Project
RISK ASSESSMENT & MANAGEMENT
By
SE512
Managing Software Development
Assoc. Prof. Dr. Kamil Dimiler
I would like to present very special thanks to my Assoc. Prof. Dr. Kamil Dimiler who had guide
me since the beginning of Project. Thanks to him for provide guidance, advice, and useful feedback
regarding the semester project either in documentation parts or technical parts. In addition,
guideline and briefing on how to produce a good quality report for this project also provided to
me.
Besides that, my thanks also go to my parents who keep on encouraging me while I facing problem
and when I going to give up. Without their support, I may not be able finish my semester project
on time. Their supports are truly appreciated.
2
ABSTRACTS
The project is concerned with the risks associated with software development and with the range
of factors that can impact on the quality of the project management process. The management goal
is to mitigate these risks leaving the project plan as unperturbed as possible. To achieve this goal
risk analysis must attempt to identify the high risk elements of the project, provide ways of
documenting the impacts of risk mitigation strategies and review the risks on a continuing basis as
the project proceeds. A model is proposed for such risk analysis and to demonstrate its realization
Risk management's importance to software development is greater now than ever before. The
importance stems from the growing role software plays in delivering value to customers. As we
move to a knowledge economy, software embodies the knowledge that brings value. Software
applications have become larger, more complex, more susceptible to attack and unanticipated
interactions. They are being called on to solve problems for which solutions may not be possible;
either the knowledge doesn't yet exist to solve the problem or a reliable solution doesn't exist
3
TABLE OF CONTENTS
ACKNOWLEDGEMENT .............................................................................................................. 2
ABSTRACTS ................................................................................................................................. 3
1. Introduction ............................................................................................................................. 7
4
11.4 Risk Control Cycle ..................................................................................................... 20
REFERENCES ............................................................................................................................. 23
5
LIST OF FIGURES
6
1. Introduction
Risk management is one of the most important jobs for a project manager. Risk management
involves anticipating risks that might affect the project schedule or the quality of the software
being developed, and then taking action to avoid these risks.
Risk management is the process of identifying vulnerabilities in an organization’s
information systems and taking carefully reasoned steps to assure the confidentiality,
integrity, and availability of all the components in the organization’s information systems
The primary deliverable from risk assessment was a list of documented vulnerabilities,
ranked by criticality of impact
2. Categories of Risk
1. Project risks: Risk that affect the project schedule or resources. An example of a project risk is
the loss of an experienced designer. Finding a replacement designer with appropriate skills and
experience may take a long time and, consequently, the software design will take longer to
complete.
2. Product risks: Risk that affect the quality or performance of the software being developed. An
example of a product risk is the failure of a purchased component to perform as expected. This
may affect the overall performance of the system so that it is slower than expected.
3. Business risks: Risk that affect the organization developing or procuring the software. For
example, a competitor introducing a new product is a business risk. The introduction of a
competitive product may mean that the assumptions made about sales of existing software products
may be unduly optimistic.
Of course, these risk types overlap. If an experienced programmer leaves a project this can be a
project risk because, even if they are immediately replaced, the schedule will be affected. It
inevitably takes time for a new project member to understand the work that has been done, so they
cannot be immediately productive. Consequently, the delivery of the system may be delayed. The
loss of a team member can also be a product risk because a replacement may not be as experienced
and so could make programming errors. Finally, it can be a business risk because that
programmer’s experience may be crucial in winning new contracts. You should record the results
of the risk analysis in the project plan along with a consequence analysis, which sets out the
7
consequences of the risk for the project, product, and business. Effective risk management makes
it easier to cope with problems and to ensure that these do not lead to unacceptable budget or
schedule slippage.
Risk management is particularly important for software projects because of the inherent
uncertainties that most projects face. These stem from loosely defined requirements, requirements
changes due to changes in customer needs, difficulties in estimating the time and resources
required for software development, and differences in individual skills. You have to anticipate
risks; understand the impact of these risks on the project, the product, and the business; and take
steps to avoid these risks. You may need to draw up contingency plans so that, if the risks do occur,
you can take immediate recovery action.
8
Figure 1: The process of risk management
9
You then need to prune this list to a manageable size. If you have too many risks, it is practically
impossible to keep track of all of them.
4.2 Risk analysis
During the risk analysis process, you have to consider each identified risk and make a judgment
about the probability and seriousness of that risk. There is no easy way to do this.
1. The probability of the risk might be assessed as very low (_ 10%), low (10–25%), moderate
(25–50%), high (50–75%), or very high (_ 75%).
2. The effects of the risk might be assessed as catastrophic (threaten the survival of the project),
serious (would cause major delays), tolerable (delays are within allowed contingency), or
insignificant.
You should then tabulate the results of this analysis process using a table ordered according to the
seriousness of the risk. Figure 3 illustrates this for the risks that I have identified in Figure 2.
Obviously, the assessment of probability and seriousness is arbitrary here. To make this
assessment, you need detailed information about the project, the process, the development team,
and the organization. Of course, both the probability and the assessment of the effects of a risk
may change as more information about the risk becomes available and as risk management plans
10
are implemented. Therefore, you should update this table during each iteration of the risk process.
Once the risks have been analyzed and ranked, you should assess which of these risks are most
significant. Your judgment must depend on a combination of the probability of the risk arising and
the effects of that risk. In general, catastrophic risks should always be considered, as should all
serious risks that have more than a moderate probability of occurrence.
11
Figure 4: Strategies to help manage risk
Again, there is no simple process that can be followed for contingency planning. It relies on the
judgment and experience of the project manager. Figure 4 shows possible risk management
strategies that have been identified for the key risks (i.e., those that are serious or intolerable)
shown in Figure 3.
These strategies fall into three categories:
1. Avoidance strategies following these strategies means that the probability that the risk will arise
will be reduced. An example of a risk avoidance strategy is the strategy for dealing with defective
components shown in Figure 4.
2. Minimization strategies following these strategies means that the impact of the risk will be
reduced. An example of a risk minimization strategy is the strategy for staff illness shown in Fig4.
3. Contingency plans following these strategies means that you are prepared for the worst and
have a strategy in place to deal with it. An example of a contingency strategy is the strategy for
organizational financial problems that I have shown in Figure 4.
You can see a clear analogy here with the strategies used in critical systems to from failures.
Obviously, it is best to use a strategy that avoids the risk. If this is not possible, you should use a
strategy that reduces the chances that the risk will have serious effects. Finally, you should have
12
strategies in place to cope with the risk if it arises. These should reduce the overall impact of a risk
on the project or product.
4.4 Risk monitoring
Risk monitoring is the process of checking that your assumptions about the product, process, and
business risks have not changed. You should regularly assess each of the identified risks to decide
whether or not that risk is becoming more or less probable. You should also think about whether
or not the effects of the risk have changed.
To do this, you have to look at other factors, such as the number of requirements change requests,
which give you clues about the risk probability and its effects.
These factors are obviously dependent on the types of risk. Figure 5 gives some examples of factors
that may be helpful in assessing these risk types. You should monitor risks regularly at all stages
in a project. At every management review, you should consider and discuss each of the key risks
separately. You should decide if the risk is more or less likely to arise and if the seriousness and
consequences of the risk have changed.
13
Step 1: Identify potential risks. Sit down and create a list of every possible risk and opportunity
you can think of. If you only focus on the threats, you could miss out on the chance to deliver
unexpected value to the customer or client. Ask your team to help you brainstorm during the
project planning process, since they might see possibilities that you don't. Here's a list of 130
project risks to get you started.
Step 2: Determine probability. What are the odds a certain risk will occur? It’s a lot more likely
that a key team member will be out for a week with the flu than develop total amnesia. Rate each
risk with high, medium, or low probability.
Step 3: Determine Impact. What would happen if each risk occurred? Would your final delivery
date get pushed back? Would you go over budget? Identify which risks have the biggest effect on
your project's outcomes, and rate them as high impact. Rate the rest as medium or low impact
risks.
14
Determine the existing controls and analyses risks in terms of consequence and likelihood in the
context of those controls
Evaluate risks
Compare estimated levels of risk against the pre-established criteria so risks can be ranked and
management priorities identified
Treat risks
Low-priority risks should be monitored and reviewed
For higher consequence risks, develop and implement a specific management plan or procedure
that includes consideration of all aspects required to mitigate the risk to an acceptable level
Monitor and review
Monitor and review the performance of the risk management system and changes that might affect
it
Communicate and consult
Communicate and consult with internal and external stakeholders as appropriate at each stage of
the risk management process as well as the process as a whole.
15
Reduce or allocate risks.
Provide a rational basis for better decision making in regards to all risks.
Plan.
Assessing and managing risks is the best weapon you have against project catastrophes. By
evaluating your plan for potential problems and developing strategies to address them, you’ll
improve your chances of a successful, if not perfect, project.
16
– Unforeseen regulatory requirements
– Natural disasters
– Vandalism, sabotage or unpredicted side effects
Predictable
– Market or operational risk
– Social
– Environmental
– Inflation
– Currency rate fluctuations
– Media
Technical
– Technology changes
– Risks stemming from design process
Legal
– Violating trademarks and licenses
– Sued for breach of contract
– Labor or workplace problem
– Litigation due to tort law
– Legislation
–
10 Risk Control Strategies
Risk control is an important part of risk management. It involves determining what to do with
uncontrolled risks. Some questions to ask when selecting a risk control strategy are, “What is an
acceptable level of risk?” and “What should I do about the risks?” There are four basic strategies
for controlling risks: avoidance, transference, mitigation, and acceptance.
Avoidance – This step involves preventing the exploitation of a vulnerability. This can be
accomplished through applying technical security controls and safeguards that eliminate or reduce
the uncontrolled risk. For example, “system administrators can configure systems to use
passwords where policy requires them and where the administrators are both aware of the
requirement and trained to implement it” (Mattord & Whitman, p.310).
17
Transference – This step involves shifting the risk to other areas or to outside entities. Some
companies transfer the risk by contracting with an outside company to provide security
expertise. For example, the organization might decide to contract with an ISP to outsource its Web
services. Risk can also be transferred by purchasing insurance. In this case, the insurance
company is responsible for the risk. The organization would be reimbursed if the risk actually
occurred.
Mitigation – This step involves taking a proactive approach to reduce the severity or impact should
an attacker successfully exploit a vulnerability. For example, an organization develops and
implements a disaster recovery plan in the event that a system attack causes disruption to
services. The disaster recovery plan would restore the organization’s IT operations to their former
state.
Acceptance – This step involves understanding the consequences and acknowledging the risk without any attempts
at control or mitigation. Some risks are accepted because they simply cannot be avoided. For example, a company
may decide to move its operations to the midwest part of the country where the market in that area is a perfect fit, yet
tornadoes are more prevalent. A tornado is a risk that cannot be avoided even though you can take necessary
precautions beforehand.
19
11.3 Risk Handling Decision points
20
12 Categories of controls
Controlling risk through avoidance, mitigation, or transference may be accomplished by
implementing controls or safeguards
One approach to selecting controls is by category:
– Control Function
– Architectural Layer
– Strategy Layer
– Information Security Principles
21
12.3 Strategy Layer
Controls are sometimes classified by the risk control strategy they operate within:
– avoidance
– mitigation
– transference
22
REFERENCES
23