Chapter 5. Risk Management

Contents

5.1 Elements of Risk Management

5.2 Risk Identification

5.3 Risk Analysis

5.4 Risk Prioritization

5.5 Risk Control

5.6 Risk, High Risk, and Gambling

Related Topics

Rapid-development strategy: Chapter 2

Classic mistakes: Chapter 3

Software-development fundamentals: Chapter 4

Summary of requirements scrubbing: Chapter 32

Summary of top-10 risks list: Chapter 41

IF YOU WANT A SAFE BET, GO TO LAS VEGAS and play the slot machines. The casinos have figured the odds carefully and determined that they can make a profit even when the slots pay out 97 percent of the money they take in. Odds are that if you spend a day pumping $1000 in quarters into the slot machines, you'll get back $970. If you don't like slot machines, you can play blackjack and count cards to tilt the odds slightly in your favor. (Just don't get caught counting!)

If Las Vegas sounds too tame for you, software might be just the right gamble. Software projects include a glut of risks that would give Vegas oddsmakers nightmares—shifting user requirements, poor schedule estimates, unreliable contractors, management inexperience, personnel problems, bleeding-edge technology failures, changing government regulations, and performance shortfalls—just to name a few. The odds of a large project finishing on time are close to zero. The odds of a large project being canceled are an even-money bet (Jones 1991).

In 1988, Peat Marwick found that about 35 percent of 600 firms surveyed had at least one runaway software project (Rothfeder 1988). The damage done by runaway projects makes the Las Vegas prize fights look as tame as having high tea with the queen. Allstate set out in 1982 to automate all of its office operations. They set a 5-year timetable and an $8 million budget. Six years and $15 million later, Allstate set a new deadline and readjusted its sights on a new budget of $100 million. In 1988, Westpac Banking Corporation decided to redefine its information systems. It set out on a 5-year, $85 million project. Three years later, after spending $150 million with little to show for it, Westpac cut its losses, canceled the project, and eliminated 500 development jobs (Glass 1992). Even Vegas prize fights don't get this bloody.

image with no caption

There are a multitude of risk-management practices that can prevent disasters such as these, and you can learn most of them more easily than you could learn to count cards at blackjack. Of course many people who play blackjack don't bother learning to count cards, and many people who manage software projects don't bother learning much about risk management. But the unalterable fact is this: if you don't manage risks, you will not achieve rapid development. As Tom Gilb says, "If you don't actively attack the risks, they will actively attack you."

Risk management does involve a few disadvantages. Projects that manage risks effectively are a lot less exciting to work on than projects that don't. You'll miss the adrenaline rush of telling your boss the day that the project is due that it's going to be 3 months late because of a problem that you've never mentioned before. You won't get to be a hero for working nights and weekends 6 months in a row. For a lot of us, those are disadvantages we can live with.

Risk management in software is a fairly new topic, but already too much information exists to cover it thoroughly in one chapter. The discussion in this chapter focuses on schedule risks and ignores cost and product risks except when they affect the schedule. This chapter also focuses on practical aspects of schedule risk management. Risk-management theory is interesting and important, but it's less directly useful so I have mostly ignored it, instead describing where to find more information in the further-reading section at the end of the chapter.

Case Study: Lack of Contractor Risk Management

"I got approval to do Square-Plan 2.5," Kim told Eddie. Kim and Eddie were project managers at Square-Tech, a shrink-wrap software company. "I've got 4 months to deliver the update, and I think it's going to be a blast." Kim had delivered her last project, Square-Calc 3.0, very late. Eddie had done well on his last one, Square-Plan 2.0, and Kim was eager to demonstrate that the difference had just been that her product was a lot more complicated than Eddie's.

"I wouldn't get too excited just yet," Eddie told her. "I've seen the specification for 2.5, and I think you've got at least 6 months of work with the current team. Are you still planning to use the 2.0 team?"

"Yeah, I am. And I've got a plan to shrink the schedule to 4 months. I read an article on outsourcing last week, and I've found a contractor who will handle the graphics updates at his site. That will reduce the schedule by 2 months."

"Well, I hope you know what you're doing," Eddie said. "I've seen a lot of people get burned by contractors. What's your risk-management plan?"

"I've picked a reputable contractor," Kim said. "I checked his references, and I'm sure he'll do a good job. I'll just keep an eye on him. This is a risky business, and some risk is inescapable. When I've got this much work to do, I'm not going to waste my time on useless management overhead."

Eddie thought she should be more careful, but he and Kim had been over this ground before. He had learned not to argue with her when she had already decided what to do. "Good luck," he said.

Kim met with the contractor right away and gave him the specification for the graphics updates. The contractor, Chip, said that the specifications all made sense and that he would get on it right away.

Six weeks later, Kim called Chip to check on his progress. "Everything's going great," he said. "I've been working on a high-priority project for another company, so I haven't made as much progress as I'd like. But I've still got 3 1/2 months to do 2 months of work, so I don't see any problems."

"That sounds fine," Kim responded. "Let me know if you need anything. I'll be back in touch in another 6 weeks, and then we can talk about integration."

Six weeks later, Kim called again to check on progress. "The last project took me longer than I expected," Chip said. "I've gotten into the graphics updates, and I've been working like crazy, but now that I've taken a closer look at it, I think there's at least a good 3 months of work on this job."

Kim almost choked. That would make the total development time 6 months instead of 4 months. "Three months? Are you kidding? I need to have that code in 2 weeks to begin integration. You were supposed to be almost done by now!"

"I'm sorry," Chip said. "But it's not my fault. There's more work here than you guys estimated. I'll finish it as fast as I can."

Chip delivered the software in 3 months, but the project took another month after that because of integration problems with the in-house team's code. In the end, the development time totaled 7 months rather than the planned 4 months. Kim concluded that Eddie had sandbagged her by palming off a project that he wouldn't have been able to handle.

Elements of Risk Management

The job of software risk management is to identify, address, and eliminate sources of risk before they become threats to successful completion of a software project. You can address risks at any of several levels. Table 5-1 describes some different levels of risk management.

Table 5-1. Levels of Risk Management

Source: Adapted from A Manager's Guide to Software Engineering (Pressman 1993).

  1. Crisis management—Fire fighting; address risks only after they have become problems.

  2. Fix on failure—Detect and react to risks quickly, but only after they have occurred.

  3. Risk mitigation—Plan ahead of time to provide resources to cover risks if they occur, but do nothing to eliminate them in the first place.

  4. Prevention—Implement and execute a plan as part of the software project to identify risks and prevent them from becoming problems.

  5. Elimination of root causes—Identify and eliminate factors that make it possible for risks to exist at all.

The purpose of this chapter is to describe how to address software schedule risks at levels 4 and 5 rather than at levels 1 through 3. If you're addressing risks at level 1, 2, or 3, you've already lost the schedule battle.

Generally, risk management is made up of risk assessment and risk control. These, in turn, are made up of several subcategories as shown in Figure 5-1. These are outlined in the following subsections.

Risk management is composed of risk assessment and control. Source: Software Risk Management (Boehm 1989).

Figure 5-1. Risk management is composed of risk assessment and control. Source: Software Risk Management (Boehm 1989).

Risk Assessment

Risk assessment is made up of risk identification, risk analysis, and risk prioritization:

  • Risk identification produces a list of risks that have the potential to disrupt the project's schedule.

  • Risk analysis assesses the likelihood and impact of each risk and the risk levels of alternative practices.

  • Risk prioritization produces a list of risks prioritized by impact. This list serves as a basis for risk control.

Risk Control

Risk control is made up of risk-management planning, risk resolution, and risk monitoring:

  • Risk-management planning produces a plan for dealing with each significant risk. It also makes sure that the risk-management plans for each of the individual risks are consistent with each other and with the overall project plan.

  • Risk resolution is the execution of the plan for dealing with each significant risk.

  • Risk monitoring is the activity of monitoring progress toward resolving each risk item. Risk monitoring can also include the ongoing activity of identifying new risks and feeding them back into the risk-management process.

The subsections in the following section explain each of these aspects of risk management as they apply to managing software schedule risks.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.223.125.219