Risk Assessment

1
Risk Assessment

• CSSE 372 - Software Project Management
• Don Bagert, Rose-Hulman Institute of Technology
• January 5, 2006
• Thanks to Mark Ardis for most of the slides
  included.

2
Outline

• Overview
• Identification
• Estimation
• Mitigation
• Monitoring

3
Overview

• Definition from Wikipedia
• Risk is the potential harm that may arise from
  some present process or from some future event.
  In everyday usage, "risk" is often used
  synonymously with "probability", but in
  professional risk assessments, risk combines the
  probability of a negative event occurring with
  how harmful that event would be.
• (from http//en.wikipedia.org/wiki/Risk)
• Note that lack of knowledge, whether of internal
  processes or external events, often contributes
  to risk

4
Risk Identification
5
Risk Checklist Areas

• Product Size
• Business Impact
• Customer-related
• Process
• Technology
• Development Environment
• Staff Size and Experience

6
Product Size

• Estimated size of the product in LOC or function
  points?
• Degree of confidence in estimated size estimate?
• Number of users of the product?
• Number of projected changes to the requirements
  for the product? Before delivery? after delivery?

7
Business Impact

• Affect of this product on company revenue?
• Number of customers who will use this product?
• Number of other products/systems with which this
  product must be interoperable?

8
Customer-related

• Does the customer have a solid idea of what is
  required? Has the customer spent the time to
  write it down?
• Is the customer willing to participate in
  reviews?
• Is the customer technically sophisticated in the
  product area?

9
Process

• Are staff members "signed-up" to the software
  process as it is documented and willing to use
  it?
• Is the software process used for other projects?
• Are formal technical reviews conducted regularly?

10
Technology

• Are specific methods used for software analysis?
• Are configuration management software tools used
  to control and track change activity throughout
  the software process?
• Are metrics collected for all software projects?

11
Development Environment

• Are compilers or code generators available and
  appropriate for the product to be built?
• Are all software tools integrated with one
  another?
• Have members of the project team received
  training in each of the tools?

12
Staff Size and Experience

• Do the people have the right combination of
  skills?
• Are enough people available?
• Are staff committed for entire duration of the
  project?
• Will some project staff be working only part time
  on this project?
• Have staff received necessary training?

13
Risk Estimation
14
Risk Estimation Process

• List all possible risks
• Assign a probability to each (low, medium, high)
• Assign an impact to each (low, medium, high)
• Sort by probability and impact

15
Sorted Risks
High Probability
Yellow
Red
Red
Criticality 2
Criticality 3
Criticality 4
Moderate Probability
Green
Red
Yellow
Criticality 3
Criticality 4
Criticality 5
Low Probability
Green
Green
Yellow
Criticality 6
Criticality 4
Criticality 5
Low Impact
Moderate Impact
High Impact
16
Risk Mitigation
17
Risk Mitigation Process

• Develop a strategy for each risk
• May require some creativity
• May use successful strategies from past
• Apply each strategy
• Monitor for changes

18
Mitigation Strategies (1/2)

• Preventative
• Avoid the risk
• Transfer the risk to another part of system
• Buy information about the risk
• Eliminate the root cause of the risk

19
Mitigation Strategies (2/2)

• Corrective
• Assume the risk
• Publicize the risk
• Control the risk
• Remember the risk

20
Risk Monitoring
21
Risk Monitoring Strategies

• Keep Risk Checklists
• Conduct Interim Retrospectives i.e. revisit risks
  regularly
• Assign Role of Risk Monitor