Software Risk Management Better Chances for Project Success
Copyright © QUALITÄT & INFORMATIK, Zurich, Munich, Vienna, www.itq.ch
Dr. E. Wallmüller, Qualität & Informatik

Agenda
• Trend and examples
• Best practices
• Methodical considerations
• Tools
• Hints for implementation

Living with Risks ...
Challenges:
• New Business Models, e.g. eBay, Amazon, …
• Global Processes and Systems, e.g. NOKIA
• New Information Needs, e.g. Transparency in Value Generation
But the mindset: "The Titanic is unsinkable." (Capt. E. J. Smith)
Too little of the attitude: "First count, then risk." (von Moltke)

CH Study: „IT Costs and Performance 2002“ (Ploner)
What are the Reasons? CH Study: „IT Costs and Performance 2002“ (Ploner)
Trend
• KonTraG law in Germany
  -- Risk management system / indicator control system
  -- Failures of projects are operational risks
• Maturity models with risk management process areas
  -- CMMI
  -- SPICE
• Certification based on BS 7799-2 (Information Security System)
• Conferences on risk management

[Figure: Risk Spider Chart. Axes: Level of Technology Readiness (Essential Program Elements), Experience Level of Team, Visibility of Project Activities, Planning, Requirement Definition, Information Transfer / Communication, Team Operation, Consequence of Resource Limits, Risk Management Approach. One end of the scale is marked "Lowest Risk".]
[Figure: four spider-chart panels: Low Risk Profile; High Risk Profile; High Risk / Multiple Strengths & Weaknesses; Low Risk / Single Weakness. Axes in each panel: TRL, Experience, Visibility, Cost, Planning, Team, Requirements, Communication, Risk.]
CRM Training
• Began CRM Training Program in 1997
• 42 Certified CRM Instructors NASA-wide
• 2316 students trained
• NPG 8000.4 approved April 2002
• NPG 7120.5B reviewed, updated and pending release
• Updated existing training products to be consistent with NIAT and NPGs

How has Risk Management been lived by Management?
NASA drew consequences from the Columbia disaster: manager fired!
Washington:
- NASA boss Sean O'Keefe will renew the culture of the agency.
- The final report says: missing risk awareness and lacking moral courage of employees.
7 crew members died on February 1st, 2003.

Critical Success Project Factors
• Vision, Contract
• Priorities, Decision
• Goal and Risk Controlling
• Executive Sponsor
• Team work, Cooperation
• Responsibilities, Project Organisation
Project wins ...

What we want to achieve ...
• Better understanding of, and more careful dealing with, risks and issues
• Questioning the assumptions and restrictions on which project planning is based
• Better control of the project
• A basis for quality management and assurance
Definition: Risk is the possibility of suffering loss.
- Risk in itself is not bad;
- risk is essential to progress;
- failure is often a key part of learning.

Examples of Known Processes
• Barry Boehm (1989)
• Kontio (1997)
• CRM and TRM of SEI
• PMI
• ...

Continuous Risk Management (CRM)
Principles:
- Global perspective
- Forward-looking view
- Open communications
- Integrated management
- Continuous process
- Shared product vision
- Teamwork

Continuous Risk Management … (SEI, www.sei.cmu.edu/programs/sepm/risk/)
Function: Description
Identify: Search for and locate risks before they become problems.
Analyze: Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks.
Plan: Translate risk information into decisions and mitigating actions (both present and future) and implement those actions.
Track: Monitor risk indicators and mitigation actions.
Control: Correct for deviations from the risk mitigation plans.
Communicate: Provide information and feedback internal and external to the project on the risk activities, current risks, and emerging risks.
Note: Communication happens throughout all the functions of risk management.

Candidates for Project Risk Management
• Project Risk Manager as a Central Function
• IT Controller
• Internal Audit function
• Project Office
• Project Manager as a Risk Manager
• External Project Risk Manager

Risk Identification
of non-fictional and manageable risks with impact to:
• Costs
• Schedule
• Scope
• Technical Performance
• Contract
• Expectations of Client
Procedure:
- Workshop with brainstorming
- Workshop with questionnaire and checklist

Risk Area Checklist V2.1 © Qualität & Informatik Schedule/Implement Subcontractors Resources - - - Time frame Geography Location Real Schedule vs. Bid Schedule Technical Statement of Work Price Terms & Condition Resources/Experiences Subcontractor Management Quality Control Invoicing Alternate Sources - Innovation Projects Requirements Prototypes Tools Contract Functionality Technical Performance - Change Control Process Available and Future Technologies - Terms & Condition/Payment Plan Architectures - Acceptance Criteria Integration - Statement of Work/Deliverables Support Service (Training, Rollout, Installation) - Baseline Management - Unproven Hardware Bid/Proposal Resources Skills/Qualification/Capabilities Implementation Resources Facilities (e.g. Space, Equipment) Logistics Market Knowledge Transformation Client Needs Speed Idea => Product Changes of Requirements Team Management Support/Commitment Number of Projects in Parallel
Software Development Risk Taxonomy (SEI Questionnaire)
Top Software Risks I
• Personnel shortfall: staffing with appropriate personnel, job matching, team building, securing key personnel agreements, cross-training, rescheduling key people, subcontracting
• Unrealistic schedule and budget: detailed multi-source cost and schedule estimation, designing to cost, incremental development, software reuse, requirement scrubbing, renegotiation with client
• Developing the wrong software functions: organisation analysis, mission analysis, ops-concept formulation, user surveys, prototyping, early user manual development, development of and agreement to acceptance criteria
• Developing the wrong user interface: prototyping, operational scenarios, task analysis, user characterisation (functionality, style, workload)
(W. B. Boehm)

Top Software Risks II
• Gold plating: requirement scrubbing, prototyping, cost benefit analysis, designing to cost
• Continuing stream of requirement changes: high change threshold, information hiding, incremental development, deferral of changes to later increment, tight change control, agreement to acceptance criteria
• Shortfalls in externally furnished components (procured software): benchmarking, inspection, reference checking, compatibility analysis
• Shortfalls in externally performed tasks (subcontractors): reference checking, preaward audits, award-fee contracts, competitive design or prototyping, team building
• Straining computer science capabilities: technical analysis, cost-benefit analysis, prototyping, reference checking, performance analysis, sizing analysis
(W. B. Boehm)

A Good Risk Statement …
For example: The commercial off-the-shelf (COTS) high-speed data link selected by the project team was never envisioned by the vendor to be used in a hardened environment; it may not perform as needed, causing rework and integration slips.

How to describe Risks?
Possible Risk Strategies (Risk Reduction Staircase)
• Can I avoid the risk?
• Can I reduce the risk impact, or can I reduce the risk probability?
• Can I limit the risk (contingency)?
• Can I transfer the risk?
• Can I accept the risk?

Reporting with Risk Information ...
[Figure: sample project status report with header fields (Project, Goals, Project Information Manager, Reporting Date), project status for Time, Costs and Quality, Specific Risks and Actions, a Risk Mapping of risks 1 to 7 (Significance vs. Likelihood), a Cost Trend chart (Development Costs in CHF) and a Milestone Trend chart over the Reporting Date.]
Example Monthly Status Report
Costs & Benefit
– Reduction of Deviations
– High Transparency
– Reduction of Rework
– Avoidance of Disasters
– 0.25 % of Project Costs
– Start with risk workshop
– 1 or 2 days per month

Summary: Key Elements
• Start early
• Iterative Process during Life Cycle
• Find and look for Chances
• Responsibility (Process, for each risk)
• Work Break Down Structure (WBS) as a good source for risk identification
• Monitor and track risks and measures
• Involve the whole project team
• Develop Risk Awareness

Questions
Many thanks for your attention!
Ernest Wallmüller, CEO, Senior Consultant
Telefon 0041 1 748 52 56, Mobile 0041 79 402 44 11, wallmueller@itq.ch
Qualität & Informatik, Haslernstr. 14, CH-8954 Geroldswil

Web Links for Risk Management
• Qualität & Informatik - Links/RM: www.itq.ch/links/
• Risk Net: www.risknet.de
• SEI-RM Overview: www.sei.cmu.edu/programs/sepm/risk/
• www.dacs.dtic.mil
• NASA RM: smo.gsfc.nasa.gov
• Risk Management Resources: www.processimprovement.com
• Tool Risk Radar: www.iceincusa.com
• Tool CARISMA: www.sbi-ag.ch

Literature
• Boehm B.: Software Risk Management, IEEE, 1989
• Charette R. N.: Software Engineering Risk Analysis and Management, McGraw-Hill, 1989
• DeMarco T., Lister T.: Bärentango, Hanser, 2003
• Gaulke M.: Risikomanagement von IT-Projekten, Oldenbourg, 2002
• Hall E.: Managing Risk, Addison Wesley, 1998
• Kendrick T.: Identifying and Managing Project Risk, AMACOM, 2003
• Kerzner H.: In Search of Excellence in Project Management, Van Nostrand Reinhold, 1998
• Phillips D.: The Software Project Manager’s Handbook, IEEE, 1998
• Schnorrenberg U.: Risikomanagement in Projekten, Vieweg, 1997
• SEI: Continuous Risk Management Guidebook, 1996
• Wallmüller E.: Ganzheitliches Qualitätsmanagement in der Informationsverarbeitung, Hanser, 2001
• Wallmüller E.: Software-Risikomanagement - Leitfaden für die Implementierung, Hanser, to appear 2004