Risk Estimation Identification Assessment Review Risk Control Planning Supervision 1 Definition The SEI Definition The SEI uses the Webster's definition of risk: "Risk is the P ossibility of Suffering loss" http://www.sei.cmu.edu/programs/sepm/risk/ SAR Def inition: "Risk: Contingency or proximity of harm " The phrase: "Risk in Itself is not bad; Risk is essential to progress, and failu re is Often a key part of learning. But we must learn to balance the possible ne gative Consequences of Risk Against the Potential Benefits of Its Associated opp ortunity." [Van Scoy, Roger L. Software Development Risk: Opportunity, Not Probl em. Software Engineering Institute, CMU/SEI-92-TR-30, ADA 258 743, September 199 2] 2 1. Risk management: definition and classification The objectives of risk management are to identify, control and eliminate sources of danger before they begin to affect the fulfillment of the objectives of the project. The risk always involves: Uncertainty: the event that characterizes the risk may or may not occur. Potential loss: if the risk becomes a Indeed, unintended consequences occur or losses. To quantify the level of uncert ainty and the extent of losses associated with each risk are considered differen t categories of risks: risks of the project: They affect the timing, cost and qu ality of the project. Identify potential problems of budget, schedule, personnel , resources, customer ... Technical risks: They threaten the quality and the tim ing of the software (product) to be produced. Identify potential problems of tec hnical uncertainty, ambiguity in the specification, design, implementation, tech nical obsolescence or cutting-edge technology, interface, testing and maintenanc e, ... 3 1. Risk management: definition and classification Business Risks: Threaten the viability of the software. The main risks of business are: market r isk: very good product. strategic risk: risk that does not fit product sales: so me sellable product risk budget: off-budget product You can make another categorization of the risks in terms of their ease of detec tion: Known risks are those that can be predicted after an evaluation of the pro ject plan, the technical environment and other reliable sources of information. Predictable risks: are extrapolated from the experience of previous projects. Un predictable risks: they may occur, but it is extremely difficult to identify in advance. Source: [ Pressman01, pag. 98] 4 2. Risk management: activities The ongoing management of risks can increase its efficiency: continuously assess what can go wrong to determine what risks are important Implement strategies to ensure effective solving strategies Elements of Risk Management: Risk Estimatio n: potential may affect project planning. Risk Analysis: Measuring the probabili ty and impact of each risk, and risk levels of alternative methods. Risk assessm ent risk list sorted by their impact and likelihood of occurrence. Risk Control: treat each significant risk. Risk Monitoring: check the progress of risk contro l and identification of new risks. 5 Risk identification: Risk List Planning for risk management: plan for 2.1 Management of risk: risk assessment Hazards Identification It is a systematic attempt to estimate potential risks to the project plan. The uncertainties on different characteristics of the project are transformed in to risk that can be described and measured. A method for identifying risks is to create a checklist of risk elements that may contain two types of risks: produc t-specific risks: to identify reviews the project plan and the statement of the scope of the software. Generic risks: They are common to all software projects. To identify you create the following subcategories: Product Size Business Impact of Customer Characteristics Process Definition technology development environme nt to build size and experience of staff. 6 2.1 Management of risk: risk assessment Hazards Identification (Continued) CHECKLIST OF ELEMENTS OF RISK set of issues that are relevant to each risk facto r. Example: Checklist of known risk factors for the potential risk on the alloca tion of staff of a PDS: Do you have the best staff? Do staff have a proper skill set? Is there enough st aff? Are you committed to staff throughout the project? Are there members of the project will work only part time? Do staff have created the right expectations about the work they will perform? Did you receive the appropriate training of pe rsonnel? Is it low enough staff rotation to allow for continuity? ........ 7 2.1. Risk management: risk assessment Risk Analysis The process of examining the risks in detail to determine their extent, their re lationships and their importance. The core activities are: Assessment: better un derstanding of risk. Quantified, if possible, the following concepts: Impact: loss resulting risk. Consequences of the problems associated with risk. The factors affecting the imp act are: Nature: potential problems that may occur if this happens. Scope: Combi ne the severity with global distribution. Duration: Combine the time you will fe el its impact and duration. Probability: probability of risk. Time frame: The length of time that is possible to mitigate the risk. Classification: classifies the risks to understan d their nature and develop mitigation plans. 8 2.1 Management of risk: risk assessment Risk Analysis (continued) T R A T O U IB Im pact VALUE RÃtico atastrófico C C M M u arginal Im probable probable Probable C orto M al f term term term L argo SC R IP D E N C IO A. Loss System C oste> 50% R recuperation of the operational capacity C oste> 10 % (<50%) C oste <10%> 70% etween 30% and 70% <30% 30 days 1-4 m onths M ore than 4 m this Probability M arch tim Risk assessment is the process of putting the risks in terms of their importance in determining what must be solved before and which ones to assign more resourc es. Risks can be ordered by the magnitude of risk exposure: [ri, li, xi] ri: li Risk: risk probability xi: magnitude of the impact of risk conditions and priori ties may change throughout the project so the analysis and prioritization should be done on an ongoing basis using the information available at the time. (Feedb ack, feedback) 9 2.2 Management of risk: risk control Planning and supervision of risks RISK 1 â ¢ risk analysis data [r1, l1, x1] â ¢ ris k management steps 1. . No Data RISK risk analysis [rn, ln, xn] â ¢ risk managemen t steps n PGSR The risk monitoring is: Detect the occurrence of a risk that has been planned En sure that risk management steps are implemented 10 Tools http://www.decisionmetrics.net 11 Tools http://www.palisade-europe.com/ 12 REFERENCES Boehm, BW, Software Risk Management: Principles and Practices, IEEE Software, 32 -41, January 1991. Charette, R., Softwae Engineering Risk analysis and managemen t, McGraw-Hill, 1989 Karolak, D.W. Risk Management Software Engineering, IEEE Computer Society Press, USA 1996 McConnell, S., development and management of IT projects, Mc Graw Hill 1997. Pre ssman, RS, Software Engineering, A Practical Approach, Mc Graw Hill, 2001. 13 Exercise List the possible risks that can be deduced from the following statement. Classi fy as the project, technical or business. Arrange in order of likelihood and imp act of risks. Graph the relationship between the risks. Lastly, set action proto cols should happen. A company with less than three years in the ICT sector decides to tackle a proje ct of digital signatures for the administration of Andalusia. Decides to develop ment with Java. Just version 1.5 virtual machine. The company has five experts i n Java, 3 Means and 8 without knowledge of Java. The planning has been for 6 mon ths with a stress of 400 td. The development manager has decided to use a new co mpiler, Eclipse for multiplatform environments versatility that is new to the de velopment team. 14