GC

T6 Risk Management

Risk Management Overview

  • Presented By: Russell Lock, Loughborough University

Introduction to Risk Management

  • Every aspect of life involves some level of risk, including software development and operation.

  • Risk Management: A proactive approach encompassing processes that:

      • Identify potential issues.

      • Prioritize those issues.

      • Implement strategies to manage them effectively.

    • Particularly critical in safety-critical domains.

Risk Management Terminology

  • Hazard: An event or circumstance that could negatively impact the system or its users.

  • Risk: Describes a hazard's likelihood and impact.

  • Risk Analysis: The process of identifying probable hazards and determining their likelihood and potential impact.

Sources of Hazards

  • Technology:

    • Software product

    • Project tools

    • COTS (Commercial Off-The-Shelf) components

  • Software Process:

    • Requirements

    • Specifications

    • Documentation

  • Management:

    • Personnel

    • Training

    • Project schedules

    • Available resources

  • Business Context:

    • Customer relations

    • External competition

    • Internal politics

    • Regulatory requirements

  • Environmental Factors

Risk Analysis Process

  • Classifies identified hazards based on their probability and impact.

  • Allows for prioritization based on:

    • Ease of Mitigation: Focus on strategies that are cost-effective and quick to implement first.

    • Severity: Concentrate on risks with the potential for the most significant negative outcomes.

Measuring Risk: Probability

  • Probability, in the formal sense, is represented quantitatively with values ranging from 0 to 1.

    • Enables formal analysis of the severity of identified risks.

    • Stakeholders might prefer qualitative insights (e.g., "low," "medium," "high"), so an ordinal scale is often used for prioritization instead.

  • Example Mapping: 0 = Very unlikely to 5 = Occurring frequently.

Measuring Risk: Consequence

  • The effects of a hazard can vary and are often challenging to predict.

  • Consequence measurement can include:

    • Project delays

    • Financial costs of damage repair

    • Qualitative descriptors, e.g., insignificant, tolerable, catastrophic.

    • Numeric scaling: 1 = Insignificant to 5 = Catastrophic.

Four Quadrant Diagram Approach

  • Visual representation of risk assessment using four quadrants based on probability and consequence:

    • High Probability, High Consequence.

    • High Probability, Low Consequence.

    • Low Probability, High Consequence.

    • Low Probability, Low Consequence.

Risk Prioritization Formulas

  • Assign numerical scales to occurrence probability and consequences.

  • Formula:

    • Relative Risk = Probability of Occurrence x Consequence.

    • Both factors must use the same scale (e.g., 1-5) for effective prioritization.

Examples of Risk Assessment Results

  • Example risks scored with the formula (Probability x Consequence):

    • Sole developer being sick: Probability 2, Consequence 5 = 10.

    • Data protection law changes: Probability 1, Consequence 4 = 4.

    • Changes in stakeholder needs: Probability 4, Consequence 2 = 8.

Challenges in Prioritization

  • Determining the assessment scale typically falls to project managers, who usually lack access to risk management specialists.

  • Variability in interpretation of qualitative terms.

  • Changes in probability and consequence assessments over time.

    • Continuous updates and revisions needed as project conditions evolve.

Documentation of Risk Management

  • Risk Management is documented in Risk Registers, utilizing tables that include:

    • Hazard Name

    • Probability

    • Impact

    • Risk Level

    • Mitigation

    • Contingency

  • These are often paired with quadrant charts for visual clarity.
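As an added illustration (not part of the lecture material), the following Python script implements a minimal risk register using the lecture's formula and the three example hazards scored above; it validates that both factors share the 1-5 scale, places each hazard in the four-quadrant diagram (assuming a score at or above the scale midpoint counts as "High"), and orders the register severity-first. The mitigation and contingency text is constructed for the example.

```python
from dataclasses import dataclass

# Both factors must share one ordinal scale (1-5 here), as the lecture requires.
SCALE_MIN, SCALE_MAX = 1, 5
# Assumption: a score at or above the scale midpoint counts as "High" in the quadrant diagram.
HIGH_THRESHOLD = (SCALE_MIN + SCALE_MAX + 1) // 2  # 3 on a 1-5 scale

@dataclass
class RiskEntry:
    hazard: str
    probability: int  # 1 = very unlikely ... 5 = occurring frequently
    impact: int       # 1 = insignificant ... 5 = catastrophic
    mitigation: str = ""
    contingency: str = ""

    def __post_init__(self) -> None:
        # Reject scores outside the shared scale; mixing scales makes the product meaningless.
        for name, value in (("probability", self.probability), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")

    @property
    def risk_level(self) -> int:
        """Relative Risk = Probability of Occurrence x Consequence."""
        return self.probability * self.impact

    @property
    def quadrant(self) -> str:
        """Place the hazard in the four-quadrant diagram."""
        p = "High" if self.probability >= HIGH_THRESHOLD else "Low"
        c = "High" if self.impact >= HIGH_THRESHOLD else "Low"
        return f"{p} Probability, {c} Consequence"

def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Severity-first ordering: highest relative risk first, impact breaks ties."""
    return sorted(register, key=lambda r: (r.risk_level, r.impact), reverse=True)

def render(register: list[RiskEntry]) -> str:
    # Plain-text view of the prioritized register, one row per hazard.
    rows = [f"{'Hazard':<30}{'P':>3}{'I':>3}{'Risk':>6}  Quadrant"]
    for r in prioritize(register):
        rows.append(f"{r.hazard:<30}{r.probability:>3}{r.impact:>3}{r.risk_level:>6}  {r.quadrant}")
    return "\n".join(rows)

# The three hazards scored in the lecture; mitigation/contingency text is constructed.
SAMPLE_REGISTER = [
    RiskEntry("Sole developer being sick", 2, 5, "Pair on critical modules", "Hire cover"),
    RiskEntry("Data protection law changes", 1, 4, "Track regulator bulletins", "Compliance sprint"),
    RiskEntry("Changes in stakeholder needs", 4, 2, "Short review cycles", "Re-baseline scope"),
]
```

Calling `print(render(SAMPLE_REGISTER))` lists the hazards in the order 10, 8, 4, which is the prioritization the lecture's scores imply.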

Strategies for Managing Risk

  • Once risk is analyzed, strategies must be implemented, typically in three ways:

    • Avoidance: Reduce the likelihood of risk.

    • Minimization: Lower potential consequences if a risk occurs.

    • Contingency Planning: Prepare for the eventuality when unavoidable risks manifest.

  • Strategies:

    • Avoidance and Minimization are proactive.

    • Contingency Planning is passive and prepares for risks that cannot be avoided.

Examples of Risk Scenarios

  1. A construction machine damages campus network infrastructure.

  2. Development project experiencing timeline overruns.

  3. Power outages impacting IT center services.

Risk Management in Project Management

  • Similar to standard project management, the RAG (Red, Amber, Green) grading system is used:

    • Green: Project on track, no issues.

    • Amber: Some minor issues identified.

    • Red: Significant problems reported.

    • Blue: Issues have been resolved.

Continuous Risk Monitoring

  • Risk management should be an ongoing, iterative process.

  • Hazards may evolve over time, affecting their probability and consequences.

  • New risks may surface as the project advances, necessitating continual analysis and prioritization.

Risk Management Conundrums

  • Ensuring comprehensive coverage of risk assessments is challenging, much as it is for requirements documentation.

  • Potential conflicts may arise from risk management strategies.

    • For instance, employing alternative COTS components could inadvertently lower performance below required standards.

  • Prioritization may be swayed by political considerations, and some hazards might lack any effective management method. Recognition of such risks remains beneficial.

Summary of Risk Management Principles

  • Failing to integrate Risk Analysis into systems development introduces significant risks.

  • Properly calculated, categorized, and prioritized risks can be effectively managed.

  • Environmental factors and changing dynamics can impact identification of hazards.