Risk Management in Software Development: A Primer
Philippe Kruchten, University of British Columbia
Total pages: 64
Introduction
A risk is any event or situation that would harm your software development
project in some way. The goal of risk management is to limit the likelihood of
something bad happening to your software project. It's therefore something that
all software project managers should practice. If you were to start your
initiation in risk management with IEEE Std 1540-2001 on Risk Management, or a
Software Engineering Institute (SEI) method, or the Guide to the Project
Management Body of Knowledge, you'd be scared to death. Or you'd think that risk
management is only for large, complex projects with a plethora of staff and lots
of time to waste.
But risk management doesn't have to be complicated, formal, or heavily
bureaucratic. And it's totally appropriate to practice even for the smallest
projects. The recipes to do so are actually very simple, are perfectly aligned
with the standards, and can be executed in a lightweight, nimble fashion,
suitable to the most agile method. The only tool you'll ever need is a
spreadsheet.
I've selected six papers to introduce you to the craft of risk management;
curiously, they're all more than 10 years old. They have stood the test of time,
and there's nothing in them I would change in 2007.
Start with the all-time 1991 classic, "Software Risk Management: Principles and
Practices," in which Barry Boehm defines the key risk management
concepts: impact, exposure, mitigation, and so on. He presents a six-step
strategy and a handful of simple practices, such as monitoring the "top 10
risks." Not quite convinced? Need some reinforcement? Then move on to Dick
Fairley's article. Dick has a simple seven-step approach, not too different from
Boehm's, which he illustrates with an extensive case study. Art Gemmer provides
additional practical advice. In particular, he elaborates on the concepts of
probability and impact, and how to elicit them from your stakeholders and team
members.
The other articles I recommend were all published in the same special issue of
IEEE Software on risk management. The whole issue is probably worth reading,
starting with the introduction by Barry Boehm and Tom DeMarco. But I'll focus on
three of the articles. First, Ray Williams, Julie Walker, and Audrey Dorofee
will guide you step by step on how to establish a risk management process for
your project or organization using the SEI risk paradigm. Their taxonomy of
risks is very useful input to give you ideas about what can go wrong. Tony
Moynihan summarizes how 14 managers in small commercial projects assess the risk
implications of a project's specific context. He also provides a partial
confirmation of the SEI's risk taxonomy. Finally, Edmund Conrow and Patricia
Shishido give us an example from a large defense project.
Now you should be ready to go and implement your own risk management strategy.
You can even revisit the standards with confidence: you're probably compliant.
Wasn't that easy?
Keywords: software engineering; software risk management; software rework; DP
management; risk management; probability; project management;
software project management; contingency planning; crisis avoidance; risk factor
identification; risk probability calculation
Table of Contents
Software Risk Management: Principles and Practices
Barry W. Boehm, Defense Advanced Research Projects Agency
Identifying and dealing with risks early in development lessens
long-term costs and helps prevent software disasters. It is easy to
begin managing risks in your environment.
Risk Management for Software Projects
Richard Fairley, Software Engineering Management Association
There is little to instruct software project managers on how to
handle risk in a way that ensures the success of contingency
planning and avoids costs. This seven-step procedure describes
how to identify risk factors, calculate their probability and effect
on a project, and plan for and conduct risk management.
Risk Management: Moving Beyond Process
Art Gemmer, Rockwell
Risk management can be more than adept crisis handling or
bureaucratic tracking. When Rockwell shifted the way it thought
and talked about risk, it improved program performance and reviews.
Putting Risk Management into Practice
Ray C. Williams, Julie A. Walker, and Audrey J. Dorofee, Software
Engineering Institute
The authors use an SEI-designed road map as a guide to discussing
effective and ineffective risk management methods based on six
years' experience with software-intensive DoD programs. These
programs followed the SEI approach of continuous and team risk
management, selecting processes and methods that would best fit
their work cultures.
How Experienced Project Managers Assess Risk
Tony Moynihan, Dublin City University
This survey of a homogenous group of project managers revealed
a surprising diversity of risk management concerns.
Implementing Risk Management on Software Intensive Projects
Edmund H. Conrow, Independent Consultant
Patricia S. Shishido, TRW Systems Integration Group
Rising costs, falling performance, and slipping schedules are
common problems on large-scale software projects. The
authors describe key risk issues and how they were mitigated
in one DoD project.
Recommended Resources