Risk Management in Software Development Projects

Risk management in software development improves performance and efficiency, and helps the team reach its targets and goals in the correct way. It reduces the chances of undesirable events taking place, or reduces their effect if they do happen. It thus provides greater control over outcomes, reduces shocks and increases the likelihood of success in software development.

What is a Risk?

A risk is an uncertain event or condition that affects the project. A risk is the possibility of any deviation from what is planned. It is something that may or may not happen, but if it happens it impacts the project.
It has a potential impact on time, cost and so on. Not all risks are negative; there can be positive risks too. On the one hand, negative risks bring threats; on the other hand, positive risks bring opportunities.

“A person who can foresee problems / difficulties and identify proactive solutions will live happily”-Chanakya (350-283 BC), author of Artha Sashtra.

We face risks all around us. In cricket, a batsman takes a lot of risk before hitting a six. Marriage can be considered a huge risk, as we do not know exactly what our partner is like. Investing in stocks is risky, as we do not know whether share prices will rise or fall.
Changing jobs is a risk, as we do not know about our new environment. Even going to the office is a risk because of accident-prone, high-traffic roads. There are risks all around us. It is said that a cat drinks milk with its eyes closed because it does not want to be disturbed by its surroundings and wants to enjoy the taste of the milk completely. So when anybody comes to beat it, the cat does not notice, and hence it is beaten easily. The moral is that we should not be so involved in current successes that we forget to plan for future risks. We must always be ready with a risk management plan.
Organisations must undertake risk management in order to protect their business and assets from threats. In the IT industry a weak password is a risk, as there is a likelihood that a hacker might harm the organisation by compromising data secrecy. In software development we can have strategic risks, like a new competitor in the market; financial risks, like non-payment by a customer or client; or operational risks, like theft of equipment or failure of a hard drive.

What is a risk management plan?

“If you need water today, you should dig well yesterday”-Old Chinese proverb.
Plan for risk at the beginning and keep reviewing the plan throughout the project. Do all your risk management by meeting with the team, and keep meeting them throughout the project. These meetings not only help the project manager understand the technical difficulties but also help him continuously improve the plans in a way that better suits the efficient working of the team. This narrows the gap between reality and the ideal. According to the famous proverb, “If you fail to plan then you are planning to fail.” The following go into risk management planning:
Planning – It clearly shows that you have plans and a vision of the future. You must divide the project time into sub-categories. The project must be subdivided among the team, with a specified time for each part. We must include time for testing and many other critical factors. We must be prepared for the possibility that the work will overrun the deadline or that an unexpected risk will cause problems. We must be ready for the worst to happen during the project and have backup plans and alternatives available.

Roles and responsibilities – The project must be divided among the team so that each member has a definite role.
Roles and responsibilities must be decentralised, and no one should have so big a say in the project that he could pose a threat to its completion and cause all the work to go in vain. The project manager must know exactly how many members are needed for which work. If there are too few members, it creates a lot of stress on the employees; if there are too many, progress slows down because of miscommunication, gaps and delay, since the work has to pass through a large number of heads and the process becomes time-consuming.
Both cases are inefficient and undesirable, so there must be proper roles and responsibilities.

Risks Related to IT Projects

Technical Environment – The environment in the IT industry is never stable; one always has to find new ways to adapt to the changing scenario. So it becomes very difficult for any team member to settle in such an environment.

Information Security – It is essential in the IT industry to secure data and programs from being leaked.

Programming Logic – This is also a risk in the IT industry. Suppose a program is written with logic that supports 999 variables.
If there are more than 999 variables, the program fails because of its programming logic.

Infrastructure – There is also a risk as to whether the infrastructure is capable of supporting growth. Many times the infrastructure is insufficient to handle the growing number of employees, and hence the project manager finds it difficult to accommodate all the members with sufficient facilities.

Technology itself is a risk. Suppose tomorrow a new, more beautiful language than Java arrives, or somebody develops a new bug or virus in Java code. Then whatever work we have done in Java becomes obsolete.
So depending on only one language can make the company really suffer, and it becomes a big threat. The organisation must be flexible enough to use multiple programming languages and should be ready to welcome and adapt to newer technology. The technical architecture should be designed so that it can easily accommodate near-future technology.

Volatile Requirements – Requirements change continuously. Whenever marketing staff, customers and users recommend new features or demand something new, whole working plans have to be changed.
Management in software companies never really stabilises because of fluctuating demands and changing working scenarios.

Poor planning – The plans made at software companies aim to shorten the time to market by scheduling tasks in parallel using iterative and spiral techniques. These plans not only stress employees and are more likely to fail, but also demand more from the employees and many times force them to switch companies, all because of poor planning. Plans should be like a living document, iterating and evolving over time.

How to identify Risks
Since not all risks can be mitigated, close monitoring of risks is extremely important in order to control or manage them. The project manager must identify where the organization is vulnerable to risks by thinking about what could happen in the future. Create an atmosphere where team members are comfortable bringing up potential risks. All ideas should belong to the team and not to the individual. Including the right people is also necessary; otherwise the group might come up with risks that are not very relevant to the company.
Brainstorming – This is a group activity in which each member of the team is asked what risks they think can impact the company. As they will be working on the project, it is necessary to know their views on the risks. The project manager should encourage team members to share their views on risks to the project; this helps surface thoughts that the project manager could never have come up with alone. So asking everyone is important in order to view the project risks from many angles. It also gets the members thinking about risks and provides a wider range of opinion on the subject.
Delphi method – This involves seeking the advice of experts who have done similar projects earlier, and asking them how they managed the risks of using new technology. Look at surveys on the subject matter and try to learn from the past as much as possible. Mistakes must not be repeated, and we must learn how to tackle the risks. Filter out which risks would actually impact your company the most and which risks are most probable. All of this will help you significantly in coming up with a perfect plan.

Interviews may be conducted face to face with different people: tell them about your project and ask their opinion on what may go wrong.
The more views there are, the more new plans and improvements emerge.

SWOT Analysis – This means analysing any scenario and studying the strengths, weaknesses, opportunities and threats associated with the project arising from any of its activities.

Root cause identification is also very important for solving any problem. If we catch hold of the root cause, we can solve the problem much earlier and more smoothly. It is also advisable to have a checklist analysis so that you can count all the possible risks and threats and be ready to manage them.

Identify the trigger in time; we must observe what is happening around us.
We must know when problems arise and then try to find a pattern in their timing. For example, suppose a website may crash during Christmas. The root cause is that the website is designed only for the average visitor traffic of normal days, and the potential response may be to get additional bandwidth from the service provider. If you foresee the problem, you will have the potential response ready before anything goes wrong, such as the website crashing. So if you are acquainted with the problem and have planned beforehand, watch for the trigger point and act on it to overcome the risk, so that nothing goes wrong.
That is the power of planning.

What are the different ways to manage the Risks?

Make sure that the information in the risk register is correct, since wrong data leads to wrong conclusions, and examine carefully how likely risks are to happen and how bad it will be if they do. The impact could be financial, or it could be on the schedule. If it is a financial impact, observe whether it affects ten percent of the budget or fifty percent of the budget. It is always good to be ready for any risk. A risk response can involve many things.
The first and simplest way to deal with a risk is just to avoid it. This is also called eliminate. It might look like the safest way, but it is not profitable in all cases. It means working on plans under which the risk is less likely to occur or to repeat.

The second approach to risk planning is to mitigate; this is also known as reduction. In this approach to risk response we take action so that the risk causes little impact to the project. It reduces only the impact, not the probability of the risk occurring. It makes the outcome less severe. For example, against the threat of spyware or malware we install antivirus software.
Even though we try to mitigate a lot of risks, it is practically not worth your time and money to mitigate all of them. Software companies use a cost-benefit analysis to determine whether a risk is worth mitigating or not. It is more concerned with the impact of the risks.

The third way of responding to risk is to transfer; here you give someone a part of the profit in order to reduce the risk. This is done by paying someone to accept it for you. The most common way is to outsource or to buy insurance. Transfer helps in minimising risks by having an outside authority handle the risk for you.
The fourth way to respond to a risk is to accept it, which means you do not do anything. Even when you accept the risk, at least you have looked at all the alternatives and know what will happen if it occurs. The US Department of Defence calls these four categories ACAT: Avoid, Control, Accept and Transfer.

Critical Success factors for effective Risk Management

Organization culture and organization structure are key factors in risk management for any organization. As an organization invests a lot of money to come up with a product, there is always a risk of the product failing or the launch being unsuccessful.
Structure means whether it is a flat structure or a hierarchical structure. In a flat structure it is very easy for anyone to make decisions immediately, whereas anything in a hierarchical structure takes longer, but a better decision can be expected as it is reviewed many times. Communication and trust are also critical factors for effective risk management, as any organisation is made up of people and it cannot be productive unless they have trust in each other, their methodology and the project manager. A communication gap, for whatever reason, builds into a bigger problem and can even lead to failure of the project.
Best Practices in Risk Management

The project manager must understand the 3 P’s of software management, i.e. Processes, Products and People. If they are managed well, a lot of risks are handled automatically. Recognise the good processes and add value. Getting people to use the process is a challenge, and it can be resolved by making your process the most preferred way of doing business. Adding value is only possible when we use the process to learn from both the positives and the negatives. It is performance that makes or breaks the product from the customer’s point of view. Planning must be done for risks.
So there should be continuous product improvement, because quality makes the difference between your product and others in the market. People are the greatest asset of any company, so it is always advisable to reward your top performers and commit to personal growth. Identify risks in the early part of the project. Plan beforehand what problems could possibly arise. For example, a computer can be affected by malware, spyware, theft, hardware failure or even loss of internet connectivity. Communicate with the stakeholders about the risks.
Build bridges through open communication. Stimulate a free exchange of information across the organisation. For each risk there must be someone who is clearly responsible, accountable, consulted and informed (RACI): someone who has a plan for the risk, whom we can ask if the risk poses a threat, who can be consulted on what action should be taken, and who is informed if the risk happens. We need to understand the priority of the risks. Some risks might have a large impact but be very unlikely to happen; we can give such risks a lower priority.
Strategies are not just important in themselves; risk management strategies must be implemented to get results. Maintain the risk register throughout the project life cycle, and do not forget about residual and secondary risks. Try to work on all the relevant risks, considering both threats and opportunities.

Common Mistakes in Software Management Plans

Choose wisely the number of people on any project. Fred Brooks mentioned this famous mistake as the “pregnant woman” mistake: that a woman can have a baby in nine months does not mean that nine women can have a baby in one month.
The idea is that adding more and more people to a project does not mean that the project will be completed quicker. The mathematics does not work directly here, because every person we add to the project also adds friction. In fact there exists a tipping point after which adding more people slows progress down more than it speeds things up. We must be cautious about the number of people appointed to a project.

Wrong Data Interpretation

Many times, data are interpreted according to our will. Such data do not give any useful meaning.
So the organization makes many wrong decisions based on the wrong metrics rather than the right ones, out of convenience. It is very difficult to understand the numbers. For example, in the case of a ‘bug ticket’, the helpdesk closes tickets for things that are not actually fixed, causing a proliferation of tickets. The organisation opens as many tickets as possible and closes them as quickly as possible in order to have a high resolution rate. The resulting metric is unreliable and should not be used by managers.

Inappropriate time Goals
Even if we account for the things that alter timelines or priorities, there is a very small probability of things happening on time as the manager has planned. So some extra time must be set aside so that a time shortage can be managed. Projects must be divided into smaller component tasks so that time is allocated to everything, including all tests and complete procedures; otherwise a vague estimate such as two weeks often falls short, as it does not include sufficient time for all procedures. So set appropriate time goals to keep deadlines from being blown.
Poor Communication

A lot of mistrust arises because business people do not know what is going on inside the project. The managers then do not feel in control of the project and start forcing it in the direction they like. This creates an atmosphere of stress and mistrust. The problem is easier to mitigate by communicating the current standing of the project to people and informing them of its progress and status.

Creating a wall of process

A company is likely to have created a large number of processes in the way it works.
Sometimes even the simplest changes require a request form to be filled in, signed and countersigned by a lot of managers. These processes limit the smoothness of a project and make the atmosphere counterproductive and hostile.

Multi-Tasking

The more people are asked to multi-task, the poorer their performance becomes. They take longer to finish their projects. It is not a good idea to demand more from people; doing so makes them slow and non-productive. In some cases it even forces them to switch jobs.