A short report on Risk Management
Where did it start?
Tom McBride
Risk management has always been part of software development. It wasn't always visibly identified but was always there. If there was one book or event that brought sharper focus on risk management, it would be the publication in 1989 of "Software Risk Management" edited by Barry W. Boehm for IEEE Press.
Risk management is an explicit knowledge area of "A Guide to the Project Management Body of Knowledge" first published in 1987 and otherwise known as the PMBOK.
Somewhere between 1987 and now, Risk Management gained greater prominence.
What drives it?
Michael Adameitz
All software projects face the problem of quality, schedule, and cost being affected by problems/risks that are unexpected, unplanned or simply ignored. The reasoning behind structured risk management is to deal with as many of the risks as possible in a cost-effective way to minimise their impact.
The stages of risk management (identify, analyse, plan, track, control, communicate) allow management, the project team, and the customer to increase their confidence that there will be no nasty surprises and that risks will be mitigated effectively.
To be seen as a "mature" organisation, formal risk management is becoming increasingly expected - it is part of both SPICE and SW CMM. There is no real excuse for not conducting it in an effective manner.
Economics, politics, & other driving forces.
Michael Adameitz
Risk management can be viewed as a four letter word. There can be economic boundaries from the addition of extra "overhead" activities, and political/cultural boundaries from an unwillingness to acknowledge that a risk exists and must be mitigated.
Somebody has to pay for it: Risk management is not free - you have to invest to get a return. To prevent this budget pressure, risk management and mitigation activities need to be factored into the project plans from the very beginning of the project. Benefits are hard to quantify and are not always immediately obvious. Because risk management prevents future problems, the cost savings are also in the future. The ROI from preventing just one costly problem can pay for all risk management activities.
Written risks are harder to ignore: Managers are more likely to act on written or formally documented information than on verbally transmitted concerns. They become extremely interested in tackling a risk once it has been listed and identified in a report. A formally documented system gives visibility of the risks to all people involved in the project. It makes an individual's commitment to the mitigation of a particular risk obvious to all.
Who is worth listening to?
David Wilson
The gurus of Risk management are Barry Boehm and Warren McFarlan.
What is worth reading?
David Wilson
Boehm, B. W. "Software Risk Management: Principles and Practices". IEEE Software, January 1991, pp. 32-41.
Boehm, B. W. "Tutorial: Software Risk Management". IEEE CS Press, Los Alamitos, Calif., 1989.
Charette, R. N. "Software Engineering Risk Analysis and Management". McGraw Hill, New York, 1989.
Fairley, R. "Risk Management for Software Projects". IEEE Software 11 (3), May 1994, pp. 57-67.
Gilb, T. "Deadline Pressure: How to Cope with Short Deadlines, Low Budgets and Insufficient Staffing Levels". Information Processing, Elsevier Science, Amsterdam, 1986, pp. 293-299.
Jones, Capers. "Assessment and Control of Software Risks". Yourdon Press, 1994.
Putnam, Lawrence H. "Industrial Strength Software: Effective Management Using Measurement". IEEE Computer Society Press, 1996.
Jarvis, Alka & Crandal, Vern. "Inroads to Software Quality: "how to" guide and toolkit". Prentice Hall, 1997.
Redmill, Felix & Dale, Chris. "Life Cycle Management for Dependability". Springer, 1997.
Grey, Stephen. "Practical Risk Assessment for Project Management". Wiley, 1995.
Karolak, Dale. "Software Engineering Risk Management". IEEE Computer Society Press, 1996.
Also related and worth reading (if you haven't already) is:
Brooks, F. "The Mythical Man Month". Addison-Wesley, Reading, Mass., 1975.
Top Internet sites
The Software Assurance Technology Center (SATC) is part of the Office of Mission Assurance of the Goddard Space Flight Center (GSFC). SATC ... is working to identify tools and metric methodologies to assist project managers in identifying and mitigating risks. See http://satc.gsfc.nasa.gov/SATC/PAPERS/SEL/sel.html
"Chapter 11 Project Risk Management" is one of the PMBOK (Project Management Body of Knowledge) Guide chapters available for download in PDF format. See http://www.pmi.org/pmi/publictn/pmboktoc.htm
"What is Software Risk Management? (And Why Should I Care?)" - is an article available in PDF format which provides an overview of software risk management, including both top-down and bottom-up perspectives; describes a variety of tools available for easy implementation; and highlights positive business results gained from Software Risk Management. See http://www.klci.com/whitepapers/wptoc.htm
Another article is "Assessment and Management of Software Fault Exposure Risk and Quality Throughout the Software Life Cycle (S/W Fault Risk)" from the NASA Jet Propulsion Laboratory. See http://www.ivv.nasa.gov/services/osma/projects/center_initiatives/1998/98jpl1.html
Bell Labs also have a contribution to make with an article on ARMOR (Analyzer for Reducing Module Operational Risk), a software risk analysis tool that automatically identifies the operational risks of software program modules. See http://www.bell-labs.com/user/mlyu/armor.html
RELCON AB. http://www.relcon.se/
RELCON AB is an independent and employee-owned consultancy, providing services and software in the field of risk and reliability assessment. RELCON's staff consists of specialists in analysing complex technical and organisational systems with regard to hazards and availability. The methods used have been developed on the basis of many years' experience in the industrial sector that has the highest safety requirements of all - nuclear power.
Software Program Managers Network http://www.spmn.com
The Mission of the Software Program Managers Network is to enable managers of large-scale, software intensive development or maintenance projects to more effectively manage and succeed by identifying and conveying to them management Best Practices, lessons-learned, and direct support.
What are the Universities doing?
We don't know of any Australian University researching risk management as a topic by itself. Some Universities are teaching risk management as a subject, and others are teaching project management where risk management would be a component.
I suspect some business schools are researching 'risk management' but I am not aware of any specific research agenda on software risk management (but that doesn't mean there isn't any!!).
As regards teaching, most seem to teach software risk management as a component of project management or another management topic.
Who has experience?
Almost any of the large software consulting houses will have some experience.
A search on the Internet for "Software development risk management" returned some 7000 strikes. Some listed in the first 30 or so looked likely to lead to a consultancy with some claim to competence in the area.
Andersen Consulting http://www.ac.com
Happy to advise on software risk management.
CSA Australasia http://www.csaa.com.au/consult.htm
CSA Australasia offers a number of consulting services across the entire development life cycle covering not only development activities, such as analysis and design, but also the development process and environment.
Coopers & Lybrand at http://www.au.coopers.com
Contact Harvey Crapp, Richard Wilkins, or Nicki Burns. Services range from the very specific software development project matters to the more abstract control environment surrounding software development.
IBM has a range of risk management services to offer, from business recovery through to Y2K assessment and scoping to the more standard software development risk assessment and control. Call the switchboard on 132426.
SMS Consulting http://www.sms.com.au
Happy to advise on software risk management.
What are the relevant standards?
AS/NZS 4360:1995
Risk management
Amendments:
Amdt 1, December 1995 (ISBN 0-7337-0223-6), Price Code X
Amdt 2, January 1998 (ISBN 0-7337-1630-X), Price Code X
Provides a generic guide for establishing and implementing the risk management process involving identification, analysis, assessment, treatment and continuous risk monitoring. This Standard may be applied at every stage in the life of an activity, function, project or asset generated by any public, private or community enterprise or group.
Published: 05/11/1995
ISBN: 0-7337-0147-7
Pages: 29
Price: $42.00 (Retail), $33.60 (Member)
Superseded Draft: DR 94351
History
First published as AS/NZS 4360:1995.
Top Tools
Andrew Sands
Risk+ is an add-on Risk Analysis program for Microsoft Project. When installed it adds a new main menu option and an additional toolbar. For a short review of the product see http://www.projectnet.co.uk/pm/pmt/pmtmara3.htm
Risk Master is a stand-alone package which has the ability to plan alternative courses of action when risks occur.
Risk Master is a graphical Risk Analysis tool that addresses the quantitative aspects of Risk Management. For more information and a 30-day trial offer see http://www.agoron.com/~sphygmic/riskmast.htm
For Project Management Guidelines Tips and Tools see http://www.ca.sandia.gov/pubs/PMGHhome/7.html which can lead you to http://www.pmi.org/pmi/mem_prod/prdalpha.htm where a store of other tools and their prices can be found, for example:
Risk+, CS-Solutions, Inc.
@Risk - Risk Analysis, Palisade Corporation
Risk Driver, Decision Products, Inc.
RiskTrak, Risk Services & Technology
@RiskView Distribution Viewing, Palisade Corporation
Risk Spectrum
The analyses involve building models that sometimes become large and involve complex calculations. To manage these models and calculations without powerful, dedicated computer software is inefficient at best, and often impossible.
Risk Spectrum is one of the most widespread software tools for fault tree and event tree analysis. In the most demanding type of application, probabilistic safety assessments (PSAs) of nuclear power plants, Risk Spectrum is the most widely used software in the world.
Rob Thomsett spreadsheet
Rob Thomsett has a spreadsheet in his book "Third Wave Project Management" Prentice Hall, 1989. It works well as a coarse grained analysis tool to tell management whether this project is high, medium, or low risk. The tool deliberately does not make finer distinctions than that.
Basic list
Like project schedules, the first step in controlling risks is to identify them and record them. A basic list of risks on a sheet of paper is a healthy step toward controlling risks.