SENG 380:Software Process andManagement
Project Risk ManagementPart1
1
Risk Definition
PM-BOK:
It is a project management standard.
Published by the project management institute
ā¢
in the USA.ā¢
Stands for Project Management Body of Knowledge.
Definition of Risk: āan uncertain event or condition that,
ā¢
if itā¢
occurs has aobjectivesā.
positive or negative effect on a projectās
2
Risk Definition (contād)
PRINCE2:
It is a UK government-sponsored project managementstandard.
It stands PRojects IN Controlled Environments.
ā¢
ā¢
Risk definition: āthe chance of exposure to the adverseā¢
consequences of future eventsā.
3
Risk Key Elements
relates to the future.The future is uncertain.
It
ā
ā¢
ā Some things that seem obvious when the project is over, mightnot have appeared obvious during planning (e.g. technologyused, project estimation).
It
ā
involves a cause and an effect.
Causes:
ā¢
ā¢
ā¢
ā¢
The use of untrained staff.
Poor specifications.An inaccurate estimate of effort.Effects:ā
ā¢
ā¢
Cost over run.
Low productivity. 4
ExerciseMatch the following risk causes to the risk effects.
Causes:a)
b)
c)
d)
Staff inexperience.
Lack of top management commitment.
New technology.
Users uncertain of their requirements.Effects:
I. Testing takes longer than planned.
II. Planned effort and time for activities exceeded.
III. Project scope increases.
IV. Time delays in getting changes to plans agreed.
5
Boundaries of Risk Management
Every plan is based onā
assumptions and riskmanagement tries to plan for and control the situations where those assumptions become incorrect.
Risk planning is carriedat steps: 3 & 6.
outā
6
Risk Categories
Project Risks: are risks that could prevent the achievement ofthe objectives given to the project manager and the projectteam.
ā¢
These objectives are formulatedsuccess.
Project success factors:
toward achieving projectā¢
ā¢
On time.
Within budget.
Required functionality.
Quality.
ā
ā
ā
ā
Project risks can be classified under these four categories.7
ā¢
Risk Categories (contād)
A different way to categorize risks:
A sociotechnical model proposed by Kalle Lyytinen and hisā¢
colleagues [1].
The Lyytinen-Mathiassen-Ropponen risk Framework[1] 'A framework for risk management' journal of informationtechnology,11(4) 8
Risk Categories (contād)
Actors : refers to all people involved in the development the application.
Risk:
ofā¢
ā¢
A high staff turnover, leads to expertise of valueproject being lost.
Technology: encompasses both the technology:
to theā¢
ā¢
Used to implement the application and
That embedded in the delivered products.
ā
ā
Risk:ā¢
Relating to the appropriateness of the technology and
The possible faults in it.9
ā
ā
Risk Categories (contād)
Structure: describes the management structures and systems, including those affecting planning and control.
Risk:
ā¢
ā¢
Responsibility for managing the users involvement atimplementation stage might not be clearly allocated.
theā¢
Tasks: relates to the work planned.
Risk:
ā¢
ā¢
The complexity of work might lead to delays because ofā¢
the additional time required integrate the large numberof components.
10
All boxes are interlinked.Why?
Risks often arise from the relationships between factors.
Example: between technology and people:If thedevelopment technology is novel, and the developers are not experience in its use this could lead to delay of the results.
What is a Novel SW in this case?
ā
ā
ā
ā
Risk Framework
Planning for risk includes these steps:
1.
2.
3.
4.
Risk
Risk
Risk
Risk
identification.
analysis and prioritization.
planning.
monitoring.When risks are identified, plans canremove their effects.
The plans are reassessed to ensure:
be made to reduce orā¢
ā¢
That the original risks are reduced sufficiently and
No new risks are inadvertently introduced.
ā
ā
12
Risk IdentificationThe two main approaches to identify risk are:
The use of checklists.
Brainstorming.
ā
ā
Checklists: are lists of the risks that have been found to occurregularly in software development projects.
Those checklists often suggest some potentialcountermeasures for each risk.
A group of representatives for a project examines identifying risks applicable to their project.
ā¢
a checklistā¢
PRINCE2, recommends that after completing a project, all theproblems that were identified as risks during the project to beadded to an organizational risk checklist to be used with new
ā¢
projects. 13
Software Project Risk Checklist Example
14
Risk Identification (contād)
Brainstorming (thinking ahead):
Representatives of the main stakeholders of the project, arebrought together , in order to use their individual knowledge of
different parts of
ā
the project
to identify the problems that can occur(identify risks).
15
Risk Assessment(Risk analysis and prioritization)
In order to prioritize the risks that were identified, we need way to distinguish:
a
The likely and damaging risks from those identified inprevious step ārisk identificationā.
One way of doing so is to calculate the risk exposure for
theā¢
eachrisk identified, using the following formula:
Risk Exposure (RE)= (potential damage)occurrence)
Ć(probability of
16
Risk Assessment (contād)
Ways of assessing the potential damage and probability ofoccurrence:
In money values and probabilities.
1.
Say a project depended on a data center vulnerable to fire. Itmight be estimated that if fire occurred a new computerconfiguration could be established for $500,000.estimated that there is a 1 in 1000 chance that a
it might also befire will occur.
The risk exposure (RE) in this case would be:
500,000 *0.001=$500
*The higher the RE, the more attention or priority
is given tothe risk 17
Example (True or False):
A risk that has a potential damage of $40,000 and a probability of occurrence of12%will be given a higher priority than a risk having a potential damage of$35,000 and a likelihood of 14%. FalseRisk
Risk
Risk
Exposure= potential damage * probability of occurrence (likelihood)
Exposure for risk1= 40,000 *0.12=$4800
Exposure for risk1= 35,000 *0.14= $4900 this risk exposure is higherso it will be given more priority.
With some risks:
Instead of damages,ā
There could be gains.
Example: a task that is scheduled to take six days is completed in3 days instead.
ā
ā
A project leader may produce a probability chart for the tasks.ā
Probability ChartThe probability completion: shows the probability of completing the task in x days.
The accumulated probability: shows the probability of completing the task on or before the xth day.
ā
ā
Risk Assessment (contād)
2. Relative scales from 0 to 10.
Both risk loss (damage) and the likelihood (probability ofā¢
occurrence) will be assessed using relative scales from 0 to
risk
10.
Then they will be multiplied together to get a notionalā¢
exposure (RE).
Risk in the(RE)
table refers to the Risk Exposure20
Risk Assessment (contād)
3. Qualitative descriptors.
Another approach is to use qualitative descriptions of thepossible impact and the likelihood of each risk.
Qualitative descriptors for the ārisk probabilityrange values.
ā and associated
21
Risk Assessment (contād)
Qualitative descriptors of āimpact on costā and associated rangevalues.
22
Risk Assessment (contād)
Consider R5, which refers to that coding the module would take longer than planned. This
risk has an impact on what?
ā¢
Time (the planned completion date) and cost.ā
What could be a response to such risk?ā¢
Option: Add software developers and split the remaining workbetween them.
ā
ā¢ This may increase the cost but will save the planned completiondate.
Option: reduce time spent on software testing.ā
ā¢ This will save both duration and staff costs but the price could bedecreased quality in the project deliverable.
23
Risk Assessment (contād)
The risk exposure cannot be calculated by multiplying the twofactors when you are using qualitative descriptors.
ā¢
The risk exposure instead is indicated by the position of therisk in a matrix.
The matrices used are called probability impact grids or
ā¢
ā¢
summary risk profiles.
Part of the matrix (some of the cells) is zoned off by atolerance line.
Risks appearing in that zone are given more attention than
ā¢
ā¢
other risks (higher degree of seriousness).
24
Risk Assessment (contād)
Probability Impact Grid
25
Risk Assessment (contād)
There is a need to reassess risk exposure as the projectproceeds.
This mean that some risks could only apply at certain stages.
Example:
Risk: the key users might not be available when needed to supply details for their requirements.
ā
ā
ā
Once the requirement gathering is done.ā
The risk is no longer significant.ā
Risk Planning
After:ā¢
The major risks are identified and
Prioritized.
ā
ā
The task becomes āhow to deal with themā.ā¢
The choices for dealing with them are:ā¢
Risk acceptance.
Risk avoidance.
Risk reduction and
mitigation. Risk transfer.
ā
ā
ā
ā
27
Risk Planning (contād)
Risk Acceptance:ā¢
This is deciding to do nothing about the risk. This meansā
you
ā
will accept its consequences. Why?
In order to concentrate on the more likely or damaging risks.The damage that those risks could cause would be less
āthan the costs needed to actprobability of occurrence.
towards reducing their
28
Risk Planning (contād)
Risk Avoidance:ā¢
Some activities are so prone to accident thatavoid them altogether.
it is best toā
Example to avoid all the problems associated withā
developing software solutionscould be to:
from scratch, a solution
ā¢ Buy an off-the-shelf product.
29
Risk Planning (contād)
Risk Reduction and Mitigation:ā¢
Risk Reduction: attempts to reduce the likelihoodrisk occurring.
of theā
e.g. consider the following risk: developers leaving acompany in the middle of a project for a better paid job.
In order to reduce the probability of such a risk occurring:
the developers could be promised to be paid generous bonuses on successful completion of the project.
30
Risk Planning (contād)
Risk Mitigation: is the action taken to ensureimpact of the risk is reduced when it occurs.
that theā
Taking regular backups of data storage, is it a risk mitigationmeasure or a risk reduction measure?
Since it would reduce the impact of data corruption not itslikelihood of happening, in this sense it is a data mitigationmeasure.
31
Risk Planning (contād)
Risk Transfer:ā¢
In this case the risk is transferred to another
organization.
person orā
Example: a software development task is outsourced for
fixed fee.
aā
Another example
car).
is when you buy insurance( e.g. for aā
32
Risk Management
Contingency Plans:
Although risk reduction measures try to reduce theā¢
probability or the likelihood of risks, they still could happen.
Contingency plan is a planned action to be carried out if a riskā¢
materializes (occurs).
33
Risk Management (contād)
Example:
Consider the following risk:
Staff absence through illness.ā¢
One risk reduction measure taken:
Employers will encourage their employeeslifestyle.
Still, any of the staff members can get sick
to live a healthyā¢
by a flu.ā¢
Such risks that will happen eventually no matter whatprecautions can be taken to reduce their likelihood need acontingency plan.
ā¢
34
Risk Management (contād)
contingency plan in this case can be:
To get other team members to cover on urgent tasks.
What are the factors that will allow the above action
toworthwhile?
A
ā¢
beā¢
Intermediate steps were well documented.
There is a standard methodology for the way that work was carried out for the activity.
ā
ā
Which one of the recommended approaches in the extremeprogramming would provide an alternative way to deal withthe problem of a team member being ill?
ā¢
Pair programming.ā
35
Risk Management (contād)
Deciding on the risk actions:
For each risk you will have a set of countermeasuresreduction actions.
or riskā¢
These risk reduction measures should be cost-effective.
The cost effectiveness of a risk reduction action can be
ā¢
ā¢
assessed by the risk reduction leverage (RRL).
The risk reduction action with a RRL above 1 is worthwhile.ā¢
RRL= (RE before ā RE after)/cost of risk reduction.
36
Risk Management (contād)Say a project depended on a data center vulnerable to fire. It might
ā¢
be estimated that ifcould be establishedthere is a 1% chance
fire occurred a new computer configurationfor $500,000. it might also be estimated thatthat a fire will occur. Installing fire alarms at a
cost of $500 would reduce the chance of fire to 0.5%.
Will the action of installing alarms be worthwhile.We will calculate the RRL for this action and then decide. RE = (potential damage) Ć(probability of occurrence)RE before = $500,000 * 0.01 = $2000RE after= $500,000 * 0.005 = $1000Cost of risk reduction = $500 (cost of installing the fire alarms) RRL= (2000-1000) / 500 = 2Since RRL value > 1 then the action is worthwhile.
ā¢
ā¢
ā¢
ā¢
ā¢
ā¢
ā¢
ā¢
37
Risk Management (contād)
Creating and maintaining the risk register:
A risk register: it contains the findings of project planners ofā¢
what appear to be the most threatening risks to the project.
After work starts on a project more risks will appearbe added to the register.
Risk registers are reviewed and updated regularly.
and willā¢
ā¢
True or false:
The probability and the impact of a risk are likely toduring the course of the project.
changeā¢
38