Risk Analysis and Management in Software Engineering

A risk is the possibility that an undesirable event (called the risk event) could happen. Risks involve both uncertainty (events that are guaranteed to happen are not risks) and loss (events that don't negatively affect the project are not risks). Risk analysis and management is the discipline of identifying, estimating and planning for such events.

Proactive risk management is the process of trying to minimize the possible bad effects of risk events happening.

There is disagreement about what risks should be managed. Some experts suggest that only risks that are unique to the current project should be considered in risk analysis and management.

Their view is that the management of risks common to most projects should be incorporated into the software process.

Risk Identification

This is the process of identifying possible risks. Risks can be classified as affecting the project plan (project risks), affecting the quality (technical risks), or affecting the viability of the product (business risks).

Some experts exclude events that are common to all projects from consideration for risk management. These experts consider those common events as part of standard project planning.

Risk Project Technical Business Common Special
Hardware not available X X
Requirements incomplete X X
Use of specialized methodologies X X
Problems achieving required reliability X X
Retention of key people X X
Underestimating required effort X X
The single potential customer goes bankrupt X X

Risk Estimation

Risk estimation involves two tasks in rating a risk. The first task is estimating the probability that the risk event occurs, called the risk probability, and the second task is estimating the cost of the risk event happening, often called the risk impact. Estimating the risk probability is usually hard.

Known risks are much easier to manage, and they become part of the software process. The new risks that are unique to the current project are those most important to manage. The cost of the risk may be easier to determine from previous experience with project failures.

Risk Exposure

Risk exposure is the expected value of the risk event. This is calculated by multiplying the risk probability by the cost of the risk event.

Risk Decision Tree

A technique that can be used to visualize the risks of alternatives is to build a risk decision tree. The top level branch splits based on the alternatives available. The next split is based on the probabilities of events happening.

Each leaf node carries the risk exposure for that event. The sum of the risk exposures for all leaves under a top-level branch gives the total risk exposure for that alternative, so the alternatives can be compared on expected loss.
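The exposure calculation and the decision tree described in the two sections above, as an added example that is not part of the original post. The alternatives, event names, probabilities and costs are constructed sample values; the tree is a plain dictionary whose top level is the choice between alternatives and whose leaves are (event, probability, cost) triples.

```python
# Added example (not from the original post): risk exposure and a risk decision tree.
# Every risk name, probability and cost below is a constructed sample value.

def risk_exposure(probability: float, cost: float) -> float:
    """Expected loss of one risk event: probability of occurrence times its cost."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("risk probability must lie in [0, 1]")
    if cost < 0.0:
        raise ValueError("risk cost must be non-negative")
    return probability * cost


# Top-level split: the alternatives available.
# Second split: the events that may follow each alternative, with their probabilities.
# Leaf: (event, probability, cost of that event); cost 0.0 means no loss.
DECISION_TREE = {
    "build in-house": [
        ("delivered on time", 0.6, 0.0),
        ("late by one quarter", 0.3, 200_000.0),
        ("project cancelled", 0.1, 900_000.0),
    ],
    "buy and adapt": [
        ("fits requirements", 0.7, 0.0),
        ("needs heavy customisation", 0.25, 150_000.0),
        ("vendor withdraws product", 0.05, 1_200_000.0),
    ],
}


def validate_tree(tree) -> None:
    """Each branch's event probabilities must form a distribution (sum to 1)."""
    for alternative, leaves in tree.items():
        total = sum(p for _, p, _ in leaves)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{alternative!r}: probabilities sum to {total}, not 1")


def leaf_exposures(tree):
    """Risk exposure of every leaf, grouped by alternative."""
    return {
        alternative: [(event, risk_exposure(p, cost)) for event, p, cost in leaves]
        for alternative, leaves in tree.items()
    }


def total_exposure(tree):
    """Sum of the leaf exposures under each top-level branch."""
    return {
        alternative: sum(exposure for _, exposure in leaves)
        for alternative, leaves in leaf_exposures(tree).items()
    }


def lowest_exposure_alternative(tree) -> str:
    """The alternative whose total risk exposure (expected loss) is smallest."""
    validate_tree(tree)
    totals = total_exposure(tree)
    return min(totals, key=totals.get)


if __name__ == "__main__":
    validate_tree(DECISION_TREE)
    for alternative, leaves in leaf_exposures(DECISION_TREE).items():
        print(alternative)
        for event, exposure in leaves:
            print(f"  {event:<28} exposure = {exposure:>12,.0f}")
        print(f"  {'total':<28} exposure = {total_exposure(DECISION_TREE)[alternative]:>12,.0f}")
    print("lowest exposure:", lowest_exposure_alternative(DECISION_TREE))
```

With the sample values, building in-house has a total exposure of 150,000 (60,000 + 90,000) and buying has 97,500 (37,500 + 60,000), so the tree favours buying even though its worst-case loss is larger; that is exactly the trade-off expected value hides, which is why the leaf exposures are reported alongside the totals.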

Risk Management Plans

A risk analysis and management plan must include an identifier, a description of the risk, an estimate of risk probability, an estimate of risk impact, a list of mitigation strategies, contingency plans, risk triggers (to determine when contingency plans should be activated), and responsible individuals. Additional fields might include current and/or past status of related metrics.
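One way to hold the fields listed above in a risk register and act on them, as an added example that is not part of the original post. Each entry carries the identifier, description, probability, impact, mitigation list, contingency list, trigger, owner and a history of the related metrics; the trigger is a predicate over the latest metric status, and the register reports which contingency plans it activates. The risk entries, metric names and thresholds are constructed sample values.

```python
# Added example (not from the original post): a risk register whose entries carry the
# fields named in the risk management plan, with triggers evaluated against metric status.
# Risk entries, metric names and threshold values are constructed samples.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Metrics = Dict[str, float]


@dataclass
class RiskPlanEntry:
    identifier: str
    description: str
    probability: float            # estimated risk probability, 0..1
    impact: float                 # estimated cost of the risk event
    mitigation: List[str]         # actions taken now to lower probability or impact
    contingency: List[str]        # actions taken once the trigger fires
    trigger: Callable[[Metrics], bool]  # risk trigger over the latest metric status
    owner: str                    # responsible individual
    metric_history: List[Metrics] = field(default_factory=list)  # past and current status

    def exposure(self) -> float:
        """Risk exposure: probability times impact."""
        return self.probability * self.impact

    def record_status(self, metrics: Metrics) -> None:
        """Append a snapshot of the related metrics (the 'current status' field)."""
        self.metric_history.append(dict(metrics))

    def triggered(self) -> bool:
        """True when the most recent metric snapshot satisfies the trigger."""
        if not self.metric_history:
            return False
        return self.trigger(self.metric_history[-1])


def activated_contingencies(register: List[RiskPlanEntry]) -> Dict[str, List[str]]:
    """Contingency plans that should be activated now, keyed by risk identifier."""
    return {entry.identifier: entry.contingency for entry in register if entry.triggered()}


def ranked_by_exposure(register: List[RiskPlanEntry]) -> List[str]:
    """Risk identifiers ordered from highest to lowest exposure."""
    return [e.identifier for e in sorted(register, key=lambda e: e.exposure(), reverse=True)]


# Constructed sample register: two of the common risks from the table above.
SAMPLE_REGISTER = [
    RiskPlanEntry(
        identifier="R1",
        description="Retention of key people",
        probability=0.3,
        impact=120_000.0,
        mitigation=["cross-train a second developer on each subsystem"],
        contingency=["engage contractor pool", "re-plan milestones"],
        trigger=lambda m: m.get("staff_turnover_pct", 0.0) > 15.0,
        owner="engineering manager",
    ),
    RiskPlanEntry(
        identifier="R2",
        description="Underestimating required effort",
        probability=0.5,
        impact=80_000.0,
        mitigation=["re-estimate after each iteration"],
        contingency=["cut scope to the agreed minimum release"],
        trigger=lambda m: m.get("schedule_variance_pct", 0.0) > 20.0,
        owner="project manager",
    ),
]

# Constructed metric status for the current reporting period.
SAMPLE_STATUS = {"staff_turnover_pct": 18.0, "schedule_variance_pct": 5.0}


def evaluate(register: List[RiskPlanEntry], status: Metrics) -> Dict[str, List[str]]:
    """Record the status on every entry, then return the contingencies to activate."""
    for entry in register:
        entry.record_status(status)
    return activated_contingencies(register)


if __name__ == "__main__":
    print("ranked by exposure:", ranked_by_exposure(SAMPLE_REGISTER))
    print("activate:", evaluate(SAMPLE_REGISTER, SAMPLE_STATUS))
```

Keeping the trigger as a predicate over the recorded metrics makes the "when to activate" decision explicit and reviewable, and the metric history is what lets a later review reconstruct why a contingency was or was not started.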


About the author

Santhakumar Raja
