1 / 39

Software Engineering

Software Engineering. Lecture 6: Risk Analysis & Management. Today’s Topics. Reactive vs. proactive strategies Types of software risk Risk identification & projection Risk mitigation, monitoring, management (RMMM) Safety risks and hazards. Characterizing Risk.

perdy
Download Presentation

Software Engineering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Software Engineering Lecture 6: Risk Analysis & Management

  2. Today’s Topics • Reactive vs. proactive strategies • Types of software risk • Risk identification & projection • Risk mitigation, monitoring, management (RMMM) • Safety risks and hazards

  3. Characterizing Risk • Risk concerns the future What can we do today to avoid problems tomorrow? • Risk involves changeWhat aspects of the problem domain and solution are unstable? • Risk involves choice & uncertaintyWe often make decisions based on incomplete information

  4. Quotes • “..risk, like death and taxes, is one of the few certainties of life” [Charette, 1989] • “While it is futile to try to eliminate risk, and questionable to try to minimize it, it is essential that the risks taken be the right risks.” [Drucker, 1975]

  5. Reactive vs. Proactive Strategies • Reactive • “Indiana Jones school of risk management” • Risk management = Crisis management (“fire-fighting mode”)

  6. Reactive vs. Proactive [2] • Proactive • Identify risks in advance • Assess probability, impact • Prioritize by importance • Explicit risk management plan • “Risk is unavoidable”

  7. Software Risks • uncertainty : The event that characterizes the risk may or may not happen; P never equals 1.0 • loss : If the risk becomes a reality, unwanted consequences or losses will occur • Important to quantify these for each risk analyzed!

  8. Categories of Risk • Project risks • Technical risks • Business risks • Known risks • Predictable risks • Unknown risks

  9. Project Risks • Threaten the project plan • Problems with budget, schedule, personnel, resources, customer, requirements

  10. Technical Risks • Threaten quality and timeliness of software • “Implementation may become difficult or impossible” • Problems with design, implementation, interfacing, verification, maintenance

  11. Technical Risks (2) • Include specification ambiguity, technical uncertainty, technical obsolescence, “leading-edge” technology • “The problem is harder to solve than we thought it would be”

  12. Business Risks • No market for product (market risk) • Product no longer fits in the business plan (strategic risk) • Sales force doesn’t know how to sell the product (sales risk) • Loss of management support (management risk) • Loss of budget, people (resource risk)

  13. Known Risks • Uncovered during plan evaluation • Examples: • Unrealistic delivery date • Lack of documented requirements • Lack of scope • Poor development environment

  14. Predictable Risks • Extrapolate from past experience • Examples: • Staff turnover • Poor customer communication • Dilution of staff effort by maintenance

  15. Unpredictable Risks • Everything else that can’t be anticipated… • Experience in a particular development domain suggests certain risk factors that can and should be applied globally

  16. Risk Identification • Specify threats to the project plan • “Identification is the better part of mitigation” • “If you don’t actively attack the risks, they will attack you” [Gilb, 1988]

  17. Risk Subcategories • Generic risks (affect every software project) • Product-specific risks, specific to: • the particular technology • the specific individuals • the particular environment

  18. Risk Item Checklist • Product size: What risks are associated with overall size of the software? • Business impact: Risks associated with management or market constraints

  19. Risk Checklist [2] • Customer characteristics: risks associated with the sophistication and communication skills of the customers • Process definition: risks associated with the maturity of the development process

  20. Risk Checklist [3] • Development environment: risks associated with the quality of development tools • Technology to be built: risks associated with system complexity and ‘newness’ of the solution • Staff size and experience

  21. Product Size Risks • Estimate LOC or FP • degree of confidence in estimates? • # of programs, files, events? • % deviation from average size?

  22. Size Risks [2] • Size of associated database(s)? • Number of users? • Number of projected requirements changes? • Amount of reused software?

  23. Business Impact Risks • Impact on revenue? • Visibility to management? • Reasonableness of deadlines? • Number of customers? • Consistency of customers?

  24. Business Risks [2] • Interoperability? • User sophistication? • Documentation required? • Government constraints? • Cost of late delivery, defects?

  25. Customer-Related Risks • Customers have different needs and personalities • Customer / supplier relationships vary • Customers are contradictory • “Bad” customers are a significant threat and a substantial risk

  26. Generic Customer Risks • Have you worked with them before? • Do they understand what is needed? • Are they willing to write specs? • Are they willing to attend reviews? • Level of technical understanding? • Do they understand the development process?

  27. Process Risks • Is there a standard development process which is well-documented? • Do staff follow the process? • Do they have adequate training? • Do you track the process with formal reviews and walkthroughs? • Do you use configuration management?

  28. Technology Risks • Is the technology new to you? • New algorithms or I/O? • Interface with new/unproven HW/SW/DB? • Specialized user interface? • New analysis, design, testing methods?

  29. Technology Risks (2) • Unconventional development methods? (e.g., AI) • Excessive performance constraints? • Customer uncertain about feasibility?

  30. Impact Assessment • Four risk types: • Performance Risk, Cost Risk, Support Risk, Schedule Risk • Four impact categories: • Negligible, Marginal, Critical, Catastrophic • Characterization of consequences • (1) errors, (2) failure to achieve outcome

  31. Impact Assessment [From SEPA 5/e]

  32. Assigned using impact assessment table Sample Risk Table [From SEPA 5/e]

  33. Risk and Management Concern [From SEPA 5/e]

  34. Risk Referent Level [From SEPA 5/e]

  35. RMMM Risk Mitigation, Monitoring, andManagement • Mitigation: Reduce probability and/or impact of risks in advance • Monitoring: Watch factors that indicate change in risk probability • Management: Implement contingency plan(s)

  36. RMMM (2) • RMMM adds overhead! • 80/20 rule: 80% of overall risk from 20% of identified factors • RMM Plan • for every risk above a certain threshold, create a risk information sheet (RIS) • track / update RMMM plan regularly

  37. Risk Information Sheet [From SEPA 5/e]

  38. Safety Risks and Hazards • Classic case: control systems • Language systems: critical control or instructional scenarios • Mitigation: • limit scope of software, increase human role • limit scope of human intervention, increase redundant backup systems

  39. Questions?

More Related