Simranjeet Kaur1 Fundamentals of Software Risk Management

Simranjeet Kaur2 Why do software projects go wrong? Inadequate understanding of customer needs Poor requirements documents Poor requirements management Poor or no architecture/design Code first and ask questions later Poorly understood legacy design/code No peer reviews to catch problems early Inexperienced or incapable personnel Ineffective testing – misses serious defects …

Simranjeet Kaur3 Software Risk Management Risk Management is a practice with processes, methods, and tools for managing risks in a project.

Simranjeet Kaur4 What is risk? A risk is a possibility of loss. Undesirable outcome. Missed opportunity.

Simranjeet Kaur5 Anatomy of a risk Risk Probability of occurrence Consequence: size of loss

Simranjeet Kaur6 Classification of software risks Software Project Risks –Resource constraints, external interfaces, supplier relationships, nonperforming vendors, internal politics, interteam/intergroup coordination problems, inadequate funding. Software Process Risks –Undocumented software process, lack of effective peer reviews, no defect prevention, poor design process, poor requirements management, ineffective planning. Software Product Risks –Lack of domain expertise, complex design, poorly defined interfaces, poorly understood legacy system(s), vague or incomplete requirements.

Simranjeet Kaur7 The Risk Management Process Identify risks Resolve risks Analyze risks Plan for risks Track risks Learn about risks Risk Knowledge Base

Simranjeet Kaur8 Identification: Discovery Team Brainstorming Risk Knowledge Base Walkthroughs Spurious

Simranjeet Kaur9 Identification: Quantification Risk Exposure = Probability x Consequence

Simranjeet Kaur10 Calculating Risk Exposure FactorPCRE Late delivery from COTS vendor ACME days7 days ACME API integration delay0.615 days9 days Additional unit testing needed; 3% more classes than first estimated days18 days Beta test group reports that they may not be able to fit us into their pipeline until May 1 instead of April days15 days TOTAL RISK EXPOSURE49 days Note: For simplicity, all risk consequences are calendar time delays.

Simranjeet Kaur11 Perceived Probability Almost certainly Highly likely Very good chance Probable Likely Probably We believe Better than even We doubt Improbable Unlikely Probably not Little chance Almost no chance Highly unlikely Chances are slight Adapted from Managing Risk: Methods for Software Systems Development by Elaine M. Hall, Addison-Wesley 1998

Simranjeet Kaur12 Why quantify risk –Allows solution ideas to be evaluated more critically –Encourages design awareness of risk –Allows feedback on risks we missed –Allows feedback on impact of risks we anticipated –Allows us to allocate resources to deal with risks –Allows us to determine whether a risk is acceptable

Simranjeet Kaur13 Identification: Documentation Header Assessment Action Plan Tracking Resolution ProjectName of project DateDate of entry Risk nameName of risk Risk categoryType of risk ProbabilityLikelihood of occurrence ConsequenceSeverity of impact OriginatorWho reported this risk Phase/activityWhere in software process WBS ElementWBS relationship Adapted from Managing Risk: Methods for Software Systems Development by Elaine M. Hall, Addison-Wesley 1998

Simranjeet Kaur14 Identification: Communication Notify all affected stakeholders: Customers Project/Program Manager Fellow Team Members Management Marketing Sales Customer Support Finance Quality Assurance SEPG …

Simranjeet Kaur15 Analysis of risks: Questions –How severe is the consequence? –How likely is the occurrence? –Is the risk exposure acceptable? –How soon must the risk be dealt with? –What is causing the risk? –Are there similarities between risks? –Are there dependency relationships? –What are the risk drivers?

Simranjeet Kaur16 Analysis of risks: Activities Grouping –Eliminate redundant risks; Combine related risks; Link dependent risks Determining risk drivers –Underlying factors that affect severity of consequence –May affect estimation of probability, consequence, risk exposure –Increases understanding of how risks can be mitigated Ranking –Order of likelihood, consequence, exposure, time frame Determining root causes (sources of risk) –Old-fashion root cause analysis, –Identify common root causes

Simranjeet Kaur17 Analysis: Documentation Header Assessment Action Plan Tracking Resolution Adapted from Managing Risk: Methods for Software Systems Development by Elaine M. Hall, Addison-Wesley 1998 StatementBrief description of risk ContextWhen, where, how, why AnalysisImpact on project

Simranjeet Kaur18 Planning: Resolution Strategies Risk Avoidance –Prevent the risk from occurring, reduce probability to zero Risk Protection –Reduce the probability and/or consequence of the risk before it happens Risk Reduction –Reduce the probability and/or consequence of the risk after it happens Risk Research –Obtain more information to eliminate or reduce uncertainty Risk Reserves –Use previously allocated schedule or budget slack Risk Transfer –Rearrange things to shift risk elsewhere (to another group, for example)

Simranjeet Kaur19 Planning: Activities Specify scenarios –How would we be able to tell it is really happening? Define quantified threshold for early warning –What to monitor, when we consider the risk to be happening Develop resolution alternatives –Ways to eliminate, mitigate or handle the risk Select resolution approach –What has the best ROI? Specify risk action plan –Document decisions

Simranjeet Kaur20 Planning/Tracking: Documentation Header Assessment Action Plan Tracking Resolution ScenarioWhat would happen? IndicatorMetric to be monitored Trigger conditionValue indicating risk scenario CheckpointWhen/where to check metric Resolution strategyHow we will handle the risk Action planConcrete action plan

Simranjeet Kaur21 Tracking Monitor risk scenarios –Watch for signs of a risk scenario occurring Compare indicators to trigger conditions –Watch indicator metrics – do they satisfy trigger conditions? Notify stakeholders –Let stakeholders know the risk is happening; execute action plan Collect statistics –Update risk database

Simranjeet Kaur22 Resolution Acknowledge receipt of notification –Let stakeholders know you are “on the ball” –Indicate response time –Determine accountability/ownership Execute action plan –Improvise, adapt, overcome –Wanted: common sense Provide continuous updates –Let stakeholders know your progress in resolving the risk Collect statistics –Update risk database

Simranjeet Kaur23 Resolution: Documentation Header Assessment Action Plan Tracking Resolution Software EngineerSignature Quality EngineerSignature Project ManagerSignature Marketing ManagerSignature

Simranjeet Kaur24 Risk Management Capability 1: Risks ignored or only tracked in an ad-hoc fashion 2: Risks are usually recorded, tracked and handled as they are discovered 3: Risks systematically quantified, analyzed, planned, tracked and resolved 5: Risk statistics used to make organizational/process improvements 4: Quantified analysis used to determine resolution cost/benefit for project

Simranjeet Kaur25 Requirements Capture Design/Select Architecture High-level evolutionary plan Select and plan next step Execute planned step Deliver to real users Evaluate feedback “micro-projects” Evolutionary Delivery Identify Analyze Plan Track Resolve Learn

Simranjeet Kaur26 Learning from risks Post mortem: –What were the unanticipated risks? –What was the actual severity of consequence? –What resolution strategies worked well/not so well? –What types of risks could we prevent or transfer? protect ourselves from or reduce? handle only by allocating reserves? Action: –What are the preventative measures we can take in the future? –What can the SEPG do? –Are there significant vendor/partner performance problems? –What can we share with other project teams?

Simranjeet Kaur27 Risk Management Infrastructure Common Risks Checklists Risk Database With Statistics Standard Risk Template Risk Ranking Template Risk Mgt. Plan Template

Simranjeet Kaur28 Opportunity Management Identify opportunity Take advantage of opportunity Analyze opportunity Plan for opportunity Track opportunity Learn about opportunities Opportunity Knowledge Base

Simranjeet Kaur29 Questions?