Software risk analysis and management
Download as PPTX, PDFā¢1 likeā¢551 views
The document outlines concepts related to software risk analysis, including definitions of risk, types of risks (internal and external), and examples of scenarios where risks arise. It discusses the processes of risk identification, analysis, management, and treatment, highlighting strengths and limitations of risk analysis. Additionally, it includes a case study that examines risk assessment in a financial service company to validate their information systems and improve security measures.
Software risk analysis and management
- 1. Ā© 2017 ONE BCG. All Rights Reserved. Software Risk Analysis
- 2. 2 Ā© 2017 ONE BCG. All Rights Reserved. Table of Contents Presentation focuses on the below stated items :- ā¢ What is a Risk? ā¢ Types of Risks ā¢ Examples of Risks ā¢ Why does Risk arouse? ā¢ Why bother with Risks? ā¢ Risk Analysis and Management ā¢ Elements of Risk Analysis ā¢ Strengths of Risk Analysis ā¢ Limitations of Risk Analysis ā¢ Conclusion ā¢ Case Study
- 3. 3 Ā© 2017 ONE BCG. All Rights Reserved. What is a Risk? ā¢ Probability of loss āorā potential negative event that may or may not occur in the future. ā¢ Loss can be anything i.e. increase in production cost, development of poor quality software, not meeting project deadlines, etc. - Software Risk: Possibility of suffering from loss in the Software Development Process. ā¢ Risk is caused due to the lack of information, time or future uncertainty. ā¢ It provides an opportunity to develop the project better. ā¢ Thereās a difference between a Problem and a Risk. - A problem is an event that has already occurred, but Risk is something thatās unpredictable.
- 4. 4 Ā© 2017 ONE BCG. All Rights Reserved. Types of Risks ā¢ Software Risk can be of two types: ā Internal Risks ā¢ Come from risk factors within the organization and arise during normal operation. ā¢ Within the control of the project team and are often forecastable, and thus can be avoided or mitigated. ā¢ Mainly arise from human āorā technical factors. ā External Risks ā¢ Difficult to control and come from risk factors outside the organization/project. ā¢ Beyond the control of the project team. ā¢ Mainly stem from legislative, environmental or political changes.
- 5. 5 Ā© 2017 ONE BCG. All Rights Reserved. Examples of Risks Example 1: Scenario ā¢ The team is working on a project and the developer walks out of the project due to unavoidable circumstances. ā¢ Another person is recruited in his place and he doesnāt work on the same platform. ā¢ A new developer converts it into the platform he is comfortable with. ā¢ Now the project has to yield the same result in the same period. A risk that can be drawn from the above Scenario. ā¢ Whether the team will be able to complete the project on time or not and thatās the Risk of Schedule.
- 6. 6 Ā© 2017 ONE BCG. All Rights Reserved. Examples of Risks Example 2: Scenario ā¢ BA has elicited requirements on what the Solution should deliver. ā¢ BA thus prepares the RSD (Requirement Specification Document) and sends it to stakeholders for feedback. ā¢ Most of the stakeholders respond and are requested for sign-off. Risks that can be drawn from the above Scenario ā¢ Requirements change before sign-off. ā¢ Stakeholders misunderstand the RSD. ā¢ A few key stakeholders are unavailable to participate. ā¢ One stakeholder refuses to sign-off.
- 7. 7 Ā© 2017 ONE BCG. All Rights Reserved. Why does Risks arouse? ā¢ Software Risks arise mainly of three possible cases: ā Known Knowns ā¢ Risks are known to the entire project/team. ā¢ These are defined in the Project Management Plan. ā¢ Example: Project delay due to not having enough developers. ā Known Unknowns ā¢ The risks project team is aware of but is unsure whether they still exist or not. ā¢ Example: Requirements from the client are not captured properly and this fact is known to the project team. However, whether the client has communicated all the information properly or not is unknown to the project. ā Unknown Unknowns ā¢ Risks about which organization is unaware of. ā¢ Example: They are generally related to working with technology āorā tools that you have no idea about but your client wants to work that way.
- 8. 8 Ā© 2017 ONE BCG. All Rights Reserved. Risk Analysis and Management ā¢ Risk Analysis and Management involves the identification of the areas of uncertainty that could negatively affect value; Analyze and Evaluate those uncertainties; and also develops and manages the Ways of dealing with the Risks. ā¢ Risk Management is an ongoing activity i.e. continuous consultation and communication with stakeholders helps to both identify new Risks and to monitor the identified Risks. ā¢ The Project Team can develop plans for avoiding, reducing, or modifying the Risks, and when necessary, implementing these plans.
- 9. 9 Ā© 2017 ONE BCG. All Rights Reserved. Elements of Risk Analysis - Identification ā¢ The goal is to identify a comprehensive set of relevant Risks and to minimize the unknowns. ā¢ Risks are discovered and identified through a combination of expert judgment, stakeholder input, experimentation, past experiences, and historical analysis of similar initiatives and situations. ā¢ A Risk event could be due to one occurrence, several occurrences, or even a non- occurrence. ā¢ A Risk condition could be just one event or a combination of events. One event or condition may have several consequences, and one consequence may be caused by several different events or conditions.
- 10. 10 Ā© 2017 ONE BCG. All Rights Reserved. Elements of Risk Analysis - Analysis ā¢ Analysis of a Risk involves understanding the Risk and estimating the level of a Risk. ā Sometimes controls may already be in place to deal with some Risks, and these should be taken into account when analyzing the Risk. ā¢ The likelihood of its occurrence could be expressed as a probability either on a numerical scale or with values such as Low, Medium, and High. ā¢ The impact of any Risk can be described in terms of cost, duration, solution scope, solution quality, or any other factor agreed to by the stakeholders such as reputation, compliance, or social responsibility.
- 11. 11 Ā© 2017 ONE BCG. All Rights Reserved. Elements of Risk Analysis - Analysis ā¢ Each Risk can be described in a āRisk Registerā that supports the analysis of those Risks and Plans for addressing them.
- 12. 12 Ā© 2017 ONE BCG. All Rights Reserved. Elements of Risk Analysis - Analysis ā¢ The āRisk Impact Scaleā is the best way to showcase the impact of Risks.
- 13. 13 Ā© 2017 ONE BCG. All Rights Reserved. Elements of Risk Analysis - Evaluation ā¢ The Risk Analysis results are compared with the potential value of the change āorā of the solution to determine if the level of Risk is acceptable or not. ā¢ An overall project Risk level may be determined by adding up all the individual risk levels.
- 14. 14 Ā© 2017 ONE BCG. All Rights Reserved. Elements of Risk Analysis - Treatment There are four possible ways to deal with Risks: ā Avoid: Eliminate the threat āorā protect the project from its impact. Common actions that can eliminate Risks are ā¢ Change the scope of the project. ā¢ Extend the schedule to eliminate a Risk to timely project completion. ā¢ Change project objectives. ā¢ Clarify requirements to eliminate ambiguities and misunderstandings. ā Transfer: This involves moving the impact of the Risk to a third party.
- 15. 15 Ā© 2017 ONE BCG. All Rights Reserved. Elements of Risk Analysis - Treatment ā Mitigate: Reduce the probability or impact of the risk. This is not always possible and often comes with a price that must be balanced against the value of performing the mitigating action. ā Accept: Sometimes there is no other alternative than to proceed with the project and accept the Risk. But producing documentation, holding meetings, and communicating the Risk with stakeholders can go a long way toward minimizing the damage.
- 16. 16 Ā© 2017 ONE BCG. All Rights Reserved. Strengths of Risk Analysis ā¢ It can be applied to Strategic Risks which affect the long-term value of the enterprise; Tactical Risks which affect the value of a change; and Operational Risks which affect the value of a solution once the change is made. ā¢ An organization typically faces similar challenges on many of its initiatives. The successful Risk responses on one initiative can be useful lessons learned for other initiatives. ā¢ The Risk level of a change āorā of a solution could vary over time. Ongoing Risk Management helps to recognize that variation and to re-evaluate the Risks and the suitability of the planned responses. ā¢ It can transform Risks into a threshold for new opportunities. ā¢ Prevents department isolation.
- 17. 17 Ā© 2017 ONE BCG. All Rights Reserved. Limitations of Risk Analysis ā¢ The number of possible Risks to most projects can easily become unmanageably large. It may only be possible to manage a subset of potential Risks. ā¢ There is the possibility that significant Risks are not identified. ā¢ High dependency on team experience. ā¢ Vague, difficult to implement plans.
- 18. 18 Ā© 2017 ONE BCG. All Rights Reserved. Conclusion ā¢ Managing Risks doesnāt mean one will be able to fend off all the unwanted events from the project but it does imply that when āorā if they do happen, youāre prepared to respond to them. ā¢ No matter how hard one tries, it is impossible to plan for every single Risk. ā¢ As soon as something is noticed thatās not quite right, don't mull over it excessively - voice it out and collaborate with the project team to develop an effective strategy for responding to it.
- 19. 19 Ā© 2017 ONE BCG. All Rights Reserved. Case Study - Todd Herman Associates ā¢ Situation: ā This company provides various financial, accounting, investment management, and tax services to its clients. Information Systems play a critical role in delivering these services. ā¢ Problem: ā This company outsourced much of its Information Systems function. ā Executives and management believed that this arrangement was working well and that the network / certain applications were being adequately maintained and protected under the guidance of their network service provider. ā Top Executives, however, wanted to validate this belief, both for their peace of mind, as well as to be able to answer questions from clients, auditors, and bankers.
- 20. 20 Ā© 2017 ONE BCG. All Rights Reserved. Case Study - Todd Herman Associates ā¢ Solution: ā Our approach was to perform an Initial Risk Assessment related to network, infrastructure and security technologies in use, to assess the level of Risks associated (High, Medium, or Low). ā The team performed the Risk Assessment taking into consideration the various factors such as network availability, data security, etc. ā¢ Results after Assessment and Recommendations: ā Several areas that management had not truly assessed were shown to have better security than believed. ā The internal and external threat assessments identified specific steps required to mitigate several remaining Risks. ā Upon completion of these steps, management responsible for the Information Systems function was better able to assess potential Risks, through knowledge and techniques learned during this engagement
- 21. 21 Ā© 2017 ONE BCG. All Rights Reserved. You can measure opportunity with the same yardstick that measures the risk involved. They go together. ā Earl Nightingale
- 22. 22 Ā© 2017 ONE BCG. All Rights Reserved. Thank You !