SE 477 Software and Systems Project Management

About This Presentation

Title:

SE 477 Software and Systems Project Management

Description:

Used throughout project: it's fast, relatively easy, and cost-effective ... Fair coin flip: 0.5 probability of getting heads, 0.5 probability of getting tails ... – PowerPoint PPT presentation

Number of Views:25

Avg rating:3.0/5.0

Slides: 72

Provided by: DennisL65

more less

Transcript and Presenter's Notes

Title: SE 477 Software and Systems Project Management

1
SE 477 Software and Systems Project Management

Dennis Mumaugh, Instructor
dmumaugh_at_cdm.depaul.edu
Office OHare, Room 113
Office Hours Wednesday, 430-600

2
Administrivia

Comments and feedback
Assignment 3
Develop a risk management plan for the software
development infra-structure (Identify risks
estimate risk probability and impact identify
potential for risk mitigation identify potential
risk responses)
Build a Risk Register
Policies to implement
Risk audit (what to look for and want to check)

3
Assignment 2 Feedback

I want to see your own work, not extracts from
web pages.
You should summarize ideas and thoughts and not
extract them from the web readings and include
them in your paper. Especially without
attribution.
I want to see your thoughts and ideas and not
those of another author.
If you do include other people's work in your
paper you must show this with quotes and
citations.
Note to cheaters if you cut and paste, make sure
you use a consistent format. Otherwise it becomes
very obvious what you are doing!
References must include author, title, etc.
Include a date (of publication or retrieval).
If the citation is a web page it must include
visible URLs (not a hidden hyperlink). Difficult
if the document is printed to see the citation.
Citations of Google and Wikipedia must specify
full URL.

4
SE 477 Class 7
Topic Controlling risk

Project Risk ManagementQualitative Risk Analysis
Analyzing project risk
Inputs to qualitative risk analysis
Tool and techniques
Risk probability and impact assessment
Probability and impact matrix
Output from qualitative risk analysis
Updating the risk register

Project Risk ManagementRisk Response Planning,
risk avoidance, mitigation, and contingency
planning
Changing the risk profile
Strategies for negative risks
Strategies for positive risks
Planning for contingency
Contingency planning
Risk response planning outputs
Project Risk ManagementRisk Monitoring

5
Thought for the day
6
Last time

Project Risk Management I
Risk the Risk Management Model
Risk Management Planning
Input, tools, and output of risk management
planning
Risk management plan
Risk categories
Risk Breakdown Structure (RBS)
Risk probability and impact
Risk Identification, quantification and
prioritization
Where to find risks
Risk identification tools and techniques
Assumptions analysis
Diagramming techniques
Risk identification output the risk register

7
Today

Reading
Software Risk Management Not Just for the Big
Manufacturers? (January 1997). MDDI (Discusses
SERIM)
PMP Study Guide Chapter 5
Kerzner Chapter 17
Taylor Chapter 7
Taylor (Survival Guide) Chapter 13

8
Risk Management Paradigm
9
How risk averse are you?

Risk averse people
I like being dependable and Im usually punctual.
I am not likely to take chances.
I am responsible and prefer to work efficiently.
I am more service oriented than self oriented.
I value institutions and observe traditions.

Risk seeking people
I like action, and I act impulsively at times.
I seek excitement for the thrill of the
experience.
I am resourceful and prefer not to plan or
prepare.
I am more self oriented than service oriented.
I like to anticipate another persons position.

Risk neutral people
I trust my intuition, and I am comfortable with
unknown.
I think about the future and have long-range
objectives.
I am naturally curious and often ask, Why?
I enjoy generating new ideas.
I work best when I am inspired.

10
Elements of Risk Analysis
What are the risks involved in getting to work?
Reduce the occurrence and/or impact of the risk.
Identify new risks as they occur report on all
known risks.
11
Risk Management

Risk assessment
Objectives
Analyze risk in a cost-efficient manner
Determine source of risk
Determine risk exposure
Determine time frame for action
Determine highest-severity risks

12
Assessing Project Risk-I

Have top software and customer managers formally
committed to support the project?
Are end-users enthusiastically committed to the
project and the system/product to be built?
Are requirements fully understood by the software
engineering team and their customers?
Have customers been involved fully in the
definition of requirements?
Do end-users have realistic expectations?

13
Assessing Project Risk-II

Is project scope stable?
Does the software engineering team have the right
mix of skills?
Are project requirements stable?
Does the project team have experience with the
technology to be implemented?
Is the number of people on the project team
adequate to do the job?
Do all customer/user constituencies agree on the
importance of the project and on the requirements
for the system/product to be built?

14
Risk Management

Reactive Risk Management
project team reacts to risks when they occur
mitigationplan for additional resources in
anticipation of fire fighting
fix on failureresource are found and applied
when the risk strikes
crisis managementfailure does not respond to
applied resources and project is in jeopardy

Proactive Risk Management
formal risk analysis is performed
organization corrects the root causes of risk
TQM concepts and statistical SQA
examining risk sources that lie beyond the bounds
of the software
developing the skill to manage change

15
Proactive Risk Strategies

Begins long before technical work is initiated.
Potential risks are identified.
Probability and impact of risks are assessed.
Risks prioritized by importance.
Software team establishes a plan to manage the
risk.

16
Project Risk Management II

Qualitative Risk Analysis
Risk Response Planning
Risk Monitoring

17
Qualitative Risk Analysis
18
Introduction

Qualitative risk analysis is concerned with
prioritizing identified risks
Priority is determined by estimating a risks
probability of occurrence and its impact on the
project
Helps determine if it is necessary to perform
quantitative risk analysis, a more complex
analysis process
Used throughout project its fast, relatively
easy, and cost-effective

19
Inputs to qualitative risk analysis

Organizational process assets
Historical information from previous projects
Includes formal or informal lessons learned as
well as closure documentation and/or post mortems
Project scope statement
Identifies initially-defined risks
Risk management plan
Provides framework within which to perform risk
analysis
Risk register
Provides a comprehensive enumeration and
description of all project risks

20
Tools and Techniques
21
Risk Projection

Risk projection, also called risk estimation,
attempts to rate each risk in two ways
the likelihood and probability.
the consequences of the problems associated with
the risk, should it occur.
The project manager performs the following risk
projection activities
Establish a scale that reflects the perceived
likelihood of the risk.
Delineate the consequences of the risk.
Estimate the impact of the risk on the project.
Note the overall accuracy of the risk projection.

22
Risk Prioritization

How to prioritize risks?
One way to prioritize risks is to estimate the
probability of its occurrence and its
consequences (loss) when it does occur.
The expected value of the loss for the risk can
be used for prioritization. This expected value
is called risk exposure. If Pr is the probability
of a risk R occurring and Lr is the total loss
incurred if the risk materializes, then risk
exposure RE, for the risk is given by the
following equation
REr Pr X Lr

23
Risk Analysis

Determine impact of each risk
Risk Exposure (RE)
a.k.a. Risk Impact
RE Probability of loss size of loss
Ex risk is Facilities not ready on time
Probability is 25, size is 4 weeks, RE is 1 week
Ex risk is Inadequate design redesign
required
Probability is 15, size is 10 weeks, RE is 1.5
weeks
Statistically are expected values
Sum all REs to get expected overrun
Which is pre risk management

24
Risk Analysis

Estimating size of loss
Loss is easier to see than probability
You can break this down into chunks (like WBS)
Estimating probability of loss
Use team member estimates and have a
risk-estimate review
Use Delphi or group-consensus techniques
Use gambling analogy how much would you bet
Use adjective calibration highly likely,
probably, improbable, unlikely, highly unlikely

25
Risk Prioritization

Remember the 80-20 rule
Often want larger-loss risks higher
Or higher probability items
Possibly group related risks
Helps identify which risks to ignore
Those at the bottom

26
Risk probability and impact assessment

First, assess the probability that the identified
risk will occur
Second, determine the impacts of the risk on
project objectives time, scope, quality, and
cost
Assessment helps determine which risks require
aggressive management
Probabilities and impacts are defined in the risk
management plan under the heading definitions of
risk probability and impact

27
Probability

Probability is the likelihood that an event will
occur
Fair coin flip 0.5 probability of getting heads,
0.5 probability of getting tails
Sum of probabilities of all outcomes adds up to
1.0
For any event e, the probability p that e will
occur is 0.0 pe 1.0
The complementary probability that e will not
occur is just 1.0 - pe
Risk probability is the probability that the risk
event will occur sometime during the life of the
project and is most often determined through
expert judgment
Expert judgment is, in reality, just an educated
guess, due to uniqueness of each project
Ways to improve the utility of risk probabilities
Develop consistent decision criteria for
determining probabilities
Involve as many experts as you can

28
Quantifying risk probability

Most probability estimates come from experts as
subjective ratings low, medium, high, etc.
Present estimator with cardinal (numeric) scale
so that a more precise estimate can be obtained
Need a quantified risk value for use in the
probability and impact matrix

29
Impact

Impact is the amount of pain or gain the risk
event poses to the various project objectives
cost, time, scope, and quality
Like probability, risk impact may be
characterized on a subjective scale (low, medium,
high)
Like probability, a cardinal (numeric) scale of
impact is needed for the probability and impact
matrix
Employ consistent decision criteria when using a
subjective scale
Establish a consistent means of determining what
moves a borderline impact into one impact
category or another
Following slide shows the (negative) impact scale
from the PMBOK Guide, Third Edition

30
Quantifying impact
31
1
2
1
2
1
2
1
2
Potential consequence of 1. of undetected
software errors or faults, 2. if desired outcome
is not achieved.
32
Assessing probability and impact

Probability and impact values are defined in
order to readily place a value on a risk event
Use predefined probability and impact values as a
starting point for a project and customize them
as needed for the organization
Use brainstorming or the Delphi technique to
establish or refine the probability and impact
values
During Qualitative Risk Analysis process,
determine and assess probability and impact for
every risk identified during the Risk
Identification process
Document probability and impact and any
assumptions used to arrive at these values

33
Probability and impact matrix

Risk probability and impact values are nice, but
what we need is a single value to characterize
the combined effects of these two risk
influences the risk rating
This is what a probability and impact matrix
does it assigns an overall risk rating to each
risk
The combination of probability and impact results
in an ordinal (order-based) risk rating usually
expressed as low, medium, or high
The PMBOK Guide also assigns a color code to each
rating low risks are green, medium risks are
yellow, and high risks are red
A risk with high probability and high impact (and
hence, high risk rating) warrants further
analysis and a formal response plan in the Risk
Response Planning process

34
Probability and impact matrix from PMBOK Guide,
Third Edition
35
Example MMS integration problems

The project management team has identified a
potential problem with integrating the Membership
Management System with the smart card reader
software
Heres what the team has discovered
Five different experts agreed that the overall
impact of the integration problem could result in
a 5-10 delay in the project schedule
From the table in slide 21, we see a 5-10 time
impact corresponds to a Moderate impact with a
value of 0.20
The experts came to a consensus that there is a
somewhat better than even chance that the problem
will occur. The probability values the team got
were 0.6, 0.5, 0.5, 0.75, 0.5
If we take our 0.20 impact value and use it as
the entry point into the probability and impact
matrix on slide 24, we find that the risk rating
for this event ranges from 0.10 to a bit more
than 0.14, within the medium (yellow) range

36
Other qualitative risk analysis tools

Risk data quality assessment
Low-quality data renders qualitative risk
analysis almost useless
Quality assessment examines
Quality of data used
Availability of data for identified risks
How well the risk is understood
Reliability and integrity of data
Accuracy of data
Risk categorizations
Entries in the RBS can help identify the project
phase and determine the elements of the project
that are affected by risk

37
Other qualitative risk analysis tools

Risk urgency assessment
Do not try to deal with all risks at the same
time
Analogous to rolling wave planning determine how
soon potential risks might occur
Develop risk response plan for those risks that
might occur soon
For greater efficiency and effectiveness, only
the top ten risks should be actively managed
Maintain a watch list of the remaining risks to
replace those on the top 10 list that are
mitigated, controlled, eliminated, or that don't
materialize

38
Outputs
39
Updates to the risk register

Update risk register with the following
information
Risk ranking of identified risks. Order the
identified risks by risk rating
Risks grouped by categories. Identify low,
medium, and high risk groups to allow easier
risk urgency assessment and planning
List of risks requiring near-term responses
List of risks for additional analysis and
response
Watch list of low-priority risks. Low-priority
risks can still impact a projectmonitor them
Qualitative Risk Analysis trends. Look for
patterns that might help in response planning

40
Risk Response Planning
41
Introduction

Risk response planning is concerned with
developing options and possible reactions to
mitigate threats and exploit opportunities
discovered during the risk analysis processes
The severity of the risk dictates the level of
risk response planning that should be performed
A risk with low severity is not worth the time it
takes to develop a detailed risk response plan
Risk responses should be cost effective
If the response cost is more than the cost of the
risk, formulate a less-costly risk response

42
Introduction

Risk responses must be timely
An untimely risk response itself becomes a risk
Risk responses must be agreed to by all the
project stakeholders
Risk responses must be assigned to an individual
(the risk owner) who is responsible for
monitoring the risk and executing the risk
response plan if needed

43
Tools and Techniques
44
Strategies for negative risks or threats

Avoidance
Risk avoidance evades a risk, eliminates the
cause of the risk event, or changes the project
plan to protect the project objectives from the
risk event
Risk avoidance eradicates the risk by removing
the risk or its cause
Risk avoidance is most suitable in the early
stages of a project, through improved
communications, additional resources, or
more-clearly defined scope
Example Risk of interfacing MMS to external art
museum membership systems can be avoided by
eliminating requirement to do so

45
Strategies for negative risks or threats

Risk transfer
Risk transfer moves the risk and the consequences
of that risk to a third party
Responsibility for the management of that risk
now rests with another party
Risk transfer comes in many forms but is most
effective for financial risks
Example Insurance is one form of risk transfer

46
Strategies for negative risks or threats

Contracting
Contracting is another form of risk transfer
The contractor accepts certain aspects of the
risk and responsibility for the cost of failure
Types of contracts
Fixed-price contract. Contractor increases cost
of the contract to compensate for the level of
risk they are accepting
Cost reimbursable contract. Contractor receives
compensation for additional costs. Majority of
the risk remains with the buyer

47
Risk Mitigation, Monitoring, and Management

Mitigationhow can we avoid the risk?
Monitoringwhat factors can we track that will
enable us to determine if the risk is becoming
more or less likely?
Managementwhat contingency plans do we have if
the risk becomes a reality?

48
Strategies for negative risks or threats

Mitigation
Risk mitigation attempts to reduce the
probability of a risk event and/or its impacts to
an acceptable level
Risk mitigation takes the viewpoint that fixing a
problem earlier in a project is less costly than
fixing it later
Examples Performing more tests, using simpler
processes, perform simulations, choose vendors
for reliability over cost

49
Strategies for positive risks or opportunities

Exploitation
Exploitation involves looking for opportunities
for positive impacts
Example Reduce project duration by using more
experienced resources on critical tasks
Sharing
Sharing is the positive analog to transferring
Sharing assigns risk to a third-party owner who
is better able to use the opportunity the risk
presents
Example Form a joint venture between a technical
software company and marketing and sales firm

50
Contingency planning

Contingency planning involves planning
alternatives to deal with the risks should they
occur
Contingency planning
Does not seek to reduce the probability or impact
of risks
Accepts that the risk may occur and plans ways to
respond to the risk
A contingency plan is executed when the risk
event occurs
Contingency plans must be in place well before
the time the risk may occur

51
Contingency planning tools

Contingency allowances (or reserves). Contingency
allowances provide a pool of funds, time, or
resources that are held for use in response to an
unavoidable risk event
Example Including contingency time in case of
loss of key personnel
Fallback plans. Fallback (or Plan B) plans are
developed for risks with high impact or for risks
with strategies that may in themselves be risky
Fallback plans may be used to address secondary
risks
Example Use of a relational database plus
object-oriented interface in place of pure O-O
database

52
Sidebar Residual and secondary risks

Secondary risks arise as a result of implementing
a risk responsethey are the risks inherent in
the response
Identify and plan responses for secondary risks
using tools such as fallback plans
Example O-O/RDB expert consultant becomes ill
Residual risks are those that cannot be
effectively dealt with within the rest of the
risk plan
Example Some risk may remain as a result of
other response plans. Residual risks are usually
dealt with through contingency reserves
Example Developer skills risks (resource
planning risk) associated with alternate database
solution

53
Outputs
54
Risk response planning outputs

Risk register updates
List of identified risks, including
Descriptions
WBS element or area of the project impacted
Categories (RBS)
Root causes
Project objectives impacted by the risk impacts
Risk owners and their responsibilities
Risk triggersprecursors to risk event
Response plans and strategies

55
Risk response planning outputs

Cost and schedule activities needed to implement
risk responses
Contingency plans
Contingency reserves for cost, time, and
resources
Fallback plans
List of residual and secondary risks
Probabilistic analysis of the project and other
outputs of the qualitative (and quantitative)
risk analysis processes

56
RMMM Plan Template

Introduction
Scope and purpose of document
Overview of major risks
Responsibilities
Management
Technical staff
Project Risk Table
Description of all risks above cut-off
Factors influencing probability and impact

Risk mitigation, monitoring, management
Risk n
Mitigation
General strategy
Specific steps to mitigate the risk
Monitoring
Factors to be monitored
Monitoring approach
Management
Contingency Plan
Special Considerations
RMMM Plan Iteration schedule
Summary.

57
Risk Monitoring
58
Basic principles

Risks must be managed. Risk must always be one of
the principle concerns of the project management
team
Risks must be reported
Risks should be an agenda item in weekly team
meetings
Risks should be included in the project status
report
Weekly project review should review all risks
Team meeting
Should briefly review all outstanding risks
Should estimate whether each risks probability
has increased, has decreased, or is unchanged
Risk owners should report on their assigned risks

59
Basic principles

In the project status report, list all risks for
which the degree of risk has changed
Weekly project review
Review all risks, even those that have been
eliminated
Goal is to uncover new risks or identify those
that have been reincarnated
Reviewing risks in weekly team meetings keeps the
team and risk owners aware and sensitized to
risks
Including risks in the project status report
prepares management for the time(s) when risks
happen

60
Seven Principles

Maintain a global perspectiveview software risks
within the context of system and the business
problem
Take a forward-looking viewthink about the risks
that may arise in the future establish
contingency plans
Encourage open communicationif someone states a
potential risk, dont discount it.
Integratea consideration of risk must be
integrated into the software process
Emphasize a continuous processthe team must be
vigilant throughout the software process,
modifying identified risks as more information is
known and adding new ones as better insight is
achieved.
Develop a shared product visionif all
stakeholders share the same vision of the
software, it likely that better risk
identification and assessment will occur.
Encourage teamworkthe talents, skills and
knowledge of all stakeholders should be pooled

61
Software Engineering Risk Model (SERIM)
62
Software Engineering Risk Model (SERIM)

Applicable for small and medium sized
organizations.
Primarily qualitative with quantitative analysis.
Applicable to full life-cycle including
maintenance phase.
Maintainable during project development.
Compatible with any development model, such as
spiral, waterfall, joint application design,
recent application design, incremental, or
prototyping.
SERIM uses risk questions to derive numerical
probabilities for a set of risk factors and
analyses them using a simple spreadsheet.

63
SERIM Terminology

Risk Elements Technical, Cost, Scheduling
problems.
Risk Factors - more specific subcategories of the
three general risk elements (for example
organizational risk). A risk factor can be
related to one or more risk elements.
SERIM identifies ten primary risk factors of
organization, estimation, monitoring,
development, tools, risk culture, usability,
correctness, reliability, and personnel.
Each software risk factor can have an influence
on each risk element. That influence can be
categorized as low, medium, or high.

64
SERIM Terminology
The impact of each risk factor on each risk
element.
The effect of risk factors on each risk
categories.
65
Risk questions

One approach to assessing risk is to use risk
questions to measure risk factors.
Answers to the questions can be recorded in a
yes-or-no format (0 or 1) or as a numerical range
of possible responses.
Response ranges can use any numerical value from
0 through 1. For example, a response range could
be defined as none 0, little 0.2, some 0.5,
most 0.8, and all 1.0.

The relationship of risk questions to risk
factors and risk elements.
66
Organizational questions
O1. Are you using or do you plan to use
experienced software managers? O2. Has your
company been producing software similar to this
in the past? O3. Is there a documented
organizational structure either in place or
planned? O4. Is the organizational structure
stable? O5. What is the confidence level of your
management team? O6. Does good communication
exist between different organizations supporting
the development of the software project? O7. Are
software configuration management functions being
performed? O8. Are software quality functions
being performed?
Scores
Devise a numerical range of responses For
example in question O1 1 Mgrs with little or no
SE experience. 0.5 Mix of experienced and
non-experienced managers. 0 Only experienced
managers.
67
Calculating P(An) Example Organizational success
2. Calculate Imp / Impact Total.
3. Calculate of Impact X success.
1. Sum the impacts.
68
Quantitative Risk Analysis

The probability of a successful project P(A) is
derived using the following equation where E
the number of risk elements.
This equation assumes that all risk elements are
equal in weight. P(A) is the probability of a
successful project.
If different risk elements have different impacts
(weights), then P(A) w1P(A1) w2P(A2)
w3P(A3),
where w1 is a positive number and w1 w2
w3 1.

69
Example

5 risk elements at the following probabilities
for successA1 0.9, A2 0.75, A3 0.85, A4
0.6, A5 0.95
Risk elements weighted as
w1 0.2, w2 0.4, w3 0.1, w4 0.1, w5 0.2
Probability for successP(A) (0.90.2)
(0.750.4) (0.850.1) (0.60.1)
(0.950.2)
P(A) 0.815
Question Should we proceed??????

70
Next Class