TrainingConferencesAbout UsContact UsAdvertiseSQE.comRSS Feed
StickyMinds.com: brain food for building better software

Log In

Search For:
 Clarify Your Search Criteria

Tips on Using Our Search Feature(s)
 
StickyMinds.com Home
ResourcesTopicsCommunityPowerPassBlogs
Home  >  Detail: Risk Analysis Basics



A StickyMinds.com Original
Article Picture
Risk Analysis Basics

By Johanna Rothman

Send This Content to a FriendGet a Short Link to This ContentPrint This ContentSee User Comments About This Content

Summary: Have you ever had a challenging time trying to get a manager or coworker to recognize a potentially project-stalling issue? Risk is inherent when creating something valuable and complex (like software), but sometimes it’s hard to analyze and explain in a productive way. Here Johanna Rothman shares her method for addressing risks.


ThoughtWorks
Setting: Our tester, Tim, is verifying load performance of a server. He has been waiting for his chance to use the server to run his tests. While he’s waiting for the developers to finish, he realizes that if the server dies, he can’t verify the load performance of the application. Tim makes a beeline for Pam the project manager’s office.

Tim: "Hey, did you know this server is critical to our ability to load test?"

Pam: "Hmm, no, I didn’t realize that." (Pam goes back to reviewing the schedule.)

Tim: "Well, I want to get another one, okay?"

Pam: "What?! No, you can’t have another server. If you get another server, other people will want more servers, and then our budget will be shot."

Tim: "But if we don’t have the server at all, I won’t be able to test."

Pam: "Hmm, then our bug counts will go down. That’s not bad."

(Tim glares at Pam.)

Pam: "Okay, then it’s your job to tell me how likely the equipment is to break and how much it will cost to fix."

Ever had a conversation like this with a project manager? I hope not. But if you had, you probably walked away furious and disgusted. You knew that the project manager really didn’t care what your answer was. However, you know that you somehow have to bring this information to the project manager’s attention, so that she can take a more responsible approach to managing the potential issue.

Potential issues are risks. Formal risk analysis is what happens when you consider the likelihood that a potential issue will occur, and take into account the severity of it happening, giving you the exposure. Then you create a mitigation plan to deal with the problem. Testing is one form of risk mitigation, by looking for defects before the customers find them. But that’s not the only form of risk mitigation you’re likely to need.

Sometimes mapping out the risk can be helpful. I use a table like this one to explain risks:

Risk

Probability of occurrence

Risk severity

Exposure

Trigger date

Mitigation plan

Define this in words

How likely is this risk to occur? Use high, medium, low

How severe a problem is this risk if it occurs? Use high, medium, low

Multiply probability and severity together, to derive a joint value

The date by which you will set the mitigation plan in place

What are you going to do about this risk?

Load server may not be available in time to test

High (it was in use by other groups for the last release)

High (we can’t test performance under load without the server)

(High, High)

2/1

Buy a new server, install it by 2/15, up and running by 3/1, in time to start load testing

First, I define the risk in words people can understand. Here, we’re talking about a particular server's availability. Then, I define the probability that this problem could occur. If you have historical information, use it. If you don’t have any previous knowledge, then guess. In my example, we know that in the previous release, other groups also needed to use the load server.

Then, define the severity of the risk. How bad a problem is this, if it occurs? In this case, the potential problem is very bad, assuming we need to test the product under load. Once you’ve defined the probability and severity, you can multiply them together. Some people use numbers to quantify risk, so they can easily multiply and get a number. I find that having managers see (High, High) in bright red is enough information. In my experience, managers or other people with organizational power manipulate the numbers to give the answer other managers or other powerful people want to see. It’s much harder to manipulate the highs, mediums, and lows.

For all risks, define the date by which you need a mitigation plan, a plan to manage the risk if it does come true. For High exposure risks, define the mitigation plan. (In your organization, you may also need a plan for medium exposure risks. Some organizations require plans for even lower exposure risks. It depends on the risk tolerance of your organization.)

Now, when you go to your project manager to explain that there’s a potential problem with testing, it’s easier for the project manager to see the potential problems and how they impact the whole project.

Of course, risk management doesn’t give you a magic wand and a crystal ball. Rather, risk management is about looking at likely scenarios (and even at some unlikely scenarios) and taking some action to reduce their potential effects.

Why do risk analysis?
You do risk analysis for only one reason: Would you manage the project differently if any of your risks happened? I especially look for risks that could put us out of business, or prevent us from shipping product.

When I work with people on generating risk scenarios in the project, I ask them to look at risks in these areas:

  • Risks to getting the project completed. (The machine availability problem above is a great example of that risk.)
  • Risks to using the product in the field. (I find use cases or other forms of customer-scenario generation work well here.)
  • Risks to the business from using the product in the field. (If your customers find this problem, could their reaction impair your ability to do business?)

Then you make plans to deal with the risks you never want to come true. In Tim’s project, for example, the lack of the machine when it was needed would prevent them from doing load testing. How bad a problem is that, really? Would Tim’s company have shipped anyway? If so, then there was no risk. (I’m not saying this is good business, but if Tim’s company already decided that the potential down side, the severity, is not high enough, then there is only limited business risk if a server is not available and the testing is not done.)

Risk analysis can’t be exact. If it were exact, you’d be predicting the future (and by the way, if you figure out how to predict the future, please do let me know). But having a place to start the discussion about what the problem is, and how it affects the project, is much better than the frustrating and inadequate dialog we saw at the beginning of this column.



About the Author
Johanna Rothman observes and consults on managing high-technology product development, looking for the leverage points that will make her clients more successful. She recently co-moderated a RoundTable “Making the Transition to Management” with Esther Derby. You can reach Johanna at jr@jrothman.com or by visiting www.jrothman.com.

Back to Top 

StickyMinds.com Weekly Column From 12/10/01 

Member Comments
Add Your CommentExpand Comments
 
Comment:    
by Fiona Charles 4/15/2009

Useful article, Johanna, which covers the basics within the constraints of a short column. To amplify a little: I typically work with 3 different categories of risk, all of which are important enough to communicate to the project manager, though she/he may or may not choose to incorporate them in the project risk log.

Project risks are those that could derail the project. Mostly, those aren't my concern to identify as a test manager, though assessment of the next category -- testing project risks -- could identify risk to the whole project. I also escalate any risks I need help to mitigate. Testing project risks are those that...Read On

 
 
Comment:    
by Jayatheerthan Sundararajan 11/24/2003

Johanna, The testing risks become the sub-set of the project risk. We do as test managers, identify risk at the test strategy level and mostly we don't track it as the project becomes more complex and hence, the risk. Would be more interested to know about the risk tracking. Is it just to say that we have crossed the activity and risk has happened or not? Newer risks overshadows the idetified risks as the project progresses. What one should do whenever a newer risk crops up? How it should be ploughed back into the future project/process improvement?. Also, in future should we need to drop risks identified but not occured in earlier projects?

 
 
Comment:    
by Robert Lee 12/13/2001

Johanna, Shouldn't the project manager or a committee on his/her staff be keeping and managing the project's risks & top 10 risks list? If so, they should certainly be open to this input. If not [just mortals?] how can we gracefully suggest that this Best Practice be picked up? Also, this is small, but the RED, YELLOW, GREEN had visual problems on a white background (at least viewed on my iMac). Your screen mileage may vary, but I'd suggest making the YELLOW more an ORANGE. This also applies to anyone doing this risk analysis on a whiteboard - don't burn out their eyes! We once did yellow highlighter on a white board - we did that once...Read On

Author's Response: 12/14/2001    
Bob, yes, on "normal" projects, the PM or the PM assistant tracks the overall project risks. However, most of us don't work on "normal" projects (how many of you actually track risks??), and even if the PM tracks project risks, each subproject (such as the testing subproject) has its own risks. We may want to promote those risks to the PM, as in the example above, where the lack of a server can stop testing. If you want to suggest risk management as a practice than can help, use an example from your last project. Was there a risk that "everyone" knew about, but no one planned for? When it happened, was there a crisis? Could you have planned for it? If so, what was the cost of the crisis response? Can you compare that cost to managing the risk in a proactive way? I find that making costs real to the organization is key in adopting risk management. Sorry about the colors. I was insistent with the SQE staff that we *had* to have the colors, but I guess they were too hard to see sometimes. I tend to use highlghter colors with black print on white paper, something we can do electronically in word processors.) I figure as long as I highlight the Really Big Risks in Red, I have a chance of having a discussion with the people I need to talk to. That's the whole point of risk management. How do you start the dialogue? Any tool that works is fine with me.

 
 
Comment:    
by Gerold Keefer 12/13/2001

some qa on this worthwhile article: what johanna describes is commonly refered to as "risk management". "risk analysis" is only a part of it. focus areas are very useful for risk identification/brainstorming-sessions. recently i used the classification people/technology/business/methodology. moreover, i separate impact categories development costs, operation costs, development time, and quality. what is missing in the article is a cost estimate of the mitigation activity. this should have an important impact on your top-ten list. one question: the last time i did RM, people/methodology issues were at the top of the list (number one was...Read On

 
 
Comment:    
by George Wilkinson 12/13/2001

When accessing risk it's worth pointing out that it is good to get more than one set of eyes on the potentially 'risky' apsect of the project. This can be gained via the project manager, developers or others. Being a tester myself I know we 'testers' can get too close to the wood to see the trees sometimes, and this is no different when accessing risk, especially commercial risk.

 
 
Comment:    
by Wayne Larson 12/11/2001

I have been conducting risk analysis and risk management for several years now. I liked Johanna's "basics" article. Technical (product) risks are best analyzed WAY-UP-FRONT when garnering requirements inputs and contemplating architectural and interface constructs. These (technical) risks are best managed (during development) by proper requirements delineation (of "design" mitigation), astute requirements management/traceability, and making (technical) risk analysis an attribute of issue tracking and resolution during SDLC. Project & Business risks are best defined and managed with an interdependent (up-front) analysis performed in...Read On

 
 
Comment:    
by Laura Elliott 12/11/2001

I like the table approach for identifying risks. It keeps it simple and answers the key questions.

 
 
Comment:    
by yogita sahoo 12/11/2001

I'm pretty new to the art of risk analysis. Having read a lot about the concept, I have some realistic questions for you. Risk analysis happens very early in the process and mostly done for big sized projects of longer duration. And during the course of the project, circumstances change, hence affecting the Mitigation Plan. The fix thought 4 months back might not seem feasible and achievable at that point of time. To give a simple example, you analyze the risk of one of your very dependable programmer leaving his job when the project is mid-way through. The mitigation plan suggests hiring an experienced candidate immediately as none of the...Read On

Author's Response: 12/11/2001    
Not only do you do risk analysis up front, you continue re-assessing the risks during the project. I try to keep an up-to-date Top 10 risks list. I may be tracking more than 10 risks, but I'll only publish the top 10 risks. That way, if I realize that I need to take action earlier, I can. In your example of the programmer leaving, I'd want more information. The general risk of people leaving is something you address with cross-training and other techniques for multiple people to understand each others' work. When I've worried about a specific person leaving, I use a multi-prong mitigation plan: early hiring, cross-training, etc. However, sometimes you just can't anticipate everything, so risk analysis is a continous and dynamic process. You don't stop looking for risks just because you've defined some of the most egregious risks. You need to keep looking out for risks. When I manage projects, I tend to update my risk list at least as often as I update the project schedule.

 
 
Comment:    
by Richard Henry 12/10/2001

From a testing perspective, risk analysis must begin during the early stages of the project, the requirements gathering. We all know that we will never have the time we need to do all of the testing we planned to do. What we must test is those requirements that are considered critical to the business, those that should they fail the business would lose money, customers, credibility, or all of the above. Do be able to do this, we must be involved during the requirements gathering phase and we must be talking to the users about these requirements, which are critical, which are important, which are not important, so we can design our tests...Read On

 
 
Comment:    
by Chris DeNardis 12/10/2001

Another comment I would like to add on Why do Risk analysis - one reason is to focus ones test team onto the areas that is most critical, and not the ones that have not changed. One thing that should flag risk analysis is learning what changes have gone into an area that is already working or tested. I would even suggest those areas which are affected by that change be tested as well.

 
Back to Top



 
Ads By Google
What's This?
 
 

Home   |   Resources   |   Topics   |   Community   |   PowerPass



© 2010 StickyMinds.com. All rights reserved.
StickyMinds.com is a division of Software Quality Engineering.
Privacy Policy    Terms & Conditions    Link to StickyMinds.com    Feedback
ThoughtWorks




STAREAST 


Better Software Conference