Basics of Software Risk Management
What is risk management? The easiest explanation would be
the possibility of loss. The loss can be either a bad outcome or a lost
opportunity. The negative image of the word "risk" is sometimes the
problem with risk management. Of course, unless there is a potential for loss,
there is no risk.
Risk management is the sum of all proactive activities
within a program intended to accommodate the possibility of failures.
|How we can learn from past experiences|
We cannot always predict the future problems in our
projects; however, we can learn from our previous mistakes, especially if they
have been documented, to minimize loss and threats to future
projects. This will improve the company's business success and
reduce the chaos and confusion that lowers the quality of the work.
The following are suggested actions. Document the
results of even informal risk reviews, maintain records of the mitigation strategies,
note the best practices and approaches that worked well, and periodically conduct
reviews to identify the unanticipated problems that come up.
|Uncertainty leading to Risks|
We often pretend to have things under our control, especially
the ones that are very uncertain in nature. It is the unknown that can hurt us
most. We need to skillfully spot such situations as posing potential risks and
document them early in the risk management plan. At the beginning of the
project, the impact of such a situation is hardly felt, as the losses have not yet occurred.
With the passage of time and the lack of vision and proper
customer involvement, the potential threat to the project will surely rise.
Uncertainty is an unavoidable characteristic of most software projects; however,
reducing uncertainty has a cost.
It is mandatory to balance such costs against the potential
cost we could incur if the risk is not addressed at all. We cannot avoid
projects that carry a high risk factor; however, proactive risk management is
necessary in such cases. Risk management makes sure we go into such projects as
guarded as possible, so we know what could go wrong and where. Then we have
done our part to make sure those factors do not become hurdles to the final
outcome of the project.
Why Should We Manage Risks formally and how does it
In a typical contractual environment a lot is at stake. We
simply cannot have costs spiraling up and deadlines being missed. A team approach
allows the various project stakeholders to collectively address their shared
risks and to assign responsibility for risk mitigation to the most appropriate
individuals. Forming a formal risk management team gives a structured
method and more visibility into threats, and ensures that the team is always
focused on controlling the most severe risks first. Risk team members can
pool their experience and identify opportunities to control the most common risks
through documentation and constant process improvement. This ensures that
risk management actions are planned, prioritized, initiated and completed
in a timely and effective manner. The risk team should
always build a checklist of risk items and mitigation strategies from multiple
projects that can help future projects look for weak points. Constantly
sharing what does and does not work to control risks across multiple projects
helps projects avoid repeating the mistakes of the past.
|Who is a Risk Manager?|
“Often, we see the experienced project manager will use risk
management as a method for raising the awareness of conditions that could cause
losses so that the project does not begin with a fuzzy vision and not much of
The role of a Risk Manager, which is found in relatively
large projects, will be to capture and formalize risk management activities and
results. He becomes the main spokesperson for the program for risks for major
reviews and reports.
The basic structure recommended for risk management consists
of a Risk Manager who is responsible for the definition, structure,
implementation and coordination of a risk management approach consistent with
the program, system engineering, test, manufacturing and verification plans.
It is the Risk Manager's job to coordinate the risk
management activities within the prime's organization and with all
subcontractors. The Risk Manager assists the Program Manager.
The Risk Manager also maintains the status of the risk list
and provides any risk training required for the proposal. He also develops work
schedules to overcome any shortcomings of the RFP with respect to risk and
provides whatever level of draft that is required by the RFP for the Risk
Management Program Plan.
|Ownership in Risk Management |
A very important aspect of ownership is a very clear and
mutual understanding of the responsibilities among the different stakeholders
of a contract for every risk identified in a program. Each risk should have an organization
tagged for ownership, and a position holder should be tagged as managerial lead
for its resolution.
One of the major problems is that Project Managers worldwide
do not have access to the data involved in risk management. Data is buried within
projects and simply not available. The SERR (Software Engineering Risk Repository)
is the arm of the SEI for accessing data from an informative database. This is
planned as a worldwide online service where information on risk management
will be collected and made available through databases, interviews,
questionnaires and case studies. The goal will be to provide a mechanism
whereby transfer and evaluation of risk management processes can be interpreted
|Simple Steps to Reduce Risks |
Identify, Analyze, Plan, Implement, Track, Control,
Communicate and Document.
|What is Continuous Risk Management (CRM)?|
CRM is a principle whereby risks are managed in a project
throughout its lifetime. Continuous Risk Management is simply an area of good
project management. It should be a normal aspect of the project manager's daily
|Types of Risks|
There are some risks that are just in-built in the venture.
Thus, an RFP for such a project has in-built risks no matter which contractor
undertakes the development.
These are the risks inherent in the proposed approach.
These are the risks that impose an impact on program governance
and performance. Risks that impact on program performance generally flow from
issues of organizational culture, competence, experience, and skills of the
Schedule risks arise from the inability to deliver
within the scheduled time with the resources allocated.
Cost risk is when there is a funding problem for completing
the job within the scheduled time. This can have various causes, such as low
bids, lack of understanding of the customer's requirements, wrong allocation of
resources and bad management decisions in terms of the accuracy of estimates.
There are times when the non-performance of systems leads to
problems. This is a type of performance risk.
We are aware of the fact that most systems cost more to
sustain than to develop. The supportability risk is that an otherwise
acceptable system will just cost too much to operate and maintain over its life
cycle in terms of time and personnel.
A development effort always entails a measure of risk,
because such an effort always involves aspects that are new to the performing
organization. Multiple risk situations are major challenges and are the most
interesting from a management perspective.
One of the first risk situations facing such a team is that
it invariably requires additional staffing. When new people are hired, some of
the negative aspects are that the collective awareness of the nuances of the
program is diluted and people start making decisions with less than complete
understanding of the nuances of the program, the company or the customer. The
only and simple solution is to communicate clearly and have regular staff
meetings. It is also recommended that each new employee get a thorough
introduction to the roles.
|Risk Management Tools and Techniques|
The goal of brainstorming is to obtain a comprehensive list
of project risks. Risks are then identified and categorized by type of risk and
their definitions are sharpened.
A facilitator uses a technique to solicit ideas about the
important project risks. The responses are summarized and then re-circulated to
the experts for further comment.
Interviewing experienced project participants, stakeholders,
and subject matter experts can identify risks.
Root Cause Identification
This is an inquiry into the essential causes of a project's
risks. Effective risk responses can be developed if the root cause of the risk
SWOT Analysis (Strength, Weakness, Opportunities and Threats)
This technique ensures examination of the project from each
of the SWOT perspectives to increase the breadth of considered risks.
Risk Identification checklists can be developed based on
historical information and knowledge that has been accumulated from previous
similar projects and from other sources of information.
Assumption analysis is a tool that explores the validity of
assumptions as they apply to the project. It identifies risks to the project
arising from inaccurate, inconsistent or incomplete assumptions.
Diagrammatic Techniques used are the following.
System or Process Flow charts show how various elements of
a system interrelate and the mechanism of causation.
Influence Diagrams are graphical representations of
situations showing causal influences, time ordering of events and other
relationships among variables and outcomes.
Cause and Effect Diagrams, also known as Ishikawa or fishbone
diagrams, are useful for identifying the causes of risks.
|Developing Risk Management Plans and Outputs|
This plan describes how risk management will be structured
and performed on the project. It also becomes a subset of the Project Management
Plan. It includes the following.
Methodology: Defines the approaches, tools and data sources
that may be used to perform risk management on the project.
Roles and Responsibilities. Defines the lead, support and
risk management team membership for each type of activity in the risk
management plan and then assigns people to these roles and clarifies their
Budgeting: Assigns resources and estimates costs needed for
risk management for inclusion in the project cost baseline.
Timing: Defines when and how often the risk management
process will be performed throughout the project life cycle and establishes
risk management activities to be included in the project schedule.
Risk Categories: Provides a structure that ensures a
comprehensive process of systematically identifying risk to a consistent level
of detail and contributes to the effectiveness and quality of Risk
Identification. A risk breakdown structure is one approach to providing such a
Definitions of Risk Probability and Impact: The quality and credibility
of the Risk Analysis process require that the different levels of risk
probability and impact be defined. General definitions of probability
levels and impact levels are tailored to the individual project during the Risk
Management Planning process for use in the Qualitative Risk Analysis process.
Revised Stakeholders Tolerance: Stakeholders tolerance may
be revised in the risk management planning process as they apply to the
Reporting Formats: Describes the content and format of the
risk register as well as any other risk reports required. Delivers how the
outcomes of risk management processes will be documented, analyzed and
Tracking: Documents whether and how risk management
processes will be audited.
|The Role of the Human Element |
Risk management is not necessarily human-centered. All
programs experience some degree of risk and associated failure simply because
of misdirected, naïve, lazy and dishonest behaviors on the part of their
principals. From the perspective of risk management there is not much that can be
done about the majority of such factors, except to remain mindful of our
ability to be our own enemy.
We can say in conclusion that, like any other control,
proper and timely Risk Management control can provide enormous advantages to an
organization by cutting down on costs and ensuring delivery on
schedule. At the very onset there has to be a budget and time set aside for
this. It is often a major expense for the performing organization, so a clear
understanding of the return on investment must be established, and this is possible
through a well understood, planned and structured process. Systems are
becoming more complex, and today judgment, thorough knowledge, expertise and
experience will not always suffice; a systematic approach using different
methodologies is the way to mitigate risks.