Chapter Five

Planning for Software Project

Risks

04/24/2024 1
 Chapter Objectives
• Identifying project risks
• Several software risks to avoid
• Completing qualitative and quantitative analyses
• Preparing the risk response plan

04/24/2024 2
 Introduction
• A risk is any event that could prevent the project from
progressing as planned, or from successful completion.
• Risk is uncertainty that can have a negative or positive effect on
meeting project objectives.
• Risk is everywhere
• When you do something risky, you must calculate whether the
potential reward is worth the potential risk.
• One of the toughest jobs for any project manager is managing
project risks.
• Negative risk is “the possibility of loss or injury.”
• Positive risk are risks that result in good things happening;
sometimes called opportunities.
04/24/2024 3
 …contd’
• Project risks include the following:
– Inadequate time for completing the project
– Inadequate budget for completing the project
– Unrealistic scope expectations
– A project team that needs additional time to ramp up
development language
– Stakeholders that do not or cannot provide clear project
requirements
• The goal of risk management is to identify, quantify,
plan for, and then react to the risk potential to keep the
risks from affecting the project’s success.
04/24/2024 4
 Identifying Pure and Business Risks
• Pure risks: These risks have no upside, only a
downside.
• Pure risks include things like loss of life or limb,
fire, flood, and other bad stuff that nobody likes.
• Business risks: These risks are the calculated risks
you are concerned with in project management.
• A perfect example of a business risk is using a
worker with less experience in order to save
money on the project’s budget.

04/24/2024 5
 …contd’
• The risk is that the worker will screw up and your
project will be doomed.
• The reward is that the worker will cost less than
the more experienced worker and save the project
some cash.
• An addition, reward is that by challenging this
employee you will encourage his or her growth
and buy in on the project. This worker is more
likely to be of greater value to you in future
projects.
04/24/2024 6
• Business risks are a big concern for any project
manager with an eye towards reality.
• Business risks are the more common risks you
encounter in your project management activities:
– Employees quit
– Mistakes are made in the requirements gathering process
– The software is full of bugs, errors, and failures
– The expectations of the project time, cost, and scope are not
realistic to begin with
– The project is larger than the capacity of the project team
– etc.
04/24/2024 7
Eight risks every software project has:
• Time
• Costs
• Scope
• Feasibility
• Quality
• Stakeholder expectations
• Human resources
• Technical accuracy
04/24/2024 8
 Risk Management
• Risk Management: is a systematic process of
identifying, analysing and responding to project
risk.
• It is concerned with identifying risks and drawing
up plans to minimize their effect on a project.
• The goal of project risk management is to minimize
potential negative risks while maximizing potential
positive risks.
• A person’s willingness to accept risks is called his or
her utility function.
04/24/2024 9
 1. Risk Planning
• Risk planning is a plan that documents the procedures
for managing risk throughout a project.
• Deciding how to approach and plan the risk management
activities for the project.
• Planning is critical to establish the importance of risk
management, allocating proper resources and time to risk
management and establish the basis for evaluating risk.
• It is important that resources, processes, and tools be in
place to adequately plan the activities for project risk
management.
04/24/2024 10
 2. Risk Identification
• Risk Identification is the process of understanding what
potential events might hurt(harm) or enhance a particular
project.
• Risks can be identified from a number of different sources,
during the project lifecycle and identified by anyone
associated with the project.
• Some risk will be inherent to the project itself, or it can be
result of external influences that are completely outside the
control of the project team.
• Risk identification consists of determining which risks are
likely to affect the project and documenting the
characteristics of each.
04/24/2024 11
 Risk Identification Tools & Techniques
• Brainstorming: is a technique by which a group attempts to
generate ideas or find a solution for a specific problem by
amassing ideas spontaneously and without judgment.
• An experienced facilitator should run the brainstorming
session.
• Delphi technique: is a technique that allows stakeholders to
anonymously (secretly) offer their input into identifying
risks.
• They can send their suggestions via e-mail to one person
who will then consolidate (organize) the information into
one document without naming the source of the information.

04/24/2024 12
 …contd’
• Interviewing is a fact-finding technique for collecting
information in face-to-face, phone, e-mail, or instant-
messaging discussions.
• Interviewing people with similar project experience is
an important tool for identifying potential risks.
• SWOT analysis (strengths, weaknesses, opportunities,
and threats) can also be used during risk identification.
• Helps identify the broad negative and positive risks that
apply to a project.
04/24/2024 13
 Risk Register
• A risk register: is a document that contains the results of
various risk management processes and that is often
displayed in a table or spreadsheet format.
• A tool for documenting potential risk events and related
information.
• Risk Register Contents
– An identification number for each risk event.
– A rank for each risk event.
– The name of each risk event.
– A description of each risk event
04/24/2024 14
 …contd’
– The category under which each risk event falls.
– The root cause of each risk
– Triggers for each risk; triggers are indicators or symptoms
of actual risk events.
– Potential responses to each risk.
– The risk owner or person who will own or take
responsibility for each risk.
– The probability and impact of each risk occurring.
– The status of each risk.

04/24/2024 15
 3. Qualitative Risk Analysis
• Assess the likelihood and impact of identified risks to
determine their magnitude and priority.
• Example
Sample Qualitative Risk Impact Matrix
Risk Probability Impact Risk Risk Score
Server crashes Low Medium Low
Lack of High Medium High
developers
Firmware Low Medium Low
changes

04/24/2024 16
 4. Quantitative Risk Analysis
• Numerically estimating the effects of risk on project
management.
• Example
Sample Qualitative Risk Impact Matrix
Risk Probability Impact Risk Risk Score
Server crashes .1 $5000 $500
Lack of .9 $80000 $72000
developers
Firmware .2 10day 2days
changes

04/24/2024 17
 5. Risk Response
• After identifying and quantifying risks, you must
decide how to respond to them.
• Risk response is steps taken to enhance an
opportunities and reducing threats to meeting
project objectives.
• The risk response plan is a document that details
the identified risks within a project, their impact,
and their associated costs, and then identifies how
the project team will respond to the risks.

04/24/2024 18
 Response Strategies for Negative Risks
• Risk Avoidance- often the most desirable risk response is to
just avoid the risk.
• This means getting creative in the project scheduling,
assigning senior developers to key activities, or creating
other workarounds so that the risk doesn’t come in to play.
• You’ve done risk avoidance if you’ve done any of the
following:
– Changed a project plan to avoid risk interruption
– Hired experts to consult the project team during the development
Process
– Spent additional time with the project stakeholders to clarify all
project objectives and requirements

04/24/2024 19
 …contd’
• Risk Transference -shift the impact of a risk to a third
party (like a subcontractor). It does not eliminate it, it
simply shifts responsibility.
• You’ve used transference if you’ve ever done any of
the following:
– Purchased insurance, such as errors and omissions insurance
– Hired experts to complete a portion of the project work
– Demanded warranties from vendors
– Brought in consultants to test units and builds of your
software

04/24/2024 20
 …contd’
• Risk Mitigation -Take steps to reduce the probability
and/or impact of a risk.
• You’ve used mitigation if you’ve ever done the following:
– Added extra testing, verification, or customer approval activities
to ensure that the software conforms to requirements
– Reduced the number of processes, activities, or interactions
within a smaller project to streamline and focus project
management activities on accomplishing specific project tasks
• Risk acceptance– Simply accept that, this is a risk.

04/24/2024 21
 Response Strategies for Positive Risks

• Exploit: This strategy seeks to eliminate the uncertainty

with an opportunity by changing a project objective to
ensure it happens. An example of this is assigning the best
workers to a project to reduce time to complete.
• Share: Allocating ownership of the positive risk event to a
third party who is best able to capture the opportunity for
the project.
• Enhance: Increasing the probability and/or positive
impact of an opportunity
• Acceptance: Simply accept that this is a risk
04/24/2024 22
 Residual and Secondary Risks
• It’s also important to identify residual and secondary
risks.
• Residual risks are risks that remain after all of the
response strategies have been implemented.
• Secondary risks are a direct result of implementing a
risk response.

04/24/2024 23
 6. Risk Monitoring and Control
• Involves executing the risk management
process to respond to risk events.
• Workarounds are unplanned responses to risk
events that must be done when there are no
contingency plans.

04/24/2024 24
 The End!

04/24/2024 25