
Copy of the slides: http://sra.itc.it/people/adolfo/spm (will also be put on the esse3 website)

Exercise
We are working for the Ministry of Innovation and Technologies and we are asked to start an initiative (project or operational work?) to favour the introduction of new technologies in families.
Write the scope statement.

Risk Management

"No-one ever got fired for buying IBM", Modern proverb (now somewhat outmoded)

Risk management
Two definitions of risk:
- Risk is the possibility of suffering loss
- Risk management collects techniques, know-how and processes to help identify, assess, manage, and monitor risks

Risk Management
is used in several fields:
- Finance
- Insurance
- Engineering (safety critical, security, ...)
- ...
and various techniques (FMEA, FTA, simulation, ...) have been defined and adopted to assess it.

Risk in Project Management


A project risk is an event or condition that, if it occurs, has a positive or negative influence on an objective.
- Negative outcome: menace
- Positive outcome: opportunity

Risk and (Software) Project Management


Various standards recognize the importance of risk in software development:
- ISO/IEC 12207 (Information Technology - Software life cycle processes)
- UNI EN 29000-3 (Guidelines for the application of ISO 9001 to software development and maintenance)
- UNI ISO 10006 (Guidelines for managing projects)

(Some) Goals of Risk Management Activities


- Understanding whether a project is worth taking
- Help defining a budget for the project
- Increase chances of ending the project successfully, by ensuring that it stays:
  - within scope
  - within quality, budget, and time constraints

Why isn't risk taken care of?

- Lack of domain understanding
- Optimism (at the start, anyway)
- Too much commitment early on
- Premature coding
- Gold-plating
- Missed warning signals
- Legal implications
- Changes in project direction
- Poor risk management

The Risk Management Process


Composed of four steps:
- Risk Management Planning (kind of encompasses all the activities mentioned below)
- Risk Identification
- Risk Assessment
  - Qualitative Risk Assessment
  - Quantitative Risk Assessment
- Risk Response Planning
- Risk Monitoring and Control

The Risk Management Process


It runs in parallel to the other PM activities. It encompasses the various phases of the init-plan-execute-monitor cycle.

[Figure: the project management process groups (Initiating, Planning, Executing, Monitoring & Controlling, Closing)]

The Risk Management Process


We will now have a look at the various phases of the process:
- Risk Management Planning
- Risk Identification
- Risk Assessment
  - Qualitative Risk Assessment
  - Quantitative Risk Assessment
- Risk Response Planning
- Risk Monitoring and Control

Risk Management Planning


Goal: describing how risk management will be structured and performed on the project.
Output: a document (or set of documents and templates)

The Risk Management Planning document is a subset of the project management plan.

Risk Management Planning: Structure


Divided in the following parts:
- Methodology
- Roles and Responsibilities
- Budgeting
- Timing
- Risk categories
- Definition of risk probability and impact
- Reporting Formats
- Tracking

Risk Management Planning: Structure


- Methodology: defines the approaches, tools, and data sources that may be used to perform risk management on the project
- Roles and responsibilities: defines the lead, support, and risk team membership for each type of activity in the risk management plan, assigns people to these roles, and clarifies their responsibilities

Risk Management Planning: Structure


- Budgeting: assigns resources and estimates needed for risk management
- Timing: defines how often the risk management process will be performed throughout the project life cycle, and establishes risk management activities to be included in the project schedule

Risk Management Planning: Structure


- Risk categories: provides a structure that ensures a comprehensive process of identifying risks (e.g. RBS - risk breakdown structures) to help the risk identification phase
- Risk probability and impact: defines the risk probabilities and levels of impact to help standardize collection of data during the qualitative and quantitative assessment phase

Risk Management Planning: Structure


- Reporting formats: content and format of the risk register as well as any risk report required
- Tracking: defines how risk activities will be recorded for the benefit of the current project, future needs, and lessons learned. Documents whether and how the risk management process will be audited.

RBS Example

Other ways of classifying Risks


Software Project Management risk areas (Sommerville):
- Project risks affect schedule or resources
- Product risks affect the quality or performance of the software being developed
- Business risks affect the organisation developing or procuring the software

Also:
- Internal (can be controlled by the PM)
- External (outside the scope of the PM)

Software risks
Risk | Affects | Description
Staff turnover | Project | Experienced staff will leave the project before it is finished.
Management change | Project | There will be a change of organisational management with different priorities.
Hardware unavailability | Project | Hardware that is essential for the project will not be delivered on schedule.
Requirements change | Project and product | There will be a larger number of changes to the requirements than anticipated.
Specification delays | Project and product | Specifications of essential interfaces are not available on schedule.
Size underestimate | Project and product | The size of the system has been underestimated.
CASE tool underperformance | Product | CASE tools which support the project do not perform as anticipated.
Technology change | Business | The underlying technology on which the system is built is superseded by new technology.
Product competition | Business | A competitive product is marketed before the system is completed.

Risk Identification
Goal: understanding which risks could potentially influence the project

Risk Identification
Sources:
- External data (financial data, ...)
- Internal data (company's data, company's standards, ...)
- Project Team
- Experts
- ...

Risk Identification
Techniques:
- Information gathering
  - Brainstorming, Delphi technique, interview, SWOT (Strengths, Weaknesses, Opportunities, and Threats analysis)
- Checklist analysis
- Diagramming techniques
  - Cause and Effect analysis
  - Flow charts

Risk Identification
Basically two steps:
1. Identify risks
2. For each risk:
   - Describe the risk
   - Describe the potential responses (countermeasures)
   - Risk category
   - Other characteristics:
     - Probability
     - When it can occur
     - Frequency
     - Consequences

[Figure: chart with axes Frequency and Impact]

Cause-Effect Diagram
Known under various different names:
- Cause-Effect diagram
- Fishbone Diagram
- Ishikawa (Kaoru Ishikawa, who invented it in the sixties)

Cause-Effect Diagram (Ishikawa)

[Figure: fishbone diagram with the cause categories Machine, Method, Material, Energy, Personnel and Environment leading to the effect "Major Defect"]

Cause-Effect Diagram (Ishikawa)


- Usually most effective when done in groups
- Start from the right
- The "Four-M" categories are typically used as a starting point: "Materials", "Machines", "Manpower", and "Methods".
- The subdivision into ever increasing specificity continues as long as the problem areas can be further subdivided.
- The practical maximum depth of this tree is usually about four or five levels.
- When the fishbone is complete, one has a rather complete picture of all the possibilities about what could be the root cause for the designated problem.

Boehm's Top 10 Risks & Countermeasures (1/4)

- Personnel Shortfalls
  - Staffing with top talent; job matching; team-building; morale building; cross-training; pre-scheduling key people.
- Unrealistic Schedules and Budgets
  - Detailed, multi-source cost & schedule estimation; design to cost; incremental development; software reuse; req. scrubbing.

Boehm's Top 10 Risks & Countermeasures (2/4)

- Developing the wrong software functions
  - Organizational analysis; mission analysis; operational concept formulation; user surveys; prototyping; early users' manuals.
- Developing the wrong user interface
  - Prototyping; scenarios; task analysis.
- Gold-plating
  - Requirements scrubbing; prototyping; cost-benefit analysis; design to cost.

Boehm's Top 10 Risks & Countermeasures (3/4)

- Continuing stream of requirements changes
  - High change threshold; information-hiding; incremental development (defer changes to later increments).
- Shortfalls in externally-performed tasks
  - Reference-checking; pre-award audits; award-fee contracts; competitive design or prototyping; team-building.
- Shortfalls in externally-furnished components
  - Benchmarking; inspections; reference checking; compatibility analysis.

Boehm's Top 10 Risks & Countermeasures (4/4)

- Real-time performance shortfalls
  - Simulation; benchmarking; modeling; prototyping; instrumentation; tuning.
- Straining computer science capabilities
  - Technical analysis; cost-benefit analysis; prototyping; ref. checking.

Risk Identification: Output


Risk register. It contains:
- List of identified risks
- List of potential responses
- Other information about risks
(actually more information will be added to the risk register, as we continue with the description of the risk management activities)
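
As an added example (not part of the original slides), the risk register can be sketched in Python with the step-2 attributes of risk identification as fields, plus a check for entries that still lack them before assessment starts. The class and function names, the low/medium/high scale and the sample attribute values are assumptions; the two risks and the countermeasures come from the slides, and pairing those countermeasures with "Staff turnover" is an illustrative choice.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Step-2 attributes from the slides; an empty value means "not yet identified".
REQUIRED = ("description", "responses", "category", "probability",
            "when", "frequency", "consequences")

@dataclass
class Risk:
    name: str
    description: str = ""
    responses: list = field(default_factory=list)  # potential countermeasures
    category: str = ""      # here: what the risk affects (assumed category scheme)
    probability: str = ""   # qualitative level; low/medium/high scale is assumed
    when: str = ""          # when it can occur
    frequency: str = ""
    consequences: str = ""

    def missing(self):
        """Return the step-2 attributes that are still empty."""
        return [f for f in REQUIRED if not getattr(self, f)]

class RiskRegister:
    def __init__(self):
        self._risks = {}

    def add(self, risk):
        if risk.name in self._risks:  # one entry per risk, so updates stay unambiguous
            raise ValueError(f"risk already registered: {risk.name}")
        self._risks[risk.name] = risk

    def by_category(self):
        groups = defaultdict(list)
        for r in self._risks.values():
            groups[r.category or "uncategorised"].append(r.name)
        return dict(groups)

    def incomplete(self):  # risk name -> attributes still to be filled in
        return {r.name: r.missing() for r in self._risks.values() if r.missing()}

def sample_register():  # constructed sample; attribute values are invented
    reg = RiskRegister()
    reg.add(Risk("Staff turnover",
                 "Experienced staff will leave the project before it is finished.",
                 ["cross-training", "pre-scheduling key people"],
                 "Project", "medium", "any phase", "occasional", "schedule slip"))
    reg.add(Risk("Requirements change",
                 "There will be a larger number of changes than anticipated.",
                 category="Project and product", probability="high"))
    return reg
```

Calling `sample_register().incomplete()` lists "Requirements change" with the attributes the team still has to discuss, which is the kind of gap a register review is meant to surface.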

Exercise
Define the risk register of the exercise proposed at the beginning of the lesson
