11

U08784 U08784 Software Project ManagementSoftware Project Management

lecturer: Timothy Aulecturer: Timothy Auemail: timothykfau@yahoo.comemail: timothykfau@yahoo.com

url: www.geocities/timothykfau/2007/u08784url: www.geocities/timothykfau/2007/u08784

22

What have we learnt last weekWhat have we learnt last week

In this lecture, you will learn :In this lecture, you will learn :• Project Estimation: An Introduction to COCOMO Project Estimation: An Introduction to COCOMO 5a5a

• An Introduction to COCOMO An Introduction to COCOMO (Word document)(Word document) 5b5b

• An Introduction to Estimating An Introduction to Estimating 5c5c

• The COnstructive COst MOdel (COCOMO) The COnstructive COst MOdel (COCOMO) 5d5d

In the second-half lecture,In the second-half lecture,• Week 2 Exercise Ex. COCOMO (Page 153-158) Week 2 Exercise Ex. COCOMO (Page 153-158) • Measure Software Quality (Page 163-175) 6aMeasure Software Quality (Page 163-175) 6a• Estimating Function Point Analysis (Page 186-192) Estimating Function Point Analysis (Page 186-192)

6e6e

33

Lecture 5Lecture 5

In this lecture, you will learn :In this lecture, you will learn :• Risk Management Risk Management 3a3a

• Risk Analysis ReportRisk Analysis Report In the second-half lecture,In the second-half lecture,

• RMMM Report ExampleRMMM Report Example RMMM Report 1 RMMM Report 1 3b3b

RMMM Report 2 RMMM Report 2 3c3c

44

Lecture OutcomesLecture Outcomes You should be able to understand the following upon You should be able to understand the following upon

this lecture:this lecture:• Risk Identification, Risk Analysis, Risk Treatment and Risk Identification, Risk Analysis, Risk Treatment and

Risk MitigationRisk Mitigation• How to prepare a Risk Analysis reportHow to prepare a Risk Analysis report

Project MilestonesProject Milestones• Have done your effort estimation: cost effort & durationHave done your effort estimation: cost effort & duration• Prepare cost justification on your projectPrepare cost justification on your project• Refine your detailed project plan (individual)Refine your detailed project plan (individual)• Prepare risk treatment and mitigation plan for your project Prepare risk treatment and mitigation plan for your project

risks (risk analysis report)risks (risk analysis report)• Draft Quality PlanDraft Quality Plan

55

Risk Analysis and ManagementRisk Analysis and Management

Risk Risk • PM-BOK defines risk asPM-BOK defines risk as

‘‘an uncertain event or condition that, if occurs,, has a an uncertain event or condition that, if occurs,, has a positive or negative effect on project’s objectives’.positive or negative effect on project’s objectives’.

• PRINCE2 defines risk asPRINCE2 defines risk as ‘‘the chance of exposure to the adverse consequences of the chance of exposure to the adverse consequences of

future events.’future events.’

66

Risk Analysis and ManagementRisk Analysis and Management Risk Risk

• concerns future happeningsconcerns future happenings• involves changeinvolves change• involves choicesinvolves choices• involves involves causecause and and effecteffect

Risk concerns future changes and uncertainties and risk management deals Risk concerns future changes and uncertainties and risk management deals with managing uncertainties. with managing uncertainties.

Reactive and Proactive strategiesReactive and Proactive strategies• Risk can be dealt with reactive strategy – Risk can be dealt with reactive strategy – fire fighting modefire fighting mode..• A more intelligent strategy for risk management is to be proactive. A more intelligent strategy for risk management is to be proactive.

A proactive strategy begins long beforeA proactive strategy begins long before Potential risks are identified, their probabilities and impacts are assessed, and Potential risks are identified, their probabilities and impacts are assessed, and they are ranked by importance.they are ranked by importance. Then, the software team establishes a plan for managing the risk. Then, the software team establishes a plan for managing the risk. The primary objective is to avoid risk, but because not all risks can be avoided, the The primary objective is to avoid risk, but because not all risks can be avoided, the

team works to develop a contingency plan that will enable it to respond in a team works to develop a contingency plan that will enable it to respond in a controlled and effective manner.controlled and effective manner.

• In this lecture, we will discuss a proactive strategy for risk management. In this lecture, we will discuss a proactive strategy for risk management.

77

Risk ManagementRisk Management

The risk management provides a systematic decision-The risk management provides a systematic decision-making process to effectively deals with uncertainty making process to effectively deals with uncertainty in accomplishing program objectives.in accomplishing program objectives.• Risk Identification. Risk Identification.

• Risk AnalysisRisk Analysis

• Developing & Implementing Risk Mitigation Plan Developing & Implementing Risk Mitigation Plan

• Risk Monitoring and Tracking & ControlRisk Monitoring and Tracking & Control

88

Risk IdentificationRisk Identification Risk identification can be viewed from five different Risk identification can be viewed from five different

areas:areas:• Project-wise risks Project-wise risks

• restricted or untimely funding, mandated schedules, excessive contractual restricted or untimely funding, mandated schedules, excessive contractual requirements and constraints or political risksrequirements and constraints or political risks ..

• Technical risksTechnical risks• involves the risk of meeting performance requirement or a safety or security involves the risk of meeting performance requirement or a safety or security

requirement and may also include risks in the feasibility of a design concept or requirement and may also include risks in the feasibility of a design concept or the risks associated with using state-of-the-art hardware or softwarethe risks associated with using state-of-the-art hardware or software

• Quality risksQuality risks• occurs when the development practices that were to be used to develop a occurs when the development practices that were to be used to develop a

product are not actually followed. This can result in a product that does not product are not actually followed. This can result in a product that does not satisfy requirements.satisfy requirements.

• Logistics risks Logistics risks • include reliability, maintainability, operability and suitability concernsinclude reliability, maintainability, operability and suitability concerns

• Distribution risks Distribution risks • or operational risks (also called deployment risks) can result in improper installation and or operational risks (also called deployment risks) can result in improper installation and

use of the product, which can, impact its use by customersuse of the product, which can, impact its use by customers

99

Factors affecting Cost and Schedule Factors affecting Cost and Schedule risksrisks

Factors affecting Cost and Schedule risks Factors affecting Cost and Schedule risks • Uncertain requirements. Uncertain requirements.

• The requirements of the project are initially not known or well understood. This can The requirements of the project are initially not known or well understood. This can result in very large cost and schedule estimation errors being built to a project.result in very large cost and schedule estimation errors being built to a project.

• Incorrect cost estimates. Incorrect cost estimates. • Even if requirements are well understood, errors can occur during the estimation process. Even if requirements are well understood, errors can occur during the estimation process.

These can be as simple as data entry errors as complex as using unrealistic factors in the These can be as simple as data entry errors as complex as using unrealistic factors in the estimation model or not compensating for changes.estimation model or not compensating for changes.

• Requirement creeping. Requirement creeping. • Increase in system requirement is not reflected by a corresponding increase in budget or the schedule.Increase in system requirement is not reflected by a corresponding increase in budget or the schedule.

• Schedule compression. Schedule compression. • It is usually brought about by incorrect schedule estimates or commitments before the project starts or by It is usually brought about by incorrect schedule estimates or commitments before the project starts or by

pressure from upper management or the customer. Thus creates schedule risks and usually results in a pressure from upper management or the customer. Thus creates schedule risks and usually results in a non-linear increase in costs drastically!non-linear increase in costs drastically!

• Unreasonable budget. Unreasonable budget. • It might be based on incorrect assumptions or analyze or on a decision that project will be bid for the It might be based on incorrect assumptions or analyze or on a decision that project will be bid for the

price.price.

1010

Factors affecting Requirement risksFactors affecting Requirement risks

Factors affecting Requirement risksFactors affecting Requirement risks• Incorrect cost estimates.Incorrect cost estimates.

• Requirements that attempts to specify user needs and customer expectations that contains errors. Most likely rework will be the Requirements that attempts to specify user needs and customer expectations that contains errors. Most likely rework will be the result.result.

• Incomplete requirements.Incomplete requirements. • Requirements that do not specify desired product features or particular aspects of desired products features. Cost and schedule will Requirements that do not specify desired product features or particular aspects of desired products features. Cost and schedule will

both grow.both grow.

• Inconsistent requirements. Inconsistent requirements. • Requirements that conflicts with other requirements. Rework and loss of quality will be likely the result.Requirements that conflicts with other requirements. Rework and loss of quality will be likely the result.

• Unexpectedly hard requirements.Unexpectedly hard requirements. • Requirements that result in a technically difficult or complex product that is either difficult to design or to implement. Cost, Requirements that result in a technically difficult or complex product that is either difficult to design or to implement. Cost,

schedule and quality are all put into risk.schedule and quality are all put into risk.

• Infeasible requirements. Infeasible requirements. • Requirements that cannot be achieved using current available people, tools or technology.Requirements that cannot be achieved using current available people, tools or technology.

1111

Factors affecting Requirement risksFactors affecting Requirement risks

Factors affecting Requirement risks (continued)Factors affecting Requirement risks (continued)• Unclear requirements. Unclear requirements.

• Requirements that have one ore more semantic interpretation. Rework is likely or customer dissatisfaction.Requirements that have one ore more semantic interpretation. Rework is likely or customer dissatisfaction.

• Unverifiable requirements. Unverifiable requirements. • Requirements that have no finite process exists to verify the products meet the requirements. Effort may be Requirements that have no finite process exists to verify the products meet the requirements. Effort may be

misdirectedmisdirected..

• Untraceable requirements. Untraceable requirements. • Requirements that have no audit trail from the requirements to tested code. Unpredictable effort may be expended.Requirements that have no audit trail from the requirements to tested code. Unpredictable effort may be expended.

• Volatile requirements. Volatile requirements. • Requirements that are constantly changing as some requirements are added, removed, changed or reinterpreted. Cost, Requirements that are constantly changing as some requirements are added, removed, changed or reinterpreted. Cost,

schedule and quality are all likely to impactschedule and quality are all likely to impact

1212

Categories of Risk Categories of Risk

When risks are analyzed, it is important to quantify the level When risks are analyzed, it is important to quantify the level of uncertainty and the degree of loss associated of the risk. of uncertainty and the degree of loss associated of the risk.

To accomplish this, different categories of risks are To accomplish this, different categories of risks are considered:considered:

• Project RisksProject Risks• It threaten the project plan. If the project risks become real, it is likely It threaten the project plan. If the project risks become real, it is likely

that the project schedule will slip and that costs will increase.that the project schedule will slip and that costs will increase.

• Technical RisksTechnical Risks• It threaten the quality and timeliness of the software to be produced. It threaten the quality and timeliness of the software to be produced.

If technical risk becomes a reality, implementation may become If technical risk becomes a reality, implementation may become difficult or impossible.difficult or impossible.

• Business RisksBusiness Risks• It threatens the viability of the software to be built. Business risks It threatens the viability of the software to be built. Business risks

often jeopardize the project or the product. often jeopardize the project or the product.

1313

Risk AnalysisRisk Analysis

How big is the risk?How big is the risk?• There are categories of risk that may affect the There are categories of risk that may affect the

project: project: TechnicalTechnical Project ScheduleProject Schedule CostCost Business Business

1414

Risk AnalysisRisk Analysis

Top TEN Risk ListTop TEN Risk List• The following is a list of risk Top Ten Risk in this week for The following is a list of risk Top Ten Risk in this week for

the period of dd/mm/yyyy to dd/mm/yyyy:the period of dd/mm/yyyy to dd/mm/yyyy: Rank Rank this this weekweek

Rank Rank last last weekweek

Highest Highest RankRank

No. of No. of weeks weeks on liston list

Risk Risk LevelLevel

CategoryCategory ProblemProblem Risk Risk handling handling approachapproach

StatusStatus OwnerOwner

11 33 11 22 HighHigh BusinessBusiness Requirement creepingRequirement creeping

22 22 22 11 HighHigh Project Project Unexpected schedule Unexpected schedule delaydelay

33 11 11 44 HighHigh BusinessBusiness

44 -- -- 22 Medium Medium TechnicalTechnical Development tools Development tools acquisition acquisition

55 44 44 11 MediumMedium TechnicalTechnical Computer network faultComputer network fault

66 77 55 44 MediumMedium CostCost Staff turnoverStaff turnover

77 55 66 33 LowLow BusinessBusiness

88 99 88 33 LowLow TechnicalTechnical

99 -- -- --

1010 -- -- --

1515

Risk AnalysisRisk Analysis

Risk GridRisk Grid

Risk Grid

Lik

elihood

5

4

3

2

1

1 2 3 4

Consequence

Risk Level

H High

M Medium

L Low

1616

Risk AnalysisRisk Analysis

LikelihoodLikelihood• What is the Likelihood that the risk will happen? What is the Likelihood that the risk will happen?

Level Certainty Likelihood

5 Nearly certainty

Cannot mitigate this type of risk. NO known processes or alternative available (>90% chance it will happen)

4 Highly likely Cannot mitigate this risk, but a different approach might (>66.7% chance it will happen)

3 Likely May mitigate this risk but alternative approach(es) MAY BE required (~50% chane it will happen)

2 Low Likelihood

Have usually mitigated this type of risk with minimal oversight in similar cases (<33.3% chance it will happen)

1 Not Likely Will effectively avoid or mitigate this risk based on standard practices (<10% chance it will happen)

1717

Risk AnalysisRisk Analysis

ConsequenceConsequence• Given the risk is realized, what would be the magnitude of the impact?Given the risk is realized, what would be the magnitude of the impact?

Level Technical Schedule Cost

1 Minimal Impact Minimal Impact Minimal Impact

2 Minor performance shortfall, same approach retained

Additional tasks required, able to meet key milestones

Development or acquisition cost slightly increase to 1%

3 Moderate performance shortfall, alternative available

Monitor schedule slippage, will impact to some milestone(s) without workaround

Development or acquisition cost mildly increase to >1% & 5%

4 Unacceptable performance but alternative available

Program critical path impact but workaround available

Development or acquisition cost considerably increase to >5% & 10 %

5 Unacceptable performance and NO alternative exist

No known way to achieve program milestones

Development or acquisition cost significantly increase to > 10 %

1818

Risk EstimationRisk Estimation

Risk ExposureRisk Exposure• RE = Probability x CostRE = Probability x Cost

Growth (%)

Probability Product Size (LOC/FP)

Cost Exposure

Schedule Exposure

Risk Exposure

0-5 40 200 ~ 0 ~ 0

5-10 25 265-285 $100-200 K 0 – 2 weeks

10-15 20 285-300 $200-300K 2 – 3 weeks

15-20 15 300-400 $300-400K 3 – 4 weeks

Distribution of Software Growth and Resulting Exposure

1919

Risk Mitigation, Monitoring and Risk Mitigation, Monitoring and ManagementManagement

All of the above risk analysis activities up to All of the above risk analysis activities up to this point have a common goal this point have a common goal • to assist the project team to develop a strategy for to assist the project team to develop a strategy for

dealing with risk.dealing with risk. An effective strategy must consider the An effective strategy must consider the

following THREE issues:following THREE issues:• Risk avoidance (always the best strategy)Risk avoidance (always the best strategy)• Risk monitoringRisk monitoring• Risk management and contingency plan Risk management and contingency plan

2020

Risk MitigationRisk Mitigation

The risk mitigation plan:The risk mitigation plan:

Risk Mitigation PlanDescription of Potential Risk

Probability (L/M/H)

Potential Implications

Avoidance / Prevention Strategies

Contingency / Recovery Strategies

2121

Risk TreatmentRisk Treatment

Risk treatment: select risk mitigation process. Risk treatment: select risk mitigation process. How How can you reduce the risk?can you reduce the risk?• Risk Avoidance (always the preferred choice)Risk Avoidance (always the preferred choice)• Risk Acceptance (or Assumption)Risk Acceptance (or Assumption)• Problem Control (or Prevention)Problem Control (or Prevention)• Risk TransferRisk Transfer• Research & KnowledgeResearch & Knowledge

2222

Risk TreatmentRisk Treatment

What next?What next?• Assess the New Risk Level if implementedAssess the New Risk Level if implemented

HighHigh MediumMedium LowLow

• Action to be taken if implementedAction to be taken if implemented Change budget to include Mitigation activitiesChange budget to include Mitigation activities Change planning to include Mitigation eventsChange planning to include Mitigation events Change schedule to include Mitigation activitiesChange schedule to include Mitigation activities Communicate changes to stakeholdersCommunicate changes to stakeholders

• Estimating Risk Impacts and Avoidance CostsEstimating Risk Impacts and Avoidance Costs

2323

Risk Analysis DocumentRisk Analysis Document

A sample table of contents of a typical risk analysis A sample table of contents of a typical risk analysis document is as follows:document is as follows:• IntroductionIntroduction• PurposePurpose• Risk ManagementRisk Management• Risk IdentificationRisk Identification• TOP TEN Risk ListTOP TEN Risk List• Risk AnalysisRisk Analysis• Risk Mitigation StrategyRisk Mitigation Strategy• Risk Mitigation PlanRisk Mitigation Plan• ReferenceReference

2424

Risk Analysis DocumentRisk Analysis Document

PurposePurpose• This document describes how we will perform the job of managing This document describes how we will perform the job of managing

risks for risks for <YourProject> System<YourProject> System.. The purpose of this risk mitigation The purpose of this risk mitigation plan is to outline the risks that have been identified by the team as plan is to outline the risks that have been identified by the team as having highest probability to impact our schedule. These risks have having highest probability to impact our schedule. These risks have been categorized as High, Medium and Low. been categorized as High, Medium and Low.

• The risk analysis and mitigation plan contains the following:The risk analysis and mitigation plan contains the following: Risk identification – the project risks, technical risks and cost risks Risk identification – the project risks, technical risks and cost risks

are categorized and listed.are categorized and listed. A risk mitigation strategy and activities for each identified risks are A risk mitigation strategy and activities for each identified risks are

planned planned

2525

The RMMM PlanThe RMMM Plan

The RMMM Plan is an integral part of your project The RMMM Plan is an integral part of your project planplan• A risk management strategy can be included in the A risk management strategy can be included in the

software plan software plan

• Or we can say the risk management steps can be organized Or we can say the risk management steps can be organized into a separate Risk Mitigation, Monitoring and into a separate Risk Mitigation, Monitoring and Management Plan (The RMMM Plan).Management Plan (The RMMM Plan).

• This RMMM Plan documents all works performed as part This RMMM Plan documents all works performed as part of the Risk Analysis and is used by the project manager as of the Risk Analysis and is used by the project manager as part of the overall project plan.part of the overall project plan.