Risk

If you dont attack risks,

they will attack you.
An Example of Risk
Questions
What risks are there to
software projects?

How can we handle those

risks?
Risk Categories
performance risks
does not meet the requirements

cost risks
over budget

schedule risks
not delivered on time

support risks
maintenance problems
Common Problem Sources
Inherent difficulties in estimation
Ex bad historical data

Bad assumptions during planning

Ex we thought the customer would take less
than two weeks to provide interface feedback
Ex our task network didnt expect coding to
uncover design problems
Ex we didnt schedule time to change the
design and code when the specs change

Unforeseen Events
 Boehm's Top 10 Software Risks
1. Schedules, budgets, process
2. Requirements Changes
3. Personnel Shortfalls
4. Requirements Mismatch
5. Rapid change
6. Architecture, performance, quality,
distribution/mobility
7. External components
7. Legacy Software
9. Externally-performed tasks
10. User interface mismatch
USC Center for Systems & Software Engineering
 customer-furnished items or information
internal and external subcontractor relationships
inter-component or inter-group dependencies
availability of trained, experienced people
reuse from one project to the next
lack of clear product vision
lack of agreement on product requirements
un-prioritized requirements
new market with uncertain needs
new applications with uncertain requirements
rapidly changing requirements
ineffective requirements change management process
inadequate impact analysis of requirements changes
inadequate planning and task identification
inadequate visibility into actual project status
unclear project ownership and decision making
unrealistic commitments made, sometimes for the wrong reasons
managers or customers with unrealistic expectations
staff personality conflicts
poor communication
inadequate training
poor understanding of methods, tools, and techniques
inadequate application domain experience
new technologies or development methods
ineffective, poorly documented, or neglected processes
unavailability of development or testing equipment and facilities
inability to acquire resources with critical skills
turnover of essential personnel http://www.processimpact.com/articles/risk_mgmt.html
unachievable performance requirements
problems with language translations and product internationalization
technical approaches that may not work
IEEE/ISO Std for
Recovering from Risks Gone Bad

There isn't one!!!!

 SEI on Risk
What does success look like?
A successful risk management practice is one in which risks are
continuously identified and analyzed for relative importance. Risks are
mitigated, tracked, and controlled to effectively use program
resources. Problems are prevented before they occur and personnel
consciously focus on what could affect product quality and schedules.

What will risk management do for my business?

There will be a cultural shift from "fire-fighting" and "crisis
management" to proactive decision making that avoids problems
before they arise. Anticipating what might go wrong will become a
part of everyday business, and the management of risks will be as
integral to program management as problem or configuration
management.
SEI Risk Management Principles
1. Global perspective
2. Forward-looking view
3. Open communications
4. Integrated management
5. Continuous process
6. Shared product vision
7. Teamwork

www.sei.cmu.edu/programs/sepm/risk/
Boehms Risk Engineering Tasks

Risk Analysis
Identification
Estimation
Evaluation
Risk Management
Planning
Control
Monitoring
Directing
Staffing
Prioritizing Risks

RE = likelihood x impact

REbefore REafter
RRL =
risk reduction cost

RE = risk exposure
RRL = risk reduction leverage

Software Project Management by Hughes and Cotterell

RRL Example
Problem:
We are building a university financial aid application.
There is a 3% chance that an error in the interface will
occur and result in a $1 million patch.

Solution 1: Requirements Checker:

cost = $20K
error probability reduced to 1%

Solution 2: Interface Testing Tool:

cost = $150K
error probability reduced to .5%

adapted from
Software Engineering : Barry Boehm's Lifetime Contributions
by Richard Shelby
example continued

($1M * 3%) - ($1M * 1%)

RRL(Req Checker) = --------------------------------
$20K
= 1.00

($1M * 3%) - ($1M * .5%)

RRL(Testing Tool) = --------------------------------
$150K
= 0.197
Dealing with Risks

Hazard Prevention
Likelihood Reduction
Risk Avoidance
Risk Transfer
Contingency Planning
Example Risk 1
Lose of Source Code.
Risk of the server crashing?
cost of automated backups.

Risk of hack attack from outside.

cost of firewall software, etc.

Risk of hack attack from inside.

cost of off-site backup system.
 Example Risk 2
Person X is assigned to three tasks
on the critical path!
How do we deal the risk of them getting
sick?
Possible Steps:
1. Analyze the possible impact of a delay
caused by their absence.
2. Determine cost of training another person to
do one or two of those tasks.
What is the risk exposure versus the training
costs?
3. Can there be a different task network or
assignment of personnel?
Example Risk 3
The risk of employee turnover?
What happens if they leave?
How dependant is our schedule on people
with these exact skills?
Will information be lost with the person?

How can we keep them / replace

them?
How costly would it be to raise salaries?
How else could we make them happy?
Costs to hire good replacements?
 Example Risk 4

The Market for our product may change.

What is the likelihood of change? How
acceptable would our product be?

How risky is it to speed production?

Effect of speed on quality?
Costs of extra personnel or overtime pay?

What is the risk of making it a more

general product?
Cost and time of extra features?
Example Risk 5

Risk to Functionality based on

unknown technology?
How likely is it that we dont know enough
to fulfill this particular requirement?
How important is this requirement to
product acceptance?
If someone else knows a lot about this, how
much would it cost to get them here?
Should we try two approaches at the same
time?
Example Risk 6

Risks related to Example Data Access.

Who controls access to the database where
we are supposed to get our sample data?
Is their boss in favor of this project?
Are they nice, or do we need to mow their lawn
before we can see the data?
When can we get the data?
If we cant get data at the beginning, can we use
fake data for a while?
How long can we use fake data?
How will fake data affect quality?
Example Risk 7
To generate additional revenue, we will
release a new version of a financial
analysis product. Since it is currently
written in COBOL, the next version
should be written in COBOL.

Do you see any potential risks?

Risk Analysis Tools
Risk Radar includes 22 standardized reports that
enable project managers to quickly and easily view and
track important risk data. It provides the ability to
establish standard values for categorizing and
prioritizing project risks according to Probability of
Occurrence, Risk Impact and Risk Exposure. And, it
does this all within the familiar Microsoft Access
graphic interface, which enables most users to
immediately apply the benefits of the tool without
costly and time-consuming software training.

www.iceincusa.com/products_tools.htm
Summary
Be proactive, not reactive.

Assess the cost of failure

against the costs of addressing
the risk.

Avoid costly risks or limit the

effect of the risk.
Homework Exercise
For the previous homework's web
based project:
identify 5 risks
estimate the risk exposure for
each risk
how can that team deal with
those risks