Developed for: CS671 – Software Systems Engineering Process
Author: Loren Karl Schwappach, BSEE / BSCE
What is Risk Management?
Risk management involves identifying applicable risks, analyzing those risks, managing/mitigating them, and finally reviewing them. [Potter02] Careful use of risk management techniques can help prevent problems from occurring and helps anticipate future problems, allowing process improvement to run smoothly [Boehm89, Potter01, Van Scoy92].
Six Steps to Risk Management
Step 1: Determine the Scope of the Risk
Step 2: Select the Team and Moderator
Step 3: Identify Risks
Step 4: Analyze Risks
Step 5: Plan to Mitigate Risks
Step 6: Plan for Periodic Risk Review
Note: There will be a hands-on example at the end of this presentation if time permits.
Step 1: Determining the Scope
The scope of the list should include the goals and problems that you plan to address in the next six months. [Potter02] The goals and problems listed in your action plan are the perfect candidates for determining your risk management scope. However, you should refine them down to the few that you plan to address in the near term.
 Step 2: Select the Team and Moderator The risk management team should include individuals who have an understanding of the risks that could prevent successful project completion. [Potter02] The team should include the improvement team, stakeholders (software developers, quality analysts, and managers), previous improvement project members, and subject area experts. [Potter02] Try to limit the group size to around nine people to keep the conversations on track. [Potter02] The moderator is responsible for keeping the discussions focused and should be able to explain the risk management process to team members. [Potter02]
Step 3: Identify Risks
Risks: potential problems that are not guaranteed to occur. [Potter02]
Start risk identification as a brainstorming session, allowing members to call out problems that could cause the improvement projects to fail. [Potter02]
Consider the following: [Potter02]
- Weak areas such as unknown technology (tools, vendors, methodologies).
- Critical aspects necessary for the improvement project (timely delivery of training programs, management buy-in, training materials).
- Previous problems (loss of essential staff, resistance to change, shifts in priority).
Step 4: Analyze Risks
Sub-steps to risk analysis: [Potter02]
- Focus on removing ambiguities, carefully clarifying each risk item (example: “lack of management buy-in” becomes “manager X may not find any benefit to the new method”, and “people might leave” becomes “subject master X may get pulled off of project”). Note: Risk Items column.
- Enumerate the primary consequence if the risk were to occur. Note: Consequence column.
- Set priorities by agreeing on how likely a risk item is to occur (scale 1 to 10, where 10 is very likely), and then rate the impact if the risk were to occur (scale 1 to 10, where 10 is a very large impact). First select the item that rates the lowest and assign it a 1, then select the item that rates the highest and assign it a 10. All other items should be rated within these boundaries. The final priority is the product of the two values.
- Select a few items to manage (top three risks or top 20 percent).
Step 5: Plan to Mitigate
- Reduce the likelihood of the risk occurring. One method is to change the decision that caused the risk. Sometimes this can be done by eliminating the item altogether; however, this can sometimes create additional risks. Another method is to reduce the impact of the risk should it occur. Note: List the actions to reduce the risk likelihood and impact under their respective columns.
- Decide which actions to pursue. Focus on actions that reduce likelihood and provide a contingency.
- Assign responsibility to each risk reduction action. This includes identifying a responsible member and a realistic completion date.
Step 6: Plan for Periodic Risk Review
Periodic review provides visibility on the effectiveness of the risk management process. During the reviews, determine whether any likelihood or impact numbers need revisiting and, if needed, repeat the complete risk management process to address any significant changes that occur. Measure the impacts of any risks that occur, for use in future risk management decisions.
Summary
Risk Management involves:
1: Determining the Scope of the Risk. Goals/Problems within next 6 months.
2: Selecting the risk management team & moderator. Limit to around 9 people from improvement team, stakeholders, previous improvement project members, and subject area experts.
3: Identify Risks. Brainstorm session considering weak areas, critical aspects and previous problems.
4: Analyze Risks. Remove ambiguities, enumerate consequences, set priorities, and select few for managing.
5: Plan to Mitigate Risks. Choose actions that reduce the likelihood and impact of risk occurring, select best actions to pursue and assign responsibility.
6: Plan for Periodic Risk Review.
References
[Boehm89] Boehm, B. Tutorial: Software Risk Management. New York: IEEE Computer Society, 1989.
[Potter01] Potter, N., and M. Sakry. “Keep Your Project on Track.” Software Development 2001; 9, no. 4.
[Potter02] Potter, N., and M. Sakry. “A Concise Action Guide for Software Managers and Practitioners.” Making Process Improvement Work 2002.
[Van Scoy92] Van Scoy, Roger L. Software Development Risk: Opportunity, Not Problem. CMU/SEI-92-TR-30, ADA 258743. Pittsburgh: SEI, 1992.
Questions?
You may see this information on the class final so be prepared!
Where to go for additional information: Garvey, P., Analytical Methods for Risk Management: A Systems Engineering Perspective, 2008.
Step 4: Analyze Risks Hands-On Example…
Scenario: A system engineering firm (Over Priced Solutions Inc.) develops software for a large TS/SCI satellite agency in partnership with the military and NSA. The firm has:
- One manager (Jerome Akins) who is not big on wasting time on process improvement efforts and often shifts priorities.
- One library control expert (Jay Deguzman) who is considering leaving the firm.
- Two software developers (Mitchell Williams and Ryan Lacroix) who have been with the firm for 20 years and are not interested in learning new tools (specifically the software requirement management tool, which has a large learning curve).
- One overly excited project manager (Loren Schwappach).
The firm is also expected to hire several new staff members within the next six months.
Step 4: Analyze Risks Hands-On Example…
Software Company X – Identified Risks:
- Lack of management buy-in.
- People might leave.
- Software requirement management tool is hard to use.
- Management changes priorities often.
- Software requirement management tool may be delivered late.
- Creation of training materials takes a long time.
Step 4: Analyze Risks Hands-On Example…
Risk Items | Consequence | Likelihood | Impact | Priority
Jerome Akins’ (Manager) buy-in for improvement methods diminishes. | Improvement program fails. | 10 | 10 | 100
Jerome Akins (Manager) changes priorities before any milestones are completed. | Improvement program loses credibility. | 9 | 9 | 81
New Requirements Management Tool has a huge learning curve. | Mitchell Williams and Ryan Lacroix give up on tool in frustration. | 9 | 8 | 72
Jay Deguzman (Library Control) might leave firm. | Wasted time training new person. | 7 | 8 | 56
Creation of specialized training materials for new staff takes too long. | Improvement implementation delayed. | 4 | 5 | 20
Requirements management tool is delivered to the firm late. | Pass up opportunity to test and use new tool. | 1 | 1 | 1
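Added example (not part of the original presentation): a small risk register that applies the Step 4 rules to the ratings from the hands-on table, checks the 1-to-10 anchoring, and selects the risks to manage. The names Risk, REGISTER, check_ratings, rank and select, the tie-break order, and rounding the top 20 percent upward are assumptions made for this illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    item: str
    likelihood: int  # 1..10, 10 = very likely
    impact: int      # 1..10, 10 = very large impact

    @property
    def priority(self) -> int:
        return self.likelihood * self.impact  # Step 4: product of the two ratings

# Ratings copied from the hands-on analysis table; item text shortened here.
REGISTER = [
    Risk("Requirements management tool delivered late", 1, 1),
    Risk("Library control expert might leave", 7, 8),
    Risk("Manager buy-in diminishes", 10, 10),
    Risk("Training materials take too long", 4, 5),
    Risk("Manager changes priorities before milestones", 9, 9),
    Risk("New tool has a huge learning curve", 9, 8),
]

def check_ratings(risks):
    """Return violations of the Step 4 rating rules (empty list = consistent)."""
    problems = []
    for name in ("likelihood", "impact"):
        values = [getattr(r, name) for r in risks]
        if any(not 1 <= v <= 10 for v in values):
            problems.append(f"{name}: rating outside 1..10")
        if min(values) != 1 or max(values) != 10:
            problems.append(f"{name}: lowest item must be 1, highest 10")
    return problems

def rank(risks):
    # Highest priority first. Tie-break (impact, then name) is an assumption.
    return sorted(risks, key=lambda r: (-r.priority, -r.impact, r.item))

def select(risks, top_n=None, top_fraction=None):
    """Pick the risks to manage: top N, or a top fraction rounded up (assumption)."""
    ranked = rank(risks)
    if top_n is None:
        top_n = math.ceil(len(ranked) * top_fraction)
    return ranked[:top_n]

if __name__ == "__main__":
    print(check_ratings(REGISTER) or "ratings consistent")
    for r in select(REGISTER, top_n=3):
        print(f"{r.priority:>3}  {r.item}")
```

The three risks returned for top_n=3 are the same three carried into the Step 5 mitigation plan.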
Step 5: Plan to Mitigate Hands-On Example…

Risk Item: Jerome Akins’ (Manager) buy-in for improvement methods diminishes.
Consequence: Improvement program fails.
Likelihood: 10 | Impact: 10 | Priority: 100
Actions to Reduce Likelihood: 1. Ensure that the improvement program addresses the management team’s problems and goals. 2. Establish a steering committee to oversee the improvement effort. Meet bimonthly.
Actions to Reduce Impact: 3. Determine improvements that can be made at a project level without major funding. 4. Explain the problems and goals that won’t be addressed because of reduced funding.
Responsible: Action 1: Loren | Due: 4/27/11 | Status: Completed

Risk Item: Jerome Akins (Manager) changes priorities before any milestones are completed.
Consequence: Improvement program loses credibility.
Likelihood: 9 | Impact: 9 | Priority: 81
Actions to Reduce Likelihood: 1. Present the action plan to management and obtain agreement that priorities remain unchanged.
Actions to Reduce Impact: 2. Determine improvements that can be made regardless of which project is active.
Responsible: Action 1: Loren | Due: 5/6/11 | Status: In Progress

Risk Item: New Requirements Management Tool has a huge learning curve.
Consequence: Mitchell Williams and Ryan Lacroix give up on tool in frustration.
Likelihood: 9 | Impact: 8 | Priority: 72
Actions to Reduce Likelihood: 1. Start a pilot project to test the tool.
Actions to Reduce Impact: 2. Establish a cutoff date when firm will give up on tool and use previous methods.
Responsible: Action 1: Mitchell | Due: 5/12/11 | Status: In Progress
Risk Management Pop Quiz
Graded by: Loren K. Schwappach
Name: __________ Date: __________ Grade: ______
Q1 (25pts/100pts): What are the six steps to risk management? ____________________
Q2 (25pts/100pts): Risks are? ____________________
Q3 (25pts/100pts): The risk management team should include the __________, __________, __________, and __________.
Q4 (25pts/100pts): Step four of the Risk Management Process involves removing __________, enumerating the __________ if the risk were to occur, setting __________ for each risk, and selecting a few __________.
Risk Management: Risk Analysis for Hands-On Example
Risk Items | Consequence | Likelihood | Impact | Priority
Risk Management: Plan for Risk Mitigation for Hands-On Example
Risk Items | Consequence | Likelihood | Impact | Priority | Actions to Reduce Likelihood | Actions to Reduce Impact | Responsible | Due | Status