990s: Risk Management becomes an element of
    Software Engineering
  • 1990s to Present: Risk Management applied
    throughout many diverse industries

5
Introduction
  • Definitions
  • Risk: Potential Problem
  • Probability (0.0 to 1.0) (non-inclusive)
  • Loss (risk impact)
  • Quantify: Money, human lives, etc.
  • Qualify: Credibility, trust
  • Problem: Materialized Risk (reality)
  • Resources (time, money, personnel) needed to fix

6
Introduction
  • When risk can be quantified
  • Risk Exposure = probability × impact
  • Example
  • Probability that SW glitch will cause explosion
    = 0.3 (30%)
  • Impact = 5 Human Lives (L)
  • Exposure = 0.3 × 5L = 1.5L

7
Introduction
  • Risks are caused by events
  • Single events
  • Multiple events
  • Continuous events
  • Interdependent events
  • Can be difficult to distinguish cause and effect

8
Introduction
  • Risk Management Overview
  • State outcome that you want to avoid
  • State courses of action that will lead to
    avoidance
  • Find root causes
  • Start with project targets: cost, schedule,
    product (functionality, performance, quality,
    etc.)
  • Risks are associated with targets

9
Introduction
  • Risk Management Procedures: Basic Steps
    (independent of industry or discipline)
  • Risk Assessment
  • Identify Risks
  • Analyze Risks
  • Rate/Rank/Prioritize Risks
  • Risk Control
  • Abate Risks
  • Create Risk Mitigation Plans
  • Apply Plans

10
Introduction
  • Risk Management considerations
  • Constraints
  • External conditions on project targets
  • Estimates
  • Ranges
  • Confidence levels
  • Project Targets (negotiated)
  • Conditional maximum target

11
Conditional Maximum Targets (expanded)
  • Desire to maximize some project attribute
  • Doing so may compromise another

12
Risk Management vs. Project Management
  • Project Management (Classical)
  • Attempts to manage/control risks in traditional
    ways: estimating, planning, scheduling
  • Problem Management
  • Reactive: Difficult choices and risk mitigation
    plans are made only after problems arise

13
Risk Management vs. Project Management
  • Risk Management
  • Attempts to manage/control risks in a more
    focused manner
  • Risk Assessment
  • Identify what may go wrong
  • Assign probabilities
  • Assess negative impact severities
  • Risk Control
  • Create plans to reduce probabilities and/or
    severities
  • Create plans to resolve risks that surface
  • Reassess Risks
  • True management of risks
  • Proactive: Difficult choices and risk mitigation
    plans are made before risks surface

14
Risk Management vs. Project Management
  • Risk Management Augments Project Management
  • Not the same thing
  • Not a replacement
  • Risk Management is not a guarantee
  • Successful projects
  • Overcome problems
  • Do not "never encounter problems"

15
Risk Types
  • Four categories identified
  • Contractual/Environmental: Problems with
    customers or vendors, hindering organizational
    policies, etc.
  • Management/Process: Unclear authorities and
    responsibilities, weak or inadequate processes,
    etc.
  • Personnel: Lack of skills/training, etc.
  • Technical: Requirements creep, inadequate
    testing, etc.
  • Must be correctly typed so the appropriate level
    can address them

16
Risk Types
  • For Risk Control, two categories
  • Generic
  • Common to most/all software projects
  • Methods to abate/control have been developed
    over time
  • Errors in products: handled by V&V, incremental
    testing
  • Communication problems: handled by documentation,
    reviews, and meetings
  • Project Specific
  • Associated with a particular project
  • Covered by the Risk Management Plan, consisting
    of:
  • Action Plans: Decision to engage in a risk
    reduction activity without any further
    consideration (decision has been made)
  • Contingency Plans: Initiate risk reduction
    activity at some future time, if warranted

17
Software Development Processes and their
Relationship to Risk Management
  • The use of a particular software development
    process is an essential risk reduction technique
  • To select an appropriate development process,
    need to understand:
  • Available software development processes
  • Critical Risk Factors associated with the project
    under development

18
Software Development Process Models and their
Relationship to Risk Management
  • Available Software Development Processes
  • COTS: Overlooked requirements match
  • Waterfall: Single Pass
  • Risk Reduction/Waterfall: RR, then Waterfall
  • Capabilities-to-Requirements: Pick COTS, then
    adjust reqs
  • Transform: Tool automates generation of code
  • Evolutionary: Spiral, several passes
  • Prototyping: Low fidelity system
  • Incremental: Add capabilities in each build
  • Design-to-Cost/Schedule: Prune reqs to meet
    schedule/cost

19
Software Development Process Models and their
Relationship to Risk Management
  • Critical Risk Factors
  • Growth: High growth implies risk if using COTS
  • Available Technologies
  • Ill-Defined Requirements: Feedback essential (use
    spiral/incremental)
  • Understanding of Architecture: Low understanding
    implies high risk of top-down approach
  • Robustness: Requires a more rigorous process model
  • Budget/schedule limitations: May be good to use
    design-to-cost/schedule models
  • High-risk system nucleus: May indicate
    spiral/incremental approach

20
Detailed Discussion of Risk Management Procedures
  • Review of Risk Management Procedures
  • Risk Assessment
  • Risk Identification
  • Risk Analysis
  • Risk Prioritization
  • Risk Control
  • Risk Abatement Strategies
  • Risk Mitigation Planning
  • Risk Mitigation

21
Detailed Discussion of Risk Management Procedures
  • Risk Assessment's Main Goal: Establishing a set
    of Risks that potentially threaten a project
  • Three explicit steps in Risk Assessment
  • Risk Identification
  • Find Risks and bring to the attention of
    management, senior level personnel, and the
    customer
  • Risk Analysis
  • Assign quantitative values to risks (impacts,
    probabilities)
  • Also perform cost/benefit analysis
  • Risk Prioritization
  • Rank risks, from 1..n
  • The higher the rank, the more resources invested
    (time, money)

22
Detailed Discussion of Risk Management Procedures
  • More on Risk Identification
  • Main tool: Expertise and previous experience
  • Organizations attempt to develop various forms of
    checklists to capture previous experience and
    knowledge
  • Other tools
  • Scenarios
  • Decompositions
  • Prototyping
  • Modeling and Simulation
  • Identification process needs to involve all
    levels of business and technical staff, along
    with the customer
  • More/different experience leads to discovery of
    more risks
  • Must integrate (overcome) different viewpoints

23
Detailed Discussion of Risk Management Procedures
  • More on Risk Analysis
  • Goal: Develop numerical aspects of risks
  • Analysis Tools & Techniques
  • Historical Data
  • Cost estimation tools (automated software &
    manual spreadsheets/forms)
  • Expertise and Past Experiences
  • Other available Techniques depend upon type of
    Risk
  • Technical Risks: Modeling and Simulation,
    prototyping
  • Cost Risks: Algorithmic cost models, Monte Carlo
    Simulations
  • Schedule Risks: Algorithmic schedule models,
    Monte Carlo Simulations
  • Operational Risks: Performance and Reliability
    Modeling

24
Detailed Discussion of Risk Management Procedures
  • More on Risk Prioritization
  • Not all Risks get included on the final list of
    Risks to manage
  • Main Factor that contributes to the importance of
    a Risk (and ultimately a formal prioritized list)
    is Risk Exposure (probability × impact)
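
An added worked example, not taken from the paper or the presentation: it ranks a small risk register by Risk Exposure and runs the Monte Carlo simulation the slides name for schedule risks, reporting the slip at several confidence levels. The risk names echo the slides' example risk types; the probabilities, the week ranges and the choice of a triangular impact distribution are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # strictly between 0.0 and 1.0 (non-inclusive)
    low: float          # impact range in schedule weeks: best case,
    likely: float       # most likely,
    high: float         # worst case

    def __post_init__(self):
        if not 0.0 < self.probability < 1.0:
            raise ValueError(f"{self.name}: probability must be in (0, 1)")
        if not self.low <= self.likely <= self.high:
            raise ValueError(f"{self.name}: need low <= likely <= high")

    @property
    def exposure(self) -> float:
        # Risk Exposure = probability x impact (mean of the triangular range)
        return self.probability * (self.low + self.likely + self.high) / 3

# Constructed sample register; probabilities and week ranges are made up.
REGISTER = [
    Risk("COTS component mismatch", 0.3, 1, 3, 5),
    Risk("Requirements creep", 0.5, 2, 4, 8),
    Risk("Inadequate testing", 0.4, 1, 2, 6),
    Risk("Key engineer leaves", 0.2, 4, 6, 12),
]

def prioritize(risks):
    """Rank 1..n by exposure, highest first."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)

def simulate(risks, trials=20000, seed=1):
    """Monte Carlo: total schedule slip (weeks) per trial, sorted ascending."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(trials):
        totals.append(sum(rng.triangular(r.low, r.high, r.likely)
                          for r in risks if rng.random() < r.probability))
    return sorted(totals)

def confidence_level(sorted_totals, q):
    """Slip that is not exceeded in a fraction q of the trials."""
    return sorted_totals[min(len(sorted_totals) - 1, int(q * len(sorted_totals)))]

if __name__ == "__main__":
    for rank, r in enumerate(prioritize(REGISTER), 1):
        print(f"{rank}. {r.name}: exposure {r.exposure:.2f} weeks")
    totals = simulate(REGISTER)
    for q in (0.5, 0.8, 0.95):
        print(f"P{int(q * 100)} slip: {confidence_level(totals, q):.1f} weeks")
```

The summed exposures give only the expected slip; the simulated percentiles show how much schedule reserve a chosen confidence level would require.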

25
Detailed Discussion of Risk Management Procedures
  • Risk Control relies on a Feedback Loop
  • Feedback upon whether risks are being managed or
    not
  • If not, redirect, re-plan, and close loop
  • Initial Action Plans are executed to reduce risk
  • Contingency Plans executed upon trigger to attack
    risks further
  • Project Manager = Controller
  • Depends upon completion of the Risk Assessment
    phase
  • Three explicit steps
  • Risk Abatement Strategies
  • Determine strategies
  • Risk Mitigation Planning
  • Produce detailed plans, based upon strategies
  • Risk Mitigation
  • Put plans into action and reduce/eliminate risks

26
Detailed Discussion of Risk Management Procedures
  • More on Risk Abatement Strategies
  • Must first know where to start expending
    resources
  • Relies upon analysis/results of Risk Assessment
    phase
  • May also rely upon Simulations, Prototypes,
    Data/History, Experts/Experience
  • Three Basic Strategies Available
  • Risk Avoidance: May involve deletion of
    requirements or functionality
  • Risk Transfer: May involve reallocating
    requirement or functionality
  • Risk Acceptance: Involves further risk control
  • Must consider cost-benefit analysis

27
Detailed Discussion of Risk Management Procedures
  • More on Risk Mitigation Planning
  • Translate strategies into detailed plans
  • Action Plans
  • Contingency Plans
  • Must take project schedule and resource
    consumption into account
  • Consumption of resources to manage one risk may
    cause another risk to occur (must iterate)
  • Funds/resources can be set aside for risks
    (reserves)

28
Detailed Discussion of Risk Management Procedures
  • More on Risk Mitigation
  • Put mitigation plans into effect
  • Goal is to reach a resolution of the underlying
    problem
  • Must continually track (monitor and report) the
    characteristics of risks
  • Re-assess risks as plans are implemented and
    impacts are made (iterate the loop)

29
Organizational Level Risk Management
  • Companies that deal in advanced technologies now
    mandate Risk Management Plans
  • Includes senior technical and executive
    management, as well as the customer
  • Goal is to understand the impacts risks may have
    on financial bottom lines
  • Characteristics of Organizations that employ Risk
    Management
  • Explicit risk management processes defined and
    followed
  • Customization for specific project allowed
  • Communication
  • Reporting risks to the highest levels of the
    organization (executives, VPs, etc.)
  • Regular reviews

30
Conclusions
  • Risk Management has been around (in various
    forms) for a long time, and is used in a vast
    array of industries
  • Experience is perhaps the key tool used during
    the Risk Management process (finding, assessing,
    etc. risks)
  • Prototyping, simulations can also be used
  • Explicit steps are defined and well known
  • Risks must be expected

31
My Opinions on the Paper
  • Strengths
  • Use of a wide range of types of Figures to
    illustrate various points/ideas
  • Thorough and understandable discussion
  • Use of many quick "for example"s

32
My Opinions on the Paper
  • Weaknesses
  • Formatting Issue: No Numbering System Used
  • For Example:
  • X. Risk Assessment (Risk Identification, Risk
    Analysis, ...)
  • Risk Identification
  • Risk Analysis
  • Is less clear than:
  • X. Risk Assessment
  • X.1 Risk Identification
  • X.2 Risk Analysis
  • X.3 ...
  • Some content out of place
  • History Lesson in the Risk Management
    Procedures section
  • Discussion of Development Process relationship to
    Risk Management in the Types of Risks section

33
My Opinions on the Paper
  • Suggestions for Improvement
  • Devise and incorporate a formal numbering system
  • Makes clear to readers the organization of the
    paper
  • Reformat the content
  • Suggestions already laid out in this presentation

34
Questions?
  • Thank You!!