What is it?
Risk analysis and management are actions that help a software team to understand and manage uncertainty. Many problems can plague a software project. A risk is a potential problem—it might happen, it might not. But, regardless of the outcome, it’s a really good idea to identify it, assess its probability of occurrence, estimate its impact, and establish a contingency plan should the problem actually occur.
Who does it?
Everyone involved in the software process—managers, software engineers, and other stakeholders—participate in risk analysis and management.
Why is it important?
Think about the Boy Scout motto: “Be prepared.” Software is a difficult undertaking. Lots of things can go wrong, and frankly, many often do. It’s for this reason that being prepared—understanding the risks and taking proactive measures to avoid or manage them—is a key element of good software project management.
What are the steps?
Recognizing what can go wrong is the first step, called “risk identification.” Next, each risk is analyzed to determine the likelihood that it will occur and the damage that it will do if it does occur. Once this information is established, risks are ranked, by probability and impact. Finally, a plan is developed to manage those risks that have high probability and high impact.
What is the work product?
A risk mitigation, monitoring, and management (RMMM) plan or a set of risk information sheets is produced.
How do I ensure that I’ve done it right?
The risks that are analyzed and managed should be derived from thorough study of the people, the product, the process, and the project. The RMMM should be revisited as the project proceeds to ensure that risks are kept up to date. Contingency plans for risk management should be realistic.
Seven Principles of Risk Management
The Software Engineering Institute (SEI) (www.sei.cmu.edu) identifies seven principles that “provide a framework to accomplish effective risk management.” They are:
-
Maintain a global perspective—view software risks within the context of a system in which it is a component and the business problem that it is intended to solve
-
Take a forward-looking view—think about the risks that may arise in the future (e.g., due to changes in the software); establish contingency plans so that future events are manageable.
-
Encourage open communication—if someone states a potential risk, don’t discount it. If a risk is proposed in an informal manner, consider it. Encourage all stakeholders and users to suggest risks at any time.
-
Integrate—a consideration of risk must be integrated into the software process.
-
Emphasize a continuous process—the team must be vigilant throughout the software process, modifying identified risks as more information is known and adding new ones as better insight is achieved.
-
Develop a shared product vision—if all stakeholders share the same vision of the software, it is likely that better risk identification and assessment will occur.
-
Encourage teamwork—the talents, skills, and knowledge of all stakeholders should be pooled when risk management activities are conducted.
Risk Identification
Risk identification is a systematic attempt to specify threats to the project plan (estimates, schedule, resource loading, etc.). By identifying known and predictable risks, the project manager takes a first step toward avoiding them when possible and controlling them when necessary.
- Product size—risks associated with the overall size of the software to be built or modified.
- Business impact—risks associated with constraints imposed by management or the marketplace.
- Stakeholder characteristics—risks associated with the sophistication of the stakeholders and the developer’s ability to communicate with stakeholders in
- a timely manner.
- Process definition—risks associated with the degree to which the software process has been defined and is followed by the development organization.
- Development environment—risks associated with the availability and quality of the tools to be used to build the product.
- Technology to be built—risks associated with the complexity of the system to be built and the “newness” of the technology that is packaged by the system.
- Staff size and experience—risks associated with the overall technical and project experience of the software engineers who will do the work.
Reference: Software Engineering A Practitioner's Approach (7th Ed.) ~ Roger S. Pressman