© 2017 ONE BCG. All Rights Reserved.
Software Risk Analysis
Table of Contents
This presentation covers the following items:
• What is a Risk?
• Types of Risks
• Examples of Risks
• Why do Risks arise?
• Why bother with Risks?
• Risk Analysis and Management
• Elements of Risk Analysis
• Strengths of Risk Analysis
• Limitations of Risk Analysis
• Conclusion
• Case Study
What is a Risk?
• Probability of loss, or a potential negative event that may or may not occur in the
future.
• Loss can be anything, for example an increase in production cost, development of
poor-quality software, not meeting project deadlines, etc.
- Software Risk: Possibility of suffering a loss in the Software Development
Process.
• Risk is caused by a lack of information or time, or by future uncertainty.
• It provides an opportunity to develop the project better.
• There’s a difference between a Problem and a Risk.
- A problem is an event that has already occurred, but Risk is something that’s
unpredictable.
Types of Risks
• Software Risk can be of two types:
– Internal Risks
• Come from risk factors within the organization and arise during normal
operation.
• Within the control of the project team and are often forecastable, and thus
can be avoided or mitigated.
• Mainly arise from human or technical factors.
– External Risks
• Difficult to control and come from risk factors outside the
organization/project.
• Beyond the control of the project team.
• Mainly stem from legislative, environmental or political changes.
Examples of Risks
Example 1:
Scenario
• The team is working on a project and the developer walks out of the project due to
unavoidable circumstances.
• Another person is recruited in his place, and he doesn’t work on the same platform.
• The new developer converts the project to the platform he is comfortable with.
• Now the project has to yield the same result in the same period.
A risk that can be drawn from the above Scenario:
• Whether the team will be able to complete the project on time. This is the
Risk of Schedule.
Example 2:
Scenario
• BA has elicited requirements on what the Solution should deliver.
• BA thus prepares the RSD (Requirement Specification Document) and sends it to
stakeholders for feedback.
• Most of the stakeholders respond and are asked to sign off.
Risks that can be drawn from the above Scenario:
• Requirements change before sign-off.
• Stakeholders misunderstand the RSD.
• A few key stakeholders are unavailable to participate.
• One stakeholder refuses to sign off.
Why do Risks arise?
• Software Risks arise mainly from three possible cases:
– Known Knowns
• Risks are known to the entire project/team.
• These are defined in the Project Management Plan.
• Example: Project delay due to not having enough developers.
– Known Unknowns
• Risks the project team is aware of, but is unsure whether they still exist.
• Example: Requirements from the client are not captured properly and this fact
is known to the project team. However, whether the client has communicated
all the information properly or not is unknown to the project.
– Unknown Unknowns
• Risks of which the organization is unaware.
• Example: They are generally related to working with technology or tools that
you have no idea about, but that your client wants to use.
Risk Analysis and Management
• Risk Analysis and Management involves identifying the areas of uncertainty that
could negatively affect value, analyzing and evaluating those uncertainties, and
developing and managing ways of dealing with the Risks.
• Risk Management is an ongoing activity: continuous consultation and
communication with stakeholders helps both to identify new Risks and to monitor
the identified Risks.
• The Project Team can develop plans for avoiding, reducing, or modifying the Risks
and, when necessary, implement these plans.
Elements of Risk Analysis - Identification
• The goal is to identify a comprehensive set of relevant Risks and to minimize the
unknowns.
• Risks are discovered and identified through a combination of expert judgment,
stakeholder input, experimentation, past experiences, and historical analysis of
similar initiatives and situations.
• A Risk event could be due to one occurrence, several occurrences, or even a
non-occurrence.
• A Risk condition could be just one event or a combination of events. One event or
condition may have several consequences, and one consequence may be caused by
several different events or conditions.
Elements of Risk Analysis - Analysis
• Analysis of a Risk involves understanding the Risk and estimating the level of a Risk.
– Sometimes controls may already be in place to deal with some Risks, and these
should be taken into account when analyzing the Risk.
• The likelihood of its occurrence could be expressed as a probability either on a
numerical scale or with values such as Low, Medium, and High.
• The impact of any Risk can be described in terms of cost, duration, solution scope,
solution quality, or any other factor agreed to by the stakeholders such as
reputation, compliance, or social responsibility.
• Each Risk can be described in a “Risk Register” that supports the analysis of those
Risks and Plans for addressing them.
• The “Risk Impact Scale” is the best way to showcase the impact of Risks.
Elements of Risk Analysis - Evaluation
• The Risk Analysis results are compared with the potential value of the change
or of the solution to determine whether the level of Risk is acceptable.
• An overall project Risk level may be determined by adding up all the individual
risk levels.
Elements of Risk Analysis - Treatment
There are four possible ways to deal with Risks:
– Avoid:
Eliminate the threat or protect the project from its impact. Common actions
that can eliminate Risks are:
• Change the scope of the project.
• Extend the schedule to eliminate a Risk to timely project completion.
• Change project objectives.
• Clarify requirements to eliminate ambiguities and misunderstandings.
– Transfer:
This involves moving the impact of the Risk to a third party.
– Mitigate:
Reduce the probability or impact of the risk.
This is not always possible and often comes
with a price that must be balanced against the
value of performing the mitigating action.
– Accept:
Sometimes there is no other alternative than to
proceed with the project and accept the Risk.
But producing documentation, holding
meetings, and communicating the Risk with
stakeholders can go a long way toward
minimizing the damage.
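The four elements above (identification, analysis, evaluation, treatment) worked through as a small risk register. This is an added example, not part of the original presentation: the 1-3 scoring, the likelihood x impact product, the one-step reduction for an existing control and the tolerance values are assumptions, and the sample risks are constructed from the two example scenarios.

```python
from dataclasses import dataclass

# Assumption: the slides name a Low/Medium/High scale but give no numbers;
# this 1-3 mapping and the likelihood x impact product are illustrative choices.
SCALE = {"Low": 1, "Medium": 2, "High": 3}
TREATMENTS = ("Avoid", "Transfer", "Mitigate", "Accept")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str                 # Low / Medium / High
    impact: str                     # Low / Medium / High
    treatment: str                  # one of TREATMENTS
    control_in_place: bool = False  # an existing control already addresses it

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood/impact must be in {list(SCALE)}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.name}: unknown treatment {self.treatment!r}")

    def level(self) -> int:
        """Risk level; an existing control lowers likelihood one step (assumed rule)."""
        likelihood = SCALE[self.likelihood]
        if self.control_in_place:
            likelihood = max(SCALE["Low"], likelihood - 1)
        return likelihood * SCALE[self.impact]


def overall_level(register):
    """Overall project risk: the sum of the individual risk levels."""
    return sum(r.level() for r in register)


def is_acceptable(register, tolerance):
    """Evaluation step: compare the overall level with an agreed tolerance."""
    return overall_level(register) <= tolerance


def ranked(register):
    """Highest level first, so treatment effort goes to the largest risks."""
    return sorted(register, key=lambda r: r.level(), reverse=True)


def accepted_above(register, limit):
    """Risks marked Accept whose level exceeds the limit: candidates for re-treatment."""
    return [r for r in register if r.treatment == "Accept" and r.level() > limit]


# Constructed register, using the risks from the two example scenarios.
REGISTER = [
    Risk("Schedule slip after developer replacement", "High", "High", "Mitigate"),
    Risk("Requirements change before sign-off", "Medium", "High", "Avoid",
         control_in_place=True),
    Risk("Stakeholders misunderstand the RSD", "Medium", "Medium", "Mitigate"),
    Risk("One stakeholder refuses to sign off", "Low", "High", "Accept"),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.level():>2}  {r.treatment:<9} {r.name}")
    print("overall:", overall_level(REGISTER))
```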
Strengths of Risk Analysis
• It can be applied to Strategic Risks which affect the long-term value of the
enterprise; Tactical Risks which affect the value of a change; and Operational Risks
which affect the value of a solution once the change is made.
• An organization typically faces similar challenges on many of its initiatives. The
successful Risk responses on one initiative can be useful lessons learned for other
initiatives.
• The Risk level of a change or of a solution could vary over time. Ongoing Risk
Management helps to recognize that variation and to re-evaluate the Risks and the
suitability of the planned responses.
• It can transform Risks into a threshold for new opportunities.
• Prevents department isolation.
Limitations of Risk Analysis
• The number of possible Risks to most projects can easily become unmanageably
large. It may only be possible to manage a subset of potential Risks.
• There is the possibility that significant Risks are not identified.
• High dependency on team experience.
• Vague, difficult-to-implement plans.
Conclusion
• Managing Risks doesn’t mean one will be able to fend off all the unwanted events
from the project, but it does imply that when, or if, they do happen, you’re prepared
to respond to them.
• No matter how hard one tries, it is impossible to plan for every single Risk.
• As soon as something is noticed that’s not quite right, don't mull over it excessively -
voice it out and collaborate with the project team to develop an effective strategy
for responding to it.
Case Study - Todd Herman Associates
• Situation:
– This company provides various financial, accounting, investment management,
and tax services to its clients. Information Systems play a critical role in
delivering these services.
• Problem:
– This company outsourced much of its Information Systems function.
– Executives and management believed that this arrangement was working well
and that the network / certain applications were being adequately maintained
and protected under the guidance of their network service provider.
– Top Executives, however, wanted to validate this belief, both for their peace of
mind, as well as to be able to answer questions from clients, auditors, and
bankers.
• Solution:
– Our approach was to perform an Initial Risk Assessment related to network,
infrastructure and security technologies in use, to assess the level of Risks
associated (High, Medium, or Low).
– The team performed the Risk Assessment taking into consideration the various
factors such as network availability, data security, etc.
• Results after Assessment and Recommendations:
– Several areas that management had not truly assessed were shown to have
better security than believed.
– The internal and external threat assessments identified specific steps required
to mitigate several remaining Risks.
– Upon completion of these steps, management responsible for the Information
Systems function was better able to assess potential Risks, through knowledge
and techniques learned during this engagement.
You can measure opportunity with the same yardstick that measures the
risk involved. They go together.
– Earl Nightingale