What is a Risk?
• It is an unwanted event
  • negative connotation
• It is a potential problem
  • there is a possibility of occurrence
A risk is a problem that may occur: 0 < (probability of occurring) < 1

Handling Risks
1. Risk Identification
2. Risk Prioritization
3. Risk Mitigation
4. Risk Handling Plan
Must take actions via:
- monitoring
- adjusting

1. Risk Identification
• In software projects, where do we look?
  • Methodology, Process and Plan (new and unknown)
  • Product and Artifacts (new and unknown)
  • Other Resources (people, tools, technology, etc.)

Risk Identification (cont.)
• Methodology, Process and Plan
  • specific methodology (estimation, design, prototype, review, etc.)
    • new and unproven anywhere
    • lack of experience and understanding (by the team)
    • excessive optimism (by the management)
  • incomplete definition of process (evolutionary, iterative, etc.)
    • pre and post conditional states (entry and exit criteria)
    • applicability and rationale of the specific process
  • execution of methodology and process
    • not trained to execute
    • not enforced
  • overall plan
    • Completeness (schedule, task assignment, goals, measurements, risks, etc.)
    • Consistency & Concreteness (conflict, traceability)
    • Accuracy (mistakes in computation, name, etc.)

Risk Identification (cont.)
• Product and Artifacts
  • intermediate artifacts
    • not well specified (incomplete, extraneous, inconsistent, etc.)
    • untested (review, formally inspected, executed)
    • non-utilized (timeliness, understanding)
  • end product and deliverables
    • not well defined (top cause for project failure)
    • continuous scope creep
    • aggressive or unclear targets (ease of use, robust system, dates, cost, etc.)

Risk Identification (cont.)
• Resources
  • People
    • skill and experience
    • availability/total loss
    • morale and team work
  • Tools
    • availability
    • new and untried
  • Time
    • excessively optimistic
    • miscalculation
  • Finance
    • under-funded
    • timeliness of fund

2. Risk Prioritization (Evaluation)
What do we do with the identified list of risks?
• Risk Prioritization is the ordering of risk items
• Simple categorization (“ordered”)
  • high
  • medium
  • low
• Based on what?
  • Cost of Recovery (estimated), if and when the risk materializes into a problem
    • high cost of recovery == high priority risk item
    • medium cost of recovery == medium priority risk item
    • low cost of recovery == low priority risk item
  • Sometimes it may be probability of recovery (e.g. unique skill that can’t be found no matter the cost)

Risk Prioritization (cont.)
• Upping the Measurement Scale – from “ordered” to “numerical intervals”
  • still based on Cost of Recovery
  • n equal increments
    • estimated & convenient numbers for the increments
    • (largest cost - smallest cost)/n to get the n increments
  • ordered
    • 1, 2, 3, ..., 10 where 10 is the highest cost (or highest priority)
    • priority 7 > priority 5
    • priority 8 is 5 units higher in priority than priority 3
    • priority 6 is twice as high in priority as priority 3

Risk Prioritization (cont.)
• Include probability of occurrence
  • assess the probability of a risk item turning into a problem (this is an estimate based on some criteria)
  • define a risk value, RV, as the product of the probability of occurrence and the cost of recovery
    • RV(j) = p(j) * RC(j)
    • p(j) is the probability of risk item j turning into a problem
    • RC(j) is the recovery cost of item j should it turn into a problem
  • prioritize the risk items by their risk values (RVs)

3. Risk Mitigation
• Risk mitigation is the “reduction or containment” of risk
  • there may be several approaches to mitigation
    • each with different associated cost
    • each with different potential of success

Risk Mitigation (cont.)
• Identify the mitigation approaches via considering
  • increase or change resource (people, time, funding, etc.)
  • improve or modify process and methodology
  • reduce or modify product deliverables (number of, content features, etc.)
• List and characterize the “reasonable” mitigation approaches

Risk Mitigation (cont.): “factors to consider”
• Cost factors
• Probability of success
• Possible other (e.g. compare cost of mitigation versus cost of recovery)

Attach Cost Factor to Mitigation
• Assess the required cost for each of the mitigation approaches
• Rank the mitigation approaches by costs
• Assess which mitigation approach(es) to utilize
  • pick the least cost approach
  • fold in probability of success (or failure) for each approach
    • mitigation value cost = probability of failure * mitigation cost
    • pick the mitigation approach with the lowest mitigation value cost

Example
For Risk item j, there may be several mitigation alternatives

Mitigation Alternatives   Cost of Mitigation   Probability of Failure   Mitigation Value Cost
alternative 1             $60,000              .25                      $15,000   (pick the lowest)
alternative 2             $95,000              .45                      $42,750
alternative 3             $125,000             .3                       $37,500

With Cost Constraint (Allocate by risk priority)

Prioritized Risk Item   Cost of Mitigation for “best” approach   Available Budget ($500,000)
Risk 1                  $180,000                                 $320,000
Risk 2                  $105,000                                 $215,000
Risk 3                  $130,000                                 $85,000
Risk 4                  $95,000                                  Not Enough Budget

Allocation Methodology
• Allocate sequentially until funds run out
• Allocate via maximizing the “total” risk value
• Allocate via maximizing the total number of risk items
• etc.

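The mitigation pick and the three allocation methods above, worked through in Python as an added example that is not part of the original slides. The alternative costs, failure probabilities, risk mitigation costs and budget are the slides' figures; the RV figures for Risk 1 to Risk 4 and all function names are assumptions made for illustration.

```python
from itertools import combinations

def best_mitigation(alternatives):
    """Lowest mitigation value cost = probability of failure * mitigation cost."""
    return min(((n, c * p) for n, c, p in alternatives), key=lambda row: row[1])

def allocate_in_order(risks, budget):
    """Fund risks in the given order; stop at the first one that does not fit."""
    funded = []
    for name, cost, _rv in risks:
        if cost > budget:
            break
        funded.append(name)
        budget -= cost
    return funded, budget

def allocate_max_count(risks, budget):
    """Cheapest-first funds the largest possible number of risk items."""
    funded, left = allocate_in_order(sorted(risks, key=lambda r: r[1]), budget)
    return sorted(funded), left

def allocate_max_risk_value(risks, budget):
    """Exhaustive search for the affordable subset with the highest total RV."""
    best, best_rv = (), 0
    for k in range(1, len(risks) + 1):
        for subset in combinations(risks, k):
            cost = sum(r[1] for r in subset)
            rv = sum(r[2] for r in subset)
            if cost <= budget and rv > best_rv:
                best, best_rv = subset, rv
    return [r[0] for r in best], budget - sum(r[1] for r in best)

# Figures from the slides: (name, cost of mitigation, probability of failure).
ALTERNATIVES = [("alternative 1", 60_000, 0.25),
                ("alternative 2", 95_000, 0.45),
                ("alternative 3", 125_000, 0.30)]
# (name, cost of mitigation, RV). Costs are from the slides; the RV figures
# are constructed, since the slides give no p or RC for these four risks.
RISKS = [("Risk 1", 180_000, 400_000), ("Risk 2", 105_000, 250_000),
         ("Risk 3", 130_000, 150_000), ("Risk 4", 95_000, 120_000)]
BUDGET = 500_000

if __name__ == "__main__":
    print("best mitigation:", best_mitigation(ALTERNATIVES))
    print("sequential:     ", allocate_in_order(RISKS, BUDGET))
    print("max item count: ", allocate_max_count(RISKS, BUDGET))
    print("max total RV:   ", allocate_max_risk_value(RISKS, BUDGET))
```

With these figures, sequential allocation and maximizing total RV fund the same three items, while maximizing the item count also funds three but drops Risk 1, the highest-priority item, in favour of Risk 4.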
4. Risk Handling Plan
• There must be a risk mitigation plan
  • prioritized risk items
  • chosen mitigation approach
  • expected risk mitigation (removal) date
  • dependency for the mitigation
  • person responsible
  • etc.