Risk Management Introduction -DS- 2003 1 Software Risk Management an Introduction Dindin Sjahril 2005


Page 1: Risk Management Introduction -DS- 20031 Software Risk Management an Introduction Dindin Sjahril 2005

Risk Management Introduction -DS- 2003

1

Software Risk Management

an Introduction

Dindin Sjahril 2005

Page 2: Risk Management

“If you don’t actively attack risks, they will attack you” - Tom Gilb

Risk management is still looked upon as bad news - and messengers are still shot.

However, risks are problems which haven’t happened yet; the key word is ‘yet’.

Page 3: Are you a risk taker?

Averse ... Neutral ... Takers ...

- Temperament
- Experience
- Skill set
- The day of the week

Page 4: Who owns risk?

Project Manager                  Project Sponsor
Day-to-day responsibilities      Overall responsibilities
Project deliverables             Realisation of the benefit
Risk project management          Set risk tolerance

Page 5: Types of Risk

- Internal project risk: resource availability, dependencies, technical complexity, bug rate, etc.
- Constraining (organisation) risk: contract, corporate risk maturity, risk policies, technology maturity, etc.
- External risk: socio-economic, political, legal, regulatory, culture, etc.

Note: to identify the major risks to project delivery, all three areas will require examination.

Page 6: Common Project Risks

- Unavailability of key staff
- Reliance on a few key personnel
- Instability and lack of continuity in project staffing
- Lack of staff commitment, low morale
- Low productivity
- Lack of client support
- Lack of user support
- Lack of contact person’s competence
- Inaccurate metrics
- Lack of organizational maturity
- Lack of quantitative historical data
- Inaccurate cost estimating
- Excessive schedule pressure
- Inadequate configuration control
- Excessive reliance on a single development improvement
- Excessive paperwork
- Unreliable subproject delivery
- Creeping user requirements
- Unnecessary features
- Large and complex project
- Immature technology
- Complex application
- Large number of complex external interfaces
- Incapable project management
- Project manager unavailable
- Lack of experience with project’s platform/environment/methods
- Lack of experience with the software product type
- Lack of experience in the user environment/operations
- Lack of senior management commitment

Page 7: Levels of Risk Management

1. Crisis Management - everything’s broken
2. Fix on failure - something broke? Fix it!
3. Risk mitigation - what will we do when it breaks?

Page 8: Levels of Risk Management

4. Prevention - how do we keep it from breaking?
5. Eliminate root causes - why could it break?

Page 9: Principles [SEI 2003]

- Global perspective
- Forward-looking view
- Open communications
- Integrated management
- Continuous process
- Shared product vision
- Teamwork

Page 10: Risk Assessment & Control

Risk Assessment
- Identification - what are the risks? Make a list! (Or borrow one for ideas)
- Analysis - assess risk likelihood and impact; find possible alternatives
- Prioritization - which risks to focus on? Sort risks by impact ...

Page 11: Risk Criticality

Page 12: Risk Impact/Probability Matrix

Severity / Probability   Very High   High       Medium     Low        Very Low
Catastrophic             High        High       Moderate   Moderate   Low
Critical                 High        High       Moderate   Low        None
Marginal                 Moderate    Moderate   Low        None       None
Negligible               Moderate    Low        Low        None       None

Page 13: Risk Assessment & Control

Risk Control
- Management planning - mitigation planning; ensure consistency among plans
- Resolution - actively manage and resolve each risk when it occurs
- Monitoring - track progress toward risk resolution, and identify new risks

Page 14: Risk Identification

Look for risks:
- In all of the major areas of the project - resources, tools, process, and product
- In management areas - cost, schedule, level of effort
- In the Classic Mistakes and Fundamentals
- In every area your customer cares about!

Page 15: Risk Identification

Risk identification has two different meanings:
- Define what risks might occur (as previously described), and then analyze them
- Be able to tell when a risk has taken place (which sets the stage for risk monitoring and mitigation)

Page 16: Risk Analysis

Risk Exposure (Impact) Calculation
- Estimate the size of loss: what is the result of the risk?
- Estimate the probability of loss, based on corporate history, industry norms, or educated guesses
- Multiply size and probability to get the task overrun due to that risk

Page 17: Risk Analysis

- Add the task overrun to the estimated task duration
- Repeat for every significant risk

Page 18: Risk Exposure Calculation

Suppose a task, “Define requirements for GUI”, has an estimated duration of 30 days.

Page 19: Risk Exposure Calculation

If we know, based on historic data, that there is a 20% chance of this task running over by 10 days, the task overrun is 0.20*10 = 2 days.

Hence in the schedule we should allow 30 + 2 = 32 days for this task, not just 30.

Page 20: Risk Prioritization

- Sort risks by descending task overrun
- This will automatically identify the risks with the highest task overrun
- Focus on those risks most, since you have the most to lose if you don’t!

Page 21: Risk Control

- Risk Management Planning
- Risk Resolution
- Risk Monitoring

Page 22: Risk Management Planning

For each risk, identify how the risk is to be identified, managed, monitored, and closed out. Consider:
- What is the risk?
- Where and when might the risk occur?
- Who is responsible for managing that risk?
- Why does the risk exist?
- How will the risk be handled if it occurs?

Page 23: Risk Management Planning

Similar to security analysis:
- Identify threats
- Prevent threats
- Detect threats (not trivial with information systems!)
- Mitigate (reduce) the effects of the threats

Page 24: Risk Resolution

- Avoid the risk (have someone else do it)
- Transfer the risk to another area (e.g. redesign)
- Investigate the risk to better understand it (e.g. use a prototype or consultant to clarify)
- Eliminate the cause of the risk (defect prevention)
...

Page 25: Risk Resolution

- Assume the risk will occur and cope with the minor impact
- Publicize the risk - well-known risks are easier to avoid, and less shocking if they do occur
- Control the risk - implement the mitigation strategy
- Remember the risk - keep lessons learned!

Page 26: Risk Monitoring

- Develop and maintain a top 10 risk list
- Conduct postmortems after each major project event (milestone) - collect and record lessons learned
- Assign a risk officer - a devil’s advocate, if you will - to keep pestering with “what if...” situations
- Don’t be afraid to discuss risks openly

Page 27: Top 10 Risks List

- Develop a list of the ten most serious risks, their status, and mitigation plans
- Review and update each week
- Raises awareness of risks, and helps detect (identify) them

Page 28: Risk Management Tasks

Develop the Risk Management Plan
- May take from one week to several months, depending on project size
- Results in approval of the Risk Management Plan

Page 29: Risk Management Tasks

- Update the Risk List at a weekly status meeting: update existing risks, add new ones as needed
- Reevaluate the Risk Management Plan every 3 months to a year, depending on project size

Page 30: Risk Management Tasks

Be sure to account for the following ongoing risk management activities:
- Risk identification (what could happen?)
- Risk management planning
- Risk analysis and prioritization (what would result?)
- Risk resolution (mitigation strategy)
- Risk monitoring (has it happened?)

Page 31: Risk Management Tasks

For each risk, describe:
- Risk number, name, and description
- The loss hours, probability, and impact of each risk, sorted by descending impact
- How each risk will be: prevented (keep it from happening), identified (know when it has happened), and mitigated (managed once it has happened)
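The exposure calculation of pages 16-19, the prioritization rule of page 20 and the per-risk register fields of this slide, carried through as an added Python example that is not the deck's own code. The rating matrix is copied from the deck's page 12 table; the `Risk` field names, the register entries and their prevention/identification/mitigation strings are constructed assumptions, with the first entry using the deck's own 20% / 10-day figures for the 30-day GUI task.

```python
from dataclasses import dataclass

# Rating matrix from the deck's "Risk Impact/Probability Matrix" slide:
# rows are severity, columns are probability, cells are the resulting rating.
PROBABILITY_LEVELS = ["Very High", "High", "Medium", "Low", "Very Low"]
RATING_MATRIX = {
    "Catastrophic": ["High", "High", "Moderate", "Moderate", "Low"],
    "Critical":     ["High", "High", "Moderate", "Low", "None"],
    "Marginal":     ["Moderate", "Moderate", "Low", "None", "None"],
    "Negligible":   ["Moderate", "Low", "Low", "None", "None"],
}

def matrix_rating(severity: str, probability: str) -> str:
    """Qualitative rating for a severity/probability pair (table lookup)."""
    return RATING_MATRIX[severity][PROBABILITY_LEVELS.index(probability)]

@dataclass
class Risk:
    """One register entry; the field names are this example's assumption."""
    number: int
    name: str
    description: str
    loss_days: float          # size of loss if the risk materialises
    probability: float        # 0.0..1.0 from history, industry norms or a guess
    prevention: str = ""      # how to keep it from happening
    identification: str = ""  # how to know it has happened
    mitigation: str = ""      # how to manage it once it has happened

    @property
    def exposure(self) -> float:
        """Risk exposure = size of loss * probability = expected task overrun."""
        return self.loss_days * self.probability

def prioritize(risks: list) -> list:
    """Sort by descending exposure; the largest expected overrun comes first."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)

def planned_duration(estimate_days: float, risks: list) -> float:
    """Add every significant risk's expected overrun to the base estimate."""
    return estimate_days + sum(r.exposure for r in risks)

# Constructed register for the deck's task "Define requirements for GUI"
# (30-day estimate). Risk 1 uses the deck's own figures: 20% chance of 10 days.
GUI_RISKS = [
    Risk(1, "Sign-off slips", "Stakeholders take longer to agree", 10, 0.20,
         "Book review slots early", "Review date passes unsigned", "Escalate to sponsor"),
    Risk(2, "Analyst unavailable", "One analyst owns the GUI spec", 15, 0.10),
    Risk(3, "Creeping requirements", "New screens requested mid-task", 5, 0.50),
]
```

With only the deck's risk in the register, `planned_duration(30, GUI_RISKS[:1])` reproduces the 32 days of page 19; with all three, the schedule allowance grows to 36 days and the sorted register puts the creeping-requirements risk first.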