Every software project carries significant uncertainty arising from constraints such as scope, schedule, and budget estimation. An inability to control these uncertainties imposes potential risks not only during the development phase but throughout the life cycle of the project, and may lead to project failure. Many projects fail either because simple problems were reported too late or because the wrong problem was addressed. Software risk management is an effective tool for increasing the likelihood of project success.
It is used to plan and control the risks that may arise during and after software development. This research paper aims to explain the need for risk assessment and management on software development projects. The author includes some approaches, tools and strategies for doing risk management.

Categories and Subject Descriptors: Software Engineering: Project Management – risk management
General Term: Risk Management
Keywords: Software development, Risk management approaches, Risk management tools, Risk management strategies

1.
Software development is a special kind of engineering activity because of the knowledge and technology involved, so it is common to say that risks have an extremely high influence on the success of software development projects. There are numerous kinds of risks that can cause software development project failure. It is useful to clearly define risk categories that could apply to a wide range of software development projects. The essence of risk classification is not in precisely defining risk categories, but in identifying and describing as many risks as possible on the project.
For that reason, it is suggested that risks on software development projects should be classified according to the main impact areas. For most software development projects, we can define five main risk impact areas.

2.1 The use of new and unproven technologies
The majority of software development projects are associated with the application of new technologies. The improper use of new technologies usually leads to project failure. In order to implement a new technology, a development team should have sufficient knowledge about it to minimize the risk connected with the use of that technology.
The software development team should have sufficient knowledge to be able to exploit the features of the new technology efficiently. Knowledge of the technologies involved is a precondition for a successful software development project.

2.2 Software system requirements
Software requirements are a common term for all users’ needs regarding software system functionality and quality of service. It is often very hard to develop the right software solution that fully meets users’ expectations.
In order to develop a software solution according to user expectations, a software development team should discover the whole set of user requirements. These requirements, which must guide the entire development process, can be divided into functional and non-functional. Functional requirements define the behavior of the software solution, while non-functional requirements define the qualities and constraints to which the software solution must conform. The process of identifying and defining requirements is long and complicated. It is common for requirements to change during the development of a software project.
A change of requirements is a major problem in software development because the change of one or a few requirements could impact the complete software solution and lead to the failure of a software development project. Therefore, it is absolutely necessary to find the right requirements and to manage the change of requirements during a software development project.

2.3 Software system architecture
Software architecture can be described as a set of significant decisions about the organization and components of a software solution.
Software architecture must be defined in the early development phases in order to build a quality software solution. It is possible that a software architecture defined in the early development phases does not satisfy all of the requirements set on a software solution. The software architecture can be verified only with a software prototype, which can be realized only in later development phases. Due to the importance of software architecture, many development processes focus directly on software architecture in order to build a quality software solution according to the defined requirements.

2.4 Software system performance
The performance of a software solution can be tested only on a real, realized software solution. Thus, it is necessary to make predictions about software system performance in the early development phases. These predictions are very important because it is possible to develop a software solution that satisfies the functional requirements but is too slow to fulfill the performance requirements. As a result, development team members with experience in the given technologies should make the performance predictions and assumptions.

2.5 Organizational and non-functional area
The risks connected with this area can be described as organizational problems and problems related to project resources and schedule. Organizational problems may affect the realization of a software solution, since only the efficient organization of software development leads to a successful software development project. A defined project schedule can become a risk because there are many unwanted events that could cause a delay in software realization.
It is a management problem to define a project schedule that satisfies both customers and developers. In order to meet the defined project deadlines, the resources given to the project should be sufficient. This means that every software development project should have enough project members with the right competencies and all the required resources for the planned completion.

3. RISK MANAGEMENT
Software risk management is defined as the practice of managing risks that occur in a software development project.
Two approaches to software risk management can be identified: traditional and risk-oriented. The traditional approach is reactive in nature and deals with problems generic to all software projects systemically, and with project-specific problems as they arise. The latter approach, however, is proactive, as it seeks to identify and manage the unique aspects of a specific project before they impact the
Figure 1: Approaches to Risk Management

4.1 Software Engineering Institute (SEI) Software Risk Management (SRM) Methodologies
SEI's SRM risk management framework for software risk management is supported by three groups of practices:
1. Software Risk Evaluation (SRE)
2. Continuous Risk Management (CRM)
3. Team Risk Management (TRM)
The goal of this framework is to enable engineers, managers, and other decision makers to identify, sufficiently early, the risks associated with software acquisition, development, integration, and deployment so that appropriate management and mitigation strategies can be developed on a timely basis.
The developed software risk methodologies have three fundamentally different, albeit complementary, objectives:
1. Risk prevention
2. Risk mitigation and correction
3. Ensuring safe system failure
The following seven risk management principles are instrumental in the quest to achieve these three objectives:
1. Shared product vision: sharing a product vision based upon common purpose, shared ownership, and collective commitment; focusing on results
2. Teamwork: working cooperatively to achieve a common goal; pooling talent, skills, and knowledge
3. Global perspective: viewing software development within the context of the larger system-level definition, design, and development; recognizing both the potential value of opportunity and the potential impact of adverse effects, such as cost overrun, time delay, or failure to meet product specifications
4. Forward-looking view: thinking toward tomorrow, identifying uncertainties, anticipating potential outcomes; managing project resources and activities while anticipating uncertainties
5. Open communication: encouraging the free flow of information between all project levels; enabling formal, informal, and impromptu communication; using a consensus-based process that values the individual voice (bringing unique knowledge and insight to identifying and managing risk)
6. Integrated management: making risk management an integral and vital part of project management; adapting risk management methods and tools to a project’s infrastructure and culture
7. Continuous process: maintaining constant vigilance; identifying and managing risks routinely throughout all phases of the project’s life cycle

4.2 Capability Maturity Model Integration (CMMI)
CMMI, in software engineering and organizational development, is a process improvement approach that provides organizations with the essential elements for effective process improvement. CMMI was developed by a group of experts from industry, government, and the Software Engineering Institute (SEI). CMMI currently addresses three areas of interest:
1. Product and service development – CMMI for Development (CMMI-DEV),
2. Service establishment, management, and delivery – CMMI for Services (CMMI-SVC), and
3. Product and service acquisition – CMMI for Acquisition (CMMI-ACQ).
Risk Management (RSKM) is a project management process area at maturity level 3. Its purpose is to identify potential problems before they occur so that risk-handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives. Projects may initially focus simply on risk identification for awareness, and react to the realization of these risks as they occur. The Risk Management process area describes an evolution of these specific practices to systematically plan, anticipate, and mitigate risks in order to proactively minimize their impact on the project.
4.3 Other Approaches
Khmer and Conclaves present a model of the risk management process (Grips-Model) that covers all the stages of the software development process. The Grips-Model was proposed on the basis of the literature and of the experience of managers and senior software engineers of Brazilian software factories. A large number of processes have been generated in recent years to address the need for more effective risk management. According to Higuera and Haimes, the need to manage risk increases with system complexity. As the complexity of the system increases, both technical and non-technical (cost and schedule) risks increase.
There is, therefore, an increasing need for more systematic methods and tools to supplement individual knowledge, judgment, and experience. Human traits (without tools), they argue, are often sufficient only for addressing less complex risks. They also note that many managers believe that they are managing risk in its multifaceted dimensions, while in fact they are merely managing cost and schedule along with isolated cases of technical risk. While agile methodologies have gained considerable industry attention, there is little evidence that the practices they recommend reduce risks.

5. RISK MANAGEMENT TOOLS
The following are some of the tools used in risk management:

5.1 Riskit
Riskit was proposed in 1996 by Professor Jyrki Kontio when he was a researcher at the University of Maryland (UMD). It is a comprehensive risk management method based on theoretical principles, with a comprehensive process definition that supports risk management activities.

5.1.1 The Riskit process
Main characteristics of the Riskit process:
– full operational definition of the process
– risk management scope, focus, authority and specific steps for identifying and defining the goals of the project

5.1.2 Risk elements in Riskit
The risk elements in Riskit are defined together:
– Risk factor: a characteristic that affects the probability of a negative event occurring.
– Risk event: a stochastic phenomenon that represents the occurrence of a negative incident.
– Risk outcome: represents the situation after the risk event has occurred and before any corrective action.
– Risk reaction: a possible action taken in response to a risk event and the resulting risk outcome.
– Risk effect set: the final impact of a risk event on the project. Considering the impact of the reaction, it describes the characteristics that were affected.
Figure 2: The Riskit process

5.1.3 Steps in Riskit
1. Risk management mandate definition
– the scope and frequency of risk management are defined.
– all relevant stakeholders are recognized.
– output is the risk management mandate (why, what, when, who, how and for whom)
2. Goal review
– the stated goals of the project are reviewed and refined, and implicit goals and constraints are defined explicitly.
– stakeholders’ associations with the goals are analyzed.
– output is explicit goal definitions
3. Risk identification
– potential threats to the project are identified using multiple approaches.
– output is a list of “raw” risks
4. Risk analysis
– risks are classified and consolidated.
– risk scenarios for the main risk events are completed.
– risk effects for all risk scenarios are estimated.
– probabilities and utility losses of risk scenarios are estimated.
– output is a completed risk analysis graph for all analyzed risks and ranked risk scenarios
5. Risk control planning
– the most important risks are selected for risk control planning.
– risk controlling actions for those important risks are proposed.
– risk controlling actions are selected to be implemented.
– output is the selected risk controlling actions
6. Risk control
– risk controlling actions are implemented.
– output is reduced risks
7. Risk monitoring
– the risk situation is monitored.
– output is risk status information

5.2 Risk Guide
Risk Guide, implemented at the Polytechnics Agendas, is an Internet application and can be accessed simply with a web browser. This makes it applicable to distributed software projects. It supports risk reviews, indications, snapshots and reports to publish assessment results. Multiple project members can post risk indications simultaneously, and those are then automatically lined up in the risk repository.
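To make the Riskit elements (section 5.1.2) and process steps 3 to 5 (section 5.1.3) concrete, the following is an added example of a small risk register, written for this page and not taken from the paper or from Riskit's own tooling. The data model, the constructed sample risks, and the ranking rule (expected loss = probability × utility loss, with a threshold for selecting risks for control planning) are assumptions of this example, not Riskit's own utility-function procedure.

```python
"""Riskit-style risk register: elements (5.1.2) and process steps 3-5 (5.1.3).

Added example, not from the paper or from Riskit's own tooling. The data
model and the numeric ranking rule (expected loss = probability x utility
loss) are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RiskFactor:
    """Characteristic that affects the probability of a negative event."""
    name: str


@dataclass
class RiskScenario:
    """One analysed scenario: event, outcome, reaction and effect set, with
    the probability and utility loss estimated in the risk analysis step."""
    event: str                      # risk event: occurrence of a negative incident
    factors: List[RiskFactor]       # factors raising the event's probability
    outcome: str                    # situation after the event, before any reaction
    reaction: str                   # planned response to the outcome
    effect_set: Dict[str, str]      # project goal affected -> how it is affected
    probability: float              # estimated P(event), 0..1
    utility_loss: float             # estimated loss of goal utility, 0..1

    def __post_init__(self) -> None:
        # Reject estimates outside [0, 1] so a typo cannot distort the ranking.
        for name, value in (("probability", self.probability),
                            ("utility_loss", self.utility_loss)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {value}")

    def expected_loss(self) -> float:
        """Ranking key used in this example (an assumption of the example)."""
        return self.probability * self.utility_loss


def consolidate_raw_risks(raw: List[str]) -> List[str]:
    """Step 4 begins by classifying and consolidating the 'raw' list produced
    in step 3; here duplicates are merged ignoring case and extra spaces."""
    seen: Dict[str, str] = {}
    for item in raw:
        key = " ".join(item.lower().split())
        seen.setdefault(key, item.strip())
    return list(seen.values())


def rank_scenarios(scenarios: List[RiskScenario]) -> List[RiskScenario]:
    """Step 4 output: scenarios ranked by expected loss, highest first."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)


def plan_controls(ranked: List[RiskScenario], threshold: float) -> List[RiskScenario]:
    """Step 5: select the most important risks for risk control planning."""
    return [s for s in ranked if s.expected_loss() >= threshold]


# Constructed sample data (not from the paper), drawn from the paper's impact
# areas: new technology, requirements, architecture and performance.
RAW_RISKS = [
    "Team has no experience with the new framework",
    "Key requirements still changing",
    "team has no experience with the new  framework",  # duplicate, different case
    "Architecture never validated with a prototype",
]

SAMPLE_SCENARIOS = [
    RiskScenario(
        event="Framework misuse delays integration",
        factors=[RiskFactor("unproven technology"), RiskFactor("no training budget")],
        outcome="Integration milestone slips by six weeks",
        reaction="Bring in an external expert and re-plan the iteration",
        effect_set={"schedule": "six-week delay", "cost": "consultant fees"},
        probability=0.6, utility_loss=0.8),
    RiskScenario(
        event="Late requirement change invalidates the data model",
        factors=[RiskFactor("volatile requirements")],
        outcome="Persistence layer must be redesigned",
        reaction="Freeze requirements for the release and defer the change",
        effect_set={"scope": "feature deferred", "schedule": "rework"},
        probability=0.3, utility_loss=0.9),
    RiskScenario(
        event="Prototype reveals response time above target",
        factors=[RiskFactor("no early performance prediction")],
        outcome="Performance requirement unmet at first demo",
        reaction="Add a caching layer before acceptance testing",
        effect_set={"performance": "target missed at demo"},
        probability=0.5, utility_loss=0.2),
]


def run_register(threshold: float = 0.2) -> List[str]:
    """Walk steps 4 and 5 and return the events selected for control planning."""
    ranked = rank_scenarios(SAMPLE_SCENARIOS)
    return [s.event for s in plan_controls(ranked, threshold)]


if __name__ == "__main__":
    print("Consolidated raw risks:", consolidate_raw_risks(RAW_RISKS))
    for s in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{s.expected_loss():.2f}  {s.event}")
    print("Selected for control planning:", run_register())
```

With the constructed estimates, the framework risk ranks first (0.6 × 0.8 = 0.48), the requirements risk second (0.27), and the performance risk last (0.10); a threshold of 0.2 selects the first two for control planning. The point of keeping the effect set and reaction on each scenario is that step 6 (risk control) and step 7 (risk monitoring) then have the context they need without a second lookup.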
The tool can support multiple projects at a time, with independent risk identification and assessment processes. The system offers a knowledge base of checklists and lists of common risks, or a complete list of schedule risks. Three techniques for identifying risks are supported: automatic generation of risk indications based on the answers to a questionnaire, explicit selection of a risk from a list of risks, and supplying a new definition of a specific risk identified by intuition and/or engineering judgment.
The tool supports the management of checklists and lists of risks. Once the analysis is completed, the resulting list of the most important risks can be published in a risk assessment report.
Figure 3: Example of Risk Assessment Report

5.3 Risk Radar Enterprise (RRE)
RRE, by American Systems, is a commercial web-based application for enterprise-wide project risk management using an MS Access database. It enables the management and communication of project cost, schedule, technical and performance risks within a common enterprise framework.
The vendor claims that RRE gives managers and their teams the visibility they need to proactively identify, analyze, track, control, mitigate, and report risk. It is said to support guidance from the PMBOK and SEI CMMI.
Figure 4: Example of RRE Risk State Screen

6. RISK MANAGEMENT STRATEGIES
These strategies are defined in order to support various types of software development projects according to the amount of risk influence. Based on the amount of risk on a software development project, the author defines three risk management strategies.

6.1 Careful risk management strategy
This risk management strategy should be used on software development projects with high acceptable risks, new technology and inexperienced people. The careful risk management strategy can be described as high-priority risk management. Risks on software development projects with an implemented careful risk management strategy should be treated with the utmost importance. This requires rigorous risk analysis on multiple levels. Risks should be analyzed and traced at the individual, team and organizational levels.
In order to identify important risks as soon as possible and across a wide problem area, every project team member should be involved in risk management. This requires constant planning and project supervision, but with this approach risks are mitigated in the early phases of software development, when the cost of the software development project is still small.
Figure 1. Careful risk management strategy activities

6.2 Typical risk management strategy
This risk management strategy should be used on software development projects with a certain level of known technology and mostly experienced people.
The level of acceptable risk for this strategy is medium, i.e. there are risks that could be considered too harmful, and projects with those risks would be canceled. With this strategy, risks should be identified in steps according to project progress. The main difference between the careful and typical strategies lies in risk importance: the typical risk management strategy assumes that most of the risks on the project are easily addressed, while the careful risk management strategy assumes a high number of dangerous risks.
This strategy is intended for software development projects involving mostly known technologies, because the strategy should handle only sporadically materialized risks.
Figure 2. Typical risk management strategy activities

6.3 Flexible risk management strategy
This strategy assumes a small number of acceptable risks, which are mostly transferred to other organizations. The flexible strategy requires a relatively informal risk definition, with risk mitigation and contingency plans defined only for a few important risks.
This is defined in order to minimize the amount of work required for risk management, because the level of risk influence is small in mature and experienced software development organizations. The strategy is based on comparing currently identified risks to previously encountered ones, and risk management should be practiced mostly at the organizational level. There is no risk interpretation and ranking policy connected with the flexible risk management strategy, mostly because of the small risk influence and importance on formally defined software development projects.