1. Developed for:
CS671 – Software Systems Engineering Process
Author:
Loren Karl Schwappach, BSEE / BSCE
2. What is Risk Management?
Risk management involves identifying applicable risks, analyzing
those risks, managing/mitigating risks, and finally reviewing risks.
[Potter02]
Careful use of risk management techniques can help prevent problems
from occurring and allow future problems to be anticipated, so that
process improvement runs smoothly [Boehm89, Potter01, Van Scoy92].
[1]
3. Six Steps to Risk Management
Step 1: Determine the Scope of the Risk
Step 2: Select the Team and Moderator
Step 3: Identify Risks
Step 4: Analyze Risks
Step 5: Plan to Mitigate Risks [2]
Step 6: Plan for Periodic Risk Review
Note: There will be a hands-on example at the end of this presentation if time
permits.
4. Step 1: Determining the Scope
The scope of the list should include the goals and problems that you
plan to address in the next six months. [Potter02]
The goals and problems in the complete list from your action plan are the
perfect candidates for determining your risk management scope.
However, you should refine the goals/problems into a few that you
plan to address in the near term.
5. Step 2: Select the Team and Moderator
[3]
The risk management team should include individuals who have an
understanding of the risks that could prevent successful project
completion. [Potter02]
The team should include the improvement team, stakeholders
(software developers, quality analysts, and managers), previous
improvement project members, and subject area experts. [Potter02]
Try to limit the group size to around nine people to keep the
conversations on track. [Potter02]
The moderator is responsible for keeping the discussions focused and
should be able to explain the risk management process to team
members. [Potter02]
6. Step 3: Identify Risks
[4]
Risks: potential problems that are not guaranteed to occur. [Potter02]
Start risk identification as a brainstorming session, allowing members to
call out problems that could cause the improvement projects to fail.
[Potter02]
Consider the following: [Potter02]
- Weak areas such as unknown technology (tools, vendors, methodologies).
- Critical aspects necessary for the improvement project (timely delivery of training programs, management buy-in, training materials).
- Previous problems (loss of essential staff, resistance to change, shifts in priority).
7. Step 4: Analyze Risks
[5]
Sub-steps to risk analysis: [Potter02]
- Focus on removing ambiguities, carefully clarifying each risk item (example: “lack of management buy-in” becomes “manager X may not find any benefit to the new method”, and “people might leave” becomes “subject master X may get pulled off of project”). Note: Risk Items column.
- Enumerate the primary consequence if the risk were to occur. Note: Consequence column.
- Set priorities by agreeing on how likely a risk item is to occur (scale 1 to 10 (very likely)), and then rate the impact if the risk were to occur (scale 1 to 10 (very large impact)). First select the item that rates the lowest and assign it a 1, and then select the item that rates the highest and assign it a 10. All other items should be rated within these boundaries. The final priority is the product of the two values!
- Select a few items to manage (top three risks or top 20 percent).
8. Step 5: Plan to Mitigate
[6]
Reduce the likelihood of the risk occurring.
One method used is to change the decision that caused the risk.
Sometimes this can be done by eliminating the item altogether;
however, this can sometimes create additional risks.
Another method used is to reduce the impact of the risk should it
occur.
Note: List the actions to reduce the risk likelihood and impact
under their respective columns.
Decide which actions to pursue. Focus on actions that reduce likelihood
and provide a contingency.
Assign responsibility to each risk reduction action. This includes
identifying a responsible member and a realistic completion date.
9. Step 6: Plan for Periodic Risk Review
Periodic review provides visibility on the effectiveness of the
risk management process.
During the reviews determine whether any likelihood or
impact numbers need revisiting and if needed repeat the
complete risk management process to address any significant
changes that occur.
Measure the impacts of any risks that occur for future risk
management decisions.
10. Summary
Risk Management involves:
1: Determining the Scope of the Risk
Goals/Problems within next 6 months.
2: Selecting the risk management team & moderator
Limit to around 9 people from improvement team, stakeholders, previous
improvement project members, and subject area experts.
3: Identify Risks
Brainstorm session considering weak areas, critical aspects and previous problems.
4: Analyze Risks
Remove ambiguities, enumerate consequences, set priorities, and select few for
managing.
5: Plan to Mitigate Risks
Choose actions that reduce the likelihood and impact of risk occurring, select best
actions to pursue and assign responsibility.
6: Plan for Periodic Risk Review
11. References
[1] Image Retrieved from Lawns To Gardens Website on 27 April 2011 at http://lawnstogardens.wordpress.com/2007/12/09/how-to-develop-a-peak-oil-risk-management-plan/
[2] Image Retrieved from Edge 360 Website on 27 April 2011 at http://www.edge360.com/services/risk-management/
[3] Image Retrieved from eastpennsd.org Website on 27 April 2011 at http://www.eastpennsd.org/shoemaker/Staff.html
[4] Image Retrieved from lovemeow.com Website on 27 April 2011 at http://lovemeow.com/2009/11/video-cat-loves-mouse/
[5] Image Retrieved from Halfiranian.com Website on 27 April 2011 at http://halfiranian.com/2009/09/01/britains-radical-moment/
[6] Image Retrieved from Julesbright.com Website on 27 April 2011 at http://julesbright.com/
[7] Image Retrieved from Enterprise-PM.com Website on 27 April 2011 at http://www.enterprise-pm.com/pmbasics/risk-management-models
12. References Continued
[Boehm89] Boehm, B. Tutorial: Software Risk Management. New York: IEEE Computer Society, 1989.
[Potter01] Potter, N., and M. Sakry. “Keep Your Project on Track.” Software Development 2001; 9, no. 4.
[Potter02] Potter, N., and M. Sakry. “A Concise Action Guide for Software Managers and Practitioners.” Making Process Improvement Work 2002.
[Van Scoy92] Van Scoy, Roger L. Software Development Risk: Opportunity, Not Problem. CMU/SEI-92-TR-30, ADA 258743. Pittsburgh: SEI, 1992.
13. Questions?
You may see this information on the class final so be prepared!
[7]
Where to go for additional information:
Garvey, P., Analytical Methods for Risk Management: A Systems
Engineering Perspective, 2008.
15. Step 4: Analyze Risks
Hands-On Example…
Scenario: A system engineering firm (Over Priced Solutions Inc.)
develops software for a large TS/SCI satellite agency in partnership
with the military and NSA.
The firm has one manager (Jerome Akins) who is not big on wasting
time on process improvement efforts and often shifts priorities; one
library control expert (Jay Deguzman) who is considering leaving the
firm; two software developers (Mitchell Williams and Ryan Lacroix)
who have been with the firm for 20 years and are not interested in
learning new tools (specifically the software requirement management
tool, which has a large learning curve); and one overly excited project
manager (Loren Schwappach). The firm is also expected to hire several
new staff members within the next six months.
16. Step 4: Analyze Risks
Hands-On Example…
Software Company X – Identified Risks:
Lack of management buy-in.
People might leave.
Software requirement management tool is hard to use.
Management changes priorities often.
Software requirement management tool may be delivered late.
Creation of training materials takes a long time.
17. Step 4: Analyze Risks
Hands-On Example…
| Risk Items | Consequence | Likelihood | Impact | Priority |
|---|---|---|---|---|
| Jerome Akins’ (Manager) buy-in for improvement methods diminishes. | Improvement program fails. | 10 | 10 | 100 |
| Jerome Akins (Manager) changes priorities before any milestones are completed. | Improvement program loses credibility. | 9 | 9 | 81 |
| New Requirements Management Tool has a huge learning curve. | Mitchell Williams and Ryan Lacroix give up on tool in frustration. | 9 | 8 | 72 |
| Jay Deguzman (Library Control) might leave firm. | Wasted time training new person. | 7 | 8 | 56 |
| Creation of specialized training materials for new staff takes too long. | Improvement implementation delayed. | 4 | 5 | 20 |
| Requirements management tool is delivered to the firm late. | Pass up opportunity to test and use new tool. | 1 | 1 | 1 |
18. Step 5: Plan to Mitigate
Hands-On Example…
| Risk Items | Consequence | Likelihood | Impact | Priority | Actions to Reduce Likelihood | Actions to Reduce Impact | Responsible | Due | Status |
|---|---|---|---|---|---|---|---|---|---|
| Jerome Akins’ (Manager) buy-in for improvement methods diminishes. | Improvement program fails. | 10 | 10 | 100 | 1. Ensure that the improvement program addresses the management team’s problems and goals. 2. Establish a steering committee to oversee the improvement effort. Meet Bimonthly. | 3. Determine improvements that can be made at a project level without major funding. 4. Explain the problems and goals that won’t be addressed because of reduced funding. | Action 1: Loren | 4/27/11 | Completed |
| Jerome Akins (Manager) changes priorities before any milestones are completed. | Improvement program loses credibility. | 9 | 9 | 81 | 1. Present the action plan to management and obtain agreement that priorities remain unchanged. | 2. Determine improvements that can be made regardless of which project is active. | Action 1: Loren | 5/6/11 | In Progress |
| New Requirements Management Tool has a huge learning curve. | Mitchell Williams and Ryan Lacroix give up on tool in frustration. | 9 | 8 | 72 | 1. Start a pilot project to test the tool. | 2. Establish a cutoff date when firm will give up on tool and use previous methods. | Action 1: Mitchell | 5/12/11 | In Progress |
20. Risk Management
Pop Quiz
Graded by: Loren K. Schwappach
Name: __________________________
Date: ______________ Grade: ______
Q1 (25pts/100pts): What are the six steps to risk management?
______________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q2 (25pts/100pts): Risks are?
___________________________________________________________________________________________________
___________________________________________________________________________________.
Q3 (25pts/100pts): The risk management team should include the ___________________, ____________________,
_____________________________________, and _________________________________.
Q4 (25pts/100pts): Step four of the Risk Management Process involves removing ___________________,
enumerating the _____________________________________ if the risk were to occur, setting _______________ for
each risk, and selecting a few _________________________________________________.
21. Risk Management Risk Analysis
for Hands on Example
| Risk Items | Consequence | Likelihood | Impact | Priority |
22. Risk Management plan for Risk Mitigation
for Hands on Example
| Risk Items | Consequence | Likelihood | Impact | Priority | Actions to Reduce Likelihood | Actions to Reduce Impact | Responsible | Due | Status |