Risk Chapter

Risk management is an important part of any software project. There are three types of risks: known knowns which are fully understood, known unknowns which are partially understood, and unknown unknowns which are completely unknown. Key steps in risk management include risk identification, assessment, avoidance or mitigation, transfer, acceptance, monitoring, and contingency planning. An effective risk management plan called RMMM includes risk mitigation to address risks, monitoring risks as the project progresses, and management procedures if risks are realized. Managing risks such as staff turnover requires mitigation strategies, ongoing monitoring, and contingency plans.

Uploaded by

Jui Bhanushali

Risk Analysis & Risk Management in Software Engineering

What Is the Definition of Risk in Software Engineering?


Simply put, a risk is a potential problem. It is an activity or event that has the
potential to jeopardize the success of a software development project. Risk is the
possibility of experiencing loss, and total risk exposure to a specific project will
account for both the likelihood and magnitude of the potential loss. Therefore, risk
management should be made an integral part of any project management.

A project manager has to deal with risks arising from three possible cases:

1. Known knowns: software risks that are actually facts known to the team
as well as to the entire project. For example, not having enough
developers can delay project delivery. Such risks are described and
included in the Project Management Plan.
2. Known unknowns: risks that the project team is aware of, but whether
such a risk actually exists in the project is unknown. For example, if
communication with the client is poor, the requirements cannot be
captured properly. This is a fact known to the project team;
however, whether the client has communicated all the information properly
is unknown to the project.
3. Unknown unknowns: risks about which the organization has no idea.
Such risks are generally related to technology: for example, having to work
with technologies or tools that you have no idea about, because your client
suddenly wants you to work that way, exposes you to completely unknown
risks.

What is Risk Analysis?


Risk Analysis in project management is a sequence of processes to identify the
factors that may affect a project’s success. These processes include risk
identification, analysis of risks, risk management and control, etc. Proper risk
analysis helps to control possible future events that may harm the overall project. It
is more of a pro-active than a reactive process.

Principles of Risk Management in Software Engineering

1. Global Perspective: In this step of project management, we will go over the
overall system description, design, and implementation. We consider the risk and
its potential consequences.
2. Keep an eye on the future: Consider the threat that might appear in the future and
make plans to direct the next events.
3. Open Communication: This allows for the free flow of information between the
client and the team members, allowing them to be confident about the risks.
4. Integrated management: Risk management is integrated into project management
in this method.
5. Continuous process: The risks are tracked constantly throughout the risk
management paradigm during this phase.

Steps of Risk Management


1. Risk Identification

Risk identification entails brainstorming. It also entails the creation of a risk list.
Brainstorming is a group discussion technique in which the whole project
management is present. This technique generates new ideas and encourages
creative thinking. The preparation of a risk list entails identifying risks that have
occurred repeatedly in previous software projects.

2. Risk Assessment and Prioritization

It is a procedure within project management that includes the following steps:

• Identifying the issues that are causing risk in projects
• Determining the likelihood of a problem occurring
• Determining the problem's impact
• Assigning probability and impact values ranging from 1 to 10
• Determining the risk exposure factor

The project manager should make a table with all of the values and rank the risks
according to the risk exposure factor.

3. Risk Avoidance and Mitigation

The goal of this technique is to eliminate the occurrence of risks entirely. To avoid
risks, reduce the scope of projects by eliminating non-essential requirements. Risk
avoidance involves identifying potential risks and then eliminating them as much
as possible, or reducing their impact if they cannot be eliminated.

Examples of risk avoidance include:

• Not using certain features in the software due to the potential for bugs or
other problems to occur;
• Increasing software testing activities, using test cases to ensure no bugs
exist in a product before it goes live;
• Making sure that any changes made to software are thoroughly tested before
they are deployed.

4. Risk transfer

This technique is used in software engineering to reduce the risk of a project. Risk
transfer is usually used when the scope of a project is too large for any one team to
handle, and there is no way to split up the work so that each team can be
responsible for its own piece of it. In this case, you have to find an outside
company that can take on some portion of your project.

For example, if you're working on a video editor app and your team doesn't have
enough designers or programmers to make it happen, project management could
decide to hire someone else who does have the necessary resources. That way, you
don't have to worry about handling all parts of the app yourself and can focus on
what's most important--making sure that everything comes together in an enjoyable
way!

5. Risk acceptance

In software engineering, risk acceptance is a technique that involves taking on risks
in order to complete the system. It can be a good idea if there is a lot of uncertainty
about which features will be required and when they'll be needed. In this case, it
makes sense to accept some level of risk in order to have time to figure out what
needs to be done and how long it will take. The only way to know whether this will
work is by trying it out—you may find that you were right all along, or you may
discover that you need more time than expected.

6. Risk Monitoring

The risk should be continuously monitored by reevaluating the risks, the impact of
the risk, and the probability of the risk occurring.

This guarantees that:

• The dangers have been discovered and reduced.
• The magnitude and impact of risk are assessed.

RMMM Plan:
A risk management technique is usually included in the software project plan.
It can be divided into a Risk Mitigation, Monitoring, and Management Plan
(RMMM). In this plan, all work is done as part of risk analysis. The project
manager generally uses the RMMM plan as part of the overall project plan.
In some software teams, risk is documented with the help of a Risk Information
Sheet (RIS). The RIS is maintained in a database system for easier
management of information, i.e., creation, priority ordering, searching, and
other analysis. Once the RMMM has been documented and the project has started,
the risk mitigation and monitoring steps begin.
Risk Mitigation:
It is an activity used to avoid problems (Risk Avoidance).
The steps for mitigating risks are as follows.
1. Finding out the risk.
2. Removing the causes that give rise to the risk.
3. Controlling the corresponding documents from time to time.
4. Conducting timely reviews to speed up the work.
Risk Monitoring:
It is an activity used for project tracking.
It has the following primary objectives.
1. To check whether predicted risks occur or not.
2. To ensure proper application of the risk aversion steps defined for each risk.
3. To collect data for future risk analysis.
4. To attribute which problems are caused by which risks throughout the project.
Risk Management and planning:
It assumes that the mitigation activity failed and the risk is a reality. This
task is done by the project manager when a risk becomes reality and causes
severe problems. If the project manager has used risk mitigation effectively
to remove risks, then it is easier to manage the risks. This plan shows the
response that the manager will take for each risk. The main objective of the
risk management plan is the risk register. This risk register describes and
focuses on the predicted threats to a software project.

Example:
Let us understand RMMM with the help of an example of high staff turnover.
Risk Mitigation:
To mitigate this risk, project management must develop a strategy for reducing
turnover. The possible steps to be taken are:
• Meet the current staff to determine causes for turnover (e.g., poor working
conditions, low pay, competitive job market).
• Mitigate those causes that are under our control before the project starts.
• Once the project commences, assume turnover will occur and develop
techniques to ensure continuity when people leave.
• Organize project teams so that information about each development activity is
widely dispersed.
• Define documentation standards and establish mechanisms to ensure that
documents are developed in a timely manner.
• Assign a backup staff member for every critical technologist.
Risk Monitoring:
As the project proceeds, risk monitoring activities commence. The project
manager monitors factors that may provide an indication of whether the risk is
becoming more or less likely. In the case of high staff turnover, the following
factors can be monitored:
• General attitude of team members based on project pressures.
• Interpersonal relationships among team members.
• Potential problems with compensation and benefits.
• The availability of jobs within the company and outside it.
Risk Management:
Risk management and contingency planning assume that mitigation efforts have
failed and that the risk has become a reality. Continuing the example, the project
is well underway, and a number of people announce that they will be leaving. If
the mitigation strategy has been followed, backup is available, information is
documented, and knowledge has been dispersed across the team. In addition, the
project manager may temporarily refocus resources (and readjust the project
schedule) to those functions that are fully staffed, enabling newcomers who must
be added to the team to "get up to speed".
Drawbacks of RMMM:
• It incurs additional project costs.
• It takes additional time.
• For larger projects, implementing an RMMM may itself turn out to be another
tedious project.
• RMMM does not guarantee a risk-free project; in fact, risks may also come up
after the project is delivered.
