Software Engineering Lecture 6: Risk Analysis & Management
Today’s Topics
- Reactive vs. proactive strategies
- Types of software risk
- Risk identification & projection
- Risk mitigation, monitoring, management (RMMM)
- Safety risks and hazards
Characterizing Risk
- Risk concerns the future
  - What can we do today to avoid problems tomorrow?
- Risk involves change
  - What aspects of the problem domain and solution are unstable?
- Risk involves choice & uncertainty
  - We often make decisions based on incomplete information
Quotes
- “..risk, like death and taxes, is one of the few certainties of life” [Charette, 1989]
- “While it is futile to try to eliminate risk, and questionable to try to minimize it, it is essential that the risks taken be the right risks.” [Drucker, 1975]
Reactive vs. Proactive Strategies
- Reactive
  - “Indiana Jones school of risk management”
  - Risk management = Crisis management (“fire-fighting mode”)
Reactive vs. Proactive [2]
- Proactive
  - Identify risks in advance
  - Assess probability, impact
  - Prioritize by importance
  - Explicit risk management plan
  - “Risk is unavoidable”
Software Risks
- uncertainty: The event that characterizes the risk may or may not happen; P never equals 1.0
- loss: If the risk becomes a reality, unwanted consequences or losses will occur
- Important to quantify these for each risk analyzed!
Categories of Risk
- Project risks
- Technical risks
- Business risks
- Known risks
- Predictable risks
- Unknown risks
Project Risks
- Threaten the project plan
- Problems with budget, schedule, personnel, resources, customer, requirements
Technical Risks
- Threaten quality and timeliness of software
- “Implementation may become difficult or impossible”
- Problems with design, implementation, interfacing, verification, maintenance
Technical Risks (2)
- Include specification ambiguity, technical uncertainty, technical obsolescence, “leading-edge” technology
- “The problem is harder to solve than we thought it would be”
Business Risks
- No market for product (market risk)
- Product no longer fits in the business plan (strategic risk)
- Sales force doesn’t know how to sell the product (sales risk)
- Loss of management support (management risk)
- Loss of budget, people (resource risk)
Known Risks
- Uncovered during plan evaluation
- Examples:
  - Unrealistic delivery date
  - Lack of documented requirements
  - Lack of scope
  - Poor development environment
Predictable Risks
- Extrapolate from past experience
- Examples:
  - Staff turnover
  - Poor customer communication
  - Dilution of staff effort by maintenance
Unpredictable Risks
- Everything else that can’t be anticipated…
- Experience in a particular development domain suggests certain risk factors that can and should be applied globally
Risk Identification
- Specify threats to the project plan
- “Identification is the better part of mitigation”
- “If you don’t actively attack the risks, they will attack you” [Gilb, 1988]
Risk Subcategories
- Generic risks (affect every software project)
- Product-specific risks, specific to:
  - the particular technology
  - the specific individuals
  - the particular environment
Risk Item Checklist
- Product size: What risks are associated with overall size of the software?
- Business impact: Risks associated with management or market constraints
Risk Checklist [2]
- Customer characteristics: risks associated with the sophistication and communication skills of the customers
- Process definition: risks associated with the maturity of the development process
Risk Checklist [3]
- Development environment: risks associated with the quality of development tools
- Technology to be built: risks associated with system complexity and ‘newness’ of the solution
- Staff size and experience
Product Size Risks
- Estimate LOC or FP
  - degree of confidence in estimates?
  - # of programs, files, events?
  - % deviation from average size?
Size Risks [2]
- Size of associated database(s)?
- Number of users?
- Number of projected requirements changes?
- Amount of reused software?
Business Impact Risks
- Impact on revenue?
- Visibility to management?
- Reasonableness of deadlines?
- Number of customers?
- Consistency of customers?
Business Risks [2]
- Interoperability?
- User sophistication?
- Documentation required?
- Government constraints?
- Cost of late delivery, defects?
Customer-Related Risks
- Customers have different needs and personalities
- Customer / supplier relationships vary
- Customers are contradictory
- “Bad” customers are a significant threat and a substantial risk
Generic Customer Risks
- Have you worked with them before?
- Do they understand what is needed?
- Are they willing to write specs?
- Are they willing to attend reviews?
- Level of technical understanding?
- Do they understand the development process?
Process Risks
- Is there a standard development process which is well-documented?
- Do staff follow the process?
- Do they have adequate training?
- Do you track the process with formal reviews and walkthroughs?
- Do you use configuration management?
Technology Risks
- Is the technology new to you?
- New algorithms or I/O?
- Interface with new/unproven HW/SW/DB?
- Specialized user interface?
- New analysis, design, testing methods?
Technology Risks (2)
- Unconventional development methods? (e.g., AI)
- Excessive performance constraints?
- Customer uncertain about feasibility?
Impact Assessment
- Four risk types: Performance Risk, Cost Risk, Support Risk, Schedule Risk
- Four impact categories: Negligible, Marginal, Critical, Catastrophic
- Characterization of consequences: (1) errors, (2) failure to achieve outcome
[From SEPA 5/e] Impact Assessment
Sample Risk Table [From SEPA 5/e] Assigned using impact assessment table
Risk and Management Concern [From SEPA 5/e]
Risk Referent Level [From SEPA 5/e]
RMMM: Risk Mitigation, Monitoring, and Management
- Mitigation: Reduce probability and/or impact of risks in advance
- Monitoring: Watch factors that indicate change in risk probability
- Management: Implement contingency plan(s)
RMMM (2)
- RMMM adds overhead!
- 80/20 rule: 80% of overall risk from 20% of identified factors
- RMMM Plan
  - for every risk above a certain threshold, create a risk information sheet (RIS)
  - track / update RMMM plan regularly
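
An added Python sketch (not from the lecture or from SEPA) of the threshold rule and 80/20 check above: it ranks risks by a score, lists those that need a risk information sheet, and measures how much of the total score the top 20% of risks carry. The numeric impact weights, the score formula (probability times weight), the threshold value and the sample probabilities are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights: the slides name these four impact categories but give no numbers.
IMPACT_WEIGHT = {"negligible": 1, "marginal": 2, "critical": 3, "catastrophic": 4}

@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # e.g. project, technical, business
    probability: float  # strictly between 0 and 1 ("P never equals 1.0")
    impact: str         # key of IMPACT_WEIGHT

    def __post_init__(self):
        if not 0.0 < self.probability < 1.0:
            raise ValueError(f"{self.name}: probability must be in (0, 1)")
        if self.impact not in IMPACT_WEIGHT:
            raise ValueError(f"{self.name}: unknown impact {self.impact!r}")

    @property
    def score(self) -> float:
        # Assumed scoring: probability of the event times weight of the loss.
        return self.probability * IMPACT_WEIGHT[self.impact]

def risk_table(risks):
    """Risks ordered from highest to lowest score."""
    return sorted(risks, key=lambda r: r.score, reverse=True)

def needs_ris(risks, threshold):
    """Risks at or above the threshold: each gets a risk information sheet."""
    return [r for r in risk_table(risks) if r.score >= threshold]

def top_share(risks, fraction=0.2):
    """Fraction of the total score carried by the top `fraction` of risks."""
    table = risk_table(risks)
    top_n = max(1, round(len(table) * fraction))
    return sum(r.score for r in table[:top_n]) / sum(r.score for r in table)

# Constructed sample: names reuse examples from the slides, numbers are invented.
SAMPLE = [
    Risk("Staff turnover", "project", 0.70, "critical"),
    Risk("Unrealistic delivery date", "project", 0.50, "critical"),
    Risk("Interface with unproven hardware", "technical", 0.30, "catastrophic"),
    Risk("Poor customer communication", "project", 0.40, "marginal"),
    Risk("Loss of management support", "business", 0.10, "catastrophic"),
]

if __name__ == "__main__":
    for r in needs_ris(SAMPLE, threshold=1.0):
        print(f"RIS needed: {r.name:35s} {r.category:10s} score={r.score:.2f}")
    print(f"Top 20% of risks carry {top_share(SAMPLE):.0%} of total score")
```
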
Risk Information Sheet [From SEPA 5/e]
Safety Risks and Hazards
- Classic case: control systems
- Language systems: critical control or instructional scenarios
- Mitigation:
  - limit scope of software, increase human role
  - limit scope of human intervention, increase redundant backup systems
Questions?