
A risk is a possibility of loss.
Undesirable outcome.
Missed opportunity.

 

Probability of occurrence

Risk

Consequence: size of loss

Problems
- Exist today
- Current effect of past decisions

Risks
- Potential problems
- Future effect of current decisions

Risk management is a systematic
process for the identification,
assessment, control and
communication of risks to life,
property, or other valued objects

Definition:
The art of assessing and managing risks to ensure that the
objective is accomplished within established tolerance levels

Meaning:
Risks that aren't known can't be managed

Risks are managed by recognizing them, risk mitigation and
risk reduction and monitoring the effectiveness of these
measures

Risk tolerance is how much variation in outcome we can
accept (financial, time, outcome etc.)

To meet our contractual and internal
commitments

If we recognize where potential issues may
arise we can manage them

If we don't proactively identify issues the odds
are that we won't be prepared to deal with
them

Protection of the University reputation

Realistic costings

Proper allocations of resources

Higher probability of meeting targets

Full awareness of potential hazards for everyone

Informed go/no-go decisions

Can take extra time to do

Can be seen as pessimistic

Ensuring that the risk management activities
are appropriate to the nature and scale of the
activities is key

Effective risk communication is vital

[Figure: Risk Knowledge Base, surrounded by the activities Identify risks, Analyze risks, Plan for risks, Track risks, Resolve risks, Learn about risks]

Definition:
Enterprise Risk Management is the
identification and management of all the
risks within the organization

Meaning:
This term is an umbrella term that covers the
integration of risk management from
different parts of an organization

For each risk, identify how risk is to be
identified, managed, monitored, and
closed out. Consider:
- What is the risk,
- Where and When might the risk occur,
- Who is responsible for managing that risk,
- Why does the risk exist, and
- How will the risk be handled if it occurs?

- Assess each identified risk regularly to
  decide whether or not it is becoming less
  or more probable.
- Also assess whether the effects of the risk
  have changed.
- Each key risk should be discussed at
  management progress meetings.

- Internal Risk: Probability of suffering losses because of
  inadequacies in process capability and organizational
  culture.
- External Risk: Probability of suffering losses due to
  uncertainties in external conditions


- Risk ID: A unique reference number given to each risk
  for traceability
- Risk Probability: The likelihood of risk occurrence
- Risk Impact: The level of damage if risk occurs

- Risk Origin: Source of risk (internal or external)
- Risk Category: A group or class with a set of similar
  risks
- Risk Exposure: The combination of risk probability
  and risk impact

Two major activities of risk management are:

- Risk Assessment: Discovery process of identifying
  sources of risk and evaluating their potential effects
- Risk Control: Process of developing risk resolution
  plans, monitoring risk status, implementing risk
  resolution plans, and correcting for deviations from
  the plan

Software Project Risks
- Resource constraints, external interfaces, supplier relationships,
  nonperforming vendors, internal politics, interteam/intergroup
  coordination problems, inadequate funding.

Software Process Risks
- Undocumented software process, lack of effective peer reviews,
  no defect prevention, poor design process, poor requirements
  management, ineffective planning.

Software Product Risks
- Lack of domain expertise, complex design, poorly defined
  interfaces, poorly understood legacy system(s), vague or
  incomplete requirements.

The basic concepts of risk management are as
follows:
- Goal: We manage risk in relation to a specific
  goal and can affect only the work that remains
  to achieve the goal
- Uncertainty: The likelihood that a loss will
  occur helps to determine the relative priority
  of the risk
- Loss: Unless there is a potential for loss, there is no
  risk. The loss can be either a bad outcome or a lost
  opportunity
- Time: We need time to anticipate and prevent
  problems. As time goes by, viable options tend to
  decrease. By managing risk, we reduce wasted time by
  using it to our advantage
- Choice: Unless there is a choice, there is no risk
  management. Doing something or doing nothing
  should be a conscious choice

- Project Visibility
- Goal Setting
- Product Development
- Development
- Maintenance
- Supply Chain

Quadrant I: High risk, low benefit
Quadrant II: High risk, high benefit
Quadrant III: Low risk, low benefit
Quadrant IV: Low risk, high benefit

- Inadequate understanding of customer needs
- Poor requirements documents
- Poor requirements management
- Poor or no architecture/design
- Code first and ask questions later
- Poorly understood legacy design/code
- No peer reviews to catch problems early
- Inexperienced or incapable personnel
- Ineffective testing - misses serious defects