7 - MIU-SWE 321-Spring 2024-Students-1

The document discusses risk management in project management. It covers key areas like identifying risks, analyzing risks through qualitative and quantitative methods, evaluating risks based on likelihood and impact, and treating risks by terminating, transferring, treating or tolerating them.


Faculty of Computer Science
Software Project Management (SWE 321)
Prof. Abdel Nasser Zaied, 2023 / 2024


KEY AREAS OF PROJECT MANAGEMENT
1. Scope Management
2. Time Management
3. Cost Management
4. Quality Management
5. Communications Management
6. Risk Management
7. Procurement Management
8. Human Resource Management
9. Integration Management
Risk
“Risk” is any unexpected event that might affect the people, processes, technology, and resources involved in a project.
In simple terms, risk is about the possibility of something bad happening.
Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.
Risk Management
Risk management is the practice of identifying, evaluating, and preventing or mitigating risks to a project that have the potential to impact the desired outcomes.
Risk management is the process of minimizing any potential problems that may negatively impact a project's timetable.
Risk management is concerned with identifying risks and drawing up plans to minimise their effect on a project.
Risk Categories (diagram)
By cause: man-made or natural.
By impact: human or non-human.
Example of Risk Categories
• Human – Illness, death, injury, or other loss of a key
individual.
• Natural – Weather, natural disasters, or disease.
• Operational – Disruption to supplies and operations,
loss of access to essential assets, or failures in
distribution.
• Reputational – Loss of customer or employee
confidence, or damage to market reputation.
• Procedural – Failures of accountability, internal
systems, or controls, or from fraud.
• Project – Going over budget, taking too long on key
tasks, or experiencing issues with product or service
quality.
• Financial – Business failure, stock market
fluctuations, interest rate changes, or non-availability
of funding.
• Technical – Advances in technology, or from
technical failure.
• Political – Changes in tax, public opinion,
government policy, or foreign influence.
Risk Management process
(diagram: the process is divided into an Assessment phase and an Action phase)
Step I: Identify the risks
In this step, you identify the individual risks that might affect your project by making a list (or spreadsheet) of the risks that might arise: what could go wrong and what its consequences would be.
Examples of common project risks:
• implementing a new technology program for
the project,
• having a poorly defined project objective or
deliverable, and
• not having adequate measures to protect the
health and safety of project team members.
Step I: Identify the risks
The main output of risk identification is a list of identified risks and the other information needed for each: its likelihood, its source(s) and its impact (consequences).

Task | Risk (likelihood) | Source(s) | Impact (consequences)

Risk Register
A risk register is a document that contains the results of the various risk management processes; it is often displayed in a table or spreadsheet format. It is a tool for documenting potential risk events and related information about the project.
Elements of a risk register include:
• An identification number for each risk event
• A rank for each risk event
• The name of the risk event
• A description of the risk event
• Category under which the risk event falls
• The root cause of the risk
• Potential responses to each risk
Step II: Analyze the risks
• The term risk analysis refers to the
assessment process that identifies
the potential for any adverse
events that may negatively affect
organizations and the environment.

• Risk analysis is the process that figures out how likely risk
will arise in a project. It studies the uncertainty of
potential risks and how they would impact the project in
terms of schedule, quality and costs.
Step II: Analyze the risks
In this step, you need to know:
• What are the causes of the event or the factors in its occurrence? (causes)
• What exactly would happen if this event occurred? (consequences)
• How likely is this event to happen? (likelihood)
Understanding the causes and factors of an event and how likely it is will help you decide how to control the risk. Understanding how severe the damage could be if it happened will help you decide what you need to do.
Step II: Analyze the risks
Five risk analysis methods
If you are interested in conducting risk analysis, there are several methods to choose from, including these five:
• Bow tie analysis
• Delphi
• SWIFT analysis
• Decision tree analysis
• Probability/consequence matrix
Risk analysis is often both an art and a science.
Risk analysis can be quantitative or qualitative:
• Quantitative risk analysis uses mathematical models and simulations to assign numerical values to risk.
• Qualitative risk analysis relies on a person's subjective judgment to build a theoretical model of risk for a given scenario.
Qualitative risk analysis is the most commonly used analysis technique. This two-dimensional technique (the probability/consequence matrix) is used to rate probability (likelihood) and impact (consequences).
Step III: Evaluate the risks
Risk evaluation attempts to define what the estimated risk actually means to the people concerned with or affected by the risk. A large part of this evaluation is the consideration of how people perceive risks.
Risk management attempts to select the right course of action based on the results of the risk assessment. Where no acceptable risk standards exist, the risk management process will attempt to derive "acceptable" or tolerable risk on a case-by-case basis.
How to evaluate risks to your business
• First, consider all the types of risk your business may face.
• Identify these risks and rank them in order to evaluate them.
• Rank the risks by considering the consequence and the likelihood of each.
• Each risk is rated on a scale of one to ten or twenty or …
• If a risk is rated with a high number, it is a major concern to the company or to the project.
Step IV: Treat the risks
After identifying and categorizing risks based on probability and impact, the next step is to create a comprehensive response plan in case these risks occur. Typically, there are four main courses of action when responding to risks:
• Terminate: Termination involves removing a step of a project, plan or strategy because an unavoidable or highly probable risk that would significantly affect your objective is associated with that step.
• Transfer: Transferring risk is the process of delegating the associated step or steps to another department or team better equipped to respond to the risk.
• Treat: Treating refers to taking immediate action to eliminate risks before they occur during a project, plan or strategy.
• Tolerate: Tolerating means continuing with the project, plan or strategy without adjusting it to avoid or eliminate the risk, because the benefits of the outcome outweigh the negatives of the risk.
Step V: Monitor and Review the risks
• Once you have completed the risk analysis and implemented a response plan, monitor the success of the techniques you chose.
• Consider reassessing risk at critical moments to ensure the response plans are functioning as intended and to gauge the effectiveness of your plan on the probability and impact of risks.
• Continually evaluating and controlling risk can also help you react effectively to new uncertainties or unforeseen events and prevent negative outcomes.
“Plan-Do-Check-Act” is another helpful method in implementing a solution. The four phases in this (PDCA) cycle are:
• Plan: Create a solution for a risk.
• Do: Implement the solution on a small scale.
• Check: Review the results of the solution on a small scale to ensure its success.
• Act: Apply the solution on a large scale. Monitor the progress and make changes as part of the cycle.
Example
• Risk analysis, or risk assessment, is the first step
in the risk management process.
• IT risk analysis focuses on the risks that both
internal and external threats pose to
the availability, confidentiality, and integrity of
your data.
• During risk analysis, a company identifies risks
and the level of consequences, such as potential
losses to the business, if an incident happens.
Risk Identification and Assessment
Data Inventory
• Identify and define all valuable assets in scope: servers, critical data, regulated data or other data whose exposure would have a major impact on business operations.
For example:

Type of data | Description | Level of sensitivity (High, Moderate, Low)
Personally identifiable information | Name; Address; Social Security number; Credit card number | High
Financial information | Credit card number; Verification code; Expiry date; Authorization reference; Transaction reference | High
System Users
• Describe who is using the systems, with details on user location and level of access.
For example:

System name | User category | Number of users | Home organization | Geographic location | Access level (Read, Write, Full)
XYZ | Regular user | 10 | ABC Group | Atlanta | Read/Write
Threat Identification
• Develop a catalogue of threat sources. Briefly describe risks that could negatively affect the organization’s operations, from security breaches and technical missteps to human errors and infrastructure failures.
For example:

Threat source | Threat action
Cyber criminal | Web defacement; Social engineering; System intrusions (break-ins); Identity theft
Malicious insider | Browsing of personally identifiable information; Unauthorized system access; Accidental or ill-advised actions taken by employees that result in unintended physical damage, system disruption or exposure
Employees | Illness, death, injury or other loss of a key individual
Reputation | Loss of confidence from employees; Damage to the reputation of the company
Environmental | Natural or man-made disasters
Organizational (planning, schedule, estimation, controlling, communication, logistics, resources and budget) | Improper worker termination and reassignment actions
Legal and administrative actions | Regulatory penalties; Criminal and civil proceedings
Technical | Malicious code (e.g., virus); System bugs; Failure of a computer, device, application, or protective technology or control that disrupts or harms operations or exposes the system to harm
Vulnerability Identification
• Assess which vulnerabilities and weaknesses could allow threats to breach your security.
For example:

Vulnerability | Description
Poor password strength | Passwords used are weak. Attackers could guess the password of a user to gain access to the system.
Lack of disaster recovery | There are no procedures to ensure ongoing operation of the system in the event of a significant business interruption or disaster.
Risk Determination
• Here, you assess the probability that threats and vulnerabilities will cause damage and the extent of those consequences.
Risk Probability Determination
• During this step, focus on assessing risk probability: the chance that a risk will occur.

Level | Probability definition | Example
High | The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. | Unauthorized malicious disclosure, modification, or destruction of information
Moderate | The threat source is motivated or capable, but controls are in place that may impede successful exercise of the vulnerability. | Unintentional errors and omissions
Low | The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. | IT disruptions due to natural or man-made disasters
Impact Analysis
• Perform risk impact analysis to understand the consequences to the business if an incident happens.
• Risk analysis can include qualitative risk assessments to identify the risks that pose the most danger, such as data loss, system downtime and legal consequences.
• Quantitative risk assessment is optional and is used to measure the impact in financial terms.

Incident | Consequence | Impact
Unauthorized disclosure of sensitive information | The loss of confidentiality with major damage to organizational assets. The incident may result in the costly loss of major tangible assets or resources, and may significantly violate, harm or impede the organization’s mission, reputation or interests. | High
IT disruptions due to unauthorized changes to the system | The loss of availability with a serious adverse effect on organizational operations. The organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced. | Medium
Non-sensitive data is lost by unauthorized changes to the data or system | The loss of integrity with a limited effect on organizational operations, assets, or individuals. The organization can perform its primary functions, but the effectiveness of the functions is noticeably reduced. | Low
Risk Level Evaluation
• During this step, the results of the risk analysis are compared to the risk evaluation criteria. The results are used to prioritize risks according to the level of risk.

Risk level | Definition
High | There is a strong need for corrective measures. The system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Moderate | Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low | The system’s owner must determine whether corrective actions are still required or decide to accept the risk.
Risk Assessment Results
• List the risks in the Risk Assessment Results table.
• The report should describe the threats and vulnerabilities, measure the risk, and provide recommendations for control implementation.

Threat | Vulnerability | Mitigation | Likelihood | Impact | Risk
Hurricane | Power outage | Install backup generators | Moderate | Low | Low
Lack of disaster recovery plan | Disaster recovery | Develop and test a disaster recovery plan | Moderate | High | Moderate
Unauthorized users can access the server and browse sensitive company files | Open access to sensitive content | Perform system security monitoring and testing to ensure adequate security is provided for <server name>. | Moderate | High | Moderate
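The risk register elements of Step I, the probability/consequence matrix of Steps II and III, and the Risk Assessment Results table above can be combined into one small tool. The following Python is an added example and is not part of the lecture slides. The numeric weights for High/Moderate/Low are an assumption: they are the ones used in NIST SP 800-30 (2002), whose likelihood and impact definitions match the tables on these slides, and they reproduce the Low/Moderate/Moderate results of the three rows above. The RiskEntry class, the R-n identifiers, the category and root-cause wording and the sample descriptions are constructed for illustration.

```python
"""Risk register with a likelihood x impact (probability/consequence) matrix.

Added example, not from the lecture slides. Assumption: the weights below are
those of NIST SP 800-30 (2002); the RiskEntry fields follow the slides' list of
risk register elements; the sample entries are constructed to mirror the
slides' Risk Assessment Results table.
"""
from dataclasses import dataclass

# Assumed weights (NIST SP 800-30, 2002): likelihood 1.0/0.5/0.1, impact 100/50/10.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Moderate": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Return likelihood x impact on a 1..100 scale; rejects ratings outside the scale."""
    try:
        return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use High, Moderate or Low") from None


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score to the three risk levels of the Risk Level Evaluation table."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


@dataclass
class RiskEntry:
    """One row of the risk register (identifier, name, description, category,
    root cause, likelihood, impact, potential responses); rank is computed."""
    risk_id: str
    name: str
    description: str
    category: str
    root_cause: str
    likelihood: str
    impact: str
    responses: str

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def ranked(register: list[RiskEntry]) -> list[tuple[int, RiskEntry]]:
    """Assign ranks: highest score first; ties broken by risk_id so output is stable."""
    ordered = sorted(register, key=lambda r: (-r.score, r.risk_id))
    return [(rank, entry) for rank, entry in enumerate(ordered, start=1)]


# Constructed sample register mirroring the slides' Risk Assessment Results table.
SAMPLE_REGISTER = [
    RiskEntry("R-1", "Hurricane", "Storm causes a power outage at the data centre",
              "Natural", "Power outage", "Moderate", "Low", "Install backup generators"),
    RiskEntry("R-2", "Lack of disaster recovery plan",
              "No procedures to keep the system running after a major interruption",
              "Procedural", "Disaster recovery not planned", "Moderate", "High",
              "Develop and test a disaster recovery plan"),
    RiskEntry("R-3", "Unauthorized access to sensitive files",
              "Unauthorized users can access the server and browse sensitive company files",
              "Technical", "Open access to sensitive content", "Moderate", "High",
              "Perform system security monitoring and testing"),
]


def register_table(register: list[RiskEntry]) -> list[str]:
    """Render the ranked register as pipe-separated lines, header first."""
    lines = ["Rank | ID | Risk | Likelihood | Impact | Score | Level | Response"]
    for rank, r in ranked(register):
        lines.append(f"{rank} | {r.risk_id} | {r.name} | {r.likelihood} | {r.impact} | "
                     f"{r.score:g} | {r.level} | {r.responses}")
    return lines


if __name__ == "__main__":
    print("\n".join(register_table(SAMPLE_REGISTER)))
```

Running the block prints the three sample rows ranked by score, with the two Moderate-likelihood/High-impact risks ahead of the hurricane. The multiplicative scale is why a High impact paired with a Moderate likelihood lands on the Moderate boundary (score 50) while Moderate/Low falls to Low (score 5); changing the thresholds or weights changes the ranking, so they should be recorded with the register as the evaluation criteria of Step III.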
