Summary
Few software projects are completed on time, on budget, and to their original specifications. Focusing on what practitioners need to know about risk in the pursuit of delivering software projects, Applied Software Risk Management: A Guide for Software Project Managers covers key components of the risk management process and the software development process, as well as best practices for software risk identification, risk planning, and risk analysis.
Written in a clear and concise manner, this resource presents concepts and practical insight into managing risk. It first covers risk-driven project management, risk management processes, risk attributes, risk identification, and risk analysis. The book continues by examining responses to risk, the tracking and modeling of risks, intelligence gathering, and integrated risk management. It concludes with details on drafting and implementing procedures. A diary of a risk manager provides insight into implementing risk management processes.
Bringing together concepts across software engineering with a project management perspective, Applied Software Risk Management: A Guide for Software Project Managers presents a rigorous, scientific method for identifying, analyzing, and resolving risk.
Author Notes
Pandian, C. Ravindranath
Table of Contents
1 Risk Culture | p. 1 |
1.1 Risk Thinking | p. 1 |
1.2 What Is Risk? | p. 2 |
1.3 A Boundary Problem | p. 3 |
1.4 Expressing Risk: The Basic Terms | p. 6 |
1.4.1 Additional Terms | p. 6 |
1.5 Risk Vocabulary | p. 6 |
1.6 Risk-Driven Project Management | p. 7 |
1.6.1 Project Visibility | p. 7 |
1.6.2 Goal Setting | p. 7 |
1.6.3 Product Development | p. 7 |
1.6.4 Development | p. 8 |
1.6.5 Maintenance | p. 9 |
1.6.6 Supply Chain | p. 9 |
1.7 Controlling the Process, Environment, and Risk | p. 10 |
1.7.1 Process Management and Risk Management | p. 10 |
1.7.2 SPC and Risk | p. 10 |
1.7.3 Five S and Risk | p. 10 |
1.7.4 Defect Prevention and Risk Management | p. 11 |
1.8 Maturity in Risk Culture | p. 11 |
1.9 Risk Scale | p. 13 |
1.9.1 Case Study | p. 14 |
1.9.1.1 Background Data | p. 14 |
1.9.1.2 Comments | p. 14 |
1.9.1.3 What Do We Learn from This Example? | p. 15 |
1.10 Preparing for Risk | p. 15 |
1.10.1 People | p. 15 |
1.10.2 Communication | p. 16 |
1.10.3 Body of Knowledge | p. 16 |
1.10.4 Metrics | p. 16 |
1.10.5 Estimation Models | p. 17 |
1.10.6 Detailed Planning | p. 17 |
1.10.7 Effective Defect Management | p. 17 |
2 Risk Management Process | p. 19 |
2.1 What Is Risk Management? | p. 19 |
2.1.1 Risk or Opportunity? | p. 20 |
2.2 Risk Management Paradigms | p. 21 |
2.3 Is There a Process? | p. 23 |
2.4 In Real Life | p. 23 |
2.5 Five Models for Risk Management | p. 24 |
2.5.1 The Core Models | p. 24 |
2.5.2 Superstructure Models | p. 24 |
2.5.3 Application of the Models | p. 24 |
2.6 Model 1: The Organic Risk Management Process | p. 25 |
2.6.1 An Analogy | p. 25 |
2.6.2 Comments | p. 26 |
2.7 Model 2: Goal Selection | p. 26 |
2.8 Thinking about Less Risky Alternatives | p. 27 |
2.8.1 Category 1 Risk-Informed Project Objectives | p. 27 |
2.8.2 Category 2 Risk-Informed Product Goals | p. 27 |
2.8.3 Category 3 Risk-Informed Requirement Management | p. 27 |
2.8.4 Category 4 Risk-Informed Milestone Design | p. 28 |
2.8.5 Category 5 Risk-Informed WBS | p. 28 |
2.9 Model 3: Minimum Risk Management | p. 28 |
2.9.1 Creating Risk Awareness Is Risk Management | p. 29 |
2.10 Model 4: Medium-Scale Risk Management | p. 29 |
2.10.1 Risk Management Is Acting upon Risk Awareness | p. 31 |
2.11 Model 5: IAMT Cycle | p. 31 |
2.12 Model 6: Full-Scale Risk Management | p. 31 |
2.12.1 Initiative 1 | p. 33 |
2.12.2 Initiative 2 | p. 33 |
2.12.3 Initiative 3 | p. 33 |
2.13 Risk Management at Different Levels | p. 33 |
2.13.1 The Mixup | p. 35 |
2.13.2 External Risks and Layers | p. 35 |
2.13.3 Can We Manage Subprocess Risks? | p. 35 |
2.13.4 Project-Level Risk Management | p. 36 |
2.13.5 Program-Level Risk Management | p. 36 |
2.13.6 SBU-Level Risk Management | p. 36 |
2.13.7 Enterprise Risk Management | p. 36 |
2.14 Risk Escalation | p. 37 |
2.14.1 Risk Elevation | p. 37 |
2.14.2 Troubleshooting Move | p. 37 |
2.14.3 Lack of Cooperation | p. 38 |
3 Risk Attributes | p. 41 |
3.1 Risk Classification | p. 41 |
3.2 Risk Attributes | p. 41 |
3.3 Risk Origin | p. 44 |
3.3.1 Internal Risks | p. 44 |
3.3.2 External Risks | p. 44 |
3.3.3 Drawing the Boundary Line between Internal and External | p. 44 |
3.3.4 Break Boundaries Within | p. 45 |
3.3.5 External Risks: A Class Apart | p. 45 |
3.3.6 Vendor Risks | p. 46 |
3.4 Screening the Risks | p. 46 |
3.4.1 Hazard Risks | p. 46 |
3.4.2 Constraint Risks | p. 47 |
3.4.3 Nominal Risks | p. 47 |
3.4.4 Trivial Risks | p. 47 |
3.5 Three P's | p. 47 |
3.5.1 Project Risks | p. 48 |
3.5.2 Process Risks | p. 49 |
3.5.3 Product Risks | p. 49 |
3.6 Risk Severity | p. 50 |
3.7 SEI Risk Taxonomy | p. 51 |
3.8 Risk Levels | p. 52 |
3.9 Time Element | p. 52 |
3.10 Affected Process Areas | p. 54 |
3.11 Affected Key Result Areas (KRA) | p. 54 |
3.12 Affected Goals | p. 54 |
3.13 Affected Requirements | p. 54 |
3.14 Risk Name | p. 54 |
3.15 Who Will Assign the Attributes? | p. 55 |
3.15.1 Extension of Attributes | p. 55 |
3.15.2 Risk Record Structure | p. 55 |
3.15.3 Risk Classification Is Risk Measurement | p. 56 |
4 Risk Identification | p. 57 |
4.1 The Meaning of Risk Identification | p. 57 |
4.2 Risk Identification Methods | p. 58 |
4.2.1 Type I: Intuitive Methods | p. 59 |
4.2.1.1 Mind Mapping | p. 59 |
4.2.1.2 Brainstorming | p. 60 |
4.2.1.3 Out-of-the-Box Thinking | p. 60 |
4.2.1.4 Analogy | p. 61 |
4.2.2 Type I: History-Based Methods | p. 61 |
4.2.2.1 Top Ten Risks | p. 61 |
4.2.2.2 Risk Checklist | p. 63 |
4.2.2.3 Taxonomy-Based Questionnaire | p. 63 |
4.2.3 Type II: Project-Specific Risk Identification | p. 65 |
4.2.3.1 Phase I: Context Setting | p. 65 |
4.2.3.2 Phase II: Data Gathering | p. 65 |
4.2.3.3 Phase III: Risk Discovery | p. 67 |
4.2.3.4 Phase IV: Assigning Attributes | p. 69 |
4.2.3.5 Phase V: Validation | p. 70 |
4.2.3.6 Phase VI: List | p. 72 |
4.3 Levels in Identification | p. 72 |
4.3.1 Process-Level Risk Identification | p. 72 |
4.3.2 Project-Level Risk Identification | p. 72 |
4.3.3 Enterprise-Level Risk Identification | p. 72 |
4.4 Identifying Product Risks | p. 73 |
4.4.1 Distinguishing Product Risks from Process Risks | p. 73 |
4.4.2 Distinguishing Product Risks from Product Defects | p. 73 |
4.4.3 Product Risk Management versus Defect Management | p. 74 |
4.5 Implementing Risk Identification Processes | p. 74 |
5 Risk Analysis | p. 81 |
5.1 Scope and Purpose of Risk Analysis | p. 81 |
5.1.1 Bias for Action | p. 81 |
5.1.2 Risk Selection | p. 82 |
5.1.3 Types of Risk Analysis | p. 82 |
5.2 First-Order Analysis | p. 83 |
5.2.1 Analysis 1: Risk Screening | p. 83 |
5.2.2 Analysis 2: Quadrant Map | p. 84 |
5.2.3 Analysis 3: Top Ten Risks List | p. 86 |
5.3 Useful Risk Distribution Analysis | p. 87 |
5.3.1 Analysis 4: Internal-External Risk Distribution | p. 87 |
5.3.2 Analysis 5: Project, Product, Process Risk Distribution | p. 88 |
5.3.3 Analysis 6: Process Risk Signature | p. 88 |
5.3.4 Analysis 7: Time Analysis | p. 89 |
5.3.5 Analysis 8: Causal Analysis | p. 90 |
5.4 Seeing the Larger Picture | p. 92 |
5.4.1 Analysis 9: The Process Map | p. 92 |
5.4.2 Analysis 10: Performance Area Map | p. 93 |
5.5 Risk Levels and Analysis Effort | p. 93 |
5.6 Ownerless Risks | p. 94 |
5.7 Putting Together the Preliminary Analyses | p. 94 |
5.8 The Analysis Report | p. 94 |
5.9 More Analysis | p. 95 |
5.10 How to Implement Analysis | p. 95 |
6 Responding to Risk | p. 97 |
6.1 Getting Started | p. 97 |
6.2 Special Treatment for Catastrophic Risks | p. 98 |
6.2.1 Communicate Risks | p. 98 |
6.2.2 Find Solutions | p. 98 |
6.2.3 Carry People Along | p. 99 |
6.2.4 The Action Plan | p. 99 |
6.2.5 Organizational Response to Hazard | p. 100 |
6.2.6 Fallacy of Risk Ranks | p. 100 |
6.2.7 Beyond Statistics | p. 100 |
6.3 The Constraint Risks | p. 100 |
6.4 Responding to Ordinary Threats | p. 101 |
6.5 A Comparison of Two Levels of Response | p. 101 |
6.6 Risk Response Plans | p. 102 |
6.7 Risk Avoidance | p. 102 |
6.8 Risk Transfer | p. 102 |
6.9 Risk Acceptance | p. 103 |
6.10 Risk Monitoring | p. 103 |
6.11 Risk Mitigation | p. 103 |
6.11.1 The Questions | p. 104 |
6.11.2 A Risk Mitigation Plan Case Study | p. 105 |
6.12 Contingency Plans | p. 107 |
6.12.1 Continuous Monitoring | p. 107 |
6.12.2 Triggers | p. 107 |
6.12.3 The Onset | p. 108 |
6.13 Strategic Plan | p. 109 |
6.14 Risk Escalation | p. 109 |
6.15 Implementing Risk Response | p. 110 |
6.15.1 Suggestions | p. 112 |
7 Risk Tracking | p. 113 |
7.1 What Do We Track in Risks? | p. 113 |
7.2 A Moving Target | p. 113 |
7.3 Tracking Risk Response Plans | p. 114 |
7.4 Tracking the Bigger Response: Audits | p. 115 |
7.5 Tracking Hazard Risks | p. 116 |
7.6 Trigger Levels | p. 116 |
Case Study: How Wrong Triggers Fail Risk Management | p. 117 |
7.7 Tracking Project Risks | p. 118 |
7.7.1 Tracking until Project Ends | p. 118 |
7.7.2 Milestone Risk Review | p. 119 |
7.7.3 Performance Targets and Risks | p. 119 |
7.8 Tracking Operational Risks | p. 119 |
7.8.1 Tracking Risk Exposure | p. 119 |
7.8.2 Categorywise REN | p. 120 |
7.8.3 Risk Metric | p. 120 |
7.8.4 Risk Closure | p. 120 |
7.9 Tracking Enterprise Risks | p. 120 |
7.10 Learning by Tracking | p. 121 |
7.10.1 Tracking Improves Risk Management | p. 121 |
7.10.2 Surprises | p. 121 |
7.10.2.1 Surprise 1: No Real Risk | p. 122 |
7.10.2.2 Surprise 2: Other Forces in Action | p. 122 |
7.10.2.3 Surprise 3: True Risk Definition | p. 122 |
7.11 Risk Tracker Tool | p. 122 |
7.12 The Hardening of Risks | p. 123 |
7.12.1 Hardening of Business Risks | p. 123 |
7.12.2 Hardening of Product Risks | p. 124 |
7.12.3 Hardening of Process Risks | p. 125 |
7.12.4 Hardening of Project Risks | p. 125 |
7.13 Implementing Risk Tracking | p. 125 |
7.13.1 Suggestions | p. 125 |
8 Risk Models | p. 127 |
8.1 Why Models? | p. 127 |
8.1.1 Models Connect | p. 127 |
8.1.2 Models Enable Risk Discovery | p. 127 |
8.1.3 Models Integrate | p. 128 |
8.1.4 Models Give Visibility | p. 128 |
8.1.5 Types of Models | p. 129 |
8.2 Simple Risk Models | p. 129 |
8.2.1 Matrix Models | p. 129 |
8.2.2 Tree Models | p. 130 |
8.2.3 Failure Mode Effects Analysis (FMEA) | p. 132 |
8.2.3.1 Managing Product Risk Using FMEA | p. 134 |
8.2.4 Affinity Diagram | p. 137 |
8.2.5 Risk Line | p. 139 |
8.2.6 Probability Density Function (pdf) | p. 140 |
8.2.7 Risk Simulation | p. 142 |
8.3 Implementing Risk Models | p. 143 |
9 Risk Intelligence | p. 145 |
9.1 Natural Warning Systems | p. 145 |
9.2 Metrics Models | p. 146 |
9.2.1 Metrics Choice | p. 146 |
9.2.2 Product Risk Metrics: An Example | p. 146 |
9.2.3 Early Indicators | p. 147 |
9.2.4 Control Charts | p. 147 |
9.2.5 Scorecard | p. 147 |
9.3 Earned Value Model | p. 148 |
9.4 Estimation Model | p. 149 |
9.4.1 Using COCOMO to Study Risk | p. 149 |
9.5 Requirement Model | p. 151 |
9.5.1 Kano Model | p. 151 |
9.6 Critical Path Model | p. 154 |
9.7 WBS Model | p. 156 |
9.8 PERT Model of Risk | p. 157 |
9.8.1 Task Network Scenario A | p. 157 |
9.8.2 Task Network Scenario B | p. 157 |
9.8.3 Task Network Scenario C | p. 158 |
9.9 Implementing Risk Intelligence | p. 159 |
10 Feed Forward | p. 161 |
10.1 Beyond Risk-Reports | p. 161 |
10.2 Passing Knowledge Forward | p. 162 |
10.3 Risk Communication: The Critical Need | p. 163 |
10.4 Ten Barriers to Risk Communication | p. 164 |
10.5 Risk Dashboard | p. 165 |
10.5.1 Traffic Lights | p. 165 |
10.5.2 Risk Scorecard | p. 166 |
10.6 Analytical Views | p. 166 |
10.7 Use of Models | p. 167 |
10.8 The Tool | p. 167 |
10.8.1 Risk Reports | p. 169 |
10.9 Risk Closure Report | p. 170 |
10.10 Better Than SPC | p. 171 |
10.11 Incorporating FFL in Risk Management | p. 171 |
11 Integrated Risk Management | p. 173 |
11.1 Economy Drive | p. 173 |
11.1.1 A Problem | p. 173 |
11.1.2 The Need for an Integrated Approach | p. 173 |
11.1.3 Interfaces | p. 174 |
11.1.4 Collaboration | p. 174 |
11.2 The Visible and the Invisible | p. 175 |
11.2.1 Two Worlds | p. 175 |
11.2.2 Connecting Threads | p. 175 |
11.2.3 An Example | p. 176 |
11.3 The Positive and the Negative | p. 176 |
11.4 Program-Level Integration | p. 177 |
11.4.1 Artifacts for Risk Integration | p. 177 |
11.4.2 Decision Analysis | p. 178 |
11.5 Strategic Business Unit (SBU)-Level Integration | p. 178 |
11.6 Enterprise-Level Integration | p. 178 |
11.7 Integrated Plans | p. 178 |
11.7.1 Transfer to Other Plans | p. 179 |
11.8 Integrated Risk Management: An Agile Process | p. 179 |
11.9 How to Establish Integrated Risk Management | p. 180 |
12 Risk Management: Draft Procedures | p. 183 |
12.1 Can There Be a Procedure? | p. 183 |
12.1.1 Dangers of the Stereotype | p. 183 |
12.1.2 Procedure Is Only a Tool | p. 183 |
12.1.3 Risk Is a Game | p. 184 |
12.2 The Risk Arena | p. 184 |
12.3.1 Culture versus Procedure | p. 184 |
12.3 Symptoms of Not Having a Formal Risk Management Procedure | p. 184 |
12.4 The Anatomy of a Risk Management Procedure | p. 185 |
12.4.1 Evolution | p. 185 |
12.4.2 Empathetic Initiative | p. 186 |
12.4.3 The Layers | p. 186 |
12.5 For Whom? | p. 186 |
12.6 Implementing the Procedures | p. 187 |
12.7 Procedure 1: Risk Management at Project and Operations Level | p. 188 |
12.8 Procedure 2: Enterprise Risk Management | p. 196 |
Appendix A Caper Jones's Risk | p. 203 |
Appendix B Rex Black's Quality Risk List | p. 205 |
Appendix C SEI Risk Taxonomy | p. 207 |
Appendix D Top N Software Risks | p. 211 |
Appendix E PMI, Risk Management Process | p. 213 |
Appendix F IRM, Risk Management Standard | p. 217 |
Appendix G Continuous Risk Management (CRM) Paradigm | p. 219 |
Appendix H Barry Boehm's Risk Management Process | p. 221 |
Appendix I Risk Management in CMMi | p. 223 |
Appendix J Requirement Risk versus Measurable Quality Attributes | p. 225 |
Appendix K Diary of a Risk Manager | p. 227 |
Risk Glossary | p. 237 |
References | p. 239 |
Index | p. 243 |