Abnerson Malivert & Ahmad Bilal Project 4

Objective
Software risk management is an important process for an organization to ensure project risks are handled and resolved appropriately. In the following scenario, a consulting firm consisting of Abnerson Malivert and Ahmad Bilal is drafting a risk management plan for a small software tools manufacturer called ABC Software Inc. Our job is to implement a risk awareness culture and put in place a generic process and plan that will help manage risk. Having a good software risk management process in place will help ABC Software Inc. produce high quality products. A good software risk management process will also help make the software projects' schedule and process more efficient. This report is a software risk management process for ABC Software Inc.

1.0 Goals

 * Goal 1: Software risk management is planned and implemented throughout the ABC Software Inc. organization.
 * Goal 2: Software risks for each project are assessed, analyzed, tracked and controlled according to this document.
 * Goal 3: Software risk management activities are documented, reviewed, and reported according to the instructions of this document.
 * Goal 4: Software risk management is the culture at ABC Software Inc.

1.1 Purpose
The hierarchy of goals, illustrated in Figure 1, is the framework for defining software risk management. The basis of the hierarchy of goals is to show what is needed to reach maximum production capability. To achieve this goal, ABC Software Inc. needs to focus on limiting the loss from risk while optimizing potential gain from opportunities.

1.2 Objectives
The following objectives are an overview of the plan implementation in support of ABC Software Inc.'s goals:
 * 1) Achieve and maintain a reduced cost of risk by implementing the risk management process.
 * 2) Evaluate, document and assess all known and unknown project risks.
 * 3) Mitigate or prevent loss from project risks.
 * 4) Improve software risk management practice.
 * 5) Verify compliance with the risk management plan.
 * 6) Maximize opportunities while minimizing risks.
 * 7) Train ABC Software Inc. employees on integrating and implementing the software risk management plan into their projects.

1.2.1 Authorities and Responsibilities

**Responsibilities:** It is the responsibility of each ABC Software Inc. employee to identify risks in their software project and report their concerns or findings to the risk manager, who shall then report them to the project manager during the weekly project review meetings.
**Authorities:** The risk manager, under the authority of the project manager, is responsible for all risk activities including:
 * 1) The risk manager is responsible for building an action team. The team is to report to the risk manager, who shall report to the project manager during the weekly staff meetings. The team should consist of 5 to 20 members depending on the project cost and size. The risk manager is allocated 8 hrs quarterly to use for team building and strengthening exercises.
 * 2) The risk manager shall meet with all vendors, contractors and customers to review contractual requirements. The output from these meetings should be a better understanding of the user’s and our requirements.
 * 3) The risk manager should plan the risk management activities for the project. The activities for the project are affected by the project size, budget and complexity. The risk manager shall take those factors into consideration and plan the risk management activities accordingly. The risk management activities are derived from the project planning process. The risk manager is responsible for reviewing the project planning process and coming up with the budget, schedule, staffing, and planning for risk management activities. The image below (Figure 2) is an illustration of a project process.
 * 4) [[image:Screen_shot_2010-06-23_at_7.37.07_PM.png caption="Risk Management process outline"]]
 * 5) The risk manager is responsible for coordinating risk management training. The risk management training should consist of a week-long face-to-face class, followed by yearly online refresher training. The risk manager is in charge of developing the training material and providing a copy of the training material to the program manager for approval. The training material should be divided into sessions, for example:
 * Session 1: Risk management concepts.
 * Session 2: Risk assessment methods.
 * Session 3: Risk management process.
 * Session 4: Risk management measures.
 * Session 5: Proactive risk management.


 * 1) The risk manager is responsible for obtaining training feedback in the form of a survey at the end of each risk management training class. The training feedback should assess the instructor’s capability to properly deliver the material. The assessment form shall be an anonymous collection of the students’ assessments of the training material and the presentation of the material.
 * 2) The risk manager is in charge of drafting and documenting the draft policy for approval by the ABC Software Inc. branch supervisor. The policy has to be implemented in the ABC Software Inc. operating manual. This will provide easy access to users that already have to use the manual for everyday tasks.


**Procedure:** The risk manager shall utilize the following procedure to manage risk in software projects:
 * 1) Document a risk management plan.
 * 2) Perform risk assessment, outlined in section 4 of this document.
 * 3) Report risk in a formal format in the weekly staff meetings to the project manager.
 * 4) Track risk and review risk at monthly project reviews.
 * 5) Maintain the risk database, outlined in section 5 of this document.

1.3 Scope
This section gives an overview of the major sections of the risk management plan. This policy affects all of our business aspects and requires implementation into:
 * New and Current Business
 * New Proposals.
 * New and old projects
 * Internal research and development.

The risk management plan can be tailored to meet the needs of every part of our organization pending the approval of the project manager. This document covers the following topics:
 * 1) **Goals** - This section provides the direction and focus for the risk management team and assigns responsibilities for risk management objectives.
 * 2) **Strategy** - This section contains the philosophy and guiding principles of the risk management process and also how people should organize to manage risk. This section also covers the approach to risk management and assigning roles and responsibilities.
 * 3) **Process** - This is the tailored version of the standard risk management process. It covers the topic of identifying, analyzing, planning, tracking and resolving risk throughout a software project.
 * 4) **Verification** - This section shares the evaluation criteria for practice compliance. It covers the evaluation of the risk management plan and how it has affected the project. An internal and external audit takes place in this part of the risk management plan.
 * 5) **Mechanism** - These are the methods the project team will use to execute the risk management process. These methods include the risk checklist, risk management form and the risk database structure.

2.0 Strategy
This section covers the approach used when implementing the ABC Software Inc. risk management plan. The risk management plan needs to comply with a written organizational risk management policy. This section covers the risk management policy, the risk management approach and the project roles.

2.1 Policy
The ABC Software Inc. risk management policy is derived from the office of the CEO. It is the belief of ABC Software Inc. that software project risk management is the responsibility of each employee. ABC Software Inc. is dedicated to preventing risk while maximizing profit. Every employee is accountable for risk management and should implement the approved risk management process into their project. Our job is to give you the tools needed to succeed in preventing risk exposure. Questions can be directed toward your immediate supervisor.

2.2 Approach
ABC Software Inc. takes a proactive approach towards risk management. We do not want to react to risk events; we want to prevent them from happening. Every ABC Software Inc. employee should apply this approach to their software projects. ABC Software Inc. mandates that a documented risk assessment period should take place at the beginning stage of each software project.


**Risk Assessment:** The risk assessment is in support of the above approach method. The risk assessment period should consist of:
 * 1) Train the project team. The guideline for the training section is covered under section 1.2.1 of this document.
 * 2) Identify Risk. The Risk Appraisal form is used to identify risk. A risk appraisal form shall be used during the phase readiness review stage of the risk assessment phase to identify the top 5 risks on the project. Review the risk checklist (sample risk checklist found in section 5.1) and the Work Breakdown Structure (WBS) to get a broader risk candidate list. Details are in section 3.1 of this document.
 * 3) Discover unknown risks by sharing team knowledge.
 * 4) Analyze risk. Details in section 3.2 of this document.
 * 5) Sort risk in the risk management database. This requirement is under section 1.2.1 of this document.
 * 6) Prepare all the findings in a formal document to be briefed at weekly project meetings.

2.3 Project Roles
The table below lists the roles and responsibilities of each member of the software project team:
|| **Project Roles** || **Responsibilities** || **Interfaces** ||
|| Project Manager || Leader of project, maintain strategic plan, assign risk manager position || Sponsors, contractors, vendors, upper management, system engineering ||
|| Administration Support || Maintain office environment, time cards, travel, equipment || Project team, program office, contract facilities ||
|| Finance manager || Budget execution and tracking, contract performance evaluation || Project manager, sponsor ||
|| Risk manager || Facilitate risk, maintain risk database, reference section 1.2.1 || Project manager, sponsor, project team, contractor, customer ||
|| Configuration manager || Perform data management, status accounting, change control || Project manager, project team ||
|| Quality manager || Enforce standards and procedures, conduct independent review || Project manager, project team ||
|| System engineer || Develop concept of operations, requirements management || Project manager, engineering, contractors, quality manager ||
|| Hardware engineer || Oversee hardware cost estimation, procurement, integration || System engineering, quality manager, test engineering ||
|| Software engineer || Perform software requirements analysis, design, code, peer review || System engineer, quality manager, test engineer ||
|| Test engineer || Conduct internal verification and validation, integration of test schedules || System engineer, software, hardware, quality manager ||

**3.1 Identify Risk**
The first step in the risk management process is risk identification, which defines the activities and methods used to discover risk. The table in figure 1-1 shows some components of process controls, such as project requirements and resources, that regulate the risk identification process. The risk management checklist organizes known risks and provides a plan of action to resolve those risks. The form also includes a scale of 1 to 10 for expectation, impact and severity of the risk, which can give ABC Software Inc. an overview of their current risk. Table 3.1.1 below contains some examples of how to use the checklist appropriately:



The Work Breakdown Structure (WBS) provides a framework for identifying risk for a specific project. Only activities in the project WBS are worked on, which can help ABC Software Inc. in organizing their budget and schedule. Working on activities that are not on the project WBS can indicate unknown risk, which can cause cost overruns and delays in completing the projects. Table 3.1.2 shows the work breakdown structure that can be used as a checklist of risk areas where known risks are found in the activities listed.



Another useful risk identification mechanism is the risk management form, which can be used by any individual in ABC Software Inc. at any time. The form should include the following:
 * The individual's name and the date of risk occurrence.
 * A brief description of the risk.
 * Project activities that can be impacted by the risk.



**3.2 Analyze Risk**
The second step in the risk management process is risk analysis, which defines the activities and methods used to estimate and evaluate risk. ABC Software Inc. can benefit from the following two sets of activities, among others, since these tasks transform statements of risk into a prioritized risk list:
 * 1) Using Risk Analysis Techniques and Tools.
 * 2) Estimate the Risk Exposure.

**3.2.1 Determine Risk Drivers**
Risk drivers are the variables that cause the probability and consequence of software risk to fluctuate rapidly, and these variables exist in performance, support, cost and schedule. ABC Software Inc. can find performance drivers in technical specifications.

**3.2.2 Use Risk Analysis Techniques and Tools**
Risk analysis techniques can help ABC Software Inc. with cost, performance goals and risk preference, and they can be utilized in selecting system designs. These techniques are used in structuring, analyzing, evaluating and communicating risk.

1. Structure: For ABC Software Inc., influence diagrams can help in structuring a decision model, and they provide a graphical representation of the elements of a decision model. The following diagram lists the choices, the decision to buy commercial off-the-shelf, the chance test activity outcome and the value of the possible outcomes:



2. Analyze: Next, the variables need to be determined by analyzing the decision model; Pareto analysis and sensitivity analysis can assist in this process. Pareto analysis can assist ABC Software Inc. in determining their most frequent risks and the greatest cost, which can help in determining the most important issues. It is based on the 80/20 rule, where 20 percent of the sources cause 80 percent of the problems, and it is used to focus on the risks that have the greatest potential for reducing issues. The Pareto chart shown below displays the relative importance of risks in a visual format, where customer, planning, staffing and schedule are program constraints and feasibility is under product engineering. It is used to display the distribution of some sample identified risks.



Sensitivity analysis can help ABC Software Inc. determine the sensitivity of the model to variations in input variables by setting each variable to its extreme points while holding all other variables at nominal values. This analysis focuses on the variables that have the greatest significance, and it helps to prioritize data collection. ABC Software Inc. can use tornado diagrams to see the most sensitive variables first: they are located at the top, and the least sensitive ones are located at the bottom. The data required to plot a tornado diagram is a list of variables and their range of possible values; the high and low values of each variable determine how much effect the variable has. A sample tornado diagram is shown below, where the length of the bar for a given variable represents the extent to which profit is sensitive to that variable.
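The one-at-a-time procedure described above can be computed directly. The following is an added example, not part of the original plan; the profit model, the variable names and their low/nominal/high values are constructed assumptions.

```python
"""One-at-a-time sensitivity analysis: the data behind a tornado diagram."""


def profit(v):
    # Constructed sample model (assumption, not taken from the plan).
    return v["units_sold"] * (v["unit_price"] - v["unit_cost"]) - v["fixed_cost"]


# Constructed sample inputs: (low, nominal, high) for each variable.
RANGES = {
    "units_sold": (800, 1000, 1300),
    "unit_price": (45.0, 50.0, 52.0),
    "unit_cost": (28.0, 30.0, 36.0),
    "fixed_cost": (9000.0, 10000.0, 12000.0),
}


def tornado(model, ranges):
    """Return (base_output, rows); rows are sorted most sensitive first."""
    for name, (low, nominal, high) in ranges.items():
        if not low <= nominal <= high:
            raise ValueError(f"{name}: need low <= nominal <= high")
    nominal = {name: r[1] for name, r in ranges.items()}
    base = model(nominal)
    rows = []
    for name, (low, _, high) in ranges.items():
        # Move one variable to each extreme; hold all others at nominal.
        at_low = model({**nominal, name: low})
        at_high = model({**nominal, name: high})
        rows.append({
            "variable": name,
            "at_low": at_low,
            "at_high": at_high,
            "swing": abs(at_high - at_low),
        })
    # Widest bar (largest swing) goes at the top of the diagram.
    rows.sort(key=lambda r: r["swing"], reverse=True)
    return base, rows


def render(base, rows, width=40):
    """Draw every bar on one shared axis so the tornado shape is visible."""
    if not rows:
        return f"base output = {base:.0f}"
    lo = min(min(r["at_low"], r["at_high"]) for r in rows)
    hi = max(max(r["at_low"], r["at_high"]) for r in rows)
    span = (hi - lo) or 1
    lines = []
    for r in rows:
        a, b = sorted((r["at_low"], r["at_high"]))
        start = round((a - lo) / span * width)
        end = round((b - lo) / span * width)
        bar = " " * start + "#" * max(end - start, 1)
        lines.append(f'{r["variable"]:<12}|{bar:<{width}}| {a:>8.0f} .. {b:>8.0f}')
    lines.append(f"base output = {base:.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    base_output, table = tornado(profit, RANGES)
    print(render(base_output, table))
```

With these sample ranges, units sold has the widest bar and fixed cost the narrowest, so data collection effort would go first to the sales estimate.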



3. Evaluate: ABC Software Inc. can use risk evaluation criteria, where the criteria to measure are probability, consequence, and time frame for action. By using this approach, the risks can be organized according to their importance. The likelihood of risk occurrence can be evaluated qualitatively or quantitatively. Table 3.2.1 shows the probability evaluation criteria, which can be used to clarify the risks in ABC Software Inc. projects.

The consequence evaluation criteria are also helpful since they describe the effect of risk occurrence, and they should be tailored to a specific project. Table 3.2.2 shows sample consequence criteria, which consist of cost, schedule and technical goals.

The time frame for action to prevent risk occurrence is important for ABC Software Inc. to examine before the risk gets out of control, and therefore it is also tailored to a specific project.



4. Communicate: ABC Software Inc. can communicate risk analysis results by sharing insights to facilitate decision making. The results of risk analysis are stored in a centralized risk database and they can be made accessible.

**3.2.3 Rank Risk Relative to Other Risks**
ABC Software Inc. can now rank the risks to focus project resources effectively, and they can consider the time frame to arrive at a final prioritized list of assessed risks. A Top-10 Risk list, which is a report of the most significant risks, can be used. A sample Top-10 Risk list that can be used by ABC Software Inc. is shown below:



**3.3 Plan Risk**
Planning for risk management includes the activity of developing risk management policy and procedures, where technical staff and integrated product teams develop more detailed action plans to resolve technical risk. ABC Software Inc. can use these plans to delegate responsibility and authority for managing risk to the lowest possible levels within their company. The following activities will help ABC Software Inc. transform their prioritized risk list into a plan for risk resolution.

**3.3.1 Develop Risk Resolution Alternatives**
These alternatives are the set of options that may resolve risk once ABC Software Inc. implements them. ABC Software Inc. needs to focus on risk acceptance, risk avoidance and risk protection, as shown below:

1. Risk Acceptance: ABC Software Inc. can use this strategy when they have to live with the loss. For example, if the cost of getting an entry-level engineer is the same as providing additional benefits to an experienced engineer to keep them on the team, then the strategy is to accept the risk that the trained personnel will eventually leave their company, and the cost of hiring new engineers is the consequence ABC Software Inc. would have to live with.

2. Risk Avoidance: This is a strategy for risk resolution that eliminates the risk altogether, and ABC Software Inc. needs to make an appropriate decision on managing their risks. For example, ABC Software Inc. may choose not to bid on a proposal for a fixed cost project in robotic hand for accurate surgery purpose. The following areas should be discussed appropriately to determine if the situation is a loss:
 * Cost risk --- There is a fixed budget of $10 million over its entire life cycle.
 * Schedule risk --- The robotic arm must be integrated into surgical hospitals.
 * Performance risk --- There are design constraints on robotic movement, volume, mass and power.
 * Operability risk --- There are uncertain operation conditions and various procedures would require different approaches to assist patients.

If the cost risk is realized, then ABC Software Inc. cannot afford to continue the project; if the schedule or performance risk is realized, the robotic arm will not be integrated into tougher procedures in surgical places; if the operability risk is realized, the robotic arm may not perform in operation completely. ABC Software Inc. needs to use a risk scenario to determine whether they have the organizational support, experienced staff and risk management expertise to handle this project.

3. Risk Protection: This is a strategy that reduces the probability or consequence of risk. For example, if ABC Software Inc. has a project that was working fine for several years and suddenly stopped functioning properly, they can always use the backup if they have saved it previously, and then they can work on resolving the issue.

**3.3.2 Risk Action Plan Template**
ABC Software Inc. can use their risk action plan template to capture the risk resolution strategy in a standard format. The template provides room to add the events and conditions of the risk scenario. The ABC Software Inc. action plan template consists of detailed activities and their current status:



**3.4 Track**
ABC Software Inc. can monitor risk status by using the risk tracking process, where management can monitor risk scenarios, provide notification for triggers and take software measures.

**3.4.1 Monitor Risk Scenarios**
The events and conditions in risk scenarios are monitored to determine if the probability of risk occurrence is increasing. This can provide evidence that attention is required because the risk is materializing. ABC Software Inc. needs to track the events and conditions of their risk scenarios and decide whether the increase in risk exposure justifies immediate action. Tracking their risk scenarios over time will increase the level of confidence by knowing that risk probability is decreasing. The following ABC Software Inc. project risk track form can be used to keep track of the events and conditions of risk scenarios in their projects.



**3.4.2 Provide Notification for Triggers**
When a trigger is set, notification is then sent to the appropriate personnel in ABC Software Inc. through established communication channels. To activate, triggers provide a wake-up call to ABC Software Inc. for revisiting a risk action plan; to deactivate, triggers close the risk resolution activity; and to suspend, triggers put the execution of risk action plans on hold. ABC Software Inc. can use the following two types of triggers to provide notification of unacceptable risk levels:
 * __Periodic event__ --- This includes ABC Software Inc. project schedule events, monthly management reports, project reviews and technical design reviews, and these are the basis for periodic event triggers.
 * __Elapsed time__ --- This includes ABC Software Inc. specific calendar dates such as thirty days from today, end of the quarter, and beginning of the fiscal year, and it is the basis for elapsed-time triggers.

**3.4.3 Software Measures**
It is essential for ABC Software Inc. to indicate where a project is with respect to its goal, since an unreliable software measurement process is a significant risk. The measurement community has defined, documented and distributed guidebooks on proven software measurement techniques, and the following two are recommended for ABC Software Inc.:
 * __Practical Software Measurement (PSM)__ by the DoD’s Joint Logistics Commanders Joint Group on Systems Engineering is a guidebook for project managers, which uses measurement indicators to deal with risks that cannot be measured directly.
 * __Software Measures and the Capability Maturity Model__ applies the GQM paradigm to the goals of each CMM key process area, and indicators are grouped into categories that provide visibility for status and insight into process effectiveness.

**3.5 Resolve Risk**
In order to resolve risk appropriately, ABC Software Inc. needs to execute the risk action plan, report progress against the plan and develop a corrective action procedure.

**3.5.1 Execute the Risk Action Plan**
ABC Software Inc. needs to follow a written risk action plan to resolve risk, and they should use the engineering model of requirements, design, implement and test. They also need to map the objectives of the risk action plan to specific actions that they can take to reduce uncertainty and increase control. If their objectives are not completely satisfied, then another action should be added to the matrix.

**3.5.2 Report Progress Against the Plan**
ABC Software Inc. must report the results of risk resolution efforts. Risk project status reporting should be done on a regular basis to improve communication within the team, and the team needs to review the following areas regularly in their decision making:
 * 1) Review risk status
 * 2) Review measures
 * 3) Review metrics

**3.5.3 Develop a Corrective Action Procedure**
A corrective action procedure can help ABC Software Inc. correct for variations in the process, and the team needs to follow the following four steps in the corrective action procedure:
 * 1) Identify the problem --- ABC Software Inc. needs to first find the problem in their product, which can be an intermediate work product such as the risk action plan.
 * 2) Assess the problem --- They need to perform an analysis to understand and evaluate the documented problem.
 * 3) Monitor progress --- They should be able to track progress until the problem is resolved, and lessons should be recorded for future reference.

4.0 Verification
This section covers the verification part of the ABC Software Inc. risk management plan. Its purpose is to make sure that the project practices adhere to the documented risk management plan. Compliance is key to the success of this organization's risk management plan.

4.1 Review Criteria
The project team shall review the risk management plan to understand the risk management practices expected to be performed by the project personnel, to understand the project roles with responsibility for risk management activities, and to understand the expected outputs produced by performing risk management. The project team shall assess the risk management plan for:
 * Completeness - Do the contents consider all aspects of risk management? Check the risk management team and review it against risk management knowledge learned from the training sessions, to ensure that nothing is missing from it.
 * Understandability - Is the plan easy to understand? Check if it takes reading the plan multiple times to gain a working level understanding of it.
 * Level of Detail - Is the level of detail sufficient to execute the plan? Check to see if the plan is too vague and does not give enough information to carry out the impending tasks.

4.2 Audit Procedure
Internal Audit: The ABC Software Inc. quality assurance team is responsible for doing internal auditing. They are responsible for ensuring that the established risk management plan is being followed. The audit team checks every part of the software risk management plan to meet the goal of reaching a high quality software system.

External Audit: We have a yearly ISO9001 certification audit. The software project team needs to ensure that the risk management plan is ISO9001 compliant. Check the ISO9001 guidelines located on the office network drive. Some of the questions asked by the audit agent are:
|| **Agents** || **Artifacts** || **Activities** ||
|| Are you now or have you been involved in risk assessment? || Do you have, or have you read the risk management plan? || How are risks prioritized? ||
|| What are your responsibilities related to risk? || Do you have any risks assigned to you for mitigation? || How often is the risk management plan updated? ||
|| Risk Manager: is risk status up to date? || Are there closed risks? || How are risks tracked? ||

4.3 Audit Report
The audit report provides visibility into the project risks and also shows where the organization’s risk management plan needs improvement. The result of the report should be briefed to the facility manager. Each finding should be an action item to take corrective and preventive action. We have to eliminate the causes of actual deviations. The action items are to be tracked by the project manager. After the action items are closed they need to be catalogued, filed and maintained in our record management database. Below is an example of a Non-Conformance report. Look at the template to familiarize yourself with the audit report.

5.0 Mechanism
The ABC Software Inc. software risk management mechanism is used to transform inputs to outputs. This section covers the three mechanisms that are important to the success of the ABC Software Inc. risk management plan.

5.1 Risk Checklist
The risk checklist is used to organize areas of concern into categories to understand the nature of the risk. Use the risk checklist to document known and unknown risk. Below is the standard risk checklist form for ABC Software Inc.

|| Type of Risk || Jeopardy || Description of the Risk || Expectation of the Risk (1 to 10) || Impact of the Risk (1 to 10) || Severity of the Risk (Expectation x Impact) || Contingencies/Plan of Action ||
|| //Delay of critical resource// || //Budget, Schedule// || //No Funds available until XYZ individual is located.// || //7// || //9// || //63// || //Contact organization to locate XYZ individual.// ||
|| //Delay getting additional data// || //Schedule// || //Contractor is currently searching for it.// || //3// || //7// || //21// || //Focus on task, not additional contingency required// ||
|| //Extra Project Asset// || //Schedule, Resources// || //Can’t obtain any extra Assets// || //2// || //5// || //10// || //Not necessary at this time// ||

5.2 Risk Management Form
The risk management form is used to document risk information essential to managing risk. Below is the standard risk management form for ABC Software Inc. The risk form shall be fully completed and also approved by the risk manager and the project manager. The image below also provides guidance on how to complete the risk management form.
|| Project Number/Name: ||  ||
|| Risk Number: ||  ||
|| Affected Activity: ||  ||
|| Risk: ||  ||
|| Risk Source: ||  ||
|| Risk Category: ||  ||
|| Risk Probability: ||  ||
|| Risk Impact: ||  ||
|| Impact Description: ||  ||
|| Risk Factor: ||  ||
|| Risk Reduction Actions: ||  ||
|| Date of Risk Occurrence: ||  ||
|| Contingency Plan: ||  ||
|| Mitigation Actions: ||  ||
|| Date Closed: ||  ||

5.3 Risk Database Structure
Use the risk database to electronically file all of the risks after filling out the risk management form. The responsibility and authority for the risk database is assigned to the risk manager according to section 1.2.1 of this document. Below is a screen shot of the risk database GUI. The ABC Software Inc. risk database is located under the U: network drive. The risk database form inherits from the risk management form and should also contain the same fields. The requirements for the database are:
 * It should keep track of risk numbers so that there are no duplicates.
 * Only the risk manager can make changes to the risk database.
 * Should allow users to add new risk into the database.
 * The risk database should use the Microsoft Access platform.
 * Should be available to the whole organization.
 * Should let users create reports and queries.