Measuring the Risk Factor


The concept of risk is inherent in any development effort. Since risk is impossible to avoid, the best way to deal with risk is to contain it. One way to contain risk is through risk management. Risk management involves the identification of risks, analysis of exposure to the risks in a development effort, and execution of the risk management plan. In this article, Yamini Munipalli details one way of assigning and managing risk to a software development plan. This version of risk analysis, drawn from many schools of thought, remains flexible enough to use within any company for any project.

Risk management is tricky because the process involves subjective thinking on the part of individuals in the organization. The identification of risks is generally based on an individual's experience and knowledge of the system. Since experience and knowledge are unique to each individual, it is important to get a wide range of individuals on the risk management team.

Risk management also involves an assessment of the tolerance level for risk in the organization. Companies that are more tolerant of risk will be less likely to develop a risk management approach. However, in some industries like the medical industry, there is little tolerance for risk.

While risk management can be applied to any type of industry, this paper discusses a software risk management technique. This paper discusses risk analysis.

What is Risk Analysis?
Risk analysis is part of an organization's overall risk management strategy. Risk analysis is a method used to assess the probability of a bad event happening. It can be done by businesses as part of disaster recovery planning and as part of the software development lifecycle. The analysis usually involves assessing the expected impact of a bad event such as a hurricane or tornado. Furthermore, risk analysis also involves an assessment of the likelihood of that bad event occurring.

In this paper, I present a method to complete software risk analysis using other indicators than "expected impact" and "likelihood of failure." Methods of risk analysis proposed by others include different indicators also. For example, in the article "Knowing the Odds" Payson Hall recommends a risk analysis matrix that includes expected impact, probability, and surprise or the difficulty of timely detection of the risk. Rex Black, in the article "Risks to System Quality: Investing in Software Testing," proposes using the indicators of severity, priority and likelihood of failure, to complete a risk analysis. Johanna Rothman , in the article titled "Risk Analysis Basics" recommends using severity and probability of occurrence. In the article "Software Risk Management Makes Good Business Sense", Steve Goodwin recommends using severity as the only indicator of risk. Dr. Ingrid B. Ottevanger recommends in the article titled "A Risk-Based Test Strategy," multiplying the "chance of failure X damage." This is essentially the likelihood of failure multiplied by the expected impact. James Bach and Geoff Horne, in "Risk-Based Testing" also consider likelihood of failure and impact of failure as good indicators of the magnitude of risk. The method adopted here modifies Rick Craig and Stefan Jaskiel's work in Systematic Software Testing . Before we do a risk analysis however, we must understand what is meant by the term "risk."

Definitions of Risk
Risk is the probability that a loss will occur. According to Tom DeMarco and Timothy Lister in Waltzing With Bears: Managing Risk on Software Projects , risk is also "a weighted pattern of possible outcomes and their associated consequences." It is a term that "means the probability that a software project will experience undesirable events, such as schedule delays, cost overruns, or outright cancellation." Capers Jones writes that "Risk is proportional to size and inversely proportional to skill and technology levels" Thus, the larger the project, the greater the risk.

These definitions indicate that risk involves possible outcomes and the consequences of those outcomes. Potential outcomes include both negative and positive aspects. Negative outcomes such as undesirable events can occur, and when they occur, there will be a loss to someone. The loss can occur in terms of money, lives, or damage to property. Risk reduction strategies differ based on the level of maturity of the organization. In general, the more mature the organization, the


About the author

StickyMinds is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.