Step Six: Quantify Risks and Risk Analysis
The best managers of software projects seem to have an uncanny ability to anticipate what can happen to their projects and devise just-in-time mitigation approaches to avoid the full impacts of the problems. In reality, this ability is simply the skillful application of well-known risk management techniques to the well-known problems of software management. Unfortunately, too many software managers are skilled in seeing potential risks and then ignoring them outright.
Before we explore the risk management process and how to apply it to the risks associated with sizing and estimation, it is important to understand what a risk is and that a risk, in itself, does not necessarily pose a threat to a software project if it is recognized and addressed before it becomes a problem.
Many events occur during software development. Risk is characterized by a loss of time, quality, money, control, understanding, and so on. The loss associated with a risk is called the risk impact.
We must have some idea of the probability that the event will occur. The likelihood of the risk, measured from 0 (impossible) to 1 (certainty), is called the risk probability. When the risk probability is 1, then the risk is called a problem, since it is certain to happen.
For each risk, we must determine what we can do to minimize or avoid the impact of the event. Risk control involves a set of actions taken to reduce or eliminate a risk.
Risk management enables you to identify and address potential threats to a project, whether they result from internal issues or conditions or from external factors that you may not be able to control. Problems associated with sizing and estimating software potentially can have dramatic negative effects. The key word here is potentially, which means that if problems can be foreseen and their causes acted upon in time, effects can be mitigated. The risk management process is the means of doing so.
The risk management process is straightforward and, from a process standpoint, one of the easier disciplines to plan and implement. You should be able to complete a fully functional risk management process within 30 days of identifying your requirement. That is the easy part. Ideally, an organization’s management will recognize that the risk management process is an essential management tool and thus value, support, and effectively use it. However, in reality, the bias against risk management is often so strong that it may take years to achieve cultural acceptance and integration of the process, if they can be achieved at all. Risk management is the antithesis of the can-do attitude, highlighting the potential for failure and reminding management of factors which, should they occur, would affect the expected success of an endeavor.
Many managers incorrectly perceive that if they identify risks that subsequently become problems, they will be held responsible for the problems. In fact, the opposite is true. By using risk management techniques to anticipate potential risks, the manager is protected against liability because if the problem does occur, it can be demonstrated that the cause was beyond what any prudent manager could have foreseen.
Although cost, schedule, and product performance risks are interrelated, they can also be analyzed independently. In practice, risks must be identified as specific instances in order to be manageable.