Chapter 7

Risk Management

System Analysis and Project Management · BCA · Updated Apr 15, 2026

What is a Risk?

A risk is an uncertain event that, if it occurs, has a positive or negative effect on project objectives. Risk management converts "we might have a problem" into "we know our options if X happens".

Risk Management Process

  1. Plan Risk Management — decide how the process will be run.
  2. Identify Risks — brainstorming, checklists, SWOT, expert interviews.
  3. Qualitative Analysis — rate each risk's probability and impact.
  4. Quantitative Analysis — estimate monetary impact (EMV, Monte Carlo).
  5. Plan Responses — choose a response strategy for each significant risk.
  6. Monitor and Control — watch triggers, execute response plans, update the register.

Categories of Software Risks

  • Technical — immature technology, performance targets, integration.
  • Schedule — unrealistic deadlines.
  • Cost — funding cuts, inflation.
  • Organizational — restructuring, loss of sponsor.
  • External — regulation, vendor failure.
  • People — staff turnover, skill gaps.

Risk Identification Techniques

  • Brainstorming with the team.
  • Checklists from past projects.
  • SWOT analysis.
  • Interviews with experts and stakeholders.
  • Root cause analysis.
  • Assumption analysis.

Risk Register

The risk register is a living document listing every identified risk with: ID, description, category, probability, impact, score (P × I), owner, response, trigger, and status.

Probability-Impact Matrix

Score each risk by probability (1-5) and impact (1-5). Multiply to get a risk score. Plot on a 5×5 matrix: high-high risks go in the red zone and demand immediate action; low-low go in the green zone and may be accepted.

Quantitative Analysis — EMV

Expected Monetary Value (EMV) = Probability × Impact in monetary terms. A 30% chance of a $10,000 loss has EMV = -$3,000. Decision trees roll up EMV across alternatives.
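As an added worked example (not part of the original notes), the register columns above, the P × I scoring with matrix zones and the EMV formula in Python; the zone cut-offs (red at 15 or more, amber at 6 or more), the `decision_emv` roll-up helper and the sample risks are assumptions, since the notes only place high-high in red and low-low in green.

```python
from dataclasses import dataclass

RED_MIN, AMBER_MIN = 15, 6   # assumed zone cut-offs on the 1..25 score scale

@dataclass
class Risk:
    """One risk-register row; the columns follow the list in the notes."""
    risk_id: str
    description: str
    category: str
    probability: int   # 1-5 rating
    impact: int        # 1-5 rating
    owner: str
    response: str
    trigger: str
    status: str = "open"

    def score(self) -> int:
        """Qualitative score = probability × impact (1..25)."""
        for v in (self.probability, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("probability and impact must be rated 1-5")
        return self.probability * self.impact

    def zone(self) -> str:
        """Matrix zone: red demands immediate action, green may be accepted."""
        s = self.score()
        return "red" if s >= RED_MIN else "amber" if s >= AMBER_MIN else "green"

def emv(probability: float, money_impact: float) -> float:
    """Expected Monetary Value = P × monetary impact; losses are negative."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be a fraction in [0, 1]")
    return probability * money_impact

def decision_emv(branches: list[tuple[float, float]]) -> float:
    """Roll up one decision-tree chance node: sum of EMV over its branches."""
    if abs(sum(p for p, _ in branches) - 1.0) > 1e-9:
        raise ValueError("branch probabilities must sum to 1")
    return sum(emv(p, m) for p, m in branches)

# Constructed sample register (illustrative values, not from the notes).
REGISTER = [
    Risk("R1", "Key developer leaves", "People", 3, 4, "PM",
         "Mitigate: cross-train", "Resignation notice"),
    Risk("R2", "Vendor API withdrawn", "External", 2, 5, "Tech lead",
         "Transfer: SLA penalties", "Vendor deprecation notice"),
    Risk("R3", "Minor UI rework", "Technical", 1, 1, "UX", "Accept",
         "Usability test fails", status="closed"),
]
```

Sorting `REGISTER` by `score()` gives the order in which the status meeting should walk the open risks.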

Response Strategies for Threats

  • Avoid — change the plan to eliminate the risk.
  • Transfer — shift impact to a third party (insurance, warranties, fixed-price contracts).
  • Mitigate — reduce probability or impact (prototyping, redundancy).
  • Accept — do nothing beyond a contingency reserve.

Response Strategies for Opportunities

  • Exploit — ensure the opportunity happens.
  • Enhance — increase probability or impact.
  • Share — partner with someone better placed.
  • Accept — take advantage if it occurs.

Risk Monitoring

Review the risk register in every status meeting. Track trigger conditions, execute response plans when risks materialize, and close risks that no longer apply. Add newly identified risks continuously.

Common Software Risks

  • Requirements creep.
  • Unrealistic schedule.
  • Loss of key staff.
  • Vendor failure.
  • Security breach.
  • Performance not meeting SLAs.

Summary

Risk management is continuous and proactive. A systematic process of identification, assessment, response planning, and monitoring turns uncertainty into informed decisions and protects the project's objectives.

Important Questions

  1. Define risk and risk management.
  2. List the six steps in the risk-management process.
  3. Categorize software risks with examples.
  4. What is a risk register? List its columns.
  5. Explain the probability-impact matrix.
  6. Calculate EMV for P=0.4, Impact=-$50,000.
  7. List four response strategies for threats with examples.
  8. Give four common risks in software projects and their mitigations.
