11.1.1 Risk, the Cost of Quality and Business Models

The importance of software business models and the cost of quality have already been discussed. In regards to the cost of quality, risk is considered as an element of prevention costs, that is, the costs incurred by an organization to prevent defects in different phases of its software life cycle. With respect to risk management, prevention costs are identification costs, along with the analysis and execution of risk mitigation measures. Table 11.1 describes the different prevention elements.

Risks are at the foundation of all the business models. Software development practices should be chosen in response to the inherent risks of each model. To minimize losses and errors, developers must make a careful selection of software quality assurance (SQA), verification and validation, and risk management practices.

11.1.2 Costs and Benefits of Risk Management

The costs and benefits of risk management can vary greatly: from not managing risks at all to controlling all the project risks. The objective is to strike a balance where risk is minimized at an optimum cost.

All new approaches, like implementing risk management for the first time, will require an initial investment to document the activities of this process, training personnel, and ramping up its use in all projects. The most important investments are made when projects apply the process for mitigating the probability and consequences of risk, for example, with the development of a prototype to better understand the customer requirements or with the additional hiring of an external consultant to conduct a feasibility study.

Risk management offers a structured mechanism to give better visibility to threats perceived by the project team. It also allows for the quantifying of the schedule slippage if some risks materialize. Project performance becomes more predictable and project reviews are more effective. It helps the project manager to plan a contingency budget (e.g., in money and time) to avoid errors made in the past (e.g., overconfidence). Risk management activities should start with the request for information, before an acquisition project is initiated. This technique can also be used to assess the capability of a supplier to deliver a critical component, on time and at the quality level specified.

The advantages associated with the effective use of risk management in projects are [ISO 17 and SEI 10a]:

• – a defined and executed risk management strategy;
• – potential problems, that is, risks that could influence the success of the project are identified;
• – the probability of risk and their consequences are understood;
• – risks are ranked by priority highlighting those that will be tracked closely;
• – appropriate mitigation solutions are developed proactively, taking into account the project context, diminishing crisis situations where risks become problems;
• – mitigation solutions are chosen for risks that have surpassed threshold limits;
• – project risk information is captured, analyzed, and exploited with the objective of improving the risk management procedures and policies.

11.2.1 Risk Management According to ISO 9001

It is important to point out that ISO 9001 uses a risk-based thinking approach, among others [ISO 15]. A risk-based approach allows the organization to identify factors that may create a gap between its processes and its quality management system (QMS) and the expected results. It also allows for the implementation of a preventive process to limit any negative effects and to capitalize on improvement opportunities.

Clause 6.1 describes the actions to address risks and opportunities, the quality objectives of the QMS and their achievement, and modifications to the QMS. It has a number of requirements that are listed in the next text box.

11.2.2 Risk Management According to ISO/IEC/IEEE 12207

The purpose of the risk management process, according to the ISO 12207 [ISO 17] standard, is to identify, analyze, treat, and monitor the risks continually. The risk management process should be a continuous process for systematically addressing risk throughout the life cycle of a system, software product, or service. It can be applied to risks related to the acquisition, development, maintenance, or operation of a system.

As a result of the successful implementation of the risk management process [ISO 17]:

• – risks are identified;
• – risks are analyzed;
• – risk treatment options are identified, prioritized, and selected;
• – appropriate treatment is implemented;
• – risks are evaluated to assess changes in status and progress in treatment.

11.2.3 Risk Management According to ISO/IEC/IEEE 16085

Risk management according to the ISO 16085 [ISO 06a] standard supports the acquisition, supply, development, operation, and maintenance of products and services by providing a series of process requirements that can address a wide variety of risks. The purpose of this standard is to provide suppliers, acquirers, developers, and managers with a single set of process requirements suitable for the management of a broad variety of risks [ISO 06a].

This standard does not describe risk management techniques. It defines a risk management process that can be used with many different techniques. The use of this standard does not require a specific life cycle process. The measurement process, described within ISO 15939 [ISO 17c] and described in an earlier chapter, works closely with the risk management activities described in the ISO 16085 standard to both identify and quantify risks.

The ISO 16085 risk management process, as illustrated in Figure 11.5, is continuously executed during all the activities of the life cycle of the product. It is recommended that this process include the following activities [ISO 06a]:

• – plan and implement risk management;
• – manage the project risk profile;
• – perform risk analysis;
• – perform risk monitoring;
• – perform risk treatment;
• – evaluate the risk management process.

The risk management process is initiated using the information requested by the stakeholders of the technical and management process of an organization (see rectangle number 1 of Figure 11.5) to make decisions that include risks. The risk management process activities are [ISO 06a]:

• – during the execution of the activity entitled “Plan and implement risk management” (rectangle number 2 of Figure 11.5), the policies regarding the general guidelines under which risk management will be conducted, the procedure to be used, the specific techniques to be applied, and other matters relevant to risk planning are defined. The risk management plan (RMP) can include the following topics:

• overview;
• scope;
• reference documents;
• glossary;
• risk management overview: describe the specifics of risk management for this project or organization's situation;
• risk management policies: describe the guidelines by which risk management will be conducted;
• risk management process overview;
• risk management responsibilities: define the parties responsible for performing risk management;
• risk management organization: describe the function or organization assigned responsibility for risk management within the organizational unit;
• risk management orientation and training;
• risk management costs and schedules;
• risk management process description;
• risk management process evaluation;
• risk communication: describe how risk management information will be coordinated and communicated among stakeholders and interested parties (i.e., those who are interested in the performance or success of the project or product but not necessarily of the organization) such as what risks need reporting to which management level;
• RMP change procedures and history.

• – during the execution of the activity entitled “Manage the project risk profile” (rectangle number 3 of Figure 11.5), the context of current and historical risk management as well as the risks states are documented. The risk profile of the overall project is the sum of all the individual risk profiles;
• – information on the project risk profile is constantly updated by the “Perform risk analysis” activity (rectangle number 4 of Figure 11.5) that identifies risks, determines their probability, lists their consequences, assesses the risk of exposure and prepares the risk action requests for risks that cross their established thresholds;
• – the risk mitigation recommendations, the state of other risks, and their mitigation proposals are sent to management to be reviewed (rectangle number 5 of Figure 11.5). Management decides whether to approve that a mitigation of critical risks should be performed. The mitigation plans are then developed. These plans will be included in the project management activities to be coordinated with the other project plans and current activities;
• – all the risks are then monitored until they stop posing a threat. For example, they are removed during the activity entitled “Perform risk monitoring” (rectangle number 6 of Figure 11.5). New potential risks are then investigated;
• – a periodic assessment of the risk management process is necessary to ensure its effectiveness. During the activity entitled “Evaluate the risk management process” (rectangle number 7 of Figure 11.5), information, such as feedback, is documented to improve the process or the organizational or project's capacity to better manage risks. The improvements identified following a risk assessment are then used by the process entitled “Plan and implement risk management” (rectangle number 2 of Figure 11.5).

11.2.4 Risk Management According to the CMMI Model

The CMMI^®-DEV contains many process areas that discuss risks. As illustrated in Figure 4.9, in the staged representation of the CMMI^® model, risks are discussed in two separate process areas of maturity level 2 [SEI 10a]:

• – project planning: one of the project planning practices, SP 2.2, is listed as identifying and analyzing project risks. Four sub-practices are:

• identify risks;
• document risks;
• review and obtain agreement with relevant stakeholders on the completeness and correctness of documented risks;
• revise risks as appropriate.

• The typical outputs of these practices are:

• identified risks;
• risk impacts and probability of occurrence;
• risk priorities.

• The CMMI model also proposes examples of risk identification and analysis tools such as: risk taxonomy for determining the source and categories of risks, checklists, and brainstorming sessions;

• – project monitoring and control: an appreciation of the project progress is obtained allowing corrective actions to be taken when the project performance diverges significantly from its plan. One of the specific practices, SP 1.3, discusses the need to monitor the identified risks. Three sub-practices state that:

• periodically review the documentation of risks in the context of the project's current status and circumstances;
• revise the documentation of risks as additional information becomes available;
• communicate the risk status to relevant stakeholders.

An example work product of this SP is the records of project risk monitoring.

At maturity level 3, the “risk management” process area focuses on the prevention of potential problems before they appear. The purpose of the risk management process area is to identify potential problems before they occur so that risk handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives. This process area includes the following specific objectives and practices [SEI 10a]:

• – SG 1 Prepare for risk management

• SP 1.1 Determine risk sources and categories
• SP 1.2 Define risk parameters
• SP 1.3 Establish a risk management strategy

• – SG 2 Identify and analyze risks

• SP 2.1 Identify risks
• SP 2.1 Evaluate, categorize, and prioritize risks

• – SG 3 Mitigate risks

• SP 3.1 Develop risk mitigation plans
• SP 3.2 Implement risk mitigation plans

We can see that at maturity level 2, two of the process areas, that is, project planning and project monitoring and control, aim at risk identification and mitigation when they appear, whereas at maturity level 3, the risk management process proposes practices to ensure a systematic and continuous predictive practice for the planning, anticipation, and analysis of risk.

CMMI also addresses agile topics [SEI 10a]: some risk activities are already part of agile methodologies, for example, some technical risks can be addressed by early experimentation and experimenting early failures or by executing a spike outside the scope of the current iteration. However, the risk management process suggests a more systematic approach of technical management of risks. Such an approach can be included in agile iterations and meetings, as well as in iteration planning and task assignments.

11.2.5 Risk Management According to PMBOK^® Guide

The Project Management Body of Knowledge (PMBOK^® Guide) of the Project Management Institute [PMI 13] includes nine knowledge areas and the management of project risk is one of them.

Project risk, according to the PMBOK^® Guide, is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives, such as schedule, costs, content, or quality (where the schedule objective is to deliver the product within the agreed upon delay and the cost objective is to deliver the product within the agreed upon budget, etc.) [PMI 13].

Figure 11.6, of the PMBOK^® Guide, describes the difference between the influence of the stakeholders’ risks and uncertainties and the costs of modifications as the project progresses.

The PMBOK^® Guide, proposes that risk management includes six processes [PMI 13]:

1. Plan risk management
   • – The process of defining how to conduct risk management activities for a project.
2. Identify risks
   • – The process of determining which risks may affect the project and documenting their characteristics.
3. Perform qualitative risk analysis
   • – The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
4. Perform quantitative risk analysis
   • – The process of numerically analyzing the effect of identified risks on overall project objectives.
5. Plan risk responses
   • – The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.
6. Control risks
   • – The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.

11.2.6 Risk Management According to ISO 29110

Very Small Entities (VSEs) manage software project risks “in the small.” For example, the projects are executed on short schedules and we may not have had the time to think about risks and the ways to mitigate them. It is therefore necessary to be alert because we need to react very quickly when a risk emerges and rapidly becomes a problem because the schedule of the project is short. In these VSEs, the development teams are very small and when a problem occurs there is often no one available to address it.

Additionally, the VSE may already be in crisis mode and team members may not necessarily have the expertise or authority to address a risk. In VSEs, the authority often resides with the same individual that solves all the problems.

The authors of the VSE standard have included some risk management tasks to help. The following text describes risk management as presented in the Basic profile. The Basic profile refers to VSE who develop one project at a time with only one development team. The Intermediate and Advanced Profiles for VSEs require more involved risk management processes as they develop more than one project at a time with several teams.

The Basic profile of ISO 29110 [ISO 11e] has selected some of the expected outcomes from the ISO 12207 [ISO 17]. One objective of the project management process is “Risks are identified as they develop and during the conduct of the project.” With these objectives in mind, tasks, roles, inputs, and outputs were described in an ISO 29110 management and engineering guide [ISO 11e].

Table 11.2 describes the risk management tasks suggested during the project planning activity of the project. Roles in these activities are: the project manager (PM), the technical lead (TL), and the work team (WT).

Table 11.3 describes the risk management tasks to be done during the project implementation.

Table 11.4 presents the three risk management tasks during the monitoring and control activity of the project (only the elements related to risk management are listed).

Software work products related to these tasks have also been developed. Table 11.5 describes the proposed content of the project plan and of progress reports (only the elements related to risk management are listed).

11.2.7 Risk Management and the SQA According to IEEE 730

We have already discussed that SQA ensures that processes are established, managed, maintained, and applied by skilled and qualified staff and that the activities and tasks performed are commensurate with product risk. Software systems are increasingly developed to perform tasks that can cause harm to living things, physical structures, and the environment. A fundamental principle of this standard is to first understand software product risk and then to ensure that the planned SQA activities are appropriate for the product risk. This means that the breadth and depth of SQA activities defined in the SQA plan are determined by and derived from software product risk.

The risk management descriptions for a project can be documented separately, as part of the project plan or as a section of the SQA plan. What is important is that it be present, complete, and available for reviews and audit. Following is a list of issues that the project manager and the SQA should consider [IEE 14]:

• – prepare the SQA plan and identify the SQA activities and tasks for the project consistent with the software product risks established for the project;
• – the SQA function will analyze product risks, standards, and assumptions that could impact quality and identify specific SQA activities, tasks, and outcomes that could help determine whether those risks are effectively mitigated;
• – analyze the project and adapt the SQA activities to correspond to the risk;
• – identify and track project changes that require further SQA planning, including changes to requirements, resources, schedules, project scope, priorities, and product risk.
• – determine whether the defined software life cycle processes selected by the project team are appropriate, given the product risks.

For IEEE 730, software product risk refers to the inherent risks associated with use of the software product (e.g., safety risk, financial risk, security risk). Software product risk is differentiated from project management risk. Techniques for addressing software product risk are discussed in section 4.6.2 of this standard and in Annex J of this standard [IEE 14]:

• – are potential product risks known and well documented?
• – are potential product risks understood so that SQA activities can be planned in a manner appropriate to the product risk?
• – has the scope of product risk management to be performed been determined?
• – have appropriate product risk management strategies been defined and implemented?
• – will a software integrity/criticality level be established, if appropriate?
• – does the project team have adequate training in product risk management techniques?
• – is the project team planning to adjust their activities and tasks in a manner consistent with product risk?
• – are the breadth and depth of planned SQA activities proportional to product risk?
• – are risks identified and analyzed as they develop?
• – has the priority in which to apply resources to the treatment of these risks been determined?
• – are risk measures appropriately defined, applied, and assessed to determine changes in the status of risk and the progress of the treatment activities?
• – has appropriate treatment been taken to correct or avoid the impact of risk based on its priority, probability, and consequence or on the defined risk threshold?
• – based on product risk, do the project tools, especially those used for the product SQA, require validation before they can be used on this project?
• – have additional project risks appeared that could prevent SQA from accomplishing their project responsibilities?

Finally, we would like to note that high risk industries, such as medical devices, transportation, and nuclear energy have additional risk management recommendations that originate from national monitoring bodies. For example, for medical devices, risk management is not the same as the risk management defined in IEEE 730. Please refer to these additional guidelines when working within these high risk industries.

11.3.1 Risk Evaluation Step

The risk evaluation step consists of three activities: risk identification, risk analysis, and assigning priorities.

11.3.1.2 Risk Analysis Activity

Once the risks are defined and documented, we proceed with the analysis of each risk. The probability of each risk and the impact is identified as well as the possible interactions between risks. The tools and techniques for this activity are: cost models, quality factor analysis (e.g., reliability, availability, security), sensitivity analysis, and decision trees [BOE 91].

Here is a list of questions that can facilitate the analysis:

• – when could the event happen?

• under what circumstances?
• when should you act to avoid or lessen the consequences?
• what could happen afterward?

• – what is the probability of occurrence?
• – what is the consequence?
• – in what way can we quantify the consequence?
• – what can we control or influence?

• the probability of this event occurring?
• the probability of possible results?
• the consequence of the result?

Table 11.7 above indicates how to document a risk analysis. Column P is the probability of the risk occurrence, on a scale of 1 (not very probable) to 5 (almost certain to occur). Alternatively, you can also express the probability by the rating of low, medium or high. Column C describes the consequence if the risk becomes a problem, expressed on a scale of 1 (of little consequence) to 5 (catastrophic consequence), or with a rating of low, medium or high. Column E indicates the exposure to the risk. If numerical values were used to estimate the probability of the risk and its consequence, then the exposure is equal to P × C. If relative interval rating values have been used (e.g., low, medium, high), we can estimate the risk exposure using Table 11.8.

	Consequence
Probability	Low	Medium	High
Low	Low	Low	Medium
Medium	Low	Medium	High
High	Medium	High	High

Source: Adapted from Wiegers (1998) [WIE 98].

Figure 11.8 presents a risk description template originally presented by Wiegers in [WIE 98]. It contains more information than the risk classification grid above. A field entitled “first indicator” documents the trigger that would cause this risk to become a problem. Another field identifies the individual responsible for acting on that risk and another indicates the time when risk mitigation should be completed.

11.3.2 Risk Control Step

The risk control step involves three main activities: RMP, risk resolution, and risk monitoring.

11.3.2.1 RMP activity

Risk management planning is the selection of a risk management technique for each identified risk within the context of the project. The techniques and tools include risk control lists, cost–benefit analysis and the description of the contents of the RMP according to the standard used.

Each risk identified has its own mini action plan. The RMP consists in integrating each mini action plan. Some parts of the RMP may appear in other documents such as the project plan. For a large project, the table of contents of a plan may include the elements listed in the table of contents of ISO 16085 presented above. The RMP, once approved, is baselined and stored in the organizational repository. The RMP and it should follow, like any other document of a project, the organization's configuration management process.

The column “risk mitigation” in Table 11.7 (also called “risk reduction”) indicates, for each negative risk, an approach to avoid the risk, to transfer, check, accept, or monitor the risk. The risk mitigation actions must produce tangible results that will determine whether the risk of exposure changes [SEI 10a]:

• – risk avoidance refers to the elimination of the risk from the project. For example, this can be done by not developing a risk component;
• – risk transfer is to divert to a third party, such as a supplier, the risk and the responsibility of its resolution. Transferring the risk does not eliminate it;
• – risk acceptance means that no action will be taken regarding the risk;
• – risk control means that certain actions are taken, between now and the time when the risk can occur by reducing the probability and/or impact or its consequence;
• – risk monitoring means observing and periodically re-evaluating the risk to detect changes in parameters.

Contingency planning means that preparations are made before the time when the risk can materialize, which define actions to be taken should the risk occur.

It is possible to add additional columns to the grid. For example, one might add the name of the person responsible for a risk to the right of the grid shown in Table 11.9. We could add a column to the right to indicate when the risk mitigation actions should have been established. Finally, we could add a column to show the status of the actions to reduce each risk as follows: P for in progress and C for completed.

Risk						Person	Risk mitigation
identification	Risk				Risk	responsible	completion	Status
number	description	P	C	E	mitigation	for risk	date	(P/C)
1
2
3

For small projects, we could add, as an annex, the form illustrated in Figure 11.9 or the individual risk forms illustrated in Figure 11.8.

11.3.3 Lessons Learned Activity

The elements of the risk management process, as shown in Figure 11.7, can be improved by conducting lessons learned sessions, as discussed in Chapter 5, at the end of a development project to identify weaknesses and propose possible improvements.

When holding a lessons learned session, the project manager and his team could discuss the project risks, the risks identified and described in the project plan and unidentified risks that came up during the project.

Regarding the risks identified (i.e., the known risks) and documented in the project plan, the team could discuss the probabilities, consequences, and mitigation measures that were satisfactory. Otherwise, the team could suggest improvements to the process.

For risks that were not identified (i.e., the unknown risks), were these risks on the list of potential risks of the project management process but were not identified during the development of the project plan? In this case, the project manager should analyze the assumptions he used for the preparation of the project plan and decide whether to amend the risk management tasks of the planning process. If the risks that were not identified were not on the list of potential risks, the project manager should perhaps add them to the list of risks. The new list of risks will be used in a future project.

11.9 Further Reading

1. CHARETTE R. N. Software Engineering Risk Analysis and Management. McGraw-Hill, New York, 1989.
2. CHARETTE R. N. Applications Strategies for Risk Management. McGraw-Hill, New York, 1990.
3. DEMARCO T. and LISTER T. Waltzing with Bears: Managing Risk on Software Projects, Dorset House Publishing, New York, 2003.
4. MCCONNELL S. Rapid Development: Taming Wild Software Schedules. Microsoft Press, Redmond, WA, 1996.
5. HALL E. M. Managing Risk – Methods for Software Systems Development. Addison-Wesley, London, UK, 1998.
6. OULD M. Strategies for Software Engineering: The Management of Risk and Quality. John Wiley & Sons, Ltd, Chichester, UK, 1990.
7. POULIN L. Reducing Risk in Software Process Improvement. Auerbach Publications, Boca Raton, FL, 2005.