Software Engineering Lecture 6: Risk Analysis & Management.
Software Engineering
Lecture 6: Risk Analysis & Management

Today’s Topics
Reactive vs. proactive strategies
Types of software risk
Risk identification & projection
Risk mitigation, monitoring, management (RMMM)
Safety risks and hazards

Characterizing Risk
Risk concerns the future
• What can we do today to avoid problems tomorrow?
Risk involves change
• What aspects of the problem domain and solution are unstable?
Risk involves choice & uncertainty
• We often make decisions based on incomplete information

Quotes
“..risk, like death and taxes, is one of the few certainties of life” [Charette, 1989]
“While it is futile to try to eliminate risk, and questionable to try to minimize it, it is essential that the risks taken be the right risks.” [Drucker, 1975]

Reactive vs. Proactive Strategies
Reactive
• “Indiana Jones school of risk management”
• Risk management = Crisis management (“fire-fighting mode”)

Reactive vs. Proactive [2]
Proactive
• Identify risks in advance
• Assess probability, impact
• Prioritize by importance
• Explicit risk management plan
• “Risk is unavoidable”

Software Risks
uncertainty: The event that characterizes the risk may or may not happen; P never equals 1.0
loss: If the risk becomes a reality, unwanted consequences or losses will occur
Important to quantify these for each risk analyzed!

Categories of Risk
Project risks
Technical risks
Business risks
Known risks
Predictable risks
Unknown risks

Project Risks
Threaten the project plan
Problems with budget, schedule, personnel, resources, customer, requirements

Technical Risks
Threaten quality and timeliness of software
“Implementation may become difficult or impossible”
Problems with design, implementation, interfacing, verification, maintenance

Technical Risks (2)
Include specification ambiguity, technical uncertainty, technical obsolescence, “leading-edge” technology
“The problem is harder to solve than we thought it would be”

Business Risks
No market for product (market risk)
Product no longer fits in the business plan (strategic risk)
Sales force doesn’t know how to sell the product (sales risk)
Loss of management support (management risk)
Loss of budget, people (resource risk)

Known Risks
Uncovered during plan evaluation
Examples:
• Unrealistic delivery date
• Lack of documented requirements
• Lack of scope
• Poor development environment

Predictable Risks
Extrapolate from past experience
Examples:
• Staff turnover
• Poor customer communication
• Dilution of staff effort by maintenance

Unpredictable Risks
Everything else that can’t be anticipated…
Experience in a particular development domain suggests certain risk factors that can and should be applied globally

Risk Identification
Specify threats to the project plan
“Identification is the better part of mitigation”
“If you don’t actively attack the risks, they will attack you” [Gilb, 1988]

Risk Subcategories
Generic risks (affect every software project)
Product-specific risks, specific to:
• the particular technology
• the specific individuals
• the particular environment

Risk Item Checklist
Product size: What risks are associated with overall size of the software?
Business impact: Risks associated with management or market constraints

Risk Checklist [2]
Customer characteristics: risks associated with the sophistication and communication skills of the customers
Process definition: risks associated with the maturity of the development process

Risk Checklist [3]
Development environment: risks associated with the quality of development tools
Technology to be built: risks associated with system complexity and ‘newness’ of the solution
Staff size and experience

Product Size Risks
Estimate LOC or FP
• degree of confidence in estimates?
• # of programs, files, events?
• % deviation from average size?

Size Risks [2]
Size of associated database(s)?
Number of users?
Number of projected requirements changes?
Amount of reused software?

Business Impact Risks
Impact on revenue?
Visibility to management?
Reasonableness of deadlines?
Number of customers?
Consistency of customers?

Business Risks [2]
Interoperability?
User sophistication?
Documentation required?
Government constraints?
Cost of late delivery, defects?

Customer-Related Risks
Customers have different needs and personalities
Customer / supplier relationships vary
Customers are contradictory
“Bad” customers are a significant threat and a substantial risk

Generic Customer Risks
Have you worked with them before?
Do they understand what is needed?
Are they willing to write specs?
Are they willing to attend reviews?
Level of technical understanding?
Do they understand the development process?

Process Risks
Is there a standard development process which is well-documented?
Do staff follow the process?
Do they have adequate training?
Do you track the process with formal reviews and walkthroughs?
Do you use configuration management?

Technology Risks
Is the technology new to you?
New algorithms or I/O?
Interface with new/unproven HW/SW/DB?
Specialized user interface?
New analysis, design, testing methods?

Technology Risks (2)
Unconventional development methods? (e.g., AI)
Excessive performance constraints?
Customer uncertain about feasibility?

Impact Assessment
Four risk types:
• Performance Risk, Cost Risk, Support Risk, Schedule Risk
Four impact categories:
• Negligible, Marginal, Critical, Catastrophic
Characterization of consequences
• (1) errors, (2) failure to achieve outcome

Impact Assessment
[From SEPA 5/e]

Sample Risk Table
[From SEPA 5/e]
Assigned using impact assessment table

Risk and Management Concern
[From SEPA 5/e]

Risk Referent Level
[From SEPA 5/e]

RMMM
Risk Mitigation, Monitoring, and Management
• Mitigation: Reduce probability and/or impact of risks in advance
• Monitoring: Watch factors that indicate change in risk probability
• Management: Implement contingency plan(s)

RMMM (2)
RMMM adds overhead!
80/20 rule: 80% of overall risk from 20% of identified factors
RMMM Plan
• for every risk above a certain threshold, create a risk information sheet (RIS)
• track / update RMMM plan regularly

Risk Information Sheet
[From SEPA 5/e]

Safety Risks and Hazards
Classic case: control systems
Language systems: critical control or instructional scenarios
Mitigation:
• limit scope of software, increase human role
• limit scope of human intervention, increase redundant backup systems

Questions?