Objectives
Why Do Continuous Risk Management?
Reasons We Don't Do Risk Management
What is Continuous Risk Management?
Benefits of Continuous Risk Management
Costs of Continuous Risk Management
How Should I Do Continuous Risk Management?
What are the Principles of Continuous Risk Management?
Core Principle
References
Objectives
Understand the concepts and principles of Continuous Risk Management
Develop basic risk management skills for each component of Continuous Risk Management
Be able to use key methods and tools
Be able to tailor Continuous Risk Management to a project
Why Do Continuous Risk Management?
Everybody agrees that risk management, if done properly, is a good thing to do. Who wouldn't want to identify potential problems early enough to make a difference in the ultimate quality of the product? Continuous Risk Management "helps people avoid disasters, avoid rework, avoid overkill, and stimulate win-win situations on software projects [Boehm 89, p. 1]." Risk management reduces a project's risk exposure, and reducing exposure makes good business sense [Charette 89].
Reasons We Don't Do Risk Management
If it's so wonderful, why don't we do it, or why do we fail to do it successfully? Here are some of the reasons project personnel give for not doing risk management. All of these reasons are barriers to effective risk management. Some of them are cultural barriers. All of them need to be overcome.
I don't have the time. There's too much regular project work to do.
It's not rewarded. Nobody wants to hear about what we can't do.
It's a bureaucratic nightmare. The processes are too complicated and time consuming.
I don't want to look stupid, especially in front of upper management.
We already know our risks. We did an assessment at the beginning of the project. Once is enough!
This is just another management initiative. I'll wait to see if they're serious before I put any effort into it. Why waste time and energy?
They shoot the messenger. If I had a solution I wouldn't need to bring it up in the first place.
Identifying risks means you need to solve them. We already have enough to do.
Fill in your own: ___________________________________________________
What is Continuous Risk Management?
Continuous Risk Management is a software engineering practice with processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision making to:
Assess continuously what could go wrong (risks)
Determine which risks are important to deal with
Implement strategies to deal with those risks
Note: Project and program are considered synonymous terms in this document.
Benefits of Continuous Risk Management
Continuous Risk Management, when performed successfully, provides a number of benefits:
1. Prevents problems before they occur: identifies potential problems and deals with them while it is easier and cheaper to do so, before they become problems and a crisis exists
2. Improves product quality: focuses on the project's objective and consciously looks for things that may affect quality throughout product development
3. Enables better use of resources: allows the early identification of potential problems (the proactive approach) and provides input into management decisions regarding resource allocation
4. Promotes teamwork: involves personnel at all levels of the project, focuses their attention on a shared product vision, and provides a mechanism for achieving it
Costs of Continuous Risk Management
There are three types of costs associated with Continuous Risk Management:
1. Infrastructure costs: those costs associated with implementing and supporting risk management within an organization (e.g. setting up a training program, purchasing common tools)
2. Risk management costs: those costs associated with conducting risk management activities within a project (e.g. time to document new risks or write risk status reports)
3. Mitigation costs: those costs directly associated with mitigating a specific risk to the project (e.g. the cost to carry out the mitigation plans)
These types of cost typically include "expenditure of funds, time, personnel, and management involvement [Charette 89, p. 69]."
Determining cost-benefit value is difficult when some costs and benefits cannot be quantified. For example, how do you quantify what you saved by mitigating a risk? How do you estimate what it would have cost you if it had become a problem [Charette 89]? There are no clear-cut answers.
The cost of performing Continuous Risk Management must be balanced against the expected benefits and the cost of not doing risk management [Charette 89].
Example: A major acquisition program manager from the Department of Defense learned about a risk that could have been a "showstopper" for the program. Through Continuous Risk Management, a risk was identified regarding achievement of the specified gross aircraft weight. Added equipment to satisfy specific new mission requirements might increase the weight beyond allowable limits. Early identification and better definition of the risk enabled the program manager to justify funding for an early start of the design, thereby ensuring proper aircraft weight in time to meet the program schedule. This example illustrates a risk identified through Continuous Risk Management that could have stopped the program if it had gone unnoticed until it became a problem. For this program manager, the mitigation of this risk saved what would have been a year's delay in the program schedule, clearly worth the expense of performing risk management.
How Should I Do Continuous Risk Management?
Continuous Risk Management is simply an area of emphasis of everyday business. It should be ongoing and comfortable. Like any good habit, it should seamlessly fit into your daily work. There is no one special set of methods, tools, or communication mechanisms that will work for every project. The key is to adhere to the principles, perform the functions, and adapt the practice to suit your needs.
What are the Principles of Continuous Risk Management?
Continuous Risk Management is built upon a set of principles that provide an effective approach to managing risk regardless of the specific methods and tools used. These principles were defined by [Higuera 94] and break down into the following three types:
1. Core
2. Sustaining
3. Defining
Core Principle
Continuous Risk Management simply cannot succeed without the constant attention to fostering open communication, the core principle. No one can find the risks to the project as well as the people who work on it day in and day out. Always ask, "Is the way the project responds when members bring forward issues and concerns going to encourage them to bring more?" Open communication requires:
1. Encouraging free-flowing information at and between all project levels
2. Enabling formal, informal, and impromptu communication
3. Using consensus-based processes that value the individual voice (bringing unique knowledge and insight to identifying and managing risk)
Defining Principles
The defining principles focus on how the project sees risks, and how ambitious it is about looking for and dealing with uncertainty. The principles foster the development of a shared view that clarifies the when, why, and what of Continuous Risk Management.
Forward-looking view: Develop the ability to look ahead, beyond today's crisis to the consequences of that crisis and of the decisions the project makes to deal with it. This principle is also concerned with sharpening the view of how far into the future to look. Forward-looking view requires:
Thinking toward tomorrow, identifying uncertainties, anticipating potential outcomes
Managing project resources and activities while anticipating uncertainties
Shared product vision: This is the development of a common understanding of the objectives of the project and the goods and services it will produce for the world. Shared product vision requires:
Arriving at a mutual product vision based upon common purpose, shared ownership, and collective commitment
Focusing on results
Global perspective: This requires project members to escape the local interests of groups within the project and within the organization to reach a common view of "what's most important to the project." Project members should develop a common viewpoint at a global level, and be able to move toward deciding how to mitigate specific risks. Global perspective requires:
Viewing software development within the context of the larger systems-level definition, design, and development
Recognizing both the potential value of opportunity and the potential impact of adverse effects
Sustaining Principles
The sustaining principles focus on how the project goes about its daily business of Continuous Risk Management. These are foundational. If established early in the project and constantly nurtured, these will assure that Continuous Risk Management becomes the way business is conducted.
Integrated management: This principle is concerned with assuring that Continuous Risk Management processes, paperwork, and discipline are consistent with established project culture and practice. Continuous Risk Management is simply an area of emphasis of good project management; therefore, wherever possible, Continuous Risk Management tasks should be integrated into well-established project routine. Integrated management requires:
Making Continuous Risk Management an integral and vital part of project management
Adapting Continuous Risk Management methods and tools to a project's infrastructure and culture
Teamwork: No single person can anticipate all the risks that face the project. Continuous Risk Management requires that the project members find, analyze, and work risks together. Group synergy, reliance, and cooperation in dealing with risk need to be rewarded.
Teamwork requires:
Working cooperatively to achieve a common goal
Pooling talent, skills, and knowledge
Continuous process: Risk management must not be allowed to become "shelf ware." The processes must be part of daily, weekly, monthly, and quarterly project management. Stamp out the idea that risk management only happens during "risk management season."
Continuous process requires:
Sustaining constant vigilance
Identifying and managing risks routinely throughout all phases of the project's life cycle
Principles and Tailoring Continuous Risk Management Processes
Continuous Risk Management is not "one size fits all." To be effective, tailoring is needed. Tailoring occurs when organizations adapt the Continuous Risk Management processes and select the methods and tools that best fit their project management practice and their organizational culture. Following the principles of Continuous Risk Management is the key to successful tailoring.
References
[Boehm 89] Boehm, Barry. IEEE Tutorial on Software Risk Management. New York: IEEE Computer Society Press, 1989.
[Charette 89] Charette, Robert N. Software Engineering Risk Analysis and Management. New York: McGraw-Hill, 1989.
[Higuera 94] Higuera, Ronald P.; Dorofee, Audrey J.; Walker, Julie A.; & Williams, Ray C. Team Risk Management: A New Model for Customer-Supplier Relationships (CMU/SEI-94-SR-05). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1994.