Basics of Software Risk Management
Published: 22 Jan 2007
In this article Arindam discusses the basics of Software Risk Management.
by Arindam Ghosh


What is risk? The simplest definition is the possibility of loss. The loss can be either a bad outcome or a lost opportunity. The negative connotation of the word "risk" is itself sometimes a problem for risk management, but the definition stands: unless there is a potential for loss, there is no risk.

Risk management is the sum of all proactive activities within a program intended to accommodate the possibility of failure.

How We Can Learn from Past Experiences

We cannot always predict the problems our projects will face, but we can learn from our previous mistakes, especially if they have been documented, and use them to minimize loss and threats to future projects. This improves the company's business success and reduces the chaos and confusion that degrade the quality of the work.

The following actions are suggested: document the results of even informal risk assessments, keep records of the mitigation strategies that were used, note the practices and approaches that worked well, and periodically conduct reviews to identify the unanticipated problems that came up.

Uncertainty leading to Risks

We often pretend to have things under control, especially the ones that are most uncertain in nature. It is the unknown that can hurt us most. We need to recognize such situations as potential risks and document them in the risk management plan from the start. At the beginning of the project their impact is hardly felt, because the losses have not yet occurred.

As time passes, and in the absence of a clear vision and proper customer involvement, the threat to the project grows. Uncertainty is an unavoidable characteristic of most software projects; however, reducing uncertainty has a cost.

That cost must be balanced against the potential cost we would incur if the risk were not addressed at all. We cannot always avoid high-risk projects, but in such cases proactive risk management is essential. Risk management ensures that we go into such projects as well prepared as possible, knowing what kinds of things could go wrong and where. Then we have done our part to keep those factors from becoming hurdles to the final outcome of the project.

Why Should We Manage Risks Formally, and How Does It Help Us?

In a typical contractual environment a lot is at stake: we simply cannot have costs spiraling up and deadlines being missed. A team approach allows the various project stakeholders to collectively address their shared risks and to assign responsibility for risk mitigation to the most appropriate individuals. Forming a formal risk management team gives a structured method and more visibility into threats, and makes sure that attention is always focused on controlling the most severe risks first. Risk team members can pool their experience and identify opportunities to control the most common risks through documentation and constant process improvement. This ensures that risk management actions are planned, prioritized, initiated and completed in a timely and effective manner. The risk team should always build a checklist of risk items and mitigation strategies from multiple projects that helps future projects look for weaknesses. Constantly sharing what does and does not work to control risks across multiple projects helps projects avoid repeating the mistakes of the past.


Who is a Risk Manager?

“Often, we see the experienced project manager will use risk management as a method for raising the awareness of conditions that could cause losses, so that the project does not begin with a fuzzy vision and little customer involvement.”

The role of a Risk Manager, a position found on relatively large projects, is to capture and formalize risk management activities and results. He becomes the program's main spokesperson on risk at major reviews and in reports.

The basic structure recommended for risk management consists of a Risk Manager who is responsible for the definition, structure, implementation and coordination of a risk management approach consistent with the program, system engineering, test, manufacturing and verification plans.

It is the Risk Manager's job to coordinate the risk management activities within the prime contractor's organization and with all subcontractors. The Risk Manager assists the Program Manager.

The Risk Manager also maintains the status of the risk list and provides any risk training required for the proposal. He develops work schedules to overcome any shortcomings of the RFP with respect to risk, and provides whatever level of draft the RFP requires for the Risk Management Program Plan.

Ownership in Risk Management

A very important aspect of ownership is a clear and mutual understanding, among the different stakeholders of a contract, of who is responsible for every risk identified in a program. Each risk should have an organization tagged for ownership and a position holder tagged as managerial lead for its resolution.

One of the major problems is that Project Managers worldwide do not have access to the data involved in risk management. The data is buried within projects and simply not available. The SERR (Software Engineering Risk Repository) is the arm of the SEI for accessing such data from an informative database. It is planned as a worldwide online service in which information on risk management is collected and made available through databases, interviews, questionnaires and case studies. The goal is to provide a mechanism whereby risk management processes can be transferred, evaluated and communicated.

Simple Steps to Reduce Risks

Identify, Analyze, Plan, Implement, Track, Control, Communicate and Document.

What is Continuous Risk Management (CRM)?

CRM is the principle that risks are managed throughout a project's lifetime rather than at a single point. Continuous Risk Management is simply an aspect of good project management, and it should be a normal part of the project manager's daily work.

Types of Risks

Proposal Risks

Some risks are inherent in the venture itself. An RFP for such a project carries those risks no matter which contractor undertakes the development.

Performance Risks

These are the risks inherent in the proposed approach.


Programmatic Risks

These are the risks that affect program governance and performance. Risks to program performance generally flow from the organizational culture and from the competence, experience and skills of the management team.

Schedule Risks

Schedule risk is the risk of being unable to deliver within the scheduled time with the resources allocated.

Cost Risks

Cost risk is the risk that funding will be insufficient to complete the job within the scheduled time. It can arise for various reasons: low bids, failure to understand the customer's requirements, misallocation of resources, and management decisions based on inaccurate estimates.


There are also times when a delivered system fails to perform as required and this leads to problems. This is a type of performance risk.


Supportability Risks

We are aware that most systems cost more to sustain than to develop. The supportability risk is that an otherwise acceptable system will simply cost too much, in time and personnel, to operate and maintain over its life cycle.

Development Risks

A development effort always entails a measure of risk, because such an effort always involves aspects that are new to the performing organization. Situations involving multiple risks at once are the major challenge, and the most interesting from a management perspective.


One of the first risk situations facing such a team is that it invariably requires additional staffing. When new people are hired, the collective awareness of the nuances of the program is diluted, and people start making decisions with less than complete understanding of the program, the company or the customer. The simple remedy is to communicate clearly and hold regular staff meetings. It is also recommended that each new employee get a thorough introduction to the roles involved.

Risk Management Tools and Techniques


Brainstorming

The goal of brainstorming is to obtain a comprehensive list of project risks. The risks are then categorized by type and their definitions are sharpened.

Delphi Technique

A facilitator uses a questionnaire to solicit ideas about the important project risks from a panel of experts, anonymously so that no one expert dominates. The responses are summarized and re-circulated to the experts for further comment until a consensus emerges.


Interviewing

Interviewing experienced project participants, stakeholders and subject matter experts can identify risks that no checklist would surface.

Root Cause Identification

This is an inquiry into the underlying causes of a project's risks. Effective risk responses can be developed only if the root cause of the risk is addressed, rather than its symptoms.

SWOT Analysis (Strength, Weakness, Opportunities and Threats Analysis)

This technique examines the project from each of the SWOT perspectives in turn, to increase the breadth of risks considered.

Checklist Analysis

Risk Identification checklists can be developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information.

Assumption Analysis

Assumption analysis is a tool that explores the validity of the assumptions on which the project rests. It identifies the risks that arise from inaccurate, inconsistent or incomplete assumptions.

Diagrammatic Techniques

System or process flow charts show how the various elements of a system interrelate and the mechanisms of causation between them.

Influence diagrams are graphical representations of situations showing causal influences, time ordering of events and other relationships among variables and outcomes.

Cause and effect diagrams, also known as Ishikawa or fishbone diagrams, are useful for identifying the causes of risks.

Developing Risk Management Plans and Outputs

This plan describes how risk management will be structured and performed on the project. It becomes a subset of the Project Management Plan. It includes the following.

Methodology: Defines the approaches, tools and data sources that may be used to perform risk management on the project.

Roles and Responsibilities: Defines the lead, support and risk management team membership for each type of activity in the risk management plan, then assigns people to these roles and clarifies their responsibilities.

Budgeting: Assigns resources and estimates costs needed for risk management for inclusion in the project cost baseline.

Timing: Defines when and how often the risk management process will be performed throughout the project life cycle and establishes risk management activities to be included in the project schedule.

Risk Categories: Provides a structure that ensures risks are identified systematically and to a consistent level of detail, which improves the effectiveness and quality of Risk Identification. A risk breakdown structure is one way of providing such a structure.

Definitions of Risk Probability and Impact: The quality and credibility of the Risk Analysis process require that the different levels of risk probability and impact be defined. General definitions of the probability and impact levels are tailored to the individual project during Risk Management Planning, for use in the Qualitative Risk Analysis process.

Revised Stakeholders' Tolerance: Stakeholders' risk tolerances may be revised during the risk management planning process as they apply to the specific project.

Reporting Formats: Describes the content and format of the risk register and of any other risk reports required, and how the outcomes of the risk management processes will be documented, analyzed and communicated.

Tracking: Documents whether and how risk management processes will be audited.

The Role of the Human Element

Risk is not only technical; it has a human side. All programs experience some degree of risk and associated failure simply because of misdirected, naive, lazy or dishonest behavior on the part of their principals. From the perspective of risk management there is not much that can be done about most such factors, except to acknowledge our capacity to be our own worst enemy and take responsibility for it.



In conclusion, like any other control, proper and timely risk management can provide enormous advantages to an organization by cutting costs and ensuring delivery on schedule. A budget and time must be set aside for it at the very outset. It is often a major expense for the performing organization, so the return on investment must be clearly understood, and that is possible only through a well understood, planned and structured process. Systems are becoming more complex, and judgment, thorough knowledge, expertise and experience alone will not always suffice; a systematic approach using the methodologies above is the way to mitigate risks.
