Академический Документы
Профессиональный Документы
Культура Документы
Management:
Principles and
Practices
BARRY W. BOEHM,
Defense Advanced Research Projects Agency
BASIC CONCEPTS
Webster’s dictionary defines “risk” as
“the possibility of loss or injury.” This def-
inition can be translated into the funda- FIGURE 1 DECISION TREE FOR WHFTHER TO PERFORM INOEPENDENTVALIOATIONANOVERIFICATIONTO ELIMINA-
mental concept of risk management: risk CRITICALERRORS IN A WTELLITEEXPERIMENT PROGRAM. UUO] IS THE LOSS ASSOCIATE0 W K H AN UNSATlSFAl
exposure, sometimes also called “risk im- TORY OUTCOME, P[UOl IS THE PROBABILITYOFTHE UNSATISFACTORYOUTCOME, AN0 CE IS A CRKICAL ERROR
IEEE S O F T W A R E 33
Checklists
Decomposition
Performance d ek
34 JANUARY 1991
weekly, monthly, or milestone project re- four significant subsets of risk-manage- ity table in Table 2 for assessing the prob-
view and followed up appropriately with ment techniques: risk-identification ability that a project will overrun its bud-
reassessment of the risk item or corrective checkhsts, risk prioritization, risk-man- get. Table 2 is one of several such check-
action. agement planning, and risk monitoring. lists in a n excellent US Air Force
In addition, risk management provides Other techques have been covered else- handbook’ on software risk abatement.
an improved way to address and organize where.’~~ Using the checklist, you can rate a
the life cycle. Risk-driven approaches, like project’s status for the individualattributes
the spiral model of the software process: Risk-identificationchecklists. Table 1 shows associated with its requirements, person-
avoid many of the difficulties encountered a top-level risk-identification checklist nel, reusable software, tools, and support
with previous process models like the wa- with the top 10 primary sources of risk on environment (in Table 2 , the environ-
terfall model and the evolutionary devel- software projects, based on a survey ofsev- ment’s availabilityor the risk that the envi-
opment model. Such risk-driven ap- era1 experienced project managers. Man- ronment will not be available when
proaches also show how and where to agers and system engineers can use the needed). These ratings will support a
incorporate new software technologies checklist on projects to help identify and probability-range estimation of whether
like rapid prototyping, fourth-generation resolve the most serious risk items on the the project has a relativelylow (0.0 to 0.3),
languages, and commercial softwareprod- project. It also provides a corresponding medium (0.4 to 0.6), or high (0.7 to 1.0)
ucts into the life cycle. set of risk-management techniques that probability of o v e e g its budget.
have been most successfulto date in avoid- Most of the cnncal nsk items in the
SIX STEPS ing or resolving the source of risk. checklist have to do with shortfalls in do-
Ifyou focus on item 2 of the top-10 list main understanding and in properly scop-
Figure 2 summarized the major steps in Table 1 (unrealistic schedules and bud- ing the job to be done - areas that are
and techniques involved in software risk gets), you can then move on to an example generally underemphasized in computer-
management. This overviewarticle covers of a next-level checklist: the risk-probabil- science literature and education. Recent
Personnel shortfalls Staffingwith top talent, job matching, team building, key personnel agreements,cross training
Unrealisticschedules Detailed multisource cost and schedule estimation, design to cost, incremental development,
and budgets softwarereuse, requirements scrubbing.
Developing the wrong Organization analysis, mission analysis, operations-conceptformulation,user surveys and user
functions and properties participation, prototyping, early users’manuals, off-nominal performance analysis,
quality-factor analysis.
Developing the wrong Prototyping, scenarios, task analysis, user participation.
user interface
Gold-plating Requirements scrubbing,prototyping, cost-benefit analysis, designing to cost.
Continuing stream High change threshold, information hiding, incremental development (deferringchanges
of requirements changes to later increments).
Shortfalls in externally Benchmarking,inspections, reference checking, compatibilityanalysis.
furnished components
Shortfallsin extemally Reference checking, preaward audits, award-fee contracts, competitive design or prototyping,
performed tasks team-building.
Real-nme performance Simulation, benchmarking, modeling, prototyping, instrumentation, tuning.
shortfalls
Straining computer-science Technical analysis, cost-benefit analysis, prototyping, reference checking.
capabilities
IEEE SOFTWARE 35
-
Probability
Cost drivers Improbable(0.0-0.3) Probable (0.4-0.6) Frequent (0.7-1.O)
Requirements
Size Small, noncomplex, or easily Medium to moderate Large, highly complex, or not
decomposed complexity, decomposable decomposable
Resource constraints Little or no hardware-imposed Some hardware-imposed Significanthardware-imposed
constraints constraints const"
Application Nonreal-time, little system Embedded, some system Real-time, embedded, strong
interdependency interdependencies interdependency
Technology Mature, existent, in-house Existent, some in-house New or new application, little
experience experience experience
Requirementsstability Little or no change to Some change in baseline Rapidly changing,
established baseline expected or no baseline
Personnel
Availability In place, little turnover Available, some turnover Not available, high turnover
expected expected expected
Mix Good mix of software Some disciplines Some disciplines
disciplines inappropriatelyrepresented not represented
Experience High experienceratio Average experienceratio Low experienceratio
Management environment Strong personnel Good personnel Weak personnel
management approach management approach management approach
Reusable software
Availability Compatiblewith need dates Delivery dates in question Incompatiblewith need dates
Modifications Little or no change Some change Extensivechanges
Language Compatiblewith system and Partial compatibilitywith Incompatiblewith system or
maintenance requirements requirements maintenance requirements
Rights Compatiblewith maintenance Partial compatibilitywith Incompatiblewith maintenance
and competitionrequirements maintenance, some competition concept, noncompetitive
Certification Verified performance, Some application-compatible Unverified, little test data
application compatible test data available available
Tools and environment
Facilities Little or no modification Some modifications,existent Major modifications, nonexistent
Availability In place, meets need dates Some compatibilitywithneed Nonexistent, does not meet
dates need dates
Rights Compatiblewith maintenance Partial compatibilitywith Incompatiblewith maintenance
and development plans maintenance and and development plans
development plans
Configurationmanagement Fully controlled Some controls No controls
initiatives, lke the Software Engineering all the various risk-identification check- associated risk-analysis activities become
Institute's masters curriculum in software lists, plus the other risk-identification essential.
engineering, are providing better cover- techtuques in decision-driver analysis, as- The most effective techtuque for risk
age in these areas. The SEI is also initiat- sumption analysis, and decomposition, prioritization involves the risk-exposure
ing a major new program in software risk one very real risk is that the project will quantity described earlier. It lets you rank
management. identify so many riskitems that the project the risk items identified and determine
could spend years just investigating them. which are most important to address.
Risk adysis and prioritizcltion After using This is where risk prioritization and its One difficulty with the risk-exposure
36 JANUARY 1991
Unsatisfactory Probability of Loss caused by Risk exposure
outcome unsatisfactoryoutcome unsatisfactoryoutcome
quantity, as with most other decision-anal- (data-reduction errors), but the fact that low-profile item like item H (user-inter-
ysis quantities, is the problem of m a h g these errors are recoverable and not mis- face shortfalls) becomes a relatively high-
accurate input estimates of the probability sion-critical leads to a low loss factor and a priority risk item because its combination
and loss associated with an unsatisfactory resulting low RE of 7. Similarly, item I of moderately high probability and loss
outcome. Checkhsts like that in Table 2 (insufficient memory) has a high potential factorsyield a RE of 30.
provide some help in assessing the proba- loss, but its low probability leads to a low + The RE quantities also provide a
bility of occurrence of a given risk item, RE of 7. On the other hand, a relatively basis for prioritizing verification and vali-
but it is clear from Table 2 that its proba-
bility ranges do not support precise prob-
ability estimation.
Full risk-analysis efforts involving pro-
totyping, benchmarking, and simulation
generally provide better probability and
loss estimates, but they may be more ex-
pensive and time-consuming than the sit-
uation warrants. Other techniques, llke
betting analogies and group-consensus
techruques, can improve risk-probability
estimation, but for risk prioritization you
can often take a simpler course: assessing
the risk probabilities and losses on a rela-
tive scale of 0 to 10.
Table 3 and Figure 3 illustrate h s risk-
prioritization process by using some po-
tential riskitems from the satellite-experi-
ment project as examples. Table 3
summarizes several unsatisfactory out-
comes with their corresponding ratings
for P(UO), L(UO), and their resulting
risk-exposure estimates. Figure 3 plots
each unsatisfactory outcome with respect
to a set ofconstant risk-exposure contours.
Three key points emerge from Table 3
and Figure 3:
+ Projects often focus on factors hav-
ing either a h g h P(U0) or a high L(UO), FIGURE 3. RISKEXPOSUREFACTORS A N 0 CONTOURS FOR THE SATELLITE€XPERIMENTSOFTWARE. RE IS THE RISK
but these may not be the key factors with a EXPOSURE, P(UO] THE PROBABILITY OF AN UNSATISFACTORY OUTCOME, A N 0 L[UO] THE L E S ASSOCIATED WITH
high risk-exposure combination. One of THAT UNSATISFACTORY OUTCOME. THE GRAPH P O N E M A P THE TEMS FROM TABLE 3 WHOSE RISK EXPOSURE
IEEE S O F T W A R E 37
1. Obkctives (the "why)
+ Determine, reduce level of risk of the softwore huh-tolerance features causing unacceptableperformance,
+ Create o descriptionof and o development plon for a set of lowrisk fault-tolerancefeatures.
2. Deliverobles and milestones (the "what" and "when").
+By Week 3.
1. Evoluationof fault-toleranceoptions
2. Assessment of reusable components
3. Droft wokload characterization
4. Evaluation plon for prototype exercise simulation, benchmarking, modeling,
5. Description of prototype prototyping, instrumentation, and tuning.
+By Week 7.
6. Operational prototype with key foult-tolerancefeatures. Assume, for example, that a prototype of
7 Workload simulabn representative safety features is the most
8. Instrumentation and data reduction capabilities. cost-effective way to determine and re-
9. Draft description, plan forfault+hrance features. duce their effects on system performance.
+By Week 10
10. Evaulationand iteration of prototype
T h e next step in risk-management
1 1. Revised description, plan for fault-tolerancefeatures planning is to develop risk-management
3. Responsiblities (the "who" and "where") plans for each risk item. Figure 4 shows
+System engineer: GSmith the plan for prototyping the fault-toler-
Tasks 1,3,4,9,11. Support of tasks 5, 10 ance features and determining their effects
+lead programmer: [.lee
Tasks 5,6,7,10. Support of tasks 1,3 on performance. The plan is organized
+ Progrommer:J.Wilson around a standard format for software
Tasks 2,8. Support of tosb 5,6,7,10 plans, oriented around answering the
4. Approach (the "how") standard questions of why, what, when,
+ Desigttwchedule prototyping effort who, where, how, and how much. Ths
+Driven by hypothesesabout fault-toleranceperformonte effects
+Use real-time operating system, add prototype fault-tolerancefeatures plan organization lets the plans be concise
+ Evaluote performancewith respectto representaiiveworkload (fitting on one page), action-oriented, easy
+Refine prototype based on resultsobserved to understand, and easy to monitor.
5. Resources (the "how much") T h e final step in risk-management
S6OK -full-time system engineer, led programmer, progmmmer
(IO week;)*(3 stfl*SZk/staffweek) planning is to integrate the risk-manage-
SO- hree dedicatedwokstahons (from project pwl) ment plans for each risk item with each
SO -two target processors (from propct pool) other and with the overall project plan.
SO -one test coprocessor (from project pwl) Each of the other high-priority or uncer-
$1 OK -contingencies
$70K -total tain risk items will have a risk-manage-
ment plan; it may turn out, for example,
that the fault-tolerance features pro-
X I R E 4. RISK-MANAGEMENT PLAN FOR FAULT-TOLERANCEPROTOTYPING totyped for this risk item could also be
useful as part of the strategy to reduce the
uncertainty in items A and B (software er-
rors killing the experiment and losing ex-
ition and related test activities by giving tolerance versus performance, a good waj periment-critical data). Also, for the over-
ich error clas a significance weight. Fre- to buy information is to invest in a proto- all project plan, the need for a 10-week
uently, all errors are treated with equal type, to better understand the perfor- prototype-development and -exercise pe-
eight, putting too much testing effort mance effects of the various fault-toler- riod must be factored into the overall
it0 finding relatively trivial errors. ance features. schedule, to keep the overall schedule re-
4 There is often a good deal of uncer- alistic.
inty in estimating the probability or loss Risk-management planning. Once you d e
sociated with an unsatisfactoryoutcome. tennine a project's major risk items anc Risk resolution and momtoring. Once you
The assessmentsare frequently subjective their relative priorities, you need to estab- have established a good set of risk-man-
id are often the product of surveyingsev- lish a set of risk-control functions to bring agement plans, the risk-resolution process
.al domain experts.) The amount of un- the risk items under control. The first stei consists of implementing whatever proto-
:rtainty is itself a major source of risk, in thls process is to develop a set of risk- types, simulations, benchmarks, surveys,
hich needs to be reduced as early as pos- management plans that lay out the activi- or other risk-reduction techniques are
ble. The primary example in Table 3 and ties necessary to bring the risk items undei called for in the plans. Risk monitoring
igure 3 is the uncertainty in item C about control. ensures that this is a closed-loop process
hether the fault-tolerance features are One aid in doing thls is the top-I( by tracking risk-reduction progress and
ling to cause an unacceptable degrada- checklist in Figure 3 that identifies t h e applying whatever corrective action is
3n in real-time performance. If P(U0) is most successful risk-management tech- necessary to keep the risk-resolution pro-
ted at 4, this item has only a moderate niques for the most common risk items. A cess on track.
E of 28, but if P(U0) is 8, the RE has a an example, item 9 (real-time perfor- Risk management provides managers
ip-priority rating of 56. mance shortfalls)in Table I covers the un- with a very effective technique for keeping
One of the best ways to reduce h s certainty in performance effect of thc on top of projects under their control:
urce of risk is to buy information about fault-tolerance features. The correspond- Pmjkt top-1 0 rirk-item walking. This tech-
Le actual situation. For the issue of fault ing risk-management techmques include nique concentrates management atten-
~
38 JANUARY 1991
tion on the hgh-risk, high-leverage, criti- the top 10 risk items. (The number could chosen, including possible actions by the
cal success factors rather than swamping be seven or 12 without loss of intent.) The project manager’s boss.
management reviews with lots of low-pri- summary should include each risk item’s The number 2 risk item in Table 4,
ority detail. As a manager, I have found current top-10 r&g, its rank at the pre- target hardware deliverydelays,is also one
that h s type of risk-item-oriented review vious review, how often it has been on the for which the project manager’s boss may
saves a lot of time, reduces management top-10 list, and a sumnary of progress in be able to expedite a solution -by cutting
surprises, and gets you focused on the resolving the risk item since the previous through corporate-procurement red tape,
high-leverage issues where you can make a review. for example, or by escalatingvendor-delay
difference as a manager. + Focusing the project-review meet- issues with the vendor’s higher manage-
Top-10 risk-item tracking involves the ing on dealing with any problems in re- ment.
followingsteps: solving the risk items. As Table 4 shows, some risk items are
+ R a h g the project’s most signifi- Table 4 shows how a top-10 list could moving down in priority or going off the
cant risk items. have worked for the satellite-experiment list, while others are escalating or coming
+ Establishing a regular schedule for project, as of month 3 of the project. The onto the list. The ones moving down the
higher management reviews of the project’s top risk item in month 3 is a crit- list-like the design-verification and -Val-
project’s progress. The review should be ical staffing problem. Highlighting it in idation staffing, fault-tolerance pro-
chaired by the equivalent of the project the monthly review meeting would stimu- totyping, and user-interface prototyping
manager’s boss. For large projects (more late a discussion by the project team and - still need to be monitored but &e-
than 20 people), the reviews should be the boss of the staffing options: Make the quently do not need special management
held monthly. In the project itself, the unavailable key person available, reshuffle action. The ones moving up or onto the
project manager would review them more project personnel, or look for new people list - like the data-bus design changes
kequently. witlun or outside the organization. This and the testbed-interface definitions -
+ Beginning each project-review should result in an assignment of action are generally the ones needing higher
meeting with a summary of progress on items to follow through on the options management attention to help get them
IEEE S O F T W A R E
management plan as an elaboration of the
“why, what, when, who, where, how, how
Risk-management driven much” framework of Figure 4. %le this
evaluation criteria, activities plan is primarily the customer’s responsi-
Developmh p h ’ ’ “ bility, it is very useful to involve the devel-
Development risk-management plan oper community in its preparation as well.
Risk-item evaluation information Such a plan addresses not only the de-
t Risk-management tailored document plan
velopment risks that have been the prime
I Evaluation, I
source selection topic of this article but also operations and
maintenance risks. These include such
Implement Monitor development plan, Update, implement: items as staffing and training of mainte-
Life-cytle plan development Development plan
Life-cycle
nance personnel, discontinuities in the
risk-management plan, Development risk-management plan
risk-management plan switch from the old to the new system,
I I r I
undefined responsibilities for operations
t and maintenance facilities and functions,
4 1
Acceptance, installation I and insufficient budget for planned life-
cycle improvements or for corrective,
Operations and maintenance 1 adaptive, and perfective maintenance.
Figure 5 also shows the importance of
proposed developer risk-management
FIGURE 5 FRAMEWORK FOR LIFE-CYCLE RISK MANAGEMENT plans in competitive source evaluation and
selection. Emphasizing the realism and ef-
fectiveness of a bidder’s risk-management
plan increases the probability that the
resolved quickly. ment practices and risk-driven process customer will select a bidder that clearly
As tlus example shows, the top-1 0 risk- models. understands the project’s critical success
item list is a very effective way to focus A good way to begin is to establish a factors and that has established a develop-
higher management attention onto the top-IO risk-item tracking process. It is easy ment approach that satisfactorily ad-
project’s critical successfactors.It also uses and inexpensive to implement, provides dresses them. (If the developer is a non-
management’s time very efficiently,unlike early improvements, and b e p s establish- competitive internal organization, it is
typical monthly reviews, which spend ing a familiarity with the other risk-man- equally important for the internal
most of their time on things the hgher agement principles and practices. Another customer to require and review a devel-
manager can’t do anythmg about. Also, if good way to gain familiariq7 is via books oper risk-management plan.)
the hgher manager surfaces an additional like my recent tutorial on risk manage-
concern, it is easy to add it to the top-10
risk item list to be hghlighted in future
reviews.
ment,3 which contains the Air Force risk-
alsatenient pamphlet’ and other useful ar-
ticles, and Robert Charette’s recent good
T e most important thing for a project
to do is to get focused on its critical
success factors.
book on risk management.’ For various reasons, including the in-
IMPLEMENTINGRISK MANAGEMENT An effective next step is to identifjr an fluence of previous document-driven
appropriate initial project in which to i n - management pdelines, projects get fo-
Implementing risk management in- plement a top-level life-cycle risk-mnan- cused on activities that are not critical for
volves inserting the risk-management agement plan. Once the organization has their success. These frequently include
principles and practices into your existing accuniulated some risk-nlanagement ex- writing boilerplate documents, exploring
life-cycle management practices. Full im- perience on this initial project, successive intriguing but peripheral techcal issues,
plementation of risk management in- steps can deepen the sophistication ofthe playing politics, and tqmg to sell the “ul-
volves the use of risk-driven sofiware-pro- risk-management techniques and broaden timate” system.
cess models &e the spiral model, where their application to wider classes of proj- In the process, critical success factors
risk considerations determine the overall ects. get neglected, the project fails, and no-
sequence of life-cycle activities, the use of Figure 5 provides a scheme for iniple- body wins.
prototypes and other risk-resolution tech- menting a top-level life-cycle risk-rnan- The key contribution of software risk
niques, and the degree of detail of plans agement plan. It is presented in the context management is to create tlus focus on crit-
and specifications. However, the best im- of a contractualsoftware acquisition,but you ical success factors - and to provide the
plementation strategy is an incremental can tailor it to the needs of an intemal devel- techques that let the project deal with
one, which lets an organization’s culture opment organizationas well. them. The risk-assessment and risk-con-
adjust gradually to risk-oriented manage- You can organize the life-cycle risk- trol techques presented here provide the
~~
___.
40 JANUARY 1991
foundation layer of capabilities needed to
implement the risk-oriented approach.
However, risk management is not a
The Premier Electronics Industry
cookbook approach. To handle all the Conference of the Northwest
complex people-oriented and technology- October 1-3, 1991 in Portland, Oregon
driven success factors in projects, a great
measure of hunian judgement is required.
Good people, with good skills and
good judgment, are what make projects
work. Risk management can provide you Northcon is bringing this CompTehenSjve
with some of the skills, an emphasis on electronics mference andexhibitkm to
getting good people, and a good concep- & d d , Oregon, w h ” e t h a n S m
tual framework for sharpening your electronicsengineekgprofessionals-
judgement. I hope you can find these use- design, test and mufacmng engineers,
ful on j7our next project. + specliers,#wrchasirgspecialists,
engimngmanagmt R & D d
corporatepersonnel, quality speciaikts
and corporate exeahves - wit gather to
leam about the latest electronicsproducts
and technology.
REFERENCES
1. J. Rothfeder, “It’s Late, Costly, and hcompe-
tent - But Tiy Firing a Computer System,”
Papets forpresentationin the technical
Bu.ri7zes.r Week,Nov. 7 , 1988, pp. 164-165. sessions sye requested in five areas:
2. B.W Boehm, “A Spiral Model of Software
Development and Enhancement,” Cmputm,
1. D e s l ~ e s ~ t i o ~ m t
hfay 1988,pp.61-72. 2. ComputerHar&ar&We
3 , B.U! Boehm, Software Risk Management, CS Advances
Press, Los Alamitos, Calif., 1989. 3. Research and Develqm”
4. R.N. Charette, Sojinare Engineering Risk Anal-
p r and .\.fa??agemmt,McGraw-Hill, New
4. Quality and Reliability is a joint v e n m of:
York, 1989. 5. Regulations and EnM;rc;nment
5 . “Software Risk Abatement,” AFSC/.4FIdC
pamphlet 800-48,US Air Force Systems Com-
mand, Andrews .4FB, Md., 1988.
For a pqmr to be consider&, a lcKxF
w d s u m t y must be subm’ttedthat Pdandandseafie
sectionsof the
states thectyective of t h e w , the new
Institute of ELecaical
conbihtim, and the ccmcluionthat MI and Electronics
Barry W. Boehm is dircctor be made. Reviouslypublishedmterials Er&een, IEEE
of the Defense Advanced Re- are not acceptable.
search Project Agency‘s Infor-
mation Science and Technol-
ogy Office, the us Abstracts must be mailed or faxed no later
government’slargest com- than Much 15, 1991 to be considwed for
puter/communications re- evaluation.
search organization. In his
previous position as chief sci-
cndst for TRLV”‘Defense Rease w h t abstracts to:
Systems Group, he was in- Jon S. ports
volved in applying risk-management principles to large TechnicalRograms Chair
projects, including the National Aeronautics and Spacc
r\dnunistration’s space station, the Federal .biation do NC e0
hdininistration+Advanced Automanon System, and 8110AirportBoulevard cascade chapter d
the Dcfmsc Dept.i Sa;rtc$c Defcnse I~utiative. LosArgeles, C4 900453194 the Electronics
Boehm received a BA in mathematics from Har- Representatives
vard Univcrsity and an ALA and PhD in mathematiis
(soo)87i-2668(x Assodation. ERA
from UCL.L (213)215-3976, ext. 251
F M : (213)641-51 17
,Address questions ahout this arnclc to the author
at D . W A ISTO, 1400 ililson Blvd.. Arlington,
22?09-?108.