1 qualität & informatik dr. e. wallmüller software risk management – better chances for...

1 Qualität & InformatikQualität & InformatikDr. E. Wallmüller

Software Risk Management – Better Chances for Project Success

Copyright © QUALITÄT & INFORMATIK

Zurich, Munich, Vienna

www.itq.ch


Agenda

• Trend and examples• Best practices• Methodical considerations• Tools• Hints for implementation


Challenges:

• New Business Modelse.g. eBay, Amazon, …

• Global Processes and Systemse.g. NOKIA

• New Information Needse.g. Transparency in Value Generation

But mindset:"The Titanic is unsinkable."

Capt. E. J. Smith

Too little attitude:"First count, then risk."

von Moltke

Living with Risks ...


CH Study: „IT Costs and Performance 2002“ (Ploner)


What are the Reasons? CH Study: „IT Costs and Performance 2002“ (Ploner)


Trend

• TronTraG Law in Germany-- Risk management system / indicator control system-- Failure of projects are operational risks

• Maturity Models with risk management process areas -- CMMI

-- SPICE

• Certification based onBS7799-2 (Information Security System)

• Conferences on risk management

7 Qualität & InformatikQualität & InformatikDr. E. Wallmüller08/23/99 11Project Management Shared Experiences Workshop, CECockrell

8 Qualität & InformatikQualität & InformatikDr. E. Wallmüller08/23/99

Risk Spider Chart (Essential Program Elements)

Consequence of Resource Limits

Risk ManagementApproach

Communication

Requirement Definition Information

Transfer

Controlled Process

Planning

Level of TechnologyReadiness

Experience Level of Team

Design to Cost

Visibility of Project Activities

Extensive, Peer &Independent Reviews

Limited Reviews, Project Internal

Proven Team

OJT

TRL 5-6

TRL 1-3

Existing

Extensive, Up-FrontReactive

Clear, Fixed,Parent-Child

Developed as Needed, Free Float

Dynamic, Interactive

Team Operation

Cohesive, Authority

Widely Dispersed, Controlled

Performance is a Tradable Resource

Result of Technical/ Schedule ActivityLowest

Risk


RiskCommunication

Requirements

Planning

TRLExperience

Cost

Visibility

Team

RiskCommunication

Requirements

Planning

TRLExperience

Cost

Visibility

Team

RiskCommunication

Requirements

Planning

TRLExperience

Cost

Visibility

Team

RiskCommunication

Requirements

Planning

TRLExperience

Cost

Visibility

Team

Low Risk Profile High Risk Profile

Low Risk/Single Weakness High Risk/Multiple Strengths & Weaknesses


Began CRM Training Program in 1997 42 Certified CRM Instructors NASA-wide 2316 students trained NPG 8000.4 Approved April 2002 NPG 7120.5 B reviewed, updated and pending release Updated existing training products to be consistent with

NIAT and NPG’s

CRM Training


How has Risk Management been lived by Management?

Washington: - Nasa boss Sean O'Keefe will renew the

culture of the agency.

- The final report says:Missing risk awareness andlacking moral courage of employees

Nasa took consequences fromthe Columbia Disaster : Manager fired!

7 crew members died on February, 1st 2003


Critical Success Project Factors

ProjectProjectwins ..wins ..

Vision, ContractVision, Contract

ExecutiveExecutiveSponsorSponsor

Team work,Team work,CooperationCooperation

Priorities,Priorities,DecisionDecision

Goal andGoal andRiskRisk

ControllingControlling

Respon-Respon-sibilities,sibilities,

ProjectProjectOrganisationOrganisation


o Better understanding and careful dealing with risks and issues

o Asking assumptions and restrictions on which project planning is based

o Better control of the project

o Bases for quality management and assurance

What we want to achieve ...

- Definition: Risk is the possibility of suffering loss.

- Risk in itself is not bad; - risk is essential to progress; - failure is often a key part of learning.


Examples of Known Processes

• Barry Boehm (1989)

• Kontio (1997) CRM and TRM of SEI

PMI

...


Continuous Risk Management (CRM)

Principles:

- Global perspective - Forward-looking view - Open communications - Integrated management - Continuous process - Shared product vision - Teamwork


Continuous Risk Management…(SEI, www.sei.cmu.edu/programs/sepm/risk/)

Function Description

Identify Search for and locate risks before they become problems.

Track Monitor risk indicators and mitigation actions.

Analyze Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks.

Plan Translate riks information into decisions and mitigating actions (both present and future) and implement those actions.

Control Correct for deviations from the risk mitigation plans.

Communicate Provide information and feedback internal and external to the project on the risk activities, current risks, and emerging risks.Note: Communication happens throughout all the functions of risk management.


Candidates for Project Risk Management

Project Risk Manager as a Central Function

IT ControllerInternal Audit functionProject OfficeProject Manager as a Risk

ManagerExternal Project Risk Manager


Risk IdentificationIdentification of non-fictional and manageable risks with

impact to:

Costs Schedule Scope Technical Performance Contract Expectations of Client

Procedure: - Workshop with brainstorming

- Workshop with questionnaire and checklist


Risk Area Checklist V2.1

Schedule/Implement

- Time frame- Geography- Location- Real Schedule vs. Bid Schedule

Technical

- Requirements- Prototypes- Tools- Functionality- Technical Performance- Available and Future Technologies- Architectures- Integration- Support Service

(Training, Rollout, Installation)- Baseline Management- Unproven Hardware

Subcontractors

- Statement of Work- Price- Terms & Condition- Resources/Experiences- Subcontractor Management- Quality Control- Invoicing- Alternate Sources

Contract

- Change Control Process- Terms & Condition/Payment Plan- Acceptance Criteria- Statement of Work/Deliverables

Resources

- Bid/Proposal Resources- Skills/Qualification/Capabilities- Implementation Resources- Facilities (e.g. Space, Equipment)- Logistics

Innovation Projects

- Market Knowledge- Transformation Client Needs- Speed Idea => Product- Changes of Requirements- Team- Management Support/Commitment- Number of Projects in Parallel

© Qualität & Informatik

Software Development Risk Taxonomy(SEI Questionnaire)


Top Software Risks I

• Personnel Shortfall staffing with appropriate personnel, job matching, team building, securing key personnel agreements, cross-training, rescheduling key people, subcontracting

• Unrealistic schedule and budget detailed multi-source cost and schedule estimation, designing to cost, incremental development, software reuse, requirement scrubbing, renegotiation with client

• Developing the wrong software functions organisation analysis, mission analysis, ops-concept formulation, user surveys, prototyping, early user manual development, development of and agreement to acceptance criteria

• Developing the wrong user interface prototyping, operational scenarios, task analysis,user characterisation (functionality, style, workload)

W.B. Boehm


Top Software Risks II

• Gold Plating requirement scrubbing, prototyping, cost benefit analysis, designing to cost

• Continuing stream of requirement changes high change threshold, information hiding, incremental development, deferral of changes to later increment, tight change control, agreement to acceptance criteria

• Shortfalls in externally furnished components (Procured software) benchmarking, inspection, reference checking, compatibility analysis

• Shortfalls in externally performed tasks (Subcontractors) reference checking, preaward audits, award-fee contracts, competitive design or prototyping, team building

• Straining Computer Science Capabilities technical analysis, cost-benefit analysis, prototyping, reference checking, performance analysis, sizing analysis

W.B. Boehm


A Good Risk Statement …

For example:

The commercial off-the-shelf (COTS) high-speed data link selected by the project team was never envisioned by the vendor to be used in a hardened environment; it may not perform as needed, causing rework and integration slips.


How to describe Risks?


Possible Risk Strategies

• Can I avoid the risk? • Can I reduce the risk impact or Can I reduce the risk probability?

• Can I limit the risk? (Contingency)?

• Can I transfer the risk?

• Can I accept the risk ?

Risk Reduction Staircase


Reporting with Risk Information ...

• Specific Risks• Actions

Reporting Date

Dev

elo

pm

ent

Co

sts

in

CH

F

Cost Trend

01.01.00 02.07.00 31.12.00 01.07.01 31.12.01

Project Information

Project Status

Project: xxxxxxx Manager: yyy.zzzz

Goals: .....

Reporting Date: dd-mm-jj

Time

Costs

Quality

Sig

nifi

can

ce

Likelihood

3

4

2

1

6

57

Risk Mapping

Milestone Trend

01.01.98

02.07.98

31.12.98

01.07.99

30.12.99

01.01.98 02.07.98 31.12.98 01.07.99 30.12.99

Reporting Date

Q3Q4Q5Q6


Example Monthly Status Report


Costs & Benefit

– 0.25 % of Project Costs– Start with risk workshop– 1 or 2 days per month

– Reduction of Deviations

– High Transparency

– Reduction of Rework

– Avoidance of Disasters

– Reduction of Deviations

– High Transparency

– Reduction of Rework

– Avoidance of Disasters


Summary

Key Elements

Start early Iterative Process during Life Cycle Find and look for Chances Responsibility (Process, for each risk) Work Break Down Structure (WBS) as a good

source for risk identification Monitor and track risks and measures Involve the whole project team Develop Risk Awareness


Questions

Ernest WallmüllerCEO, Senior Consultant

Telefon 0041 1 748 52 56Mobile 0041 79 402 44 [email protected]

Qualität & Informatik

Haslernstr. 14

CH-8954 Geroldswil

Many thanks for your attention!


WEB Links for Risk Management

Qualität & Informatik - Links/RM www.itq.ch/links/

Risk Net www.risknet.de

SEI-RM Overview www.sei.cmu.edu/programs/sepm/risk/

www.risknet.de www.dacs.dtic.mil

NASA RM smo.gsfc.nasa.gov

Risk Management Resources www.processimprovement.com

Tool Risk Radar www.iceincusa.com

Tool CARISMA www.sbi-ag.ch


Literature Boehm B.: Software Riskmanagement, IEEE, 1989

Charette R. N.: Software Engineering Risk Analysis and Management, McGraw-Hill, 1989

Gaulke M.: Risikomanagement von IT-Projekten, Oldenbourg, 2002

Hall E.: Managing Risk, Addison Wesley, 1998

Kendrick T.: Identifying and Managing Projekt Risk, AMACOM, 2003

Kerzner H.: In Search of Excellence in Project Management, Van Nostrand Reinhold, 1998

Phillips D.: The Software Project Manager’s Handbook, IEEE, 1998

Schnorrenberg U.: Risikomanagement in Projekten, Vieweg, 1997

SEI: Continuous Risk Management Guidebook, 1996

Tom DeMarco, T. Lister: Bärentango, Hanser, 2003

Wallmüller E.: Ganzheitliches Qualitätsmanagement in der Informationsverarbeitung, Hanser, 2001

Wallmüller E.: Software-Risikomanagement - Leitfaden für die Implementierung, Hanser, erscheint 2004

1 qualität & informatik dr. e. wallmüller software risk management – better chances for...

Documents

risk management slide

risk activities

bad risk

functions of risk management

risk management process

risk mitigation plans

missing risk awareness

analyzetransform risk