Copy of the slides: (will also be put on the esse3 website)

Exercise We are working for the Ministry of Innovation and Technologies and we are asked to start an initiative (project or operational work?) to favour the introduction of new technologies in the families …write the scope statement

Risk Management "No-one ever got fired for buying IBM", Modern proverb (now somewhat outmoded)

Risk management Two definitions of risk: ° Risk is the possibility of suffering loss °Risk management collects techniques, know-how and process to help identify, assess, manage, and monitor risks

Risk Management … is used in several fields: -Finance -Insurance -Engineering (safety critical, security, …) -… … and various techniques (FMEA, FTA, simulation, …) have been defined and adopted to assess it.

Risk in Project Management ° Project Risk is an event or condition that, if it occurs has positive or negative influence on an objective  Negative outcome: menace  Positive outcome: opportunity

Risk and (Software) Project Management Various standards recognize the importance of risk in software development: °ISO/IEC (Information Technology - Software life cycle processes) °UNI EN (Guidelines for the application of ISO 9001 to software development and maintenance) °UNI ISO (Guidelines for managing projects)

(Some) Goals of Risk Management Activities °Understanding whether a project is worth taking °Help defining a budget for the project °Increase chances of ending the project successfully, by ensuring that:  within scope  within quality, budget, and time constraints

Why isn’t risk taken care of? °Lack of domain understanding °Optimism (at the start, anyway) °Too much commitment early on °Premature coding °Gold-plating °Missed warning signals °Legal implications °Changes in project direction °Poor risk management

The Risk Management Process °Composed of four steps:  Risk Management Planning (kind of encompasses all the activities mentioned below)  Risk Identification  Risk Assessment  Qualitative Risk Assessment  Quantitative Risk Assessment  Risk Response Planning  Risk Monitoring and Control

The Risk Management Process °It runs in parallel to the other PM activities. °It encompasses the various phases of the init-plan- execute-monitor cycle Initiating Planning Executing Closing Monitoring & Controlling

The Risk Management Process We will now have a look at the various phases of the process:  Risk Management Planning  Risk Identification  Risk Assessment  Qualitative Risk Assessment  Quantitative Risk Assessment  Risk Response Planning  Risk Monitoring and Control

Risk Management Planning Goal: describing how risk management will be structured and performed on the project. Output: a document (or set of documents and templates) The Risk Management Planning document is a subset of the project management plan.

Risk Management Planning: Structure Divided in the following parts: -Methodology -Roles and Responsibilities -Budgeting -Timing -Risk categories -Definition of risk probability and impact -Reporting Formats -Tracking

Risk Management Planning: Structure Methodology: defines the approaches, tools, and data sources that may be used to perform risk management on the project Roles and responsibilities: defines the lead, support, and risk team membership for each type of activity in the risk management plan, assigns people to these roles, and clarifies their responsibilities.

Risk Management Planning: Structure ° Budgeting: assigns resources and estimates needed for risk management ° Timing: defines how often the risk management process will be perfomed throughout the project life cycle, and establishes risk management activities to be included in the project schedule

Risk Management Planning: Structure ° Risk categories: provides a structure that ensures a comprehensive process of identifying risks (e.g. RBS - risk breakdown structures) to help the risk identification phase ° Risk probability and impact: defines the risk probabilities and levels of impact to help standardize collection of data during the qualitative and quantitative assessment phase

Risk Management Planning: Structure ° Reporting formats: content and format of the risk register as well as any risk report required ° Tracking: defines how risk activities will be recorded for the benefits of the current project, future needs, and lesson learned. Documents whether and how risk management process will be audited.

RBS Example

Other ways of classifying Risks °Software Project Management risk areas (Sommerville):  Project risks affect schedule or resources;  Product risks affect the quality or performance of the software being developed;  Business risks affect the organisation developing or procuring the software °Also:  Internal (can be controlled by the PM)  External (outside the scope of the PM)

Software risks

Risk Identification Goal: understanding what are the risk that could potentially influence the project

Risk Identification Sources: -External data (financial data, …) -Internal data (company’s data, company’s standards, …) -Project Team -Experts -..

Risk Identification Techniques -Information gathering -Brainstorming, Delphi technique, interview, SWOT (Strength, Weaknesses, Opportunities, and Threats analysis) - Checklist analysis -Diagramming techniques -Cause and Effect analysis -Flow charts

Risk Identification Basically two steps: 1.Identify risks 2.For each risk: -Describe the risk -Describe the potential responses (countermeasures) -Risk category -Other characteristics: -Probability -When it can occur -Frequency -Consequences

Frequency Impact

Cause-Effect Diagram Known under various different names: °Cause-Effect diagram °Fishbone Diagram °Ishikawa (Kaoru Ishikawa - who invented in the sixties)

Cause-Effect Diagram (Ishikawa) Major Defect Environment MaterialMethod Personnel Machine Energy

Cause-Effect Diagram (Ishikawa) °Usually most effective when done in groups °Start from the right °The "Four-M" categories are typically used as a starting point: "Materials", "Machines", "Manpower", and "Methods”. °The subdivision into ever increasing specificity continues as long as the problem areas can be further subdivided. °The practical maximum depth of this tree is usually about four or five levels. °When the fishbone is complete, one has a rather complete picture of all the possibilities about what could be the root cause for the designated problem.

Boehm’s Top 10 Risks & Countermeasures (1/4) ° Personnel Shortfalls  Staffing with top talent; job matching; team-building; morale building; cross-training; pre-scheduling key people. ° Unrealistic Schedules and Budgets  Detailed, multi-source cost & schedule estimation; design to cost; incremental development; software reuse; req. scrubbing.

Boehm’s Top 10 Risks & Countermeasures (2/4) ° Developing the wrong software functions  Organizational analysis; mission analysis; operational concept formulation; user surveys; prototyping; early users’ manuals. ° Developing the wrong user interface  Prototyping; scenarios; task analysis. ° Gold-plating  Requirements scrubbing; prototyping; cost-benefit analysis; design to cost

Boehm’s Top 10 Risks & Countermeasures (3/4) ° Continuing stream of requirements changes  High change threshold; information-hiding; incremental development (defer changes to later increments). ° Shortfalls in externally-performed tasks  Reference-checking; pre-award audits; award-fee contracts; competitive design or prototyping; team-building. ° Shortfalls in externally-furnished components  Benchmarking; inspections; reference checking; compatibility analysis.

Boehm’s Top 10 Risks & Countermeasures (4/4) ° Real-time performance shortfalls  Simulation; benchmarking; modeling; prototyping; instrumentation; tuning. ° Straining computer science capabilities  Technical analysis; cost-benefit analysis; prototyping; ref. checking.

Risk Identification: Output Risk register. It contains: °List of identified risks °List of potential responses °Other information about risks (actually more information will be added to the risk register, as we continue with the description of the risk management activities)

Exercise °Define the risk register of the exercise proposed at the beginning of the lesson