Embed Size (px)
Citation preview
Risk Management
Andrea Polini
Software Project ManagementMSc in Computer Science
University of Camerino
A.Y. 2016/2017
Andrea Polini Risk Management SPM – A.Y. 2016/2017 1 / 31
General Information
Risks
First, risk concerns future happenings. Today and yesterday arebeyond active concern, as we are already reaping what was previouslysowed by our past actions. The question is, can we, therefore, by changingour actions today, create an opportunity for a different and hopefully bettersituation for ourselves tomorrow? This means, second, that risk involveschange, such as in changes of mind, opinion, actions, or places. . . .[Third,] risk involves choice, and the uncertainty that choice itself entails.Thus paradoxically, risk, like death and taxes, is one of the few certaintiesof life. R. Charette
Andrea Polini Risk Management SPM – A.Y. 2016/2017 2 / 31
General Information
Risk Management
Risk management is one of the most important activity in projectplanning. It has to do with
anticipating risks that might affect the project schedule, budget, orquality of the the software being developed (identify cause-effectrelations)taking actions to “handle” the risksdocumenting the risks in the plan
Effective risk management makes it easier to cope with problems andto ensure that these do not lead to unacceptable effects. Indeed everyplan is based on assumptions and risk management tries to plan forand control the situations where those assumptions become incorrect
Andrea Polini Risk Management SPM – A.Y. 2016/2017 3 / 31
General Information
Examples
Causes:staff inexperiencelack of top management commitmentnew technologyusers uncertain of requirements
Effects:testing takes longer than plannedplanned effort and time for activities exceededproject scope increasestime delays in getting changes to plans agreed
Andrea Polini Risk Management SPM – A.Y. 2016/2017 4 / 31
General Information
Risk categories
Project risks: affect the project schedule or resourcesStaff turnover: experienced staff will leave the project before it is finischedManagement change: There will be a change of organizational mgmt with differentprioritiesRequirements change: There will be a larger number of changes to therequirements than anticipated
Product risks: affect the quality of the of the software being developedSpecification delays: Specification od essential interfaces are not available onscheduleCASE tool underperformance: CASE tools which support the project do not performas anticiapted
Business risks: affect the business perspectives for the organization developingor procuring the software
Technology change: The underlying technology on which the system is built issuperseded by new technologyProduct competition: A competitive product is marketed before the system iscompleted
Clearly there is not a clear cut among the different categories
Andrea Polini Risk Management SPM – A.Y. 2016/2017 5 / 31
General Information
Socio-technical view
Actors: all the people involved in the development of the softwareStructure: management structure and systemsTechnology: refers both to the technology to support themanufacturing and to the one included in the product itselfTasks: relates to the plan of the activities
Andrea Polini Risk Management SPM – A.Y. 2016/2017 6 / 31
General Information
Risk Management Process
Risk identificationRisk Analysis and PrioritizationRisk PlanningRisk Monitoring
Andrea Polini Risk Management SPM – A.Y. 2016/2017 7 / 31
General Information
Risk identification
Two main techniques:checklistsbrainstorming
Andrea Polini Risk Management SPM – A.Y. 2016/2017 8 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
ChecklistBarry Boehn proposed the following list of 10 most recurring risks for software dev.:
Risk Risk reduction techniquesPersonnel shortfalls Staffing with top talent; job matching; teambuilding; training and ca-
reer development; early scheduling of key personnelUnrealistic time and costestimates
Multiple estimation techniques; design to cost; incremental develop.;recording and analysis of previous project; standardiz. of methods
Developing the wrongsoftware functions
Improved software evaluation; formal specification; user surveys;prototyping; early user manuals
Developing the wronguser interface
Prototyping; task analysis; user involvement
Gold plating Requirements scrubbing; prototyping; cost-benefit analysis; designto cost
Late changes to require-ments
Stringent change control procedures; high change thresh-old;incremental development
Shortfalls in externallysupplied components
Benchmarking; inspections; formal specifications; contractual agree-ments; quality assurance procedures and certification
Shortfalls in externallyperformed tasks
Quality assurance procedures; competitive design or prototyping;contract incentives
Real-time performanceshortfalls
Simulation; benchmarking; prototyping; tuning; technical analysis
Development techni-cally too difficult
Technical analysis; cost-benefit analysis; prototyping; staff trainingand development
Andrea Polini Risk Management SPM – A.Y. 2016/2017 9 / 31
General Information
BrainstormingRepresentatives of the main stakeholders meet together, and on the base of theirindividual knowlwedge identify problems that might occurClassification of risks can help:
Technology riskse.g.: Reused software components contain bugs
People riskse.g.: impossible to recruit staff with the skills required
Organizational riskse.g.: change in management, organizational financial problems and budget cut
Tools riskse.g.: Code generated by tools are inefficient
Requirements riskse.g.: Customers fail to understand the impact of requirements changes
Estimation riskse.g.: size of software is understimated, time for development is understimated
Andrea Polini Risk Management SPM – A.Y. 2016/2017 10 / 31
General Information
BrainstormingRepresentatives of the main stakeholders meet together, and on the base of theirindividual knowlwedge identify problems that might occurClassification of risks can help:
Technology riskse.g.: Reused software components contain bugs
People riskse.g.: impossible to recruit staff with the skills required
Organizational riskse.g.: change in management, organizational financial problems and budget cut
Tools riskse.g.: Code generated by tools are inefficient
Requirements riskse.g.: Customers fail to understand the impact of requirements changes
Estimation riskse.g.: size of software is understimated, time for development is understimated
Andrea Polini Risk Management SPM – A.Y. 2016/2017 10 / 31
General Information
Questions to drive brainstorming
1 Have top software and customer managers formally committed to support the project?2 Are end users enthusiastically committed to the project and the system/ product to be built?3 Are requirements fully understood by the software engineering team and its customers?4 Have customers been involved fully in the definition of requirements?5 Do end users have realistic expectations?6 Is the project scope stable?7 Does the software engineering team have the right mix of skills?8 Are project requirements stable?9 Does the project team have experience with the technology to be implemented?
10 Is the number of people on the project team adequate to do the job?11 Do all customer/user constituencies agree on the importance of the project and on the
requirements for the system/product to be built?
If any one of these questions is answered negatively, mitigation,monitoring, and management steps should be instituted without fail.
Andrea Polini Risk Management SPM – A.Y. 2016/2017 11 / 31
General Information
Risk Analysis
List of risks could easily become unmanageable→ it is necessary todistinguish likely and damaging risks
Risk ExposureIt tries to provide an economical impact (time, money, . . . ) for a risk:
risk exposure = potential damage × probability of occurrencee.g. recruiting staff from competitors to cover required skills
Calculated on the base of an accumulated probability
Top tenBoehm suggests to derive and consider only the 10 top mostdangerous risks
Andrea Polini Risk Management SPM – A.Y. 2016/2017 12 / 31
General Information
4× 4 approach
A common way of categorizing risks is using a 4 × 4 matrix
Columns: probability that the risk will concretizeLow: Less then 10% chance of happeningModerate: 10% - 29%Significant: 30% - 50%High: Greated then 50% chance of happening
Rows: impact produced on the project if the risk become concreteInsignificant: Less then 10% above budgetTolerable: within 10% and 19%Serious: within 20% and 29%Catastrophic: More then 30% above budget
The project manager select a number between 2 and 8. To be taken into account thesum of indexes for an identified risk should be greater then the defined value.
Risk analysis should be continuously reconsidered and some of the risks will vanishafter a while
Andrea Polini Risk Management SPM – A.Y. 2016/2017 13 / 31
General Information
4× 4 approach
A common way of categorizing risks is using a 4 × 4 matrix
Columns: probability that the risk will concretizeLow: Less then 10% chance of happeningModerate: 10% - 29%Significant: 30% - 50%High: Greated then 50% chance of happening
Rows: impact produced on the project if the risk become concreteInsignificant: Less then 10% above budgetTolerable: within 10% and 19%Serious: within 20% and 29%Catastrophic: More then 30% above budget
The project manager select a number between 2 and 8. To be taken into account thesum of indexes for an identified risk should be greater then the defined value.
Risk analysis should be continuously reconsidered and some of the risks will vanishafter a while
Andrea Polini Risk Management SPM – A.Y. 2016/2017 13 / 31
General Information
Risk Planning
Risk Planning has to do with the definition of strategies to manage theidentified risks. In particular the following choices are possible:
risk acceptance: do-nothingrisk avoidance: when possible put in place actions so that the riskcondition cannot occurrisk reduction and mitigationrisk transfer: transfer the risk to another person or organization(e.g.: outsourcing)
Andrea Polini Risk Management SPM – A.Y. 2016/2017 14 / 31
General Information
Reduction
Reduction: put in place actions to reduce the probability that the risk conditionoccurse.g.: data lost→ make a back-up copy
Deciding on risk reduction actions
Counter-measure to reduce risks are take when they are cost effective
Risk Reduction Leverage = (REbefore − REafter )/ cost of risk reduction
The ratio should be grater than 1
Andrea Polini Risk Management SPM – A.Y. 2016/2017 15 / 31
General Information
Mitigation
Mitigation: put in place actions so that the impact is reducede.g.: back-up copies to reduce the impact of possible data corruption
Examples of mitigation strategies:
Risk StrategyStaff illness Reorganize team so that there is more overlap of work and people
therefore understand each other’s jobsRequirementschanges
Derive traceability information to more easily assess the impact ofchanges
Organizational re-structuring
Prepare a briefing document for senior Mgmt showing how theproject is making a very impoprtant contribution to the goals of thebusiness
Understimated de-velopment time
Investigate use of COTS and/or program generator
Andrea Polini Risk Management SPM – A.Y. 2016/2017 16 / 31
General Information
Mitigation
Mitigation: put in place actions so that the impact is reducede.g.: back-up copies to reduce the impact of possible data corruption
Examples of mitigation strategies:
Risk StrategyStaff illness Reorganize team so that there is more overlap of work and people
therefore understand each other’s jobsRequirementschanges
Derive traceability information to more easily assess the impact ofchanges
Organizational re-structuring
Prepare a briefing document for senior Mgmt showing how theproject is making a very impoprtant contribution to the goals of thebusiness
Understimated de-velopment time
Investigate use of COTS and/or program generator
Andrea Polini Risk Management SPM – A.Y. 2016/2017 16 / 31
General Information
Mitigation
Mitigation: put in place actions so that the impact is reducede.g.: back-up copies to reduce the impact of possible data corruption
Examples of mitigation strategies:
Risk StrategyStaff illness Reorganize team so that there is more overlap of work and people
therefore understand each other’s jobsRequirementschanges
Derive traceability information to more easily assess the impact ofchanges
Organizational re-structuring
Prepare a briefing document for senior Mgmt showing how theproject is making a very impoprtant contribution to the goals of thebusiness
Understimated de-velopment time
Investigate use of COTS and/or program generator
Andrea Polini Risk Management SPM – A.Y. 2016/2017 16 / 31
General Information
Mitigation
Mitigation: put in place actions so that the impact is reducede.g.: back-up copies to reduce the impact of possible data corruption
Examples of mitigation strategies:
Risk StrategyStaff illness Reorganize team so that there is more overlap of work and people
therefore understand each other’s jobsRequirementschanges
Derive traceability information to more easily assess the impact ofchanges
Organizational re-structuring
Prepare a briefing document for senior Mgmt showing how theproject is making a very impoprtant contribution to the goals of thebusiness
Understimated de-velopment time
Investigate use of COTS and/or program generator
Andrea Polini Risk Management SPM – A.Y. 2016/2017 16 / 31
General Information
Mitigation
Mitigation: put in place actions so that the impact is reducede.g.: back-up copies to reduce the impact of possible data corruption
Examples of mitigation strategies:
Risk StrategyStaff illness Reorganize team so that there is more overlap of work and people
therefore understand each other’s jobsRequirementschanges
Derive traceability information to more easily assess the impact ofchanges
Organizational re-structuring
Prepare a briefing document for senior Mgmt showing how theproject is making a very impoprtant contribution to the goals of thebusiness
Understimated de-velopment time
Investigate use of COTS and/or program generator
Andrea Polini Risk Management SPM – A.Y. 2016/2017 16 / 31
General Information
Contingency Plan
A contingency plan reports the actions to take in order to cope with theconcrete emergence of a risk. It is generally developed for risks with aparticularly high impact
Andrea Polini Risk Management SPM – A.Y. 2016/2017 17 / 31
General Information
Risk Mgmt - Risk register
Andrea Polini Risk Management SPM – A.Y. 2016/2017 18 / 31
General Information
Risk Monitoring
Monitoring requires to regularly assess each of the identified risks to decide whetheror not the risk is becoming more or less probable and whether the effects of the riskhave changed. Often factors are difficult to observe directly, so look for otherindicators.
Example of possible general indicators:
Risk type Potential IndicatorTechnology Late delivery of hardware or support software, many reported tech-
nology problemsPeople Poor staff morale, poor relationships amongst team members, job
availabilityOrganizational Organisational gossip, lack of action by senior managementTools Reluctance by team members to use tools, complaints about CASE
tools, demandes for higher-powered workstationsRequirements Many requirements change requests, customer complaintsEstimation Failure to meet agreed schedule, failure to clear reported defects
Andrea Polini Risk Management SPM – A.Y. 2016/2017 19 / 31
General Information
Evaluating risks to the schedule
PERT - Program Evaluation and Review TechniqueThis is a technique that takes into account the uncertainties in theduration of the activities within a project in order to define the schedule
An interesting drawback of using method like PERT is that in practicethere is a tendency for developers to work on the schedule even if theycould end the activity before
Andrea Polini Risk Management SPM – A.Y. 2016/2017 20 / 31
General Information
PERT
The PERT strategy requires three different estimation for each activityin order to derive the an estimation for the expected duration (te):
Most likely time (m)Optimist time (a)Pessimistic time (b)
The expected duration is then computed as:
te = a+4m+b6
Andrea Polini Risk Management SPM – A.Y. 2016/2017 21 / 31
General Information
Example
Let’s reconsider the example of a set of activities on which precedencerelation is defined as follows:
Activity Duration (weeks) PrecedentsA Hardware selection 6B System Configuration 4C Install Hardware 3 AD Data Migration 4 BE Draft Office Procedures 3 BF Recruit Staff 10G User Training 3 E,FH Install and Test System 2 C,D
Andrea Polini Risk Management SPM – A.Y. 2016/2017 22 / 31
General Information
Example - PERT version
Now let’s add information to apply the PERT approach:
Andrea Polini Risk Management SPM – A.Y. 2016/2017 23 / 31
General Information
PERT network
The following PERT network results from the considered data after a“forward pass” step:
Now we say “we expect to complete the project by . . . ”
Andrea Polini Risk Management SPM – A.Y. 2016/2017 24 / 31
General Information
Activity standard deviation
Probability TheoryWhat is a Random variable?What is a distribution function for a Random variable?What is the expectation for a Random Variable?What is the standard deviation?
Computing the standard deviation (s) it is possible to derive aquantitative measure of uncertainty. This is given by the formula:
s = b−a6
s can be used as a ranking measure of the degree of uncertainty orrisk for each activity
Andrea Polini Risk Management SPM – A.Y. 2016/2017 25 / 31
General Information
Example - Standard deviations
Now let’s add information for the s values:
s can be used to rank activities according to their degree of risk. In ourcase activity F needs particular attention while C should cause littleconcern
Andrea Polini Risk Management SPM – A.Y. 2016/2017 26 / 31
General Information
Uncertainties in meeting targets
PERT diagrams include information permitting to derive the likelihoodof meeting a target date. This is related to the inclusion of standarddeviation values in the network.
Assessment can be done using a three step procedure:calculate the standard deviation of each project eventcalculate the z value for each event that has a target dateconvert z values to a probabilities
Andrea Polini Risk Management SPM – A.Y. 2016/2017 27 / 31
General Information
PERT Network with s values
The following PERT network results from the data after a forward passfor s values:
Andrea Polini Risk Management SPM – A.Y. 2016/2017 28 / 31
General Information
z
The z value is calculated for each node that has a target date. It iscalculated using the formula:
z = T−tes
Given the value of z there exist graphs that permit to tranform it in aprobability of not meeting the target date
Andrea Polini Risk Management SPM – A.Y. 2016/2017 29 / 31
General Information
Critical chain
Distribution from van Genuchten studies. In complex projects it generally results that -confirmation of the “Parkinson’s Law”:
30% is the probability that acivities are finished on time
9% is the probability that activities are finished one week early
17% is the probability that activities are finished one week late
The critical chain concept tries to solve the issue, considering as target date the one inwhich it is estimated that the probability to finish the activity is 50%
The approach assumes that the the probability profile is based on a normaldistribution
Activities are moved ahead to end of the period (latest start).
people are not distracted or moved on other activities
a project buffer is inserted at the end of the project.
It will last 50% of the removed comfort zones
Andrea Polini Risk Management SPM – A.Y. 2016/2017 30 / 31
General Information
Resources
Study material can be found here:
Bob Hughes and Mike CotterellSoftware Project Management, 5th Ed.McGraw-Hill, 2009
Chapter 7 - Risk Management
Ian SommervilleSoftware Engineering 10thEd .Addison Wesley 2016.
Sect. 5.4 - Risk Management (introducotry notions)
Andrea Polini Risk Management SPM – A.Y. 2016/2017 31 / 31
