See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/233529733

Software Risk Identification and Mitigation in Incremental Model

Conference Paper · December 2009

DOI: 10.1109/ICIMT.2009.104

CITATIONS READS
14 384

3 authors:

Basit Shahzad Ihsan Ullah

National University of Modern Languages Technological University Dublin - City Campus
79 PUBLICATIONS   533 CITATIONS    39 PUBLICATIONS   186 CITATIONS   

SEE PROFILE SEE PROFILE

Naveed Khan
Ulster University
24 PUBLICATIONS   58 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

IEEE Access Special Issue View project

International Research Group (IRG) - Security and Trust Management Schemes for Cognitive & Intelligent Communication View project

All content following this page was uploaded by Ihsan Ullah on 11 February 2014.

The user has requested enhancement of the downloaded file.

 2009 International Conference on Information and Multimedia Technology

Software Risk Identification and Mitigation in Incremental Model

Basit Shahzad
Department of Computer Science
King Saud University
Riyadh, KSA
Basit.shahzad@gmail.com

Ihsan Ullah Naveed Khan

Department of Computer Science Department of Computer Science
King Saud University King Saud University
Riyadh, KSA Riyadh, KSA
ih_afridi@hotmail.com Naveed283@gmail.com

Abstract—Software risk are hard to find and harder to manage.
This paper focuses on the identification of software risk in
incremental model of software development. A thorough
handling and avoidance strategy is proposed for the
identification of risk factors when the incremental model is
used for software development. The risk factors identified may
also exist in other software development processes but there
existence in incremental model is not only obvious and justified,
and hence, have been discussed for avoidance and mitigation.
I. INTRODUCTION
Software risk management has proven its importance by
attracting a huge attention in the last decade. In order to help
the software industry to succeed in the projects, the
researchers have devoted their efforts to investigate the risk
factors that have the impact on software development life
cycle. Huge contribution in this domain has been made by
identifying the relative impact ratio technique of risk
management [5] and also many others have worked in the
area of software risk management by using the waterfall
model. In the proceeding sections of the paper 26 risk factors,
specially related to incremental model of software
development have been identified and discussed.
II. RISK IDENTIFICATION AND MITIGATION
In the proceeding subsections, we discuss the risk factors
identified by literature survey and the mitigation strategies
are also proposed.
A. Few Requirement Description
It has been observed through experience that the
customer is unable to describe all the requirements in the
beginning of the project. As a consequence the requirements
keep on originating during the software developing process
as well. The studies show that even learned customer can not
explicitly mention more than 60% of requirement before the
project starts [1,2]. This risk factor can have a very high
impact on the Software Development Life Cycle (SDLC).
Following measures are proposed to either avoid or militate
against this risk factor.
Taking in to consideration the disability of mentioning all
the requirements at one time it is proposed that both teams
can come to a conclusion to determine that how much the
project can change over a specific period of time and also the
broader outlines of the software may also be determined.
The development team must clarify that the changes
disturbing the architecture of the system will only be done on
additional payment.
The requirement provider/customer should have adequate
knowledge of the domain and should be able to describe
about his requirements about the software.
The customer and development team must insure the
usage of Facilitated Application Specification Technique
(FAST) / Joint Application Development (JAD). The usage
of FAST/JAD helps in identifying requirements about the
system under consideration.
The customer must allow the development team to have a
flexible schedule if the requirements are expected to change
during the SDLC.
B. Project size estimation
The experienced professionals, available in the
development firm can help in identifying the actual scope of
the project and ensure that it is not under estimated. [1].At
the same time the capabilities of the development team must
not be over estimated.
The availability of reusable code must be adequately
estimated to ensure the smooth working of SDLC.
Software size estimation tools/matrices may be used to
determine the exact scope of the project.
The development team may find itself unable to scrub the
requirements [12] once they have been finalized by both
sides.
C. Project Funding Uncertainty
The in-time development would ensure that the
development team is not required to beg any favors from the

978-0-7695-3922-5/09 $26.00 © 2009 IEEE 366

DOI 10.1109/ICIMT.2009.104
customers, neither in terms of time nor in terms of
requirements scrubbing [12].
The development team may wish to have adequate
commitments from the funding agencies in the beginning of
the projects so that the development team does not face any
financial circumstances in case the customer plans to with
draw from the project at a latter stage.
The development team must try to maintain cordial
relations with the customer.
The customer must be updated continuously about the
achievement and problems being faced at any point in time
and the development team must provide a helping picture of
the project so that the customer may know about the
development of the project and can continue funding for the
project.
D. Staff Inexperience
Organization must not miss an opportunity to hire an
experienced person only for the sake of saving money, in
contrast the experienced person can help in returning much
more revenues then being incurred on him.
The organizations must arrange seminars in the reputed
universities/institutions in order to hire potential graduates
from the universities.
The organization may arrange biweekly or monthly visits
of the reputed professionals from within the country or even
from the world (if resources allow).
The firm must arrange the programming tutorials about
the latest developments in the development environment.
The employees must be provided short trainings and
meetings to share their thoughts with experienced
professional and learn from them in a practical manner [3]
E. Rapid Change Of Job
The employees must be trusted and provided adequate
training so that they don’t think of changing the job just
because of stressful and less motivated environment.
The organization must ensure that the experienced people
do not leave the organization by offering attractive perk and
privileges to the employees which may include bonuses
housing allowance, medical allowance etc.
A uniform grading system may be implemented
organization wide for providing extra benefits [9].
The organization may opt to originate loans schemes to
the employees in order to facilitate them in any
circumstances.
The employer must be aware of the current and up to date
salary packages being offered in the market.
The employer and junior employees must provide
adequately respectable behavior for the experienced team
leaders.
The role definition for each individual should be clear
and précised. This not only helps in asserting the
responsibility but also convince the employee to work hard
for the justification of his role [9].
The employees must be given importance by developing
cordial relations with them.
The employees must be given access to digital library or
literary resources to keep themselves updated.
367
The employer depending on its available resources may
arrange tri-annually or biannually family gatherings.
The employee must be provided with the over time if the
organization is using his services for extra time.
The employees must be allowed to use his extra time in
consultancy, teaching, etc. if his job is not disturbed.
F. Change in working circumstances by management
In order to cope with dynamic problems, the manager has
to change the circumstances of the project under
consideration. A good manager must insure that maximum
requirements are gathered before project starts.
In extreme circumstances, with out the will of the
employee, the manager should not force him to work for
more than his designated time. The work by force doesn’t
yield a product and rather costs for nothing.
Before assigning a new project the employer must ask
the employee about his availability throughout the duration
of the project. The project must only be assigned to the
employees who are available for the life time of the project.
The role definition for each individual should be clear
and precise to show the management about the schedule of
every individual.
G. Staff Inexperience
The employees must be restricted for not taking out the
code / official documents out side the office to ensure that
documents are not unlawfully transferred to the outside
environment. The back up of data must be taken on daily
basis and at multiple sites. The organization may deploy the
recovery engineers.
The organization may opt to use the backup monitoring
system to ensure that backups are taken regularly and
updates are made on daily basis.
Proper backup systems for power shortage should be
arranged so that no problem is caused due to electricity
failures.
The employees may be provided with the electronic
entrance cards and biometric identification may be used in
order to restrict any unlawful entry in to the organization.
Organization must have fire alarm to report smoke or fire
in the building.
The organization must follow some process model
depending on the need and specialty of the organization. This
will help in making the project documented and restart able
if a problem arises at any time and point.
H. Low estimation of time and cost
The analyst may identify the level of variation identified
in the initial requirements and in the final product. This
estimate can be used for the current project to propose the
timeline for the completion of the project.
The organization must always be optimistic about the
completion of the project. This can be done by having
ultimate faith on developers and by giving them confidence.
But at the same time the scope of the project should not be
under estimated.
The experienced workers should be given a chance to try
the best of their abilities and complete more work in less
time. Any such effort, if successful, must not only be
appreciated but rewarded as well.
The organization may opt to scrub the requirements in
consultation with the customer. If the customer doesn’t allow
requirement scrubbing the iterative project scheduling can be
used to complete the project with in time [12].
The programmers, analyst and team members must be
invited to contribute their opinion and understanding in
defining the scope of the project. The management team can
also help in this regard to estimate the project scope properly
[10].
Organization should keep backup teams which can
occupy the space and can help in reducing the burden on
prime developers, if needed.
I. Hardware Default Changes
The leader ship must be able to forecast the technological
advancement in the hardware and computational resources.
Any commitment about the software development made now
must also be able to run/execute on the hardware platform
available for several years [6,7]
The organization may only suggest the customer to keep
the forecasted hardware changes in mind which may increase
the cost of developing that software.
High budget and time should be allocated to handle such
problems dynamically.
In incremental model [11] the organization must
categorically define the hardware developments expected to
be available till the completion of the product. The customer
may or may not opt to adhere to the suggested opinion but
the responsibility of the organization is delivered by
informing him about the technological advancement.[7]
J. Requirement Postponement
Requirements are difficult to identify and any identified
requirements should not be delayed for inclusion in the
coming increments.
Every possible circumstances must be estimated from the
beginning of the iteration so that neither a requirement is left
nor extra load is put on the development team.
Every increment should be properly tested and all the
bugs/errors must be fixed and must not be left for the
consequent increments.
Adequate increment progress monitoring mechanism
should be in placed to keep a log of the development/effort
done for the completion of the increment. The mile stone
definition with in the increments can help in achieving the
ultimate target more easily and in a calculated manner.
In a team structure the manager may use the homework
pattern to complete the work in time. The employees may be
given sub tasks in the beginning of the week and by the week
end their work may be checked for completion and any
possible errors that it may contain.
K. Impact full presence of bugs/errors
An effective and comprehensive test of a system ensures
that the system presented to the outside world is free of bugs.
It is therefore important that a system is tested against all
368
possible values, conditions that software is expected to
accept.
The programmers are generally considered responsible
for unit testing their code that they have produced.
The presence of errors not only delays the testing process
itself but also delays the software development, as a new
iteration of module correction begins after the errors have
been identified. This costs both time and resources.
If time allows, multiple testing techniques should be
applied in iterations to identify and remove all the errors.
The correctness of errors should be done with minimum
changes in design. For this purpose it is proposed that
software architecture must be flexible to accommodate minor
changes.
L. Technology Change
The programmer should be encouraged to have
competence in more than one tools. They must also be smart
thinkers to recognize the coming trends and practices in
future software development and must also equip themselves
with future software tools [3].
The organization must not impose some projects of new
or unknown technique to the employees.
For the purpose of training, during the training session
the employees may be given technical assignments in order
to help them learning the tool and evaluating them in terms
of abilities to learn and suitability for the larger projects.
New programmers who are expert in advance
programming languages / environments may be hired to
work on new projects. In an effective team structure
programmer working on orthodox languages/ environments
will be benefited.
M. In sufficient data handling due to over whelming
acceptability of the business.
The development team must try to utilize all
computational advancement in resources available. It is
appropriate that development team also considers the fact
about the management of data incase the acceptability of the
product is over whelming.
The architecture of the system should be flexible enough
to handle changes dynamically and meet any expansion
needs at runtime.
The software must be designed in a way that it can easily
be linked with other database software as well. In order to
cope with the emerging needs of the data management.
N. Design and tool independence
In software architecture, the architects strongly
encourage the high cohesiveness and discourage high
coupling of the modules. Loosely coupled module can be
easily modified with out affecting the functionality of the
system. [3].
The design of system should be independent of any tool
and platform in order to generalize the design of the system
for usage against all software tools.
The project must be designed and implemented in a way
that it can work on the system with ease and does not require
extra hardware or software resources to work.
O. Risk of Intruders (hackers, viruses, Trojan horse)
The testing team must ensure the error free
implementation of the system. The mechanism should be
developed to restrict any friendly or unfriendly software to
access the system without permission.
Licensed and updated antivirus should be installed for
security purposes so that the risks of intruders or other
unwanted activities can be minimized.
The antivirus or spy ware software must be registered
with the organization so that no one can copy or use it with
out permission.
Spy ware detection software should be installed in order
to identify and report the presence of any spy in the system.
Scanning of the system must be done on daily/weekly
basis to handle any threat present in the system.
P. Risk of delayed implementation
Although documentation is considered highly essential
for the success of any project yet the time and resources
spend on documentation should not exceed from the
balanced amount of resources required for the documentation
purposes [4].
In incremental model [11] precisely, the delay of one
increment delays the whole system. Therefore it is of utmost
importance that only already calculated amount of time is
spent on each phase of the project.
If in extreme circumstances some members of the
development team may become unavailable the manager
should try to convince the available developers to work more
in order to compensate the loss incurred by he developers
leaving the organization.
The reusable code and CoTS (Commercially of the Shelf
Components) should be used to minimize the development
and testing time.
Requirement scrubbing and task iteration can also works
in specific circumstances [12].
The development team must have the surety and should
get funding according to the already agreed schedule; the
delay in such schedule may affect the delivery schedule of
the product itself.
Q. Market Acceptability
The development team even before starting working on a
project must get a market feedback about the acceptability of
the proposed system and the system should only be
developed if the system is highly acceptable by the local
market.
The experienced professionals can use their intuitions to
guide the development team about the future software
products that may have high impact and acceptability in the
market. If a product fails in public the development team
may add certain features that may increase the acceptability
of the product in the market.
The markets in different localities/cities may have
different behavior and it is not necessary that a product
which is less acceptable in one market also remains less
acceptable in others.
369
R. Misleading estimation about skills of workers
The management should have a concrete description
about the capabilities of each member of development team
while estimating for the scope, size, and cost of the project
the abilities of the programmers should be known adequately
to help the estimation process become more realistic. The
management should not be doing an optimistic estimation
and rather do a realistic estimation if not the pessimistic.
In informal meetings with the programmer it can be
investigated that which specific tasks he can do at his best.
The efficiency of the programmer will increase if he is
assigned a task in his area of specialization.
The programmers may be provided trainings and access
to digital resources to polish themselves and to prove their
suitability to work in a project.
S. Lack of technical feed back
The requirement gathering process requires a thorough
consideration and effective communication at the level of the
team leader/analyst and technical people at the customer side.
The head of organization must not sign a contract without
consulting his technical team to minimize the chance of loss.
It should be tried by development team to cover all
requirements in the first iteration and do not leave any
requirements un addressed.
T. Compromise on profit to save name
A failed project not only harms the revenues of the firm
but also disturbs the reputation as well. Therefore the firms
try their hard not to let a project fail and even at the cost of
financial losses they would like to save their name to
maintain the reputation and goodwill of the market.
Adequate planning about the start and completion of
each increment should be done so that no other project is
affected because of the failure/delay of the current project
and vice versa. The milestones and deliverable of an
increment should be managed according to the schedule to
accomplish the assigned task on or before the due date.
It is imperative to state that a risk should always be
identified before it actually starts harming the system. Once
the risk has shown his presence it doesn’t remain in isolation
and invites other risk factors to make a mesh and insure the
project to delay if not fail at all.
U. Risk of Economy Distortion
The management of software development firm must try
to commit advance payment from the customer if the
economic situation of the country/market is not stable. In the
economic crisis the firm must try maximizing its profit and
should try to provide benefits to the employees to enable
them to face the poor economic situation.
The deep care of the business should be kept not only by
keeping the active interaction with the customer but also
some spending should be done to help the market becoming
out of the financial circumstances.
 III. CONCLUSION [5] Basit Shahzad, Tanvir Afzal, “Enhanced risk analysis and relative
impact factorization”, 1st ICICT, IBA Karachi, August 27-28,
It is strongly believed that success of a risk management 2005 ,pp 290-295.
system lies in the identification of all possible risks for the [6] Basit Shahzad, Javed Iqbal, “”Software Risk Management –
software under consideration. The risks, in this paper, have Prioritization of frequently occurring Risk in”, 2nd International
been identified after thorough discussion with software team Conference on Information and Communication Technology
(ICICT2007), Dec. 16-17, 2007, IBA Karchi.
leaders, academicians, and developers. The mitigation and
avoidance strategies have been advised for each risk factor. [7] Roger S. Pressman, “Software engineering: a practitioner’s approach”,
5th ed, McGraw-hill, pp 151-159.
These strategies are expected to provide a helping hand for
[8] Borland, the open alm company, A Load Testing Strategy, white
the avoidance or mitigation of a risk factor. Utmost effort has paper, April 2006,pp6
been made to address all possible risk factors, present till [9] Duport, “how to control and manage the staff
now. The list of identified risk factors may grow in future turnover ”http://www.duport.co.uk/guides/staff%20issues/Controlling
and so can be the mitigation and avoidance strategies. %20and%20managing%20staff%20turnover.htm, May 2006.
[10] Magic intuition, “definition of
REFERENCES intuition ”http://www.magicintuition.com/intuition.html”, 2009
[1] J. Rothfeder, “It’s Late, Costly, and incomplete-But Try Firing a [11] Roger S. Pressman, “Software engineering: a practitioner’s approach”,
Computer System, “ Business Week, November 7, 1988, pp. 164-65. 5th ed, McGraw-hill, Chapter 1.
[2] Coper Jones, “patterns of software success and failure”, 1996. [12] Javed Iqbal, Basit Shahzad, Iterative project Scheduling: A time
[3] Roger S. Pressman, “Software engineering: a practitioner’s approach”, bound technique, International conference on computing and
5th ed, McGraw-hill, pp 151-159. informatics, June 6th -8th 2006, Kuala Lumpur, Malaysia..
[4] Barry W. Boehm, “software risk management: principles and
practices”, pp 13.

370

View publication stats