
Project Risk Management

23 November 2015

Name: Sreeja K U
Emp Number: 395668
Email: sreeja.ku@tcs.com

Contents
Introduction
What is Risk?
Primary Components
Risk Management
Categories of Risk
  Product Risk
  Project Risk
Risk Management Process
  Risk Identification
  Risk Analysis
  Risk Mitigation / Risk Control

Introduction
Risk is inevitable when a business organization undertakes projects. However, the project
manager needs to ensure that risks are kept to a minimum. Risks can be divided into two main
types: negative impact risks and positive impact risks.
Project managers do not face negative impact risks all the time, as there are positive impact
risks too. Once a risk has been identified, project managers need to come up with a mitigation
plan or another solution to counter the risk.

What is Risk?
In software testing, risks are the possible problems that might endanger the objectives of the
project stakeholders. Risk is the possibility of a negative or undesirable outcome. A risk is something
that has not happened yet and may never happen; it is a potential problem.
In the future, a risk has some probability between 0% and 100%; it is a possibility, not a certainty.
The chance of a risk becoming an outcome is dependent on the level of risk associated with its
possible negative consequences.

Primary Components
Risk has two primary components for a given event:
- A probability of occurrence of that event
- Impact of the event occurring (amount at stake)
Conceptually, risk for each event can be defined as a function of likelihood and impact; that is,
as either the likelihood or impact increases, so does the risk. Both the likelihood and impact
must be considered in risk management.
Risk constitutes a lack of knowledge of future events. Typically, future events (or outcomes) that are
favorable are called opportunities, whereas unfavorable events are called risks.
Another element of risk is the cause of risk. Something, or the lack of something, can induce a risky
situation. We denote this source of danger as the hazard. Certain hazards can be overcome to a
great extent by knowing them and taking action to overcome them.

Risk Management
Risk management is the act or practice of dealing with risk. It includes planning for risk, assessing
(identifying and analyzing) risk issues, developing risk handling options, and monitoring risks to
determine how risks have changed.

Risk management is not a separate project office activity assigned to a risk management department,
but rather one aspect of sound project management. Risk management should be closely coupled
with key project processes, including but not limited to: overall project management, systems
engineering, cost, scope, quality and schedule.

Categories of Risk
We can classify risks into the following categories:

Product Risk
Factors relating to what is produced by the work (i.e. the thing we are testing).
Product risk is the possibility that the system or software might fail to satisfy or fulfil some
reasonable expectation of the customer, user, or stakeholder. (Some authors also call product
risks quality risks, as they are risks to the quality of the product.)
The product risks that can put the product or software in danger are:
- If the software skips some key function that the customers specified, the users required or
  the stakeholders were promised.
- If the software is unreliable and frequently fails to work.
- If the software fails in ways that cause financial or other damage to a user or the company that
  user works for.
- If the software has problems related to a particular quality characteristic, which might not
  be functionality, but rather security, reliability, usability, maintainability or performance.

Project Risk
Factors relating to the way the work is carried out (i.e. the test project).
Project risk is the exposure to a company that arises from taking on a particular task. A project risk can be internal
to the business, it can involve external events, or it can stem from any other circumstances that can
hamper the project's overall success and result in loss or embarrassment to the firm undertaking it.
The project risks that can endanger the project include
risks such as the late delivery of the test items to the test team or availability issues with the test
environment. There are also indirect risks such as excessive delays in repairing defects found in
testing or problems with getting professional system administration support for the test
environment.

Risk Management Process


Risk Identification
Risk identification is the first step in risk management. We need to identify both project and product
risks by using certain techniques. Some of the most common techniques that can be applied to
identify different risks are using risk templates, interviewing the stakeholders, project retrospectives,
etc.
Several formal techniques, like Failure Mode and Effect Analysis (FMEA) and Failure Mode Effect and
Criticality Analysis (FMECA), are used to find risks. These techniques identify the effects of the risk
in case it becomes an outcome. The effects can be on people, society, users, customers, etc.

Risk Analysis
Risk analysis is the second step of risk management. In risk analysis you study the risks identified in
the identification phase and assign a level of risk to each item. You first need to categorize the
risks and then determine the level of risk by specifying the likelihood and impact of the risk.
Likelihood is the percentage chance that the risk occurs and arises from different technical factors. Some
of the technical factors which should be considered while assessing likelihood are:

- Complexity of the technology
- Technical skills of the test team
- Team conflicts
- Geographically distributed teams
- Bad quality of the tools used in the project
- Complex integration, etc.

Impact is the effect of the risk in case it happens. Impact arises from business considerations. You
should consider the following business factors while assessing impact:

- Loss of customers
- Loss of business
- Loss or harm to society
- Financial loss
- Criminal proceedings against the company
- Loss of license to continue business

You can apply quantitative or qualitative risk analysis to determine the level of risk.
In quantitative risk analysis you have numerical ratings for likelihood and impact. Likelihood is
expressed as a percentage and impact in monetary terms. If you multiply these two values, the
result is the expected loss in case that risk occurs.
Qualitative analysis is performed when you do not have statistically valid data on which you can
perform quantitative analysis. So in qualitative analysis you can say that the likelihood of the risk is very
high, high, medium, low or very low. In software engineering, the use of a quantitative approach is
inappropriate in most projects because stating likelihood in percentages like 90%, 50%, 25%, 10%
does not make much sense and is misleading.

Risk Mitigation / Risk Control


The third step in risk management is risk mitigation or risk control. After assessing the risks in
your project you must control them. In order to control the risks you can use the following options.
Mitigation: In mitigation we take preventive measures to reduce the likelihood of the risk or to
reduce the impact of the risk in case it occurs.
Contingency: In case the risk becomes an outcome, we have a contingency plan to reduce the
impact of the risk.
Transfer: In this case we transfer the risk to a third party who will accept the consequences of the risk if it
occurs.
Lastly, you can also have a plan to accept the risk and the consequences in case the risk occurs.
Certain project risks which you should be concerned about are:

- Test tools and environment availability
- Skills of the test team
- Availability of resources (software, hardware)
- Availability of testing staff
- Lack of standards and techniques for testing

You should try to mitigate risk before your test execution starts. For this you can prepare test
environments well in advance, start testing early versions of the product, set tough entry
criteria for testing, participate in review discussions, etc.
Quality risk control should be addressed throughout the software development life cycle, for example by
reviewing requirement and design documents to find issues with non-feasible requirements and
buggy design.
During test execution you mitigate the quality risks of the product. When you find defects, you reduce risk
by providing awareness of the defect and how to handle it well in advance of the release dates.
So, finally, we can conclude that risk control is an activity carried out throughout the
software development life cycle and is not limited to any specific phase of testing.
