- "If a project has no risks, don't do it." - WaltzingWithBears by TomDeMarco and TimothyLister
RiskManagement is balancing the amount of risk we want to take with the amount of risk our project exposes us to.
Our RiskExposure varies over the length of a project. RiskManagement therefore must be a continuous iterative process even if our project lifecycle is not.
A RiskManagementCycle?:
- (re)discover the risks that might impact the project
- break new risks into resolvable components - RiskTree
- estimate the probability and lifetime of each new risk
- create a ContingencyPlan for each new problem
- cost any mitigation required by the ContingencyPlan
- decide on a strategy for each risk
- add RiskMitigation tasks and a RiskReserve to the schedule
- as risks materialise, start their ContingencyPlans
- remove risks once they have materialised or expired
- at regular intervals return to the discovery phase
The FiveCoreRisks of software projects should number among our identified risks. They are:
- inherent schedule flaw
- FeatureCreep
- employee turnover
- ambiguous specification
- poor productivity
For more on RiskManagement strategies see:
A common risk is lack of skills. For example, developers who have written nothing but Visual Basic are expected to crank out production Java code. In this situation:
RiskDiscovery? is feedback. If we don't act on it, we have wasted our time collecting it.
HandWaving is a common RiskEvasion tactic. However, RiskManagement takes time and resources like any other part of ProjectManagement. Once we have our RiskExposure for each risk, we can sort our risks and manage only the TopTenRisks.
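The RiskManagementCycle listed above and the "sort by RiskExposure, keep the TopTenRisks" rule can be made concrete as a small risk register. The code below is an added illustration, not from this page, WaltzingWithBears or any named project. It assumes RiskExposure is probability multiplied by impact, that the RiskReserve for an accepted risk is that same product (the "portion of the impact equal to the probability" of footnote [1]), and that impact, reserve and mitigation cost are all measured in schedule days; the register contents, the expiry days and the three strategy names are constructed for the example.

```python
"""Constructed risk register illustrating one pass of the RiskManagementCycle."""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Strategy(Enum):
    ACCEPT = "accept"      # footnote [1]: pad cost/schedule by probability x impact
    MITIGATE = "mitigate"  # spend now on RiskMitigation tasks
    EVADE = "evade"        # trust to luck: nothing in the plan, nothing in the reserve


@dataclass
class Risk:
    name: str
    probability: float          # estimated chance it materialises, 0.0 .. 1.0
    impact_days: float          # schedule slip if it does
    expires_day: int            # last project day on which it can still occur (its lifetime)
    strategy: Strategy = Strategy.ACCEPT
    mitigation_days: float = 0.0  # cost of the mitigation tasks, if any
    materialised: bool = False

    def exposure(self) -> float:
        """RiskExposure = probability x impact (assumed definition, in days)."""
        return round(self.probability * self.impact_days, 2)

    def active(self, today: int) -> bool:
        """A risk leaves the register once it has materialised or expired."""
        return not self.materialised and today <= self.expires_day


def prune(register: List[Risk], today: int) -> List[Risk]:
    """Cycle step: remove risks that have materialised or expired."""
    return [r for r in register if r.active(today)]


def top_risks(register: List[Risk], today: int, n: int = 10) -> List[Risk]:
    """TopTenRisks: sort the live risks by exposure and keep the n largest."""
    return sorted(prune(register, today), key=lambda r: r.exposure(), reverse=True)[:n]


def risk_reserve(register: List[Risk], today: int) -> float:
    """RiskReserve to add to the schedule: sum of exposure over accepted live risks.
    Evaded risks contribute nothing; mitigated risks are priced as tasks instead."""
    return round(sum(r.exposure() for r in prune(register, today)
                     if r.strategy is Strategy.ACCEPT), 2)


def mitigation_tasks(register: List[Risk], today: int) -> float:
    """Schedule cost of the RiskMitigation tasks for live risks we chose to mitigate."""
    return round(sum(r.mitigation_days for r in prune(register, today)
                     if r.strategy is Strategy.MITIGATE), 2)


def materialise(register: List[Risk], name: str) -> Risk:
    """A risk that materialises is now a problem: its ContingencyPlan starts and it is
    flagged so that the next pass through prune() drops it from the register."""
    risk = next(r for r in register if r.name == name)
    risk.materialised = True
    return risk


# Constructed sample register; the five core risks plus the skills risk from the text.
SAMPLE = [
    Risk("inherent schedule flaw", 0.5, 40, expires_day=200),
    Risk("FeatureCreep", 0.6, 30, expires_day=200, strategy=Strategy.MITIGATE, mitigation_days=5),
    Risk("employee turnover", 0.2, 25, expires_day=200),
    Risk("ambiguous specification", 0.4, 20, expires_day=60, strategy=Strategy.EVADE),
    Risk("poor productivity", 0.3, 30, expires_day=200),
    Risk("VB team writing Java", 0.7, 15, expires_day=90, strategy=Strategy.MITIGATE, mitigation_days=10),
]

if __name__ == "__main__":
    for day in (0, 100):
        print(f"day {day}: top 3 = {[r.name for r in top_risks(SAMPLE, day, 3)]}, "
              f"reserve = {risk_reserve(SAMPLE, day)} days, "
              f"mitigation tasks = {mitigation_tasks(SAMPLE, day)} days")
```

Re-running the report at a later day shows why the cycle must be continuous: risks with a short lifetime drop out on their own, a risk that materialises moves from the reserve into its ContingencyPlan, and the top-n list and the reserve both change without any new risk having been discovered.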
[1] acceptance means accepting a portion of the impact equal to the probability and padding the cost/schedule accordingly; this is in contrast to evasion, where we trust to luck that the impact will not occur.
Contributors: LaurentBossavit, PaulSinnett, and others
Resources
EnterpriseRiskManagement? framework summary 2004 http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
See AnatomyOfRisk, AtsRiskManagement, ExtremeRiskManagement