September 1999
(safe falling on the head of your lead programmer) may demonstrate a wide range of values
while in another (the project lead leaving the project) the range of values may be packed quite
compactly. The latter variable is therefore more predictable, so there is less risk in estimating
what the value of that variable will be in a new project.
Other variables are unique to the current project, and you must evaluate them on an ad-hoc
basis. While it helps to have a baseline of the same or similar variables to compare with,
sometimes you must evaluate unknown variables as well. The essence of risk management is
determining what is unique about the project youre evaluating. Its just as important to
realize that you cant remove all risk.
Some activities are inherently more risky than others. These activities include introducing new
technologies, assembling an unproven development team, and so on. The Software
Engineering Institute (http://www.sei.cmu.edu/) has devoted considerable attention to risk
management and has developed a checklist of about 100 different possible risk factors, each
of which you can evaluate to include in your current projects risk portfolio. As with many
other checklist-based evaluations, it introduces an additional risk: overlooking a potential
problem that doesnt fit neatly into one of the provided risk categories. For that reason,
although prepared lists of risks can be useful as a starting point for discussion, I would
encourage organizations to develop their own lists of perceived and actual risks. And as with
process improvement, a bottom-up approach almost always yields superior results.
Overrun Insurance
Its interesting to note a corollary to the bottom-up vs. top-down models of risk assessment.
As you go further up the food chain, the individual risks get toned down, often because the
individuals presenting the project to those with approval authority have a vested interest in
getting the project approved. As a consequence, the executives furthest from project
management are the least likely to have adequate risk data available to them, yet they are the
ones charged with the responsibility of deciding whether or not to proceed with the project.
One way top management can help manage risk is by establishing a cost-overrun insurance
policy. Just as homeowners insurance spreads the risk of any client suffering a fire, a
corporate risk insurance policy helps spread the inherent risk measurement costs among
several projects. If a given project manager consistently makes claims against the policy, that
project manager will probably get demoted, terminated, or reassigned to other duties.
Identifying Risks
Remember that Murphy was an optimist. Its too easy for project managers to construct their
models hoping that the things that could go wrong wont for their project. But that is not a
level-headed way of looking at risk. If youre going to fudge the risk factors, you might as well
channel your energy into completing the project and hope that divine intervention will guide
your team to success. But if you want to manage your risks fairly, there are some steps that
can help.
First, name your risks. One of the best ways to do this is to hold team sessions inspections,
if you willto identify possible risks. Once you have a list of candidate risks, you should
evaluate each risk and assign it a weight representing its likelihood. Following that, you must
determine what will happen to the project if each risk becomes an actuality.
Given that its impossible to reduce the likelihood of all risks to zero, you must identify the
most significant risks in terms of severity, likelihood, and potential consequences. Once you
prioritize your risks, develop an action plan for dealing with each of the most important ones.
Finally, your team needs to plan actions to take if risk mitigation doesnt work.
increasingly negative effect on the project. Enter three rows describing the actions you could
take in response to the event, ranging from weakest response to strongest: do nothing,
promote another team member to project lead, and hire another project lead from outside, as
shown in Table 1. In each of the 12 cells, assign a percent value to the cost you would suffer if
that intersection of column and row were to occur. For example, if there is zero effect on the
project if the lead departs, and you do nothing, then the cost is zero. If you do nothing, and
the effect is high, then your cost is 100%. If there is a low effect and you promote someone
from the team, the cost might be 10%. And so on until you fill the grid with these 12
percentages, representing the damaging effect on the project for each combination of severity
and action.
Table 1: Assumptions About Risk if Project Lead Quits
Cost Matrix
Zero
Low
Medium
High
Do nothing
20
50
100
10
20
35
60
40
42
45
50
Using the cost matrix you just constructed, build a similar 12-cell regret matrix, as shown in
Table 2. The headings for the columns and the names of the rows remain the same. But for
each cell in the matrix, use the values entered to determine which policy (do nothing, promote
from team, and so on) produces the best result for each of the severity columns (zero, low,
and so forth).
Table 2: Assumptions About Risk if Project Lead Quits (with Regret)
Cost Matrix
Zero
Low
Medium
High
Do nothing
20
50
100
10
10
40
22
10
Then, perform a key calculation to arrive at regret. Take the best result for each column and
subtract it from the other values in that column to arrive at a measure of regret. For example,
in row one, column one, where both values are zero, subtracting zero from zero gives you zero
regret. But look at the possible medium cost values for each of the actions. Assume that if you
do nothing, the cost is 50%; if you promote from within, the cost is 35%; and if you bring a
lead in from outside, the cost is 45%. Since 35% is the best result of the three, you would
assign a regret value of zero to the intersection of promoting a lead and medium cost. To
arrive at the regret value for the other two actions, subtract 35% from 50% to arrive at a
regret of 15% for doing nothing and subtract 35% from 45% to arrive at a regret of 10%.
After completing the regret matrix, its obvious which course of action produces the least
regret for each cost factor. But more important, you can say with some assurance how much
regret we would feel if we follow any particular course of action. Regret analysis is a powerful
tool, but the authors dont stop there. They show you how to construct graphs that visually
show you how to assess the results from two situations where regret is the same but the
effects on the project are very different.
Tools
Programmers are used to thinking that a tool can solve their problems, even problems that
dont lend themselves to tool-based solutions. That doesnt stop people from trying, and
doesnt stop pundits from calling them silver bullets. That said, if you want a silver bullet, here
are a couple leads to help you find one. At the Software Program Managers Network web site
(http://spmn.com/), you can find a downloadable Access database called Risk Radar. If you
want to use COCOMO for estimating, a version that incorporates risk evaluation is available at
http://sunset.usc.edu/ (follow the Tools link). In the commercial-product arena, risk
management forms a natural fit with project management tools. Primaveras P3 is available
with an optional add-on for risk assessment called Monte Carlo. The company also offers
TeamPlay, a project management suite. Get the details at http://www.primavera.com/. ABT
Corp.s Results Management Suite (http://www.abtcorp.com/) also includes a risk
management module.
A Final Note
Risk management is a complex and broad field. The kinds and severity of risk vary from
industry to industry and market sector to market sector. The risks facing a game software
company are significantly different from the risks facing a Department of Defense contractor.
The risks facing the group developing new software are different from the risks facing the
group maintaining legacy systems. Thats why getting simple answers to complex questions
about risk can be exceedingly difficult. The best source for risk data in your shop is historical
data captured from previous projects. One source for that information belongs on the shelf of
any serious risk management practitioner: Robert Charettes Software Engineering Risk
Analysis and Management (McGraw-Hill, 1989). Unfortunately, this title is out of print. Also
useful is Capers Jones Assessment and Control of Software Risks (Yourdon Press, 1994).
Understanding the language and concepts of risk is a good place to start deciding what kinds
of data you need to capture.