Software Risk Management Makes Good Business Sense

[article]
Summary:

As software technologies continue to grow in power and complexity and microprocessors continue to shrink, we are witnessing the rapid expansion of software into virtually all areas of our business and private lives. Today, it is found in cars, traffic lights, household appliances, communications and transportation systems, hospitals, airplanes, medical devices, next-generation payment cards, business supply chains, and enterprise management systems. Software is truly becoming ubiquitous. This article illustrates the consequences of software failure, the dynamic process of risk analysis, and the importance of the right business decision.

As business' reliance on software grows, so do the business-related consequences of software failure. In today's rapid-paced business environment, software must work. In fact, if your software fails, your company may be right behind it.

The term essential software refers to software that must be reliable, safe and secure. Nearly every large enterprise relies on essential software that is either embedded in its products or driving its eCommerce business systems and operations. The next wave of the Internet revolution will see the emergence of mission-critical eBusiness software running business-to-business (B2B) transaction engines, Internet-enabled smart cards and devices, and intelligent manufacturing and supply chain automation systems. Medical devices running embedded software will also become more commonplace. Software has become the very heart of the new economy, and business risk management must include software risk management (SRM).

First, the Bad News
The consequences of essential software failure can be dramatic. At the extreme, the failure of essential software in a safety-critical system, automobile brakes for example, can result in loss of life. From a business perspective, the financial consequences of essential software failure can be severe as well. They include:

  • Revenue loss in the millions when software fails or key information is stolen or compromised
  • Brand damage and severe market impact when software does not work as advertised or security vulnerabilities impact consumer trust
  • Liability costs when consumers cannot complete online transactions or when software embedded in airplanes, automobiles, pacemakers or nuclear reactors causes injury or death
  • Productivity loss when software malfunctions or ceases to function altogether

A few examples show, in no uncertain terms, that software risk must be managed like other serious business risks:

  • Hershey's sales for Q3 1999-the company's peak shipping period-dropped more than $150 million (12 percent) from the previous year because of an enterprise software glitch that prevented Halloween candy from being shipped. As a result, the candy maker's net income for that same period was down 19 percent from 1998.1
  • Online auction giant eBay experienced revenue loss of nearly $4 million in the form of customer credits when a software problem caused a 22-hour system outage in June 1999.2 The lost revenue was just the beginning of eBay's problems; the impact on investor confidence resulted in a loss of $5.7 billion in market capitalization.3
  • In 1999, the U.S. Securities and Exchange Commission fielded over 20,000 investor complaints related to software problems in online trading-a dramatic increase from the roughly 1,000 complaints filed in 1998.4
  • The former parent company of bankrupt pharmaceutical distributor FoxMeyer is suing SAP for $500 million because the vendor's enterprise resource planning software allegedly brought FoxMeyer to a virtual standstill.5
  • The Standish Group estimates that software problems accounted for $85 billion in lost productivity in U.S. companies in one year alone.6

Even dot-coms with little tangible equity are concerned about software quality. After all, when a business spends millions to build its brand, it makes sense to invest in reliable, safe and secure software to protect that brand. Brand awareness and consumer confidence are all too easily eroded, and often software problems are to blame.

Need more proof?

  • A software glitch allowed H&R Block's online customers to view other clients' tax returns, causing a loss of credibility for the Web-based service offering and damaging the venerable firm's reputation.7
  • Online music retailer CDUniverse's reputation was damaged when a security flaw in its software was exploited by a hacker who stole 300,000 credit card numbers and published them online, complete with the cardholders' names and addresses.8

Light at the End of the Tunnel: Assessing Software Risk
Fortunately, business people understand how to manage risk. Executives do it every day when they make calculated decisions. Given the right data about software behavior, managers can control software risk as they would any other business risk.

In order to be successful, any software risk management approach must apply an advanced, proven methodology, appropriate technologies, and specialized expertise in software risk identification, mitigation and management.

If a software package is essential to your business, either because it is embedded in your products or because your operations platform relies upon it, the risks inherent in flawed software may be unacceptably high. The software reliability issue boils down to determining how much risk your company is willing to accept by counting on a product that includes potentially damaging, even dangerous, software.

Put succinctly, the fundamental software question is one of software risk assessment and management. These issues can be framed in terms of potential payoff and required investment, and sound decisions can thus be made using a marriage of business goals and technology realities.

Just as there is no "sure thing" in business, there is also no "sure thing" in SRM. The key to an appropriate approach is to understand the business impact of technical software risks, then address the most pressing risks using sound technology. Business risks, including technology risks, must be identified, ranked in order of severity and addressed in rank order by well-conceived mitigation techniques.

The Early Bird Gets the Bug
Starting the risk analysis process early is important; the earlier in the development process that risks are taken into account, the more efficiently mitigation planning and resource allocation can proceed. Software risk management efforts-including test planning, technology choice, human resource allocation and budgeting-should be driven by business impact determinations.

Fundamentally, risk analysis helps project leadership choose among a large set of possible SRM approaches, and realistically determine which ones should be applied.

A basic outline of an SRM methodology based on business-relevant risk analysis should include the following steps:

  • Identify software-induced business risks.
  • Synthesize information relevant to product use and business goals.
  • Create a software risk management strategy to determine critical trade-offs between technology-driven approaches and business objectives.
  • Implement the software risk management strategy by designing, measuring, monitoring and testing software against identified business risks.

Keep in mind that risk identification is not just a one-time activity. It is a dynamic process; risks evolve and change according to fluctuating market pressures, technology advances and business strategy. Any type of severity ranking is clearly context-sensitive and time-dependent, hinging directly on the changing business needs and goals. Thus, it is important to regularly revisit the risk analysis process and periodically review the risks according to changing business and technology scenarios. Software upgrades and changes in operating environments make this process all the more important as their introduction can create new, unforeseen vulnerabilities.

In the End, a Business Decision
The threat of software-related losses provides a significant incentive for businesses to manage the risks of essential software failure. In the past, business risk management models traditionally underplayed the importance of software risk management. Today, however, executives recognize the increasingly central role of software in virtually every aspect of business operations.

In the age of eBusiness, software failure can lead directly to business failure. Software product performance and its direct relation to business success or failure is clearly an executive management issue. As a result, a proven, methodical approach to software risk management is an absolute necessity.

Footnotes
1. From Hershey's Form 10-K. Filed March 13, 2000 with U.S. Securities and Exchange Commission.

2. From eBay's Form 10-Q. Filed August 9, 1999 with U.S. Securities and Exchange Commission.

3. "Coping with E-Business Emergency." InformationWeek. September 6, 1999.

4. "Software Hell." Business Week. December 6, 1999.

5. Ibid.

6. Ibid.

7. "Internet Glitch Exposes Taxpayers' Data." USA Today, p.1A. February 17, 2000.

8. "Thief Reveals Credit Card Data When Web Extortion Plot Fails." New York Times, p.A-1. January 10, 2000.

This article appeared in the Q4 2000 issue of SRM Magazine, which is published by Cigital, Inc. It is reprinted here with their permission. For further information on Software Risk Management, visit www.cigital.com. Copyright @ 2000 by Cigital, Inc.

About the author

StickyMinds is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.