Nowadays, software is present everywhere and software projects are becoming more complex in terms of scope, time and cost. Such change increases the potential failure rate of software projects. How can these potential failures be avoided? While a guarantee may not be possible, adequate investment in managing the risk of failure can be made. A typical textbook definition of software risk management is the identification of risks, the analysis of identified risks and the establishment of plans to address those risks. The important goal of risk management is to avoid the occurrence of such risks. As with requirements management, risk management needs to start early in the development life cycle.
ISO/IEC 16085:2006 defines risk as a combination of the probability of an event and its consequence. What are the major sources of risk in a software project? An obvious answer to that question today would be the prevailing uncertainty added by time and budget pressures. Inaccurate requirements capture is another important reason for increased risk in the later stages of the life cycle. Boehm has done some phenomenal work on managing risks in software projects. He essentially identifies ten risk aspects: personnel shortfalls, unrealistic schedules & budgets, development risks (building the wrong functions, properties or user interfaces), adding unnecessary features, continuing requirements changes, shortfalls (in externally furnished components & externally performed tasks), performance shortfalls and technological strains.
So how do you best manage the risks? Boehm divides the first level of activities into Assessment and Control. Assessment essentially consists of identifying the risks, analyzing the identified risks and finally prioritizing them. The Control aspect deals with planning, resolution of the identified risks and monitoring. If you consider the Top 10 items he has identified, requirements mismatches, requirements changes and architecture performance & quality are among the top. Various techniques are discussed in the risk management literature which are beyond the scope of this blog post. These techniques range from basic ones like maintaining a risk register to decision tree analysis and risk exposure profiling. Murray Cantor, a Distinguished Engineer at IBM, regularly writes about risks in his blog here.
What are some of the generic strategies for managing risks? The predominant method is to buy more information; for example, if you are early in the development cycle, you could always try prototyping to make sure you and your client share the same understanding. This also helps in revealing the possible root causes of risks. Other options are to avoid the risk by de-scoping requirements, to transfer it (for example by outsourcing the component to an expert vendor or a sub-contractor), to have mitigation plans or, as the last option, to accept the risk and have a Plan B. ISO 31000:2009, a relatively new risk management standard introduced in 2009, provides a generic framework for a risk management process which a team can consider implementing.
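To make the exposure profiling, prioritization and "buy information" decision above concrete, here is an added example (not code from the original post): a small risk register scored with the ISO/IEC 16085 probability x consequence definition, ranked the way Boehm's prioritization step does, and a two-branch decision tree that compares accepting a risk with paying for a prototype. The register entries, the person-day units and the mitigation figures are constructed sample values; the leverage ratio is Boehm's risk reduction leverage, which the post does not name.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str           # Boehm category the item falls under
    probability: float  # P(event occurs), in [0, 1]
    loss: float         # consequence if it occurs, in person-days (constructed unit)

    def exposure(self) -> float:
        """ISO/IEC 16085 style risk exposure: probability x consequence."""
        return self.probability * self.loss


def prioritize(register):
    """Rank the register by exposure, highest first (the prioritization step)."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def decision_tree(risk, prob_after, loss_after, cost):
    """Expected cost of the two branches: pay 'cost' to mitigate (e.g. build a
    prototype), which changes the risk to (prob_after, loss_after), or accept it."""
    accept = risk.exposure()
    mitigate = cost + prob_after * loss_after
    return {"accept": accept, "mitigate": mitigate,
            "choose": "mitigate" if mitigate < accept else "accept"}


def risk_reduction_leverage(risk, prob_after, loss_after, cost):
    """Boehm's RRL = (exposure before - exposure after) / mitigation cost.
    A value above 1.0 means the mitigation is expected to pay for itself."""
    return (risk.exposure() - prob_after * loss_after) / cost


# Constructed sample register (not from a real project).
REGISTER = [
    Risk("wrong user interface", 0.40, 60.0),
    Risk("continuing requirements changes", 0.50, 40.0),
    Risk("unrealistic schedule", 0.30, 100.0),
    Risk("external component shortfall", 0.10, 80.0),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.exposure():6.1f}  {r.name}")
    # Buying information: an 8 person-day UI prototype assumed to cut the
    # probability of shipping the wrong interface from 0.40 to 0.10.
    print(decision_tree(REGISTER[0], 0.10, 60.0, 8.0))
    print("RRL:", risk_reduction_leverage(REGISTER[0], 0.10, 60.0, 8.0))
```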
How can tools help manage the risks? Risk includes both opportunities and threats; that is, a risk can have both a positive and a negative effect. Tools help in implementing an integrated risk process that maximizes value creation, resulting in faster time to market and improved productivity, while at the same time avoiding the threats of cost and time overrun and project closure. Tools can help significantly in two ways: conducting the qualitative and quantitative risk analysis activities, and actually implementing the outcomes for managing risks. Check this case study of Chubb Insurance, which effectively manages its risk using IBM Rational Focal Point. And finally, here is a developerWorks article on how to calculate your return on investment for software and systems.