SOFTWARE PROJECT

MANAGEMENT
RISK MANAGEMENT

1
 INTRODUCTION
• What is a risk?
-factor or aspect which are likely to have an
impact on the projects performance
- Uncertainties which affect the project
performance: budget, schedule, quality

2
 Risk tolerance or Risk utility
• Different organizations or individuals have
different tolerances to risks.
• Three types of tolerance:
o Risk averse-lower tolerance for risk; less
satisfaction for risk
o Risk neutral-achieves a balance between risk and
payoff.
o Risk seeking-high tolerance for risk; high
satisfaction for risk.
3
 Types of Risk
• Schedule Risks
• Schedule compression (customer, marketing, etc.)
• Cost Risks
• Unreasonable budgets
• Requirements Risks
• Incorrect
• Incomplete
• Unclear or inconsistent
• Volatile
• Operational Risks
• Assumptions Risks
• Decisions risks
4
 Risk Management
• Any project involves certain risks
• Purpose of risk management
- Ensure that the impact of risk on project’s performance is
minimized
- Deals with identifying the undesirable events that can occur,
the probability of their occurring, and the loss if an
undesirable event does occur
- Risk mgt can have positive impact on selecting projects,
developing realistic schedule and cost estimates.
- So, risk management revolves around risk assessment and risk
control

5
 Risk Management

Risk Identification

Risk Assesment Risk Analysis

Risk Prioritization

Risk Management
Risk Management Planning

Risk Control Risk Resolution

Risk Monitoring

6
 Risk Identification
• Produces a list of risks with potential to disrupt your project
• Sub-activities of risk identification:
- Brainstorming
o Generate ideas by a group
o Aggregate and categorize the ides to make them more manageable
o Disadvantage includes:
 Fear of social disapproval
 Effect of authority hierarchy
 Domination by vocal individuals
- Delphi technique or non-consultative group consensus
- interview
- Checklist
- Decision driven analysis
- Assumption analysis
- Decomposition analysis

7
 Risk Identification-Check List
• Common risks encountered by previous
projects
1. Personnel shortfalls
2. Unrealistic schedules and budget
3. Developing the wrong software functions
4. Developing the wrong user interface

8
 Risk Identification-Check List
5. Gold plating – refers to adding features that
are only marginally useful. It consumes
resources and time
6. Stream of requirements changes
7. Dependency on externally furnished
components
8. Dependency on technology

9
 Risk Identification-Decision Analysis

• Analyze all decisions taken

o Look for decisions derived by non-technical or
non- management reasons
o Such decisions might be driven by politics,
marketing or the desire for short term gain

10
Risk Identification-Assumption Analysis

• Look for optimistic assumptions such as:

- Nothing goes wrong
- No team member will quit
- People will put in extra hours if required
- External components will be delivered on time

11
Risk Identification-Decomposition Analysis

• 20% of the modules cause 80% of the problem

• Analyze the modules of the project

12
 Risk Analysis
• Two types:
- Qualitative risk analysis
- Quantitative risk analysis

13
 Qualitative Risk Analysis
• Involves assessing the likelihood and impact of
identified risks to determine their magnitude and
priority
• Uses probability/impact matrix
• Estimating size of loss
• Loss is easier to see than probability
• Estimating probability of loss
• Is subjective
• Use team members estimate and have a risk-estimate review
• Use Delphi or group-consensus techniques
• Some use numbers for probability/impact; some use low, medium
and high

14
 Risk Prioritization
• Determine impact of each risk based on analysis
• One approach for prioritization is RE
• Risk Exposure (RE)
• Is expected value of loss due to a particular risk
• RE = Probability of loss * size of loss
• Eg.: risk is “Facilities not ready on time”
– Probability is 25%, size is 4 weeks, RE is 1 week
• Eg.: risk is “Inadequate design – redesign required”
– Probability is 15%, size is 10 weeks, RE is 1.5 weeks
• The higher RE, the higher the priority

15
 Risk Control
• Unlike risk assessment, risk control involves
active measures taken by PM to minimize impact
• Has three sub-activities:
- Risk management planning
- Risk resolution
- Risk monitoring

16
 Risk Management Planning
• Plans are developed for each risk
• The plan for a particular risk needn’t be extensive or
elaborate
• The plan has five components:
- Why it is important and why should it be managed?
- What should be delivered?
- Who is responsible for risk management activities
- How the risk be abated/minimized?
- How many resources are needed?
17
 Risk Management Planning
• Involves defining strategies for risks
• Risk management planning strategies:
o Risk avoidance
- Don’t do it
- Ex: shifting the site of a building to earthquake free zone if location is a
risk
o Risk reduction
o Risk transference
• Causing another party to accept, typically by contract or hedging
• Ex: Insurance, outsourcing
o Risk retention/acceptance
- Accept its occurrence
- Don’t do anything about it

18
 Risk resolution and Monitoring
• Risk resolution is essentially risk management
planning implementation, i.e, activities to
implement each strategy.
• For each risk, specify its risk monitoring- how
the measures described in resolution are
executed.

19
 Risk Control Example
• Suppose wrong product development is identified as a risk. Identify
its strategy, resolution and monitoring
• Solution:
o Risk Management planning strategy: reduction
o Risk resolution
- elicit as much requirement as possible
- clarify vague requirements
- prepare prototype
o Risk Monitoring
- development team leader monitors changes according to the new
understanding
- PM checks whether the new requirements are addressed

20
 Quantitative Risk Analysis
• Often follows qualitative risk analysis, yet both processes
can be done together or separately.
• Provides high level information in terms of the
probabilities of achieving certain project objectives
• Involves decision tree, simulation and sensitivity analysis
• Decision tree analysis
- A diagramming technique used to help select the best
course of action in situation in which feature outcomes
are uncertain.
- Expected monetary value(EMV) is its common tool

21
 Quantitative (Cont.)
• EMV =
is sum of the product of a risk event
probability and the risk event monetary value.
• The higher EMV, the better
• Illustrate by example

22
 Risk Management Document Template
1. Introduction
2. Roles and responsibilities
3. Risk assessment
3.1 Risk identification
3.2 Risk analysis and prioritization
4. Risk Control
4.1 Planning strategies
4.2 Resolution
4.3 Monitoring
23
 Assignment II
• Prepare RMD for your project
• Due date: Two weeks

24