Software Risks

The document outlines the various types of software risks, including schedule, budget, operational, technical, and programmatic risks, and emphasizes the importance of both reactive and proactive risk management strategies. It details the processes of risk identification, projection, refinement, and the development of a Risk Mitigation, Monitoring, and Management Plan (RMMM) to systematically address risks throughout the project lifecycle. Additionally, it highlights the drawbacks of RMMM, such as being time-consuming and requiring expertise.

Uploaded by gntpv4

RISK MANAGEMENT

Software Risks

Software risks are potential issues that could negatively affect the successful completion or quality of
a software project. These risks can lead to cost overruns, schedule delays, or even project failure if
not properly managed.

Types of Software Risks

1. Schedule Risks: These risks pertain to the possibility of not being able to deliver the project
on time. Causes can include underestimation of tasks, dependency delays, and resource
allocation issues.

2. Budget Risks: These risks are associated with the potential for the project to exceed its
allocated budget. This can be due to inaccurate cost estimation, unexpected expenses, or
scope creep.

3. Operational Risks: These risks involve the day-to-day operations of the software. They can
include system downtime, performance issues, or problems with third-party services.

4. Technical Risks: These risks are related to technology and can include issues such as software
bugs, technical debt, integration issues, or the adoption of new or unproven technologies.

5. Programmatic Risks: These risks are associated with management and external factors such
as organizational changes, market conditions, or regulatory issues.

Reactive Risk

Reactive risks are unforeseen risks that were not identified or planned for during the risk
management process. These risks occur unexpectedly during the execution of a project and require
immediate attention and response.

Reactive Risk Management Strategies

1. Crisis Management: This involves immediate action to mitigate the impact of the risk. It
often requires quick decision-making and flexibility.

2. Problem Solving: Once the immediate crisis is managed, problem-solving strategies are used
to identify the root cause of the risk and implement a long-term solution.

3. Learning and Adapting: After the risk has been addressed, it’s important to learn from the
experience. This could involve updating risk management plans, improving processes, or
providing additional training to staff.

4. Communication: Throughout the process, clear and effective communication is crucial. All
stakeholders should be kept informed about the risk and the steps being taken to manage it.

5. Stopping small threats from magnifying


Proactive Risks

Proactive risks are potential risks that have been identified and planned for in advance during the risk
management process. These risks are anticipated based on past experiences, industry knowledge, or
project-specific factors.

Proactive Risk Management Strategies

1. Risk Identification: This involves identifying potential risks that could impact the project. This
can be done through techniques such as brainstorming, historical data analysis, and expert
judgment.

2. Risk Assessment: Once risks are identified, they are assessed based on their potential impact
and likelihood of occurrence. This helps in prioritizing the risks.

3. Analysing risks to determine the best treatment for each

4. Risk Mitigation: This involves developing a plan to avoid, reduce, or transfer the risks. The
mitigation strategies should be cost-effective and aligned with the project objectives.

5. Risk Monitoring: This involves tracking identified risks, monitoring residual risks, identifying
new risks, and executing the risk mitigation plan.

Risk Identification

Risk identification is the first step in the risk management process. It involves recognizing potential
risks that could impact the project’s objectives. This process is proactive and aims to foresee the
problems before they occur. The goal is to identify as many risks as possible.

Risk Item Checklist

A risk item checklist is a tool used in the risk identification process. It is a structured document that
lists common potential risks associated with a project. The checklist is used to systematically check
for the presence of these risks in the current project.

1. Product Size Risks: These risks are associated with the overall size of the software product.
Larger products may have more complex architectures and more potential for errors.

2. Business Impact Risks: These risks consider the potential impact on the business. This could
include financial loss, damage to reputation, or loss of customers.

3. Customer Characteristics Risks: These risks are related to the end-users of the software. This
could include user experience, training requirements, or user resistance to change.

4. Process Definition Risks: These risks are associated with the defined software development
process. This could include lack of process definition, non-compliance with the process, or
ineffective process control.

5. Development Environment Risks: These risks are related to the environment in which the
software is being developed. This could include issues with development tools, system
downtime, or lack of resources.

6. Technology to be Built Risks: These risks are associated with the technology being used in
the software. This could include new or unproven technology, lack of expertise with the
technology, or issues with technology integration.

7. Staff Size and Experience Risks: These risks are related to the project team. This could
include lack of sufficient staff, lack of necessary skills or experience, or high staff turnover.

8. Risk Components and Drivers: These are the factors that contribute to the occurrence of a
risk. They can be internal (like lack of resources) or external (like market conditions).

9. Performance Risks: These risks are associated with the performance of the software. This
could include speed, reliability, or scalability issues.

10. Cost Risks: These risks are related to the financial aspects of the project. This could include
budget overruns, inaccurate cost estimation, or unexpected costs.

11. Support Risks: These risks are related to the support and maintenance of the software. This
could include lack of documentation, lack of training for support staff, or lack of user
support.

12. Schedule Risks: These risks are related to the project timeline. This could include delays,
unrealistic schedules, or dependency issues.

As the project progresses, new risks may emerge. Keep updating the checklist with these new risks so
it can be used for future projects.

Risk Projection

Risk projection, also known as risk estimation, involves predicting the potential impact and likelihood
of identified risks. It helps in understanding the severity of the risk and aids in decision-making for
risk mitigation strategies.

Risk Projection Activities

1. Estimating Impact: Determine the potential impact of the risk on the project objectives. This
could be in terms of cost, time, quality, or scope.

2. Estimating Probability: Assess the likelihood of the risk occurring. This could be based on
historical data, expert judgment, or statistical analysis.

Developing a Risk Table

A risk table, also known as a risk matrix, is a tool used to visually represent the risks in terms of their
probability and impact. Here’s how to develop one:

1. Identify and list all the potential risks.

2. Determine Probability and Impact for each risk

3. Plot each risk on the table with probability on one axis and impact on the other.

4. The risks in the high impact-high probability quadrant are the highest priority.

Steps to Determine the Overall Consequences of a Risk

1. Identify the Risk: Understand the nature of the risk and how it could affect the project.
2. Estimate the Impact: Determine the potential impact of the risk on the project objectives.
3. Estimate the Probability: Assess the likelihood of the risk occurring.
4. Calculate Risk Exposure: Multiply the impact and probability to get a quantitative measure of
the risk.

RE = P × C, where P is the probability of the risk occurring and C is its impact on the project.

5. Consider Risk Tolerance: Evaluate the risk in the context of the project’s risk tolerance. Some
projects may be able to tolerate higher risks than others.
6. Develop Mitigation Strategies: Based on the overall consequences, develop strategies to
avoid, reduce, or transfer the risk.
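
The risk table and the risk exposure steps above, worked through as an added example (not part of the original document). The risk names, probabilities, costs in person-days, the quadrant cut-offs, and the tolerance value are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # P: likelihood of occurrence, 0.0 to 1.0
    cost: float         # C: impact if it occurs (assumed unit: person-days)

    def __post_init__(self):
        # Reject estimates that would make the exposure figure meaningless.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.cost < 0:
            raise ValueError(f"{self.name}: cost must be non-negative")

    @property
    def exposure(self) -> float:
        return self.probability * self.cost  # RE = P x C

def quadrant(risk, p_cut=0.5, c_cut=30.0):
    """Place a risk in one of the four cells of a 2x2 risk table.
    The cut-off values are assumptions; a project sets its own."""
    impact = "high" if risk.cost >= c_cut else "low"
    prob = "high" if risk.probability >= p_cut else "low"
    return f"{impact} impact / {prob} probability"

def build_risk_table(risks, tolerance):
    """Rows sorted by exposure, highest first.
    The last column flags risks whose RE exceeds the project's tolerance."""
    ordered = sorted(risks, key=lambda r: r.exposure, reverse=True)
    return [(r.name, quadrant(r), r.exposure, r.exposure > tolerance)
            for r in ordered]

# Constructed sample risks (not taken from any real project).
SAMPLE_RISKS = [
    Risk("Scope creep", 0.25, 12),
    Risk("Third-party service downtime", 0.75, 8),
    Risk("Unproven technology adopted", 0.75, 40),
    Risk("High staff turnover", 0.25, 60),
]

if __name__ == "__main__":
    for name, cell, re_value, over in build_risk_table(SAMPLE_RISKS, tolerance=10.0):
        action = "mitigate" if over else "monitor"
        print(f"{name:30} {cell:32} RE={re_value:5.1f}  {action}")
```

Sorting by exposure and sorting by quadrant can disagree: a high-impact, low-probability risk may still exceed the tolerance, which is why the table carries both columns.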

Risk Refinement

Risk refinement is the process of breaking down a general risk into more specific risks. This helps in
understanding the risk better and developing more effective mitigation strategies. The process
involves identifying the conditions that could lead to the risk, the transition that occurs when the risk
is realized, and the consequences of the risk.

Condition-Transition-Consequence Model

This model is used to refine risks and understand them better:

1. Condition: This is the state that could lead to a risk. It’s the set of circumstances that, if they
occur, could trigger the risk. Conditions can be internal (like lack of resources) or external
(like market conditions).

• Technical Conditions: These are related to the technology used in the project. This could
include software bugs, integration issues, or the adoption of new or unproven
technologies.
• Organizational Conditions: These are related to the organization and its processes. This
could include changes in management, lack of resources, or ineffective processes.
• Project Conditions: These are specific to the project. This could include unrealistic
schedules, scope creep, or high complexity.
• External Conditions: These are outside the control of the project team. This could include
market conditions, regulatory changes, or economic factors.

2. Transition: This is the event or change that occurs when the condition leads to the risk being
realized. It’s the point at which the potential risk becomes an actual risk.

3. Consequence: This is the outcome or impact of the risk. It’s the negative effect on the
project objectives, such as cost overruns, schedule delays, or reduced quality.

RMMM stands for Risk Mitigation, Monitoring, and Management Plan. It is a comprehensive strategy
within a software project plan aimed at identifying, assessing, mitigating, monitoring, and managing
risks throughout the project lifecycle.

• Provides a framework for identifying risks, implementing mitigation measures, and monitoring their
effectiveness.

• Ensures that risks are addressed comprehensively and systematically throughout the project
lifecycle.

Components of RMMM:

• Risk Mitigation: Focuses on activities to avoid or minimize potential problems. It involves
identifying risks, addressing root causes, controlling documentation, and conducting regular
reviews to expedite work.

• Risk Monitoring: Involves ongoing tracking of identified risks to ensure they are managed
effectively. Objectives include verifying if predicted risks occur, ensuring the application of
risk avoidance measures, collecting data for future analysis, and linking problems to specific
risks.

• Risk Management and Planning: Assumes that mitigation efforts fail and a risk materializes,
causing significant issues. This involves the project manager's response to the reality of the
risk, including managing its impact and resolving associated problems.

All risk-related activities, including identification, analysis, mitigation strategies, monitoring, and
management, are documented in a Risk Information Sheet (RIS).

The RIS is managed using a database system for easier information management, including creation,
priority ordering, searching, and analysis.

Drawbacks of RMMM

While RMMM is a valuable tool for managing project risks, it does have some drawbacks:

1. Time-Consuming: Developing and implementing an RMMM plan can be time-consuming.

2. Requires Expertise: Effective risk management requires a deep understanding of the project
and its environment.

3. Not Foolproof: Even with an RMMM plan in place, some risks may still be overlooked or
misjudged.

4. Can Lead to Overcaution: Too much focus on risk management can lead to excessive caution,
stifling innovation and progress.
