Risk Management in Software Engineering

Identify

• Risk management involves a series of steps software engineers take to identify, address, and remove project risks throughout the entire software development life cycle. Risk management deals with risk types such as generic, project, product-specific, product, and business risks. Generic risks include "across-the-board" risks that can occur at any time, such as project funding or team member availability. Project risks include those that affect the project or resources, such as budget constraints or a tight time frame for completion. Product-specific risks deal with factors associated with the type of software engineering project, such as providing adequate pre-release testing resources. Product risks affect the quality or performance of the software and can include the quality of program code or changes in requirements. Business risks concern the viability of the project itself, and include changes in economic conditions or management decisions.

Analyze

• Risk analysis involves determining and assessing probability and impact. Software engineers usually classify risk probability with statistical numbers. Calculated risk ranks in the order engineers believe it will occur. The associated impact of a calculated risk can be classified using numbers that rate the impact as negligible, marginal, critical, or catastrophic. Engineers then create a risk assessment chart listing known risks by type, probability and impact.

Prioritize

• When prioritizing risks, engineers first look at the probability of the risk occurring. Next, they determine the cost to the project in dollars if the risk occurs, and then assign a cost to address the risk. For example, losing a senior programmer in the middle of a project could affect the quality of program code, delay release of the software program and cost the project $25,000. Assuming the project has additional, qualified team members to work on it, dividing the workload between other team members is one solution that may cost $3,000.

Plan

• With risks identified, analyzed and prioritized, engineers then decide on a course of action. This may require taking a step back and gathering additional information on the potential risks and costs involved with them. It can also involve creating a contingency plan in the event the risk does happen, deciding on a way to reduce the chances of the risk occurring, or making the decision to accept the possibility of the risk occurring and waiting to develop a plan until it does.

Mitigate

• Mitigation involves looking at the project as a whole, considering all factors and determining ways to reduce or eliminate the possibility of a risk occurring. Risk avoidance is a strategy engineers may take if risks outweigh the benefits of beginning or continuing with a software development project. Risk avoidance means an end to the project. Risk protection opts to create a compromise that all can live with, such as adding alternate team members, upgrading equipment before beginning a project, or extending a tight project completion time frame.

Monitor

• Monitoring is a continual process of assessing progress, reevaluating project goals, identifying new risks, and continuing the development cycle. The degree of risk management monitoring will be greater in the beginning stages of the software development life cycle, but should continue throughout all stages. Monitoring eventually ends with retirement of the software program.