Principles and Practices of Software Risk Management

(IJACSA) International Journal of Advanced Computer Science and Applications
Vol. IX, No. IV, 2018

Zawar Hussain
Department of Software Engineering
University of Management and Technology
Lahore, Pakistan
F2019108002@umt.edu.pk

Azib Mahmood
Department of Software Engineering
University of Management and Technology
Lahore, Pakistan
F2019108002@umt.edu.pk

Abstract— In this paper, risk management principles are presented; we also describe the notable risk management approaches and summarize some important ideas of each approach. Each approach includes the fundamental steps of risk management: identifying the risk, examining or analyzing the risk, prioritizing, planning, risk mitigation or risk resolution, and finally controlling the risk. The approaches rest on seven management principles, which are explained further on. Risk-based approaches and their practices for software risk management are discussed. Software risk management approaches play an important part in the whole life cycle of software acquisition, development and maintenance. Approaches developed for maintaining the product are essential for managing software successfully.

Keywords— Risk, Risk Management, Software risk management, Risk Management principles, Risk Management practices.

I. INTRODUCTION

For a long time, risk management has been well known in various traditional areas, for example business, manufacturing, medical services, warfare, the human sciences, and so on. It has been considered an enabler of risk-taking [22]. Risk management helps developers to identify risk in an efficient way. It allows the development team to see and analyze the severity of a risk and helps to remove it. By identifying and controlling risks, one can improve and make bolder choices when facing complex, demanding projects or when exploring new, unknown ground. Recently it has come to be recognized as a best practice in the software industry. The reasons are numerous; some of them are increased business unpredictability, continually evolving technologies, improved customer satisfaction, globalization, and the significant effect of business disruption [1].

Software is being produced all over the world and has become the largest production activity across all industries. Billions of dollars' worth of software is made around the world every year, and much of it is reused by changing it slightly and selling it again. Risk management is an investment; that is, there are expenditures related to identifying risks, analyzing those risks, and building up plans to mitigate those risks [2].

In the first section there is a short introduction; after that, risk, risk management and risk management in software engineering are briefly described and defined. Then the risk management approaches are provided, as they fully explain the risk management practices. In the fourth section the principles are explained. At the end there is a conclusion of the paper and future work.

II. WHAT IS RISK?

According to the Merriam-Webster dictionary, the word risk has been defined as loss or a kind of damage. In Latin it has been defined as "to cut off" [18]. Elsewhere risk has been defined in terms of unpredictability.

The word risk is used in many different areas. For instance, it is used in the financial area to mean the likelihood of incurring monetary loss, and in the medical field to represent the likelihood of physical harm. For the software market, risk is undoubtedly a serious problem which poses serious threats to the success of all projects.

Risk is characterized as "hazard, danger; exposure to mischance or peril". Risk is also defined as "occurrence of loss, disadvantage or destruction" (Zarderi et al., 2009). Risk is concerned with uncertainty. This normally includes uncertainty about the occurrence of known events, but also events that were not first identified as affecting the project. In this way, risk management is an evolving and learning process, adjusting to new and changing information as the project goes on (Hell et al., 1998).

Some standard definitions of risk presented in the literature are as follows:

"A possible future event that, if it occurs, will lead to an undesirable outcome" (Leishman and VanBuren, 2003).

"Risk is a combination of an abnormal event or failure, and the consequences of that event or
failure to a system's operators, users, or environment. A risk can range from catastrophic (loss of an entire system, loss of life, or permanent disability) to negligible (no system damage or injury)" (Glutch, 1994).

"Risk refers to a possibility of loss, the loss itself, or any characteristic, object, or action that is associated with that possibility" (Kontio, 2001).

A. What is Risk Management?

Managing risk in the production of any software has become a need rather than a choice [8]. Risk management is characterized as how we identify, evaluate and organize risks and afterwards manage these risks appropriately to avoid or mitigate them [9]. Basically, the approach to managing risk is risk management [4]. In other terms, it is related to all the activities that are carried out to reduce the uncertainties related to specific events or tasks (Different techniques for risk management: a review). One of the positive ways to deal with system failure is risk management [16].

The fundamental principle of risk management is to know every conceivable risk to the software, evaluate its seriousness and significance, and then decide on resolution steps depending on the nature of the risks [4]. The idea is to limit any unanticipated and surprising issues arising throughout the software by properly preparing for outcomes. Proper planning leads to minimized uncertainty. Risk management is basically taking appropriate decisions by predicting the future and the gravity of impact [17].

B. Risk Management in Software Engineering

For a long time risk management has had a presence in software, but only a few years ago did it become an important part of the software industry. At the beginning of this century, software development projects conducted risk management using diverse ad hoc methodologies, without following any systematic procedures. Risk management is used for the recognition, estimation and ordering of risk in software engineering [21]. However, with the increasing complexity of software development, enterprises have understood the significance of risk management, since it helps in reducing the uncertainties associated with creating software and reducing the odds of product breakdown. Risk plays a vital role in software engineering [20]. While creating a project, if you face a risk whose priority is high, its reward will also be high.

In every company, all the members need to be sure of the techniques and methods they are going to apply for risk management (Smith and Pichler, 2005). Mentioned below are some kinds of risks which occur [4]:

- If a risk happens, it could affect your project in certain ways, such as income, market share, and customer goodwill.
- The seriousness of the loss.
- The period of the risk.

SRM is a process which includes different procedures, strategies and instruments for risk in any project [4]. The objective of risk management is to identify the risks which occurred in previous projects and plan their resolution or mitigation in a way so that they cannot occur again. While doing this we should keep in mind the future of our project. Moreover, this process needs to run from the beginning of the project to its end [2].

III. RISK MANAGEMENT APPROACHES

In previous times, different SRM approaches have been proposed. The majority of them evaluate risk during every phase of software development, by coordinating risk management practices alongside the software development process. Subsequently, a limited procedure has been followed as the risk management model in them [3]. Mentioned below are the approaches:

- Boehm's risk management model
- SEI's software risk management model

IV. PRACTICES

For a long time risk identification and mitigation have been under study. Many researchers present their views about it. It has been studied in industry as well as in universities at a high level [23].

In Figure 1, risk management practices are shown, which consist of two foremost steps, risk assessment and risk control, each with three secondary steps [4]. Risk assessment is the foremost step of risk management. It includes the following steps:

- Risk identification
- Risk analysis
- Risk prioritization

Risk identification is the process in which we find out the possible risks which could affect our project's success. Risks remain unseen at all levels, thus including clients and other active members is vital for the development group in order to recognize and manage potential risks proactively [10]. Risk identification has four further steps which are considered important in order to identify risk [4]. These steps are:

1. Checklists
2. Examination of decision drivers
3. Assumption analysis
4. Decomposition

Risk analysis is the process which shows the possibility and extent of loss for the risks found by risk identification. The process of analyzing identified risks is a continuing one, which evaluates the probability of risk events and their effect [11]. It also shows the complex risks from the identified list [4]. Risk analysis has five further steps, which are mentioned below:

1. Performance models
2. Cost models
3. Network analysis
4. Statistical decision analysis
5. Quality factor analysis

Risk prioritization is the process in which all the identified and analyzed risks are arranged in order [4]. This step is used to indicate the order in which the risks are to be managed [14]. The risk with the highest priority is at the top of the list and the risk with the lowest priority is at the bottom. These priorities are based on how much a risk can affect the project's success. Risk prioritization has three further steps, which are:

1. Risk exposure
2. Risk leverage
3. Compound risk reduction
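The risk exposure and risk leverage steps named above, worked through in Python as an added example that is not code from the paper or from Boehm's own work. It applies Boehm's definitions from [4], risk exposure RE = P(UO) * L(UO) and risk reduction leverage RRL = (RE_before - RE_after) / cost of the reduction, to a constructed sample risk register; the class and function names are this example's own, and the same ranking also produces the "Top 10 tracking" list used in risk monitoring later in this section.

```python
"""Risk exposure and risk reduction leverage in the style of Boehm's
software risk management practices [4]. Sample data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk item: probability of the unsatisfactory outcome (0..1) and the
    loss if it happens, in any consistent unit (here: days of schedule)."""
    name: str
    probability: float
    loss: float

    def exposure(self) -> float:
        """Boehm's risk exposure: RE = P(UO) * L(UO), same unit as loss."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range for {self.name!r}")
        return self.probability * self.loss


@dataclass(frozen=True)
class Mitigation:
    """A candidate risk-reduction action: the risk before, the same risk after
    the action, and what the action costs (same unit as the loss)."""
    name: str
    before: Risk
    after: Risk
    cost: float

    def leverage(self) -> float:
        """Boehm's risk reduction leverage: RRL = (RE_before - RE_after) / cost.
        Above 1, the action removes more exposure than it costs."""
        if self.cost <= 0:
            raise ValueError("cost must be positive")
        return (self.before.exposure() - self.after.exposure()) / self.cost


def prioritize(risks):
    """Risk prioritization: largest exposure first (stable for ties)."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def top_n(risks, n=10):
    """The 'Top 10 tracking' list: names of the n largest current exposures."""
    return [r.name for r in prioritize(risks)[:n]]


def rank_mitigations(mitigations):
    """Order candidate actions by leverage, so planning spends effort where
    each day of work removes the most exposure."""
    return sorted(mitigations, key=lambda m: m.leverage(), reverse=True)


# Constructed sample register (not from the paper); losses in schedule days.
SAMPLE_RISKS = [
    Risk("personnel shortfall", 0.3, 40.0),
    Risk("unrealistic schedule", 0.6, 30.0),
    Risk("external component late", 0.2, 50.0),
    Risk("requirements churn", 0.5, 10.0),
]
SAMPLE_MITIGATIONS = [
    Mitigation("prototype the component", SAMPLE_RISKS[2],
               Risk("external component late", 0.05, 50.0), cost=5.0),
    Mitigation("staff with key people", SAMPLE_RISKS[0],
               Risk("personnel shortfall", 0.1, 40.0), cost=10.0),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:26s} RE  = {r.exposure():5.1f} days")
    for m in rank_mitigations(SAMPLE_MITIGATIONS):
        print(f"{m.name:26s} RRL = {m.leverage():.2f}")
```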

The other part of risk management is risk control, which includes:

- Risk management planning
- Risk resolution
- Risk monitoring

Risk management planning: after the determination of risk priorities, there is a need to build up an agreement on the treatment needed for each risk to lessen or limit the likelihood of risk events and also the effects of risks [12]. A risk management plan allows you to handle all kinds of risk [4]. It includes several plans which cooperate with each other and as a whole. The plans it includes are:

1. Buying information
2. Risk avoidance
3. Risk transfer
4. Risk reduction
5. Risk element planning
6. Risk plan integration

Risk resolution is the process in which all the identified risks are removed from the software or managed in an efficient way so that they cannot occur again. This process contains the following steps:

1. Prototypes
2. Simulations
3. Benchmarks
4. Analysis
5. Staffing

Risk monitoring is the process in which the whole software is watched at every step. Have all the occurring risks been removed or resolved? What is the progress of the software? Is it facing any other problems? Is the management working properly on it? All such things are watched by this process. It consists of:

1. Milestone tracking
2. Top 10 tracking
3. Risk assessment
4. Corrective action

Moreover, the efficient way of handling and managing the process is explained by risk management. The spiral model of the project, which is one of the risk-driven approaches, works efficiently enough and avoids all the problems that occurred in older working models such as the waterfall model and the evolutionary development model. This kind of approach further explains how and where to combine the latest technologies, e.g. fourth-generation languages, commercial software products, etc., into the process.

Figure 1. Software Risk Management Process by Boehm

In 1990, SEI set up the Risk Program to enhance risk management in software systems [5]. Although at that time risk management had been widely addressed in other disciplines, little had been written about software risk management. Risk assessment describes different kinds of models [4]. In this paper, the models which are explained are those prescribed by the Software Engineering Institute (SEI), as displayed in Figure 2:
Identify: In order to build successful software and remove risk from it, you have to identify the risk before it exists and makes trouble for the success of your product. Every head of a team needs to build a system which allows people to check the progress of the project at every stage. This is an efficient way to determine risk. Identification of risk can be made easier by making a list of risks [19].

Analyze: Analyzing is the second step in risk management. It confirms the presence of a risk in the software after identifying it. It is a process in which risks are watched and assembled in a queue according to their priority and are managed in an efficient way. The Software Risk Evaluation (SRE) team checks on risks in all aspects regarding the project's budget, plan, progress and quality.

Plan: Planning is a phase where you take decisions about the present and future of your product. In planning you decide about the identified risks, make a queue for them in order to prioritize them, and plan to resolve these risks or remove them. The best practice of planning is to think about the future of your product when you make a decision today.

Track: Tracking is a process in which you look after the identified risks. You check on the activity in order to resolve those risks or to remove them to protect the success of your product.

Control: Risk control refers to the activities that diminish both the occurrence and the seriousness of the loss [13]. This part of the process depends on the procedure to control the actions applied for resolving or removing identified risks [4]. It also controls the overall procedure of the software. All the events that occur during the making of the software are controlled by this section. Operations performed in this section are written in the risk management plan.

Communicate: This is one of the important sections of the whole process. Without good communication no team can make successful software. It takes part from the beginning to the end of the project. Whether asking for customer demands or telling your team to do some job, good communication is necessary.

Figure 2. Software Risk Management Cycle by SEI

SEI's goal includes the enhancement of the procedures for acquiring and developing software-intensive systems [7]. Specifically, the aims are to enable acquisition and development managers and engineers to make effective choices (by identifying risks before they become problems), handling risk in a sound, less disruptive way and handling particular risks in a cost-effective way.

V. PRINCIPLES

For successful risk management, principles give direction on the justification for managing risk and its attributes [15]. They outline the plan and arrangement of an organization's risk management system, which helps with evaluating the adequacy and nature of risk management. Developed software risk methods have three different, unique, compatible goals [6], which are mentioned below:

1. Risk prevention
2. Risk mitigation and correction
3. Ensuring safe system failure

Mentioned below are the seven principles which are necessary in order to attain those goals:

i. Product Vision
The basic purpose of product vision is to concentrate on the final product. It depends on common purpose, ownership and mutual understanding.

ii. Teamwork
Teamwork means you should have a team whose members collaborate with each other in order to attain goals. In order to fulfill this principle, good communication skills are necessary.

iii. Global Perspective
In this principle, harmful consequences like an increase in budget, delay in project time due to some consequences, and failure to meet desired goals are included.

iv. Future View
This principle predicts the risks which could occur in the near future. It allows us to have knowledge about them, detect them, manage them or remove them as soon as we can.

v. Communication Skills
This principle allows your team to present itself in the market. If your team has good communication skills, it will leave a good impact on the market. Moreover, this decreases the possibility of risk. If you have good communication skills you can communicate with your stakeholders in meetings and get the details of their product in an efficient way.

vi. Integrated Management
This principle makes your team work in an efficient way. It allows you to work in a professional way. It demands that you use risk management techniques and instruments in your process, which decreases the occurrence of risk.

vii. Continuity
This final principle checks occurring risks regularly in the software process, identifies them, and resolves or removes them so that they cannot occur again and become a hurdle to the software's success.

VI. CONCLUSION

The most significant part of any software project is to concentrate a great deal on its decisive success factors. For certain reasons, problems which occurred in projects executed in the past are also considered likely to occur in the present, but this does not affect success at that level. On the other hand, there are certain things we can work on to make the software more efficient and successful, which include defining and prioritizing the project's most frequently occurring risks and taking the advice of higher management on the project's working and other important matters. In this article, we discuss the principles and practices of risk management along with identifying risk and resolving or removing it in an efficient way. In the end, for future research, it is worthwhile to discover a technique that aims at improving risk management in the different software development systems. It is concluded that a lot of work has been done by researchers but much more is needed.

References

[1] Kajko-Mattsson, M., & Nyfjord, J. (2008). State of software risk management practice. IAENG International Journal of Computer Science, 35(4).
[2] Chowdhury, A. A. M., & Arefeen, S. (2011). Software risk management: importance and practices. IJCIT, ISSN 2078-5828.
[3] Banff, A., Kumar, V., & Kumar, U. Different techniques for risk management in software engineering: a review.
[4] Boehm, B. W. (1991). Software risk management: principles and practices. IEEE Software, 8(1), 32-41.
[5] Williams, R. C., Walker, J. A., & Dorofee, A. J. (1997). Putting risk management into practice. IEEE Software, 14(3), 75-82.
[6] Rathod, V., Chim, M., & Chawan, P. (2012). An overview of software risk management principles. International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), 1(3), 51.
[7] Higuera, R. P., & Haimes, Y. Y. (1996). Software risk management (No. CMU/SEI-96-TR-012). Carnegie Mellon University, Pittsburgh, PA, Software Engineering Institute.
[8] Tao, Y. (2008, November). A study of software development project risk management. In Future Information Technology and Management Engineering, 2008. FITME'08. International Seminar on (pp. 309-312). IEEE.
[9] Hubbard, D. W. (2009). The failure of risk management: why it's broken and how to fix it. John Wiley & Sons.
[10] Hashimi, H., Hafez, A., & Beraka, M. (2012, December). A novel view of risk management in software development life cycle. In Pervasive Systems, Algorithms and Networks (ISPAN), 2012 12th International Symposium on (pp. 128-134). IEEE.
[11] Gallagher, K. (2002). Software development risk management. CSCI 510 Professor Report, August 6, 2002.
[12] Ward, J. (2004). Software project risk management: keep it simple to enhance project success. Proc. International Conference on Software Quality.
[13] Rejda, G. E. (2011). Principles of risk management and insurance. Pearson Education India.
[14] Wallmüller, E. (2002). Risk management for IT and software projects. Business Continuity, 165-178.
[15] Gallagher, J. (2015). Practice risk management's standard of practice: an overview of ISO 31000. Arthur J. Gallagher & Co.
[16] Sehrawat, N., et al. (2014). International Journal of Computer Science and Mobile Computing, 3(10), October 2014, 845-849.
[17] Higuera, R. P., & Haimes, Y. Y. (1996). Software risk management (No. CMU/SEI-96-TR-012). Carnegie Mellon University, Pittsburgh, PA, Software Engineering Institute.
[18] Luko, S. N. (2013). Risk management principles and guidelines. Quality Engineering, 25(4), 451-454.
[19] Neves, S. M., & Silva, C. E. S. D. (2016). Risk management applied to software development projects in incubated technology-based companies: literature review, classification, and analysis. Gestão & Produção, 23(4), 798-814.
[20] Westfall, L. (2000, January). Software risk management. In ASQ World Conference on Quality and Improvement Proceedings (p. 32). American Society for Quality.
[21] Pandey, P. K. D. (2015). Development of risk management model for secure software product. South Asia Journal of Multidisciplinary Studies, 1(3).
[22] Singh, B., Sharma, K. D., & Chandra, S. (2012). A new model for software risk management. International Journal of Computer Technology and Applications, 3(3), 953-956.
[23] Shahzad, B., & Al-Mudimigh, A. S. (2010, July). Risk identification, mitigation and avoidance model for handling software risk. In Computational Intelligence, Communication Systems and Networks (CICSyN), 2010 Second International Conference on (pp. 191-196). IEEE.