380 likes | 559 Views
S E N G 380:S o f t w a r e P r ocess and Ma n a g eme n t. P r oject. R isk Man a g em e n t P ar t 1. 1. Ri s k D e fini t ion. P M - B O K:. I t i s a p r oj ec t mana g e m e n t s t anda r d. Publish e d b y t he p r o jec t m a na g e m e n t i n s t i t u t e. •.
E N D
SENG 380:Software Process and Management Project RiskManagement Part1 1
Risk Definition PM-BOK: Itisa project management standard. Published bythe project managementinstitute • in the USA. • Standsfor Project Management Bodyof Knowledge. Definitionof Risk:‘an uncertain event or condition that, • if it • occurs has a objectives’. positive or negative effect on a project’s 2
Risk Definition (cont’d) PRINCE2: Itisa UK government-sponsored projectmanagement standard. ItstandsPRojects INControlled Environments. • • Risk definition:‘the chance of exposure to the adverse • consequences of future events’. 3
Risk Key Elements relates tothe future. The future is uncertain. It – • Some things thatseemobvious whenthe project is over,might not have appeared obvious during planning(e.g.technology used,project estimation). – It – involves acauseand an effect. Causes: • • • • The use ofuntrainedstaff. Poor specifications. Aninaccurateestimate ofeffort. Effects: – • • Costover run. Low productivity. 4
Exercise Match the following risk causes to the risk effects. Causes: a) b) c) d) Staffinexperience. Lack oftopmanagement commitment. New technology. Users uncertain oftheir requirements. Effects: I. Testingtakes longer than planned. II.Plannedeffortandtimeforactivitiesexceeded. III.Projectscopeincreases. IV.Timedelays ingettingchangesto plans agreed. 5
Boundaries of Risk Management Everyplan is based on ● assumptions and risk managementtriestoplan for and control the situationswhere those assumptionsbecome incorrect. Risk planningis carried atsteps:3&6. out ● 6
Risk Categories Project Risks:are risks thatcouldprevent the achievement of the objectivesgiven tothe projectmanager and the project team. • These objectives are formulated success. Project success factors: toward achieving project • • Ontime. Within budget. Requiredfunctionality. Quality. – – – – Project riskscanbe classified underthese fourcategories. 7 •
RiskCategories (cont’d) A different way tocategorize risks: Asociotechnical model proposed by Kalle Lyytinen and his • colleagues [1]. TheLyytinen-Mathiassen-RopponenriskFramework [1]'A framework forrisk management' journal ofinformation technology,11(4) 8
RiskCategories (cont’d) Actors : refers toall people involved in the development the application. Risk: of • • A high staffturnover, leads toexpertise of value projectbeing lost. Technology:encompasses both thetechnology: to the • • Usedto implement the applicationand That embeddedinthe deliveredproducts. – – Risk: • Relatingto the appropriateness ofthe technologyand The possible faults init. 9 – –
RiskCategories (cont’d) Structure: describes the managementstructures and systems, includingthose affectingplanningand control. Risk: • • Responsibility for managingthe usersinvolvementat implementationstage mightnot be clearlyallocated. the • Tasks: relatestothe work planned. Risk: • • The complexity of work mightlead todelays because of • the additional time requiredintegrate the large number of components. 10
All boxesare interlinked. Why? Risks often arise from the relationships between factors. Example: between technology and people:If the developmenttechnology is novel, and the developersare not experience in itsuse this couldlead todelayof the results. Whatis a Novel SW in this case? ● ● ● ●
Risk Framework Planning for risk includes these steps: 1. 2. 3. 4. Risk Risk Risk Risk identification. analysis and prioritization. planning. monitoring. When risks are identified, plans can remove their effects. The plansare reassessed toensure: be made to reduce or • • Thatthe original risks are reducedsufficientlyand Nonew risks are inadvertentlyintroduced. – – 12
Risk Identification The two main approaches toidentify risk are: The useofchecklists. Brainstorming. – – Checklists: are lists of the risksthathave been found tooccur regularly in software development projects. Those checklists often suggest some potential countermeasures for each risk. A groupof representativesfor a projectexamines identifyingrisksapplicable totheir project. • a checklist • PRINCE2,recommendsthat after completinga project,all the problemsthat were identified as risksduringthe projecttobe added toan organizational risk checklisttobe used with new • projects. 13
Software Project Risk Checklist Example 14
RiskIdentification (cont’d) Brainstorming (thinkingahead): Representativesof the mainstakeholders of the project, are broughttogether , in order touse their individualknowledge of different parts of ➔ the project toidentify the problems that can occur (identify risks). 15
Risk Assessment (Risk analysis and prioritization) In ordertoprioritize the risks that were identified,we need way to distinguish: a The likely and damagingrisks from those identified in previous step “risk identification”. One way of doingsois tocalculate the riskexposurefor the • each risk identified, usingthe followingformula: Risk Exposure(RE)= (potential damage) occurrence) ×(probability of 16
Risk Assessment(cont’d) Ways of assessing thepotentialdamageand probabilityof occurrence: Inmoneyvaluesandprobabilities. 1. Say a projectdepended on a data center vulnerable tofire.It mightbe estimated that if fire occurred a new computer configurationcouldbe established for $500,000. estimated thatthere is a1 in1000chance thata it might also be fire will occur. The risk exposure (RE)in this case would be: 500,000*0.001=$500 *The highertheRE, the more attentionorpriority is givento the risk 17
Example(TrueorFalse): Ariskthat hasa potentialdamage of$40,000anda probability of occurrence of 12%willbe givenahigherprioritythana risk havingapotential damage of $35,000anda likelihood of14%.False Risk Risk Risk Exposure=potentialdamage *probability ofoccurrence (likelihood) Exposure forrisk1= 40,000 *0.12=$4800 Exposure forrisk1= 35,000 *0.14= $4900 thisriskexposure is higher soitwillbe givenmore priority.
Withsomerisks: Insteadof damages, ● There couldbe gains. Example:a taskthatis scheduledto takesixdays is completed in 3days instead. ● ● Aproject leadermay producea probabilitychartfor the tasks. ● ProbabilityChart The probabilitycompletion:shows the probabilityofcompleting the task inx days. The accumulated probability:shows the probabilityofcompleting the task onor before thexthday. ● ●
Risk Assessment(cont’d) 2.Relativescalesfrom0to10. Both risk loss (damage) andthe likelihood (probability of • occurrence) willbe assessed usingrelative scalesfrom 0to risk 10. Then they will be multiplied together to get a notional • exposure (RE). Riskinthe (RE) table refers tothe Risk Exposure 20
Risk Assessment(cont’d) 3.Qualitativedescriptors. Anotherapproach istouse qualitative descriptions of the possible impact and the likelihood of each risk. Qualitative descriptorsforthe “risk probability rangevalues. ”and associated 21
Risk Assessment (cont’d) Qualitative descriptorsof “impact oncost”and associated range values. 22
RiskAssessment(cont’d) ConsiderR5, whichrefers tothat coding the module would takelongerthan planned. This risk has animpact on what? • Time (the plannedcompletiondate) andcost. – What could be a response tosuchrisk? • Option: Addsoftware developersand split the remainingwork betweenthem. – • Thismay increasethecostbut will save the planned completion date. Option: reducetimespent onsoftwaretesting. – • Thiswill save bothdurationandstaffcostsbut the pricecould be decreasedquality inthe project deliverable. 23
Risk Assessment(cont’d) The risk exposurecannotbe calculatedbymultiplying the two factors when you are usingqualitativedescriptors. • The risk exposureinstead isindicated by the position of the risk in a matrix. The matricesused are called probabilityimpactgridsor • • summaryriskprofiles. Part of the matrix(some of the cells) iszoned off by a tolerance line. Risks appearingin thatzone are givenmoreattentionthan • • otherrisks(higherdegreeofseriousness). 24
Risk Assessment (cont’d) Probability Impact Grid 25
Risk Assessment(cont’d) There is a need toreassess risk exposure as the project proceeds. Thismean thatsome riskscould only apply atcertainstages. Example: Risk: thekey users mightnotbe availablewhen needed to supplydetailsfor their requirements. ● ● ● Once the requirementgathering isdone. ● Theriskisnolongersignificant. –
Risk Planning After: • The majorrisks are identifiedand Prioritized. – – The taskbecomes “howto dealwiththem”. • Thechoices fordealing with them are: • Riskacceptance. Riskavoidance. Riskreductionandmitigation. Risktransfer. – – – – 27
Risk Planning (cont’d) Risk Acceptance: • Thisis decidingtodonothing abouttherisk. This means – you – will acceptitsconsequences.Why? In order toconcentrate on the more likely or damagingrisks. The damage thatthose riskscouldcause wouldbe less – than the costsneeded toact probability of occurrence. towards reducing their 28
Risk Planning (cont’d) Risk Avoidance: • Some activities are soprone toaccident that avoid them altogether. it isbestto – Exampletoavoid all the problemsassociated with – developing software solutions could be to: from scratch, a solution • Buy anoff-the-shelfproduct. 29
Risk Planning (cont’d) Risk Reductionand Mitigation: • RiskReduction:attemptstoreducethelikelihood risk occurring. ofthe – e.g.consider the following risk:developers leavinga company in the middle of a projectfor a better paidjob. In ordertoreduce the probabilityof such a risk occurring: the developers couldbe promised tobe paidgenerous bonuseson successful completion of the project. 30
Risk Planning (cont’d) Risk Mitigation: is the action taken to ensure impactof the risk is reduced when it occurs. that the – Taking regularbackupsof data storage,is it a risk mitigation measure orarisk reductionmeasure? Sinceitwouldreducetheimpactof data corruption not its likelihoodof happening, in this sense it isadatamitigation measure. 31
Risk Planning (cont’d) Risk Transfer: • In this case the riskistransferred toanother organization. person or – Example: a software development taskisoutsourced for fixed fee. a – Another example car). iswhen you buy insurance( e.g. for a – 32
Risk Management Contingency Plans: Althoughrisk reduction measurestry toreduce the • probability or the likelihood of risks, they still couldhappen. Contingency plan isa planned action to be carried out if a risk • materializes (occurs). 33
Risk Management (cont’d) Example: Considerthe following risk: Staff absence throughillness. • Onerisk reductionmeasure taken: Employers will encourage their employees lifestyle. Still,any of the staff members can getsick tolive a healthy • by a flu. • Such risksthatwillhappen eventually nomatter what precautions canbe taken toreduce theirlikelihoodneed a contingency plan. • 34
Risk Management(cont’d) contingencyplan inthis casecanbe: Toget other team memberstocover on urgenttasks. Whatare the factorsthatwillallowthe above action to worthwhile? A • be • Intermediate steps were well documented. There isastandardmethodologyfor the waythatworkwas carried out for the activity. – – Which one of the recommended approaches in the extreme programmingwouldprovide an alternative way todealwith the problem of a team member beingill? • Pair programming. – 35
Risk Management(cont’d) Deciding on the risk actions: For each risk you willhaveaset of countermeasures reduction actions. or risk • These risk reduction measures shouldbecost-effective. Thecosteffectivenessof a risk reduction action can be • • assessed by the risk reduction leverage(RRL). The risk reduction action withaRRLabove 1is worthwhile. • RRL= (RE before – RE after)/costofrisk reduction. 36
Risk Management(cont’d) Sayaprojectdependedonadatacentervulnerabletofire.Itmight • beestimatedthatif couldbeestablished thereisa1%chance fireoccurredanewcomputerconfiguration for$500,000.itmightalsobeestimatedthat thatafirewilloccur.Installingfirealarms at a costof$500 wouldreduce thechanceoffire to0.5%. Willtheactionofinstalling alarmsbeworthwhile. WewillcalculatetheRRLfor thisaction andthendecide. RE= (potentialdamage) ×(probabilityofoccurrence) REbefore =$500,000 *0.01= $2000 REafter=$500,000 *0.005 =$1000 Costof riskreduction=$500 (costofinstallingthefirealarms) RRL= (2000-1000)/500 =2 SinceRRL value > 1 thenthe actionis worthwhile. • • • • • • • • 37
Risk Management(cont’d) Creatingandmaintaining the risk register: A risk register:itcontainsthe findingsof projectplanners of • what appear tobe the mostthreateningrisks totheproject. Afterwork startson a project more risks will appear be added tothe register. Risk registersare reviewed and updated regularly. and will • • True orfalse: The probability and the impact of a risk are likely to duringthe course of the project. change • 38