
Risk Management: Achieving Higher Maturity & Capability Levels through the LEGO Approach

A common challenge in life is to evaluate and deal with risks. Even though risk management is fundamental to any activity, it is too often evaluated and managed from a qualitative rather than a quantitative perspective. In order to improve, organizations too often seek compliance with a single model or approach, forgetting that most often ‘one model doesn’t fit all’ and that the target process model is the organizational one, strengthened by external best practices. An approach to process improvement that takes this into consideration is LEGO (Living EnGineering prOcess). LEGO extracts the most useful Elements of Interest (EoI) from several types of maturity models into an organizational Business Process Model (BPM), which is the actual target to be improved, in order to facilitate the achievement of higher organizational maturity and capability levels. This paper applies the LEGO approach to Risk Management, analyzing several Risk Management Maturity Models and unifying their practices in order to come up with a more comprehensive risk management process model that integrates multiple views.

Published in: Services

  1. Risk Management: Achieving Higher Maturity & Capability Levels through the LEGO Approach
      Luigi Buglione, Alain Abran, Christiane Gresse von Wangenheim, Fergal McCaffery, Jean C.R. Hauck
      26th International Workshop on Software Measurement (IWSM) and 11th International Conference on Software Process and Product Measurement (MENSURA), Berlin (Germany), October 5-7, 2016
      www.eng.it
  2. Goals of the presentation
      1. Discuss the impact an organization can suffer or achieve from the way risk is managed
      2. Look at the ‘big picture’ in order to convert Risks into Critical Success Factors (CSFs) when dealing with risky events, looking at best practices from several frameworks on Risk Management
      3. Present a LEGO (Living EnGineering prOcess) example with the Risk Management process
      Risk Mgmt and LEGO – IWSM-MENSURA 2016 – October 6, 2016 – © 2016 Buglione, Abran, Gresse von Wangenheim, McCaffery, Hauck
  3. ETS - GELOG at a glance: www.etsmtl.ca
  4. DKIT at a glance
      Dundalk Institute of Technology is a 90 acre campus situated between Dublin and Belfast (each approximately 50 miles away). The Institute consists of 4 Schools:
      1. Business & Humanities
      2. Informatics & Creative Arts
      3. Engineering
      4. Health & Science
      The Regulated Software Research Group is part of LERO (the Irish Software Engineering Research Centre) at the School of Informatics & Creative Media
  5. UFSC at a glance
      Federal University of Santa Catarina, Florianópolis/Brazil [http://www.ufsc.br]
      • 25,737 Undergraduate students
      • 8,543 Graduate students
      • 34,280 Students
      INCoD: an institute for excellence in research, validation and dissemination to support digital convergence. [http://www.incod.ufsc.br]
      The Software Quality Group focuses on scientific research, development and transfer of SE models, methods & tools. [http://www.gqs.ufsc.br] [http://www.youtube.com/watch?v=V6E1Z5DEuvk]
  6. Engineering at a glance: www.eng.it (ISSRE 2014 – Naples (Italy), Nov 5, 2014)
  7. Let’s Social...ize!
      If you want to share comments/notes/pics…
      • @IWSMMensura
      • @lbu_measure
      • #LEGO
      • #MCM
      • #Risk
      • #RiskManagement
      • …
  8. Agenda
      • Introduction
        – A couple of examples about (non) Risk Management…
        – Some questions…
      • MCMs (Maturity & Capability Models)
        – Representations & Dimensions
        – Why do we need to choose a MCM?
        – Coverage & classification of MCMs
      • MCMs & Risk Management in Horizontal MCMs (H-MCMs)
        – CMMI-DEV/SVC and ISO 15504-2
        – Other Sources
      • LEGO and Risk Management
        – The LEGO approach
        – Applying LEGO to Risk Management Elements of Interest (EoI)
        – Suggested Improvements
      • Conclusions & Prospects
      • Q & A
  9. Introduction – Example: latest earthquake in Italy (Sept 2016)
      • 6.2 Richter scale
      • 290+ people died
      • 2000+ people without a home right now
      • Did somebody consider such a risk in the past within Italy? How was the risk managed? Did the Government invest over the past few years in reducing the chances of such events happening?
      Photo caption: Amatrice
  10. Introduction – Example: Apple ‘Antenna Gate’ (2010)
      • At the iPhone 4 launch (June 2010) [https://en.wikipedia.org/wiki/IPhone_4#Antenna]
      • Because the antenna was placed in the wrong place, the signal was lower and the iPhone performed worse
      • The ‘AntennaGate’ was estimated to impact 20% of Apple’s sales of the iPhone 4 (http://fortune.com/2010/09/08/antennagate-cost-apple-20-of-sales/)
      • Did they (Apple) manage such a risk during the Design phase? How? How much?
  11. Introduction – Some (important) questions...
      • What is risk and what is a damage?
      • E.g., what are the differences in how CMMI and SPICE manage risks?
      • Are there further frameworks helping to better deal with risks?
      • Do we have a risk catalogue?
      • How much value could we achieve by converting risks into a CSF?
  13. MCMs – Why do we need to choose a MCM?
  14. MCMs – Representations: Staged
      • ML: 5
      • PA: 24
      • N.min PA: ML1 (0)
      • N.max PA: ML3 (13)
      Process Areas by Maturity Level (ML, Focus, Id., PA Title):
      • ML 5 – Optimizing
        – OPM: Organizational Performance Management
        – CAR: Causal Analysis & Resolution
      • ML 4 – Predictable
        – OPP: Organizational Process Performance
        – QPM: Quantitative Project Management
      • ML 3 – Defined
        – RD: Requirement Development
        – TS: Technical Solution
        – PI: Product Integration
        – VAL: Validation
        – VER: Verification
        – OPD: Organizational Process Definition
        – OPF: Organizational Process Focus
        – OT: Organizational Training
        – IPM: Integrated Project Management
        – RSKM: Risk Management
        – DAR: Decision Analysis & Resolution
      • ML 2 – Managed
        – REQM: Requirement Management
        – PP: Project Planning
        – PMC: Project Monitoring & Control
        – SAM: Supplier Agreement Management
        – MA: Measurement & Analysis
        – PPQA: Process & Product Quality Assurance
  15. MCMs – Representations: Continuous
      • PA categories: 4
      • PA: 24 → 22
      • N.min PA per Category: Process Management (5)
      • N.max PA per Category: Project Management (7)
      Process Areas by Maturity Level and Process Category (Process Management; Project Management; Engineering; Support):
      • Optimizing
        – Process Management: OPM
        – Support: CAR
      • Predictable
        – Process Management: OPP
        – Project Management: QPM
      • Defined
        – Process Management: OPF, OPD, OT
        – Project Management: IPM, RSKM
        – Engineering: RD, TS, PI, VER, VAL
        – Support: DAR
      • Managed
        – Project Management: PP, PMC, SAM, REQM
        – Support: CM, MA, PPQA
      • Initial
        – Ad-hoc processes
  16. MCMs – Representations: Continuous (example)
      • Special cause (GP.2.2 @ OT)
      • Common cause (GP.2.9 @ +PA)
      • Source: SQI Appraisal Assistant - http://goo.gl/i6IvI
  17. MCMs – Classifying MCMs by Dimension
      • Horizontal: MMs going through the whole supply chain
        – SwEng: ISO 15504, CMMI, FAA i-CMM, …
      • Vertical: MMs focusing on a single perspective/group of processes
        – Test Mgmt: TMM, TPI, …
        – Project Mgmt: PM-MM, OPM3, …
        – Requirement Mgmt: ....
      • Diagonal: MMs focused on Organizational/Support processes
        – People CMM, TSP, PSP, …
      • Figure label: Risk Management
      • Source: Buglione L., An Ecological View on Process Improvement: Some Thoughts for Improving Process Appraisals, 4WCSQ, 4th World Congress on Software Quality, Washington D.C. (USA), 15-18 September 2008
  19. MCMs and Risk Mgmt – CMMI-DEV and ISO 15504: Risk Mgmt references
      Each row gives the CMMI-DEV/SVC value first, then the ISO 15504-12207 value:
      • Model: CMMI-DEV/SVC; ISO 15504-12207
      • Domain: Sw-SE; Sw-SE
      • PRM (source): CMMI-DEV v1.3; ISO 12207
      • PRM (# Processes): 22; 47
      • Process Categories
      • Risk Mgmt-related process(es): RSKM (Risk Management) – ML3 (Staged representation); MAN.5 (Risk Management)
      • Appraisals: SCAMPI v1.3; ISO 15504-2, ISO 15504-5 PAM ext.
      • PAM Risk-related issues: PP-SP-2.2 (Identify Project Risks), PMC-SP-1.3 (Monitor Project Risks); ACQ.1, ACQ.3, ACQ.4, OPE.1, ENG.1, ENG.2, SUP.10, MAN.3, MAN.5, PIM.3, PA2.1, PA4.1, GP5.1.4, GP5.2.2 related BP (Base Practices)
  20. MCMs and Risk Mgmt – Choosing Risk Mgmt MCMs: Results
      For each Model/Framework: Representation Type; ML (#); Architecture Type; Comments/Notes
      • Project Risk Maturity Model (PRMM): Staged; 4 [1-4]; Level-based
        – 6 perspectives
      • IACCM CMM: Staged; 5 [1-5]; Level-based
        – 9 dimensions (#7: Risk Management)
      • MMGRseg: Continuous; 5 [1-5]; Level-based
        – Aligned with ISO/IEC 27005 [32]; 43 Control Objectives into 6 groups; Final Risk Scorecard
      • MPS RMMM: Staged; 6 [1-6]; Matrix-based
        – 6 drivers for assessing business risks on an ordinal scale
      • RIMS RMM for Enterprise Risk Management (ERM): Staged; 6 [0-5]; Matrix-based
        – 7 process attributes; for each one, a series of Key Drivers defined
      • IS RMM: Staged; 5 [1-5]; Level-based
        – 9 control elements, each one with a variable number of components
      • INCOSE RMM: Staged; 4 [1-4]; Matrix-based
        – 5 Drivers
      • Risk Analysis (WBS) + RBS: ---; ---; WBS-based
        – Creation of a Risk Breakdown Structure according to the project WBS and quantification of risks by each WBS task (calculation)
  22. LEGO and SvcMgmt – The LEGO Approach
      1. MCM Repository
      2. Process Architecture
      3. Mappings & Comparisons
      4. Appraisal Method
      Steps:
      1. Identify goals
      2. Query MCM repository
      3. Include new elements
      4. Adapt & Adopt
      Source: Buglione L., Gresse von Wangenheim C., Hauck J.C.R., Mc Caffery F., The LEGO Maturity & Capability Model Approach, Proceedings of 5WCSQ, 5th World Congress on Software Quality, Shanghai (China), Oct 31 - Nov 4 2011
  23. Experiencing LEGO... Applying LEGO to Risk Mgmt
      The LEGO steps and their related activities and outcomes:
      1. Identify Goals
         – Improve the internal Risk Management (RM) capability in order to generate more value for our organization over time (product + service)
         – Assume the target BPM (Business Process Model) to improve is generically the ISO 15504 MAN.5 process
      2. Query the MCM repository
         – Filter the list of available KM-based MCMs from the MCM repository
         – The next table (EoI – Elements of Interest) filters the elements for each of the KM MCMs considered
      3. Include new elements into the target BPM
         – The next table (Suggested Improvements) lists the possible EoI matched with the requested MCMs (both SPs and GPs)
      4. Adapt & Adopt
         – Map each practice of the improved process to the related internal QMS process(es)
         – Validate the mapping results before using them in the daily activities
  24. LEGO and Risk Mgmt – Step 2 - EoI: Elements of Interest (1/4)
      • Project Risk Maturity Model (PRMM)
        – Six (6) perspectives (Stakeholders; Risk Identification; Risk Analysis; Risk Responses; Project Management; Culture)
        – Points of attention:
          o The ‘Culture’ perspective is interesting because it deals with people’s attitude towards risk
          o The ‘Stakeholders’ analysis can help to catch all possible threats and vulnerabilities, in terms of missing items to be discussed and analyzed for possible contingencies to the project plan. The PRMM process considers their engagement for initiating the risk management process
          o ‘Risk Response’ is what in other models/frameworks could be the list of ‘countermeasures’ in a ‘Risk Catalogue’
      • IACCM CMM
        – Quantitative approach (from SixSigma practices) with 9 dimensions (1. leadership; 2. customer/supplier experience; 3. execution and delivery; 4. solution requirements management; 5. financial; 6. information systems/knowledge management; 7. risk management; 8. strategy; 9. people development)
        – Of interest is the possible inclusion of:
          o ‘Solution Requirements management’
          o ‘IS/Knowledge Management’
          o ‘People development’, as in the SEI’s People-CMM
  25. LEGO and Risk Mgmt – Step 2 - EoI: Elements of Interest (2/4)
      • MMGRseg
        – Alignment with security issues (ISO 27005 [32])
        – Refinement of the maturity levels into three stages (immaturity, maturity, excellence)
        – 6 Control Objectives (CO), i.e. processes, each one with a series of practices:
          o CD1 Context Definition; AA1 Risk Analysis/Assessment; RT1 Risk Treatment; RA1 Risk Acceptance; RC1 Risk Communication; MA1 Monitoring & Critical Analysis
        – Points of attention:
          o CD1.9 (Collect and Store information); AA1.7 (Avoid Rework); AA1.8 (Revise the process of risk estimation); RT1.4 (Define how to measure the effectiveness of controls); RT1.5 (Calculate Residual Risks); RC1.x (all practices); MA1.3 (Standardize the Monitoring and Critical Analysis activity)
        – Assessment is represented with Kiviat graphs; it is also possible to use a questionnaire (as in the old Sw-CMM) or an NPLF ordinal scale, following the typical MCM appraisal approach
      • MPS RMMM
        – MLs grow with a larger environment to control (the larger the environment, the higher the ML)
        – This MCM is about Police Security and crosses a series of organizational structures that should be in place, according to their organizational model
        – Two dimensions in the matrix-grid: Maturity Level by Maturity Elements
        – Ordinal scale (No, Minimal, Partial, Yes, Significant; Substantial, Full) for rating each crossed cell in the matrix
  26. LEGO and Risk Mgmt – Step 2 - EoI: Elements of Interest (3/4)
      • RIMS RMM
        – 7 process attributes (Adoption of ERM-based discipline; ERM process management; Risk appetite management; Root-cause discipline; Uncovering risk; Performance Management; Business Resiliency and Sustainability); for each one, a series of Key Drivers is defined
        – For each process attribute, there is a definition for matching a certain level (from Non-Existent to Level 5)
        – Particular attention could be devoted to these aspects:
          o PA#4 (Root-Cause Discipline) → historicize data, classify risks, understand the whys
          o PA#5 (Uncovering Risks) → formalizing risk indicators/measures; transforming risks into opportunities (CSFs)
          o PA#7 (Business Resiliency and Sustainability) → understanding the consequences of action or inaction
      • IS RMM
        – 9 control elements (Participants; Technologies; Information; Work Practices; Products & Services; Customers; Infrastructure; Environment; Strategies)
        – Based on the ISO 31000 Risk Management Process [31], refining the process activities into ‘Control Objectives’: EC (Establishment of the Context); AP (Risk Assessment); TR (Risk Treatment); CR (Communication); SR (Monitoring & Review)
        – Possible points of attention:
          o EC.3 (Define a normalized method for the definition of the context)
          o EC.4 (Define a method of appreciation of the risks)
          o EC.7 (Define a plan of communication)
          o EC.9 (Define the level of tolerance or acceptance of the risks)
          o AP.6 + TR.6 + CR.3 + SR.4 (Collect and Store information about…)
          o SR.1 (Monitor Risk Management Indicators)
  27. LEGO and Risk Mgmt – Step 2 - EoI: Elements of Interest (4/4)
      • INCOSE RMM
        – 5 Drivers (Definition; Culture; Process; Experience; Application)
        – Checklist (matrix-based) crossing Levels from 1 (Ad-hoc) to 4 (Managed) with the drivers, as in Crosby’s Quality Management Maturity Grid (QMMG) [2]
        – Possible points of attention:
          o Definition → towards a proactive use of risk management
          o Culture + Experience → learn from experiences, knowledge management for risk management
          o Application → use of quali-quantitative tools helping to deal with risks as an opportunity when planning and estimating a new activity/project
  28. LEGO and Risk Mgmt – Step 3 - Suggestions for Improvement (1/2)
      The following tables list ‘suggested improvements’ to the target process (in this example MAN.5 from ISO 15504) that could be added in its next revision, organized by BP (Base Practice) and taken from the EoI previously analysed and listed.
      • BP 01 – Establish Risk Management scope
        – Add practices/notes for collecting information about the context of the project to be analysed (scope management)
        – A proper definition of events and related risks in a Risk Catalogue is fundamental
        – Add practices about the need to consider the right stakeholders for eliciting requirements and, consequently, potential risks from multiple viewpoints. This can help to better define the scope of the project and its related risks
      • BP 02 - Define Risk Management strategy
        – Add practices/notes about the strategic need to be resilient as a way to ‘genetically’ manage risks in a proactive way. Define a method for evaluating risks for proper (proactive) management.
        – Communication needs to be part of a risk strategy: people who are not aware of what a risk is cannot work towards excellence or obtain good results (it wouldn’t be a lean organization, at least!)
        – Culture and experience from teams are fundamental to avoid and learn by experience, sharing information through a ‘Risk Catalogue’ (just as, in IT Service Management models, ITSM personnel use a ‘Service Catalogue’)
      • BP 03 – Identify risks
        – Add practices/notes about the need for a ‘risk catalogue’, querying it during any risk analysis in order to find already classified/managed risks, with possible countermeasures.
        – Any uncovered risk should be recorded as a new item in the risk catalogue, updating the organization’s risk history as a basis for any further improvement
  29. LEGO and Risk Mgmt – Step 3 - Suggestions for Improvement (2/2)
      • BP 04 - Analyze risks
        – Add practices/notes about the opportunity to have a ready-made list of possible countermeasures from a Risk Catalogue, properly updated over time by the whole organization’s teams
      • BP 05 – Define and perform risk treatment actions
        – Add practices for specifying how to measure the effectiveness of controls and calculate residual risks.
        – Another fundamental issue will be the definition of thresholds and criteria based on historical data for their dynamic revision over time, choosing the proper updating frequency for any kind/family of risk issues.
      • BP 06 - Monitor risks
        – Add practices in order to standardize the monitoring of risks over time.
        – Need to formalize risk indicators/measures and transform risks into opportunities (CSFs).
      • BP 07 - Take preventive or corrective actions
        – Add practices/notes about the need for RCA (Root-Cause Analysis) as the basic TQM technique to use for determining the best choice from your own historical project/organizational data.
        – Communication is not only part of the strategy but, as an action, also the closing step of a corrective/preventive action, checking that the target audience has properly received and acted upon the requested action.
        – Tools could help by making it easier to identify recurring risk patterns and by suggesting possible countermeasures
  31. Conclusions & Future Works
      • Risks as threats or opportunities?
        – A risk should be known, analyzed and managed: having a ‘risk catalogue’ (like a service catalogue) can help organizations to manage a threat and possibly convert it into an improvement opportunity
        – Contingencies should be evaluated but not spent directly in a Gantt chart if the event has not happened yet
        – Risk Management is not part of Project Management, but a separate, supporting process
        – Where possible, risks should be measured, not only evaluated
        – Look at Value as the final goal to achieve in order to really improve our activities
      • Models and Methods
        – Many models, taxonomies and frameworks can be valid for managing risks
        – The value of managing risks better can lead to a lower TCO for projects
        – E.g. ISO 31000 is not the sole source to consider; CMMI/SPICE risk-related processes could also be considered
      • LEGO (Living EnGineering prOcess) approach
        – http://slideshare.re/nssLR8 [5WCSQ, Shanghai, Nov 2011]
        – Choose and integrate the ‘pieces of the puzzle’ you need for your goals: the target is your QMS, not the model(s) you are using
      • Next Steps
        – Identify further ‘silver bullets’ for leveraging the joint view of products and services, also from a business viewpoint
        – Hybridize more models and techniques between the two communities for benchmarking purposes
      All models are wrong. Some models are useful. (George Box, Mathematician, 1919-2013)
  32. Lessons Learned... (URL: www.dilbert.com)
  33. Q & A
      Thanks for your attention!
  34. Our Contact Data
      • Luigi Buglione, Engineering Ing. Inf. / ETS, luigi.buglione@eng.it
      • Fergal McCaffery, DKIT, fergal.mccaffery@dkit.ie
      • C. Gresse von Wangenheim, UFSC, gresse@gmail.com
      • Alain Abran, ETS, alain.abran@etsmtl.ca
      • Jean Carlo R. Hauck, UFSC, jeanhauck@gmail.com
