Saturday, January 7, 2012

Identifying Risks to Software Projects

Threats to software development projects are often minimized or overlooked altogether because they are not as tangible as risks to projects in other industries. The risks are there, though, and are just as capable of derailing a software development project as a project in any other industry.

Most project managers in the information field have had the experience of planning a software development project down to the last detail, planning the effort for each of the tasks in the plan down to the last hour, and then having some unforeseen issue come along that derails the project and makes it impossible to deliver on time, or with the feature set originally envisioned.

Successful project managers in any industry must also be skillful risk managers. Indeed, the insurance industry has formalized the position of risk manager. To successfully manage the risks to your software development project, you first must identify those risks. This article was written to provide you with some tips and techniques to help you do that. There are a few terms that are not directly applicable to the activity of identifying risks but are helpful to understand before learning risk identification. These are some of those definitions:

  • Risk event - This is the event that will affect the project if it should happen.
  • Threat - A risk event that will have a negative impact on the scope, quality, schedule, or budget of the project should it happen.
  • Opportunity - Not all risks are threats; some are opportunities, which will have a positive impact on scope, quality, schedule, or budget should they happen. Threats should be avoided or their impacts reduced, and opportunities encouraged or their impacts enhanced.
  • Probability - The likelihood that a risk event will happen. This is what people in the gambling business call odds.
  • Impact - Usually refers to a comparative cardinal or ordinal rank assigned to a risk event. It may also refer to an absolute monetary value, duration of time, feature set, or quality level.
  • Risk Tolerance - This refers to your organization's approach to taking risks. Is it conservative? Does your organization welcome calculated risks?
  • Risk Threshold - Your organization's risk tolerance will usually be expressed as a cardinal or ordinal comparator, using the risk event's probability and impact to produce the comparator. Risks whose Probability/Impact score exceeds this threshold will be avoided or mitigated. Risks whose score is below the threshold are acceptable.
  • Risk Contingency - This is a sum allotted to the project for the purpose of managing risks. It should be split into two sums: one for managing identified risks and one for managing unidentified risks, or unknown unknowns. The sum can be either a monetary amount or an amount of time.

The project manager of a software development project can look to several sources for help in identifying risks: common risks (risks common to every software development project), risks identified with the performing organization, risks identified with the SDLC methodology chosen for the project, risks specific to a development activity, Subject Matter Experts, risk workshops, and surveys.

Common Risks

There are a number of risks that are common to every software development project regardless of size, complexity, technical components, tools, skill sets, and customers. The following list contains most of these:

  • Missing requirements - Requirements needed by the software system to be developed to meet the business goals and objectives of the project.
  • Misstated requirements - Requirements that have been captured but whose original intent has been lost or misconstrued in the process of capturing them.
  • Key or critical resources are lost to the project - These resources are usually single contributors, or team members with skill sets in scarce supply for which there is a strong demand in the performing organization. The potential impact of losing the resource for any period of time will be increased if they are assigned tasks on the critical path.
  • Bad estimation - The estimates of the effort required for developing the software are either significantly understated (bad) or overstated (also bad). Underestimation is the most common event. Work tends to be prolonged until it takes up all the time allotted by an overestimation.
  • Missing or incomplete skill sets - The results of this risk event will be the same as the results of bad estimation, but the risk will be mitigated differently. The result of a junior programmer being identified as an intermediate programmer may be a significant increase in the amount of effort required to produce their deliverables, or a complete inability to produce them.

These risk events should be captured by the project manager at the outset of any risk identification exercise, even though they will probably be identified by someone else on the team. Making them visible to the team in advance of any risk identification exercises will avoid time wasted in calling them out and may stimulate thinking about associated risks ("...what if Jane were to be called away to a higher priority project, might that also cause Fred to be lost to the project?").

Organizational Risks

These are risks that are unique to the organization performing the project. They may include some of the risks in the list of common risks, and other sources, but will also include risks that have no other sources.

The project manager should consult the archives of previous software development projects for the common risks, where project records have been archived. Get the risk registers of all the previous projects (or at least enough to provide you with a representative selection of risk registers) and try to match risks in each register. It is extremely unlikely that a risk will be common across all projects where there is a good selection of registers, but you should closely examine risks that appear in two or more registers for applicability to your project.

Survey the project managers responsible for past software development projects in your organization where archives are not available. It is possible that these project managers may have archived project artifacts, together with their risk registers, in their personal space even if the organization does not have a structured approach to archival. Getting the benefit of a seasoned project manager's experience from past projects will also be beneficial for deciphering the risks captured in archived risk registers.

Risks will not be stated in the same language across different registers (or across different project managers, for that matter). You will need to analyze the risk event statement to determine where two or more risk events are identical, despite different descriptions.

SDLC Specific Risks

Your software development project will be exposed to some risks and shielded from others depending on which SDLC (Software Development Life Cycle) methodology you choose to use for your project. Risk avoidance is a significant consideration when selecting an SDLC for the project, and your project should choose the SDLC which avoids or reduces the impact of the risks most likely in your case. To that end the identification of risks and the selection of an SDLC are like the chicken and the egg: it is difficult to determine which comes first. Here's a tip for sequencing the two. Choose your SDLC based on the type of software system being developed and the organization you are developing it in (How experienced is the organization with the tools and components involved? How experienced are they with each SDLC? What are the project priorities?, etc.). Once you've decided on an SDLC you can identify the risks associated with it, and if the level of risk associated with it exceeds your organization's risk tolerance, you can revisit your choice.

There are risks inherent in each different type or category of SDLC. We will talk about a few of the most common risks for the most popular types or categories of SDLC.

Waterfall

Projects using the Waterfall methodology for development will be most prone to any risk event impacting the schedule, and that is because there are no intermediate checkpoints in the method to catch problems early on in the build phase. Delays to any activity from requirements gathering to User Acceptance Testing will delay the final delivery for the project. Risk events which fall into the "delay" category will include: delays due to unfamiliarity with tools or components (e.g. programming languages, test tools), delays due to underestimation of effort, delays due to inexperience, and delays due to requirements contributors missing deadlines.

Delays are not the only risk events a waterfall project is susceptible to. Waterfall projects are not well designed to propagate learning across the project, so a mistake made in one area of development could be repeated across other areas and would not come to light until the end of the project. These mistakes could mean that development could take longer than necessary or planned, that more re-work is necessary than was initially allowed for, that scope is reduced as a result of discarding bad code, or that product quality suffers.

The Waterfall method tends to be used on larger projects which have a greater duration than those using other development methodologies, making them prone to change. It is the job of the change management process to handle all requested changes in an orderly fashion, but as the duration of the project increases so too do the chances that the project will be overwhelmed with requests for change and that buffers for analysis, etc. will be used up. This will lead to project delays and budget overruns.

Rapid Application Development (RAD)

The intent of Rapid Application Development is to shorten the time required to produce the software application. The primary benefit from this approach is the elimination of change requests - the idea being that if you provide a quick enough turn-around there will be no necessity for changes. This is a double-edged sword though. The fact that the method relies on the absence of change requests will severely limit the project's ability to accommodate them.

The risks that will be the most likely to occur on a project using this methodology will have to do with the software application's fitness for use. The market or business could change during the project, and the project may not be able to respond to a resulting change request within the original schedule. Either the schedule will be delayed while the change is made, or the change will not be made, resulting in the build of a system that does not meet the client's needs.

The RAD method requires a relatively small team and a relatively small feature set to support a quick turn-around. One possible result of having a small team is a failure to have a needed skill set on the team. Another will be the lack of redundancy in the skill sets, which means that the illness of a team member cannot be absorbed without delaying the schedule or getting outside help.

Scrum

The distinguishing characteristic of this development method is the lack of a project manager. This role is replaced by a team lead. The team lead may be a project manager, but it is unlikely that the performing organization will seek out and engage an experienced project manager to fulfill this role. The method avoids management by a project manager to avoid some of the rigors of project management best practices in an effort to streamline development. The risk introduced by this approach is that there will be a lack of necessary discipline on the team: change management, requirements management, schedule management, quality management, cost management, human resources management, procurement management, and risk management.

The lack of project management discipline could leave the project open to an inability to accommodate change properly, resulting in changes being ignored or changes being incorrectly implemented. Lack of experience in human resources management could result in an unresolved conflict, or inappropriate work assignments.

Iterative Methods

The main iterative methods are RUP (Rational Unified Process) and Agile. These methods take an iterative approach to design and development so are lumped together here. This method is intended to accommodate the changes to a project that a dynamic business requires. The cycle of requirements definition, design, build, and test is done iteratively with each cycle spanning a matter of weeks (how long the cycles are will depend on the methodology). Iterative development allows the project team to learn from past mistakes and incorporate changes efficiently.

Iterative methods all rely on dividing the system up into components that can be designed, built, tested, and deployed. One of the advantages of this method is its ability to deliver a working model early on in the project. One risk inherent in this method is the risk that the architecture does not support the separation of the system into components that can be demonstrated on their own. This introduces the risk of not learning from a mistake that won't be found until the users test the system.

There is a trade-off implied in iterative development: develop a core functionality that can be demonstrated first vs. develop the component that will yield the most learning. Selecting core functionality to develop may introduce the risk of failing to learn enough about the system being developed to help future iterations. Selecting the most complex or difficult component may introduce the risk of failing to produce the system the client needs.

Activity Specific Risks

Each activity in a development cycle has its own set of risks, regardless of the methodology chosen. The requirements gathering activity has the following risks: the requirements gathered may be incomplete, the requirements gathered may be misstated, or the requirements gathering exercise may take too much time.

The design phase of the cycle will have the following risks: the design may not interpret the requirements correctly, so that the functionality built will not meet the customer's needs. The design could be done in a way that calls for more complexity in the code than necessary. The design may be written in such a way that it is impossible for a programmer to develop code that will function properly. The design could be written in a way that is ambiguous or difficult to follow, requiring a lot of follow-up questions or risking bad implementation. There may be several stages of design, from an Industrial Specification all the way to a Detail Design Document. The interpretation of requirements through each stage exposes the stated requirements to misinterpretation.

Programmers may misinterpret the specifications, even when those are perfectly written, risking the development of an application that does not meet requirements. The unit, function, and system testing may be slipshod, releasing errors into the QA environment that consume extra time to resolve. Different programmers may interpret the same specification differently when developing modules or functions that must work together. For example, a section of functional specification may deal with both the input of one module and the output of another that are given to two different programmers to develop. The risk is that the discrepancy will not be found until the software is integrated and system tested.

Testing here refers to Quality Assurance testing and User Acceptance testing. While these two activities are different from a tester's perspective, they are similar enough to lump together for our purposes. Actual testing effort may exceed the planned effort because of the number of errors found. An excessive number of errors found during testing will cause excessive rework and retesting. Test script writers may interpret the specifications they are working from differently than analysts, programmers, or the clients. User Acceptance Testers come from the business organization so are susceptible to the risk of business demands reducing or eliminating their availability.

Subject Matter Experts (SMEs)

Subject Matter Experts are key to the success of the project because of their knowledge. Subject Matter Experts can contribute to all areas of the project but are especially important to requirements gathering, analysis of change requests, business analysis, risk identification, risk analysis, and testing. The key risk for SMEs is that the SMEs key to your project may not be available when they are promised. This will be especially harmful when the SME is responsible for a deliverable on the critical path.

Risk Workshops

Risk workshops are an excellent tool for identifying risks. The workshops have the benefit of gathering a group of Subject Matter Experts in a room so that their knowledge is shared. The result should be the identification of risks that would not have been discovered by polling the SMEs individually and the identification of mitigation strategies that can address complicated risk events.

Advice on how to conduct productive workshops is outside the scope of this article, but there are a few tips I'll give you that may help you get started:

  1. Invite the right SMEs - you need to cover all phases and all activities of the project.
  2. Communicate all the details of the project you are aware of. These include deliverables, milestones, priorities, etc.
  3. Get the project sponsor's active backing. This should include attendance at the workshop where feasible.
  4. Invite at least one SME for each area or phase.
  5. Split the group into sub-groups by area of expertise, or project phase, where you have large numbers of SMEs.
  6. Make sure the different groups or SMEs communicate their risks to each other to encourage new ways of looking at their areas.

The risk workshop does not end with the identification of risks. They must be analyzed, collated, assessed for probability and impact, and mitigation or avoidance strategies devised for them.

Surveys

Surveys or polls are a viable alternative to risk workshops where your Subject Matter Experts are not collocated. The lack of the synergy that you get with a workshop must be made up by you, however. You'll need to communicate all the information that could be helpful to the Subject Matter Experts you identify at the outset of the exercise. Once that is done, you can send out forms for the SMEs to complete which will capture the risk events, the source of the risk, the way the risk event might impact the project objectives, etc.

Collate the risks after you receive them, and look for risk events which are either different approaches to describing the same risk, which allows you to combine the two risk events into one, or can be addressed by the same mitigation strategy.

Lack of participation is another disadvantage of the survey or poll method. You may be able to get by with a single SME in one project phase or area of expertise but will have to follow up on reluctant contributors. Don't hesitate to ask for your project sponsor's help in getting the level of participation you need. You may even get them to send the invitation and survey forms out initially.

Team Meetings

So far all the sources of identified risks we have discussed have been associated with the planning phase of the project. Executing properly during the planning phase will allow you to gather a comprehensive list of risks, but they will tend to more accurately reflect risks to the earlier project phases than to later phases. Once you've created your initial risk register you must keep that document current as you learn more about the project by doing the work and as risks become obsolete because the work exposed to the risk has been completed.

Team meetings are the ideal place to update your risk register. The issues that will be brought forward as the team discusses its progress towards completing its deliverables are often related to the risks of meeting the deadlines for the deliverable. You may want to set aside a segment of your meeting for reviewing the impact and probability scores of existing risks to determine the impact the passage of one week has had on them. You should also monitor the team for any new risks they can identify. Risks that went unnoticed when the work was first planned may become visible as the start date for the work gets closer, or as more is learned about the work. The project may identify new work as the planned work is done which was not contemplated when risks were initially identified.

You may want to conduct separate risk strategy meetings with your SMEs in cases where the team is insufficiently familiar with project risks to make them active contributors to an up-to-date risk register. You should use this approach in addition to your team meetings when your software development project is large enough to require sub-projects. Review each active risk in the register and analyze it for the impact the passage of time has had on it. Typically as work approaches, the likelihood of the risk event and/or the impact will increase. As more of the work is done, the likelihood and impact will tend to decrease.

You should monitor the project plan for work that has been completed. Risks to the work just completed will be obsolete and should no longer form part of the discussion of risk probability and impact.
