Project-Based Software Risk Management Approaches (information science)

Introduction

The last few decades, especially the end of the 20th century and the beginning of the 21st, have seen growing interest in the automation of many activities. Automation depends at its core on sound, functional software, and the complexity of software development has increased significantly over the years. Reports of failed projects in the software industry are therefore not surprising. The Standish Group (1994) reported that about 53% of projects were completed but did not meet their cost and schedule targets, and about 31% were canceled before completion. These figures are alarming.

With the tremendous growth in the complexity of software development over the last 10 to 15 years, managing risk in software engineering activities has become an important and nontrivial issue from three perspectives: project, process, and product. Researchers and practitioners are therefore continually trying to find effective risk management approaches.

This article should help the academicians, researchers, and practitioners interested in the area of risk management in software engineering to gain an overall understanding of the area.

Background

Meaning of Risk Management

Simply put, risk management is the set of activities performed to reduce the uncertainties associated with particular tasks or events, and thereby to reduce the impact of undesirable events on a project or the final product. Risk management in any project requires decision-making.


Origin of Risk Management

Risk management has its roots in probability theory and decision making under uncertainty. Three well-known theories in these areas were of the greatest influence: expected utility theory (Bernoulli, 1954; Hogarth, 1987), the theory of bounded rationality (Simon, 1979), and prospect theory (Kahneman & Tversky, 1973; Kahneman, Slovic, & Tversky, 1982). Each of these theories may be considered a discipline in itself. To put our discussion of risk management in context, we therefore state only briefly what each of them proposes.

In brief, expected utility theory describes how people choose among alternatives on the basis of their expected utility. The theory of bounded rationality states that, for real-life events, people understand the outcomes and their probabilities too poorly to make the decisions that would maximize their expected utility; they therefore tend to set aspiration targets and eliminate alternatives from the options they have. This theory is useful for modeling the behavior of project management personnel in charge of risk management. Prospect theory, which originated in psychology, models how human perception influences choices among the given options, and so helps in understanding and estimating the utility losses of the different alternatives considered during risk analysis.

Purpose of Risk Management

Risk management in software serves several purposes. It helps keep projects and products from failing because of factors such as not finishing within the specified schedule and budget or not meeting the customer's expectations of the final product.

In the context of projects, risk management looks at a project from different perspectives to ensure that threats to the project are identified and analyzed and that appropriate strategies are adopted to mitigate and control the risks. Mitigation does not necessarily mean canceling the tasks that carry risk. Many tasks are undertaken in the software industry even though they are known to be high-risk; such tasks are sometimes important for giving a company a leading edge over its competitors.

Software risk management takes a preventive approach that leads to projects being completed, and products being developed, within predictable time and cost and according to the product specifications. Risk-managed projects and products can reduce cost and completion time and increase the overall quality of the deliverables. Without risk management, organizations risk loss of revenue and customer trust in the average case, and bankruptcy in the worst.

Risk Management in Software Projects

In earlier decades, software development projects conducted risk management with ad hoc approaches, without following any systematic methodology. With the increasing complexity of software development, however, the industry has recognized the importance of risk management, because it reduces the uncertainties involved in developing software and decreases the chances of project or product failure.

Before applying any risk management method to a project, the team members should be clear about the following dimensions of the risks in their project (Smith & Pichler, 2005):

• The nature of the uncertainty involved, and the likelihood that the risk will materialize.

• The loss that will be incurred if the risk occurs. Loss in software projects can take many forms including loss of revenue, loss of market share, and loss of customer goodwill.

• The severity of the loss.

• The duration of the risks.
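As an added illustration that is not part of the original article or of Smith & Pichler's work, the following Python snippet records the four dimensions above for each entry of a small, constructed risk register, quantifies each risk as probability multiplied by loss (the usual risk exposure measure; treating it as the ranking key is an assumption made here, not something the article states), and ranks the register so a team can decide which risks to mitigate and which to merely monitor. The risk names, figures, and mitigation threshold are invented.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One entry in a project risk register, carrying the four dimensions
    listed above: likelihood, loss, severity, and duration."""
    name: str
    probability: float     # likelihood the risk materializes, in [0, 1]
    loss: float            # loss if it does, in one common unit (e.g. USD)
    severity: int          # 1 (minor) .. 5 (project-ending); used to break ties
    duration_weeks: int    # how long the risk window stays open


def exposure(risk: Risk) -> float:
    """Expected loss = probability x loss.

    Assumed scoring scheme for this example; the article itself does not
    prescribe a formula. Inputs are validated so a mistyped register entry
    fails loudly instead of silently distorting the ranking.
    """
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be in [0, 1]")
    if risk.loss < 0:
        raise ValueError(f"{risk.name}: loss must be non-negative")
    return risk.probability * risk.loss


def prioritize(register: List[Risk], mitigate_threshold: float) -> List[Tuple[str, float, str]]:
    """Rank risks by exposure, then severity, then duration (all descending),
    and tag each one 'mitigate' if its exposure reaches the threshold,
    otherwise 'monitor'. Returns (name, exposure, action) tuples."""
    ranked = sorted(
        register,
        key=lambda r: (exposure(r), r.severity, r.duration_weeks),
        reverse=True,
    )
    return [
        (r.name, exposure(r), "mitigate" if exposure(r) >= mitigate_threshold else "monitor")
        for r in ranked
    ]


# Constructed sample register: invented names and values, for illustration only.
SAMPLE_REGISTER = [
    Risk("Third-party library with known vulnerabilities ships in the release", 0.4, 50_000, 4, 12),
    Risk("Key contractor leaves before knowledge handover", 0.2, 80_000, 5, 8),
    Risk("Requirements churn on the reporting module", 0.6, 15_000, 2, 20),
    Risk("Build server outage delays integration", 0.1, 5_000, 1, 52),
]

if __name__ == "__main__":
    for name, exp, action in prioritize(SAMPLE_REGISTER, mitigate_threshold=10_000):
        print(f"{action:8s} exposure={exp:>9,.0f}  {name}")
```

Ranking by expected loss rather than by likelihood alone is what keeps a low-probability, high-impact item (the contractor leaving) above a very likely but cheap one (requirements churn); severity and duration only decide the order between entries with equal exposure.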

Different Approaches

Project Risk Management

Several software project risk management approaches have been proposed, most of which assess risks during all phases of software development by integrating risk management practices into the development process, so that risk management follows a disciplined process. These approaches are:

• Boehm’s risk management model (win-win) (Boehm & Ross, 1989; Boehm & Bose, 1994; Boehm et al. 1998),

• SEI’s software risk management model (SRE Version 2.0) (Williams et al., 1999),

• Hall’s risk management model (P2I2) (Hall, 1998)

• Karolak’s risk management model (Just-In-Time Software) (Karolak, 1998), and

• Kontio’s riskit methodology (Kontio, 2001).

A “horizontal” comparison of all of these approaches may not be fair: although each addresses risk management, they were developed under different circumstances to solve related but distinct problems. For example, Hall’s P2I2 was developed from a risk management capability modeling perspective, whereas Boehm’s win-win model (Boehm & Ross, 1989; Boehm & Bose, 1994; Boehm et al. 1998) was developed primarily as a novel, risk-driven software development process model (“spiral” development). We nevertheless provide below an overview of the characteristics of all these approaches.

Of all these approaches, Boehm’s win-win (Boehm & Ross, 1989; Boehm & Bose, 1994; Boehm et al. 1998) is perhaps the most influential software engineering risk management process model; it became popular in the early 1990s. Boehm developed the first software engineering risk management process model that integrates seamlessly into the software development lifecycle.

SEI’s software risk evaluation approach (SRE) (Williams et al., 1999) is also quite popular in practice and has been applied in software development projects of several government and nongovernment organizations. SRE provides a systematic, detailed, step-wise approach that can be used in software development and acquisition projects. It is based on the idea of continuous risk management and integrates team risk management principles into its core framework.

Hall (1998) proposed a framework from a different perspective: a comprehensive framework based on the notion of risk management capability maturity. Her approach rests on four critical success factors of risk management, namely people, process, infrastructure, and implementation (P2I2). It is the “process” component of the framework that covers the risk management processes themselves.

Karolak (1996, 1998) looked at software engineering risk management from the just-in-time viewpoint, an idea that was popular in traditional manufacturing. Like Hall, he provided a complete framework for risk management in software development. His framework first identifies a set of high-level risk categories, associates them with risk factors, and specifies risk assessment measures for each factor in order to obtain quantitative estimates of risk.

Kontio (2001) took a stakeholder-oriented approach to risk management. He proposed a thorough process model that identifies and manages risks by balancing stakeholder expectations; stakeholder goals and expectations are modeled as essential entities for defining risks.

More recently, a few notable works have been conducted in the area of software risk management. We mention some of these recent approaches below:

• Software risk assessment model of Foo and Murugananthan (2000): a quantitative approach that predicts risks using situational factors.

• Source-based software risk assessment methodology of Deursen and Kuipers (2003): based on the collection of different types of facts from the source code.

• ProRisk risk management framework of Roy (2004): a complete framework for risk management based on the Australian AS/NZS 4360 standard.

• One-minute risk assessment tool of Tiwana and Keil (2004): a tool that project managers can use to assess risks in a very short time.

Future Trends

Many of the approaches discussed in this article are limited by the lack of empirical evidence supporting them. This is an important area for future work, which should focus on comparing the competing approaches against a predefined set of evaluation criteria.

Software development often involves contractors, and none of the risk management approaches clearly addresses the issues related to such resources. Similarly, they do not address the telecommuters who may be working on the project remotely. Recent changes such as offshoring and outsourcing may also affect software development in several ways, and their influence on risk management in software engineering should be investigated. The major challenges lie in the social and cultural differences between the players in an outsourced project. A project may have two or more developers doing similar jobs in vastly different cultural settings and at vastly different pay scales; there are issues such as time zone differences and, above all, the quality “perceived” by customers as a result of outsourcing.

For most of the proposed approaches we need controlled case studies and actual field trials to assess their effectiveness and applicability in modern contexts and under shifting paradigms.

The volatility of software project risks has some negative impact on the acceptance of risk models that suggest particular mitigation strategies. Future studies of software risk should keep these factors in mind.

Conclusion

It is conjectured that managing risks can lead to the success of projects. Risk management has been popular in non-software domains for several decades, but it is primarily in the last few years that it has become popular in software. At present, risk management in software is a developing discipline that is poorly understood and poorly practiced, and compared to the risk management literature available in other disciplines (e.g., insurance and manufacturing), the software risk management literature is scarce. In this article, we have attempted to review the fundamentals of software risk management and the popular project- and product-based approaches.

We have reviewed the principles of software project risk management and some of the risk management approaches popular in the software engineering community, summarized some of the important works conducted in this area in the last 5 years, and offered some thoughts on future work.

The article should help academicians, researchers, and practitioners interested in risk management in software engineering to gain an overall understanding of the area.

The implication for practitioners is that they can use risk management approaches to identify the possible risks in a project, assess their severity and consequences, and then determine resolution steps depending on the nature of each risk. The aim is to minimize unforeseen and unexpected issues arising during the course of the project or product by planning properly for eventualities. Proper planning minimizes the uncertainties that might otherwise lead to a “turbulent” completion or an outright cancellation of the project.

Key Terms

P2I2: Elaine Hall’s approach for risk management in projects. It is based on four critical success factors of risk management, namely, people, process, infrastructure, and implementation.

Product Risks: Risks related to products developed. These risks have the potential to affect the successful operation of the products. They are often associated with the reliability of operation of the products.

Project Risks: Risks related to projects. These risks have the potential to affect the successful completion of the projects. They are associated with project parameters such as the project time lines and budgets.

Risk: “Risk refers to a possibility of loss, the loss itself, or any characteristic, object, or action that is associated with that possibility” (Kontio, 2001).

Risk Management: The discipline of managing risks using strategies such as planning, assessment, analysis, and control of risks.

Software Reliability: A branch of software engineering dealing with the evaluation of how reliably a software system will perform in operation.

Software Risk Management: The discipline of managing risks in software projects, processes, and products.
