Daddy's Technology Notes

Read, think, and write down the notes.

Wednesday, October 05, 2005

Risk Management

Notes for Chapter 5 of "Rapid Development" by Steve McConnell

1. Elements of risk management

The task of risk management is to identify, address, and eliminate sources of risk before they threaten completion of the software project.

5 levels of risk management:

  1. Crisis management;
  2. Fix on failure;
  3. Risk mitigation;
  4. Prevention;
  5. Elimination of root causes

The purpose of risk management is to address software schedule risk at levels 4 and 5 instead of levels 1 to 3, at which you have already lost the battle.

Risk management is composed of 2 elements:

  1. Risk assessment

    • Risk identification: produce a list of potential risks;
    • Risk analysis: the likelihood and impact of the risks, and the risk levels of alternative practices;
    • Risk prioritization: a list of risks prioritized by impact, a basis for risk control.

  2. Risk control

    • Risk management planning: a consistent plan to handle each significant risk
    • Risk resolution: execution of the plan
    • Risk monitoring: monitor the progress toward resolving each risk item, and identify new risks and feed them back into the risk management process.

2. Risk identification

Three general risks that software development may face are the classic mistakes listed in the common risks, ignorance of development fundamentals, and lack of risk management.

Most common risks:

  1. Feature creep
  2. Requirements or developer gold-plating
  3. Shortchanged quality
  4. Overly optimistic schedules
  5. Inadequate design
  6. Silver bullet syndrome
  7. Research oriented development
  8. Weak personnel
  9. Contractor failure
  10. Friction between developers and customers

There are also other risks, for example: the development team has little power over the schedule, resources, and product definition; no effective top-management sponsor; layoffs; market changes; budget cuts; tools; etc.

3. Risk analysis

Risk analysis is based on risk exposure (or risk impact), which equals the probability of the unexpected loss multiplied by the size of the loss. Example:

  1. Overly optimistic schedule with 25% probability to extend 4 weeks, the impact is 0.25 * 4 = 1.
  2. New requirement with 50% probability to extend 2 weeks, the impact is 0.5 * 2 = 1.

The two risks have the same exposure.

  1. Estimate the size of loss: drill down into the detailed losses and combine them together;
  2. Estimate the probability: typically ask a person familiar with the system to estimate the probability, or use a group Delphi meeting.

4. Risk prioritization

Use the risk impact or exposure to set the priority of the risks, and focus on the top 20% of risks.

On the other hand, some risks rarely happen but carry a big loss if they do, so those risks need to be brought to the top as well.
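The exposure calculation from section 3 and the prioritization rule from section 4, as an added example (not taken from the book or the original notes). The 12-week "big loss" threshold, rounding the top 20% up, and every register row after the first two are assumptions made for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the loss occurs, 0..1
    loss_weeks: float   # size of the loss in schedule weeks

    @property
    def exposure(self) -> float:
        # Risk exposure = probability of the loss x size of the loss.
        return self.probability * self.loss_weeks


def prioritize(risks, top_fraction=0.20, big_loss_weeks=12.0):
    """Return (focus, ranked).

    ranked: every risk, highest exposure first (ties keep input order).
    focus:  the top `top_fraction` of ranked, plus any remaining risk whose
            loss is at least `big_loss_weeks` (assumed threshold), so rare
            but large losses are not buried by a low exposure number.
    """
    for r in risks:
        if not 0.0 <= r.probability <= 1.0 or r.loss_weeks < 0:
            raise ValueError(f"bad estimate for {r.name!r}")
    ranked = sorted(risks, key=lambda r: r.exposure, reverse=True)
    cutoff = math.ceil(len(ranked) * top_fraction)
    focus = ranked[:cutoff]
    focus += [r for r in ranked[cutoff:] if r.loss_weeks >= big_loss_weeks]
    return focus, ranked


# Constructed register: the first two rows are the examples above,
# the remaining rows are made-up estimates.
REGISTER = [
    Risk("Overly optimistic schedule", 0.25, 4),
    Risk("New requirement", 0.50, 2),
    Risk("Inadequate design", 0.30, 10),
    Risk("Contractor failure", 0.05, 20),  # rare, but a large loss
    Risk("Feature creep", 0.40, 5),
]

if __name__ == "__main__":
    focus, ranked = prioritize(REGISTER)
    for r in ranked:
        flag = "FOCUS" if r in focus else ""
        print(f"{r.exposure:4.1f}  {r.name:28s} {flag}")
```

"Contractor failure" has the same exposure as the two examples above, yet it lands on the focus list because its loss size alone crosses the threshold.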

5. Risk control

Risk management plan:

  • Who, what, when, where, why, and how for the management of each risk;
  • How to monitor the risk, the status;
  • Identify the emerging risks after this closes out.

Risk resolution

  • Avoid the risk;
  • Transfer the risk from one part to another;
  • Buy (investigate) information about the risk;
  • Eliminate the root cause of the risk;
  • Assume the risk;
  • Publicize the risk;
  • Control the risk: develop a contingency plan to handle it if you can't resolve it;
  • Remember the risk;

Risk monitoring

  • Top 10 risk list;
  • Interim postmortems;
  • Risk officer

6. Risk, high risk, and gambling
