This repo outlines some aspects of risk governance in software development projects.
You are welcome to copy, modify, and apply them in your own work or business, as well as share them with whomever you consider necessary.
Risk control is vital to software development projects.
A project can be defined as work that seeks the creation of a product or the execution of a service.
Whether it is a product or a service, all activities need to be planned, scheduled, and, when executed, need to be controlled.
Incorporating risk management into the software development process, evaluating the results, and proposing improvements to the plan is an important factor in the success or failure of any project.
Operating preventively, acting to reduce the risks present in software development projects by identifying, analyzing, treating, and controlling them, brings benefits such as:
- Improvement of the products and services developed.
- Increased productivity of the product development process.
- Deliveries on schedule.
- Reduction of losses.
- etc...
The risk management process is a blueprint for the actions that need to be done. And there are five basic steps that are taken to manage the risk. These steps are commonly referred to as the risk management process. It begins with risk identification, advances to risk analysis, then the risk is prioritized, a solution is implemented, and finally, the risk is monitored.
So, these are the five essential steps of a risk management process:
Step 1: Identify the risk
Step 2: Analyze the risk
Step 3: Assess or classify the risk
Step 4: Treat the risk
Step 5: Monitor and review the risk
Communication and consultation
// TODO: define ways of communication and consultation
Establishing the context
"By establishing the context, the firm articulates its objectives and defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process." (AS/NZS ISO 31000:2009)
Risk identification
The identification of risks is a crucial step in effective risk management and needs to be comprehensive. If a potential risk is not identified at this stage, it will obviously be ignored in later analyses, implying possible disastrous consequences should it occur.
All possible risks must be identified, even if they have never occurred.
Risk analysis
Risk response strategies:
- Avoid: eliminate the threat to protect the project from the impact of the risk.
  - Example: cancelling the project.
- Transfer: shift the impact of the threat to a third party, together with ownership of the response.
  - Example: contracting insurance.
- Mitigate: act to reduce the probability of occurrence or the impact of the risk.
  - Example: choosing a different supplier.
- Accept: acknowledge the risk, but take no action unless the risk occurs.
  - Example: document the risk and set aside funds in case it occurs.
Probability:
- VERY LOW: UNLIKELY - The event may occur in exceptional situations, but the circumstances do not indicate this possibility.
- LOW: RARE - The event may occur unexpectedly or occasionally, since the circumstances give little indication of this possibility.
- MEDIUM: POSSIBLE - The event could occur in some way because the circumstances moderately indicate this possibility.
- HIGH: PROBABLE - The event can occur, and is even expected to, because the circumstances strongly indicate this possibility.
- VERY HIGH: ALMOST CERTAIN - The event will certainly occur because the circumstances clearly indicate this possibility.
Impact:
- VERY LOW: minimally compromises the achievement of the objective; for practical purposes, does not alter the achievement of the objective/result.
- LOW: compromises the achievement of the objective to some extent, but does not prevent the achievement of most of the objective/result.
- MEDIUM: reasonably compromises the achievement of the goal/outcome.
- HIGH: compromises most of the achievement of the objective/result.
- VERY HIGH: totally or almost totally compromises the achievement of the objective/result.
Risk assessment
Risk assessment is the process of identifying potential hazards and analyzing what might happen if they occur.
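As an added illustration (not code from this repo), the following Python models one register entry with the fields used in the entries below, scores it from the five-level probability and impact scales above, ranks a register for the assessment step, and lists which fields of an entry are still TODO so that a plan revision can pick them up. The product-of-levels score, the classification bands and the sample ratings are my own assumptions; this document defines the scales but no scoring rule.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """The five-level qualitative scale this document uses for both probability and impact."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# The four response strategies listed in the "Risk analysis" section.
RESPONSE_STRATEGIES = ("avoid", "transfer", "mitigate", "accept")


@dataclass
class Risk:
    """One register entry, carrying the same fields as the entries in this document."""
    title: str
    description: str
    probability: Level
    impact: Level
    response: str = "mitigate"
    immediate_actions: list[str] = field(default_factory=list)
    preventive_actions: list[str] = field(default_factory=list)
    causes: list[str] = field(default_factory=list)
    consequences: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.response not in RESPONSE_STRATEGIES:
            raise ValueError(f"unknown response strategy: {self.response!r}")

    def score(self) -> int:
        # Assumption: rank by the product of the two ordinal levels (1..25).
        return int(self.probability) * int(self.impact)

    def classification(self) -> str:
        # Assumed bands; tune them to the company's own risk criteria (the "context" step).
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 8:
            return "significant"
        if s >= 4:
            return "moderate"
        return "minor"

    def open_items(self) -> list[str]:
        """Fields still empty, i.e. the TODOs a plan revision must fill in."""
        fields = {
            "immediate_actions": self.immediate_actions,
            "preventive_actions": self.preventive_actions,
            "causes": self.causes,
            "consequences": self.consequences,
        }
        return [name for name, value in fields.items() if not value]


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; on a tie prefer the higher impact, then the title for stability."""
    return sorted(register, key=lambda r: (-r.score(), -int(r.impact), r.title))


def plan_is_complete(register: list[Risk]) -> bool:
    """True only when no entry in the register still has an empty field."""
    return all(not r.open_items() for r in register)


# Constructed sample register: titles and actions paraphrase entries from this document;
# the probability/impact ratings and the illness preventive action are illustrative choices.
SAMPLE_REGISTER = [
    Risk("Loss of the requirements document",
         "The requirements document is lost or was never created.",
         Level.LOW, Level.VERY_HIGH,
         immediate_actions=["Check for a backup",
                            "Document implemented and pending requirements"],
         preventive_actions=["Adopt rules that secure the document against loss"]),
    Risk("Inadequate testing",
         "The software under development is not tested properly.",
         Level.MEDIUM, Level.HIGH),
    Risk("Team member illness",
         "A team member is absent until recovery.",
         Level.HIGH, Level.LOW, response="accept",
         preventive_actions=["Keep at least two people familiar with each component"]),
    Risk("Unrequested functionality",
         "Features not requested by the product owner are added.",
         Level.LOW, Level.LOW),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        open_items = ", ".join(r.open_items()) or "none"
        print(f"{r.score():2d} {r.classification():11s} {r.title} (open: {open_items})")
    print("plan complete:", plan_is_complete(SAMPLE_REGISTER))
```

Running it prints the register in priority order and shows that the plan is not complete, because two entries still lack causes and consequences; that is the kind of gap the "constant revision of the risk management plan" mentioned under risk treatment is meant to catch.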
Risk treatment
The market presents countless tools and services for risk control and treatment, but the truth is that not all companies can afford them.
It is also true that many companies experiencing growth, with little or no profit, are unlikely to stop investing in their primary activities in order to invest in risk control.
It is the reality of each company that will determine whether risk control is delegated to specialists or implemented by its own members through the development and execution of an action plan, which can be immediate or preventive.
These are actions already thought out, discussed, and assigned to the risk, even if the risk has never occurred. This is not an exhaustive list, because new actions may be suggested at any moment. Hence the importance of the constant revision of the risk management plan.
- Immediate actions: These are actions that should be implemented immediately when the risk occurs.
- Preventive actions: These are actions that should be constantly implemented aiming at the prevention of risk occurrence.
Monitoring and critical analysis
Revision of the risk treatment plan is fundamental: the fact that a risk has no immediate or preventive actions at a certain moment does not mean that it will not have them at another moment.
This risk occurs when the product owner presents the product/service requirements and the development team members do not understand what he really wants. This risk is directly related to the experience level of the professional responsible for business design, feature analysis, requirements gathering, and so on.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the project requirements document is lost or has not been created by the development team.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: Check if there is any backup in case it has been lost. Start documenting the requirements that have already been implemented as well as the ones that have not yet been implemented.
- Preventive Actions: Define and adopt rules to secure the document against loss, and prevent project development from starting without this document having been minimally prepared.
- Causes: TODO
- Consequences: TODO
This risk occurs when the project requirements document doesn't cover the necessary data for the project's development.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the requirement development is done in disagreement with what the customer defined in the requirements document.
It also occurs when there has been no formal development of the requirements document and the development team misinterprets what the customer wants.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the team develops a requirement whose understanding changes during its development.
It also occurs when the requirement is no longer necessary after its completion.
The requirement change can be necessary (e.g. legal imposition) or due to lack of good definition in the initial design phase of the project.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when requirements that were not foreseen during the beginning of the project appear during its development.
The emergence of an unforeseen requirement may be imposed (e.g. a legal imposition) or result from a failure of the development team in the initial phase of project conception.
When the appearance of an unforeseen requirement is due to an imposition of any kind, there is no need to talk about corrective or preventive actions, but only about the implementation of the requirement.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
Implementation of unnecessary requirements by the development team, not defined by the product owner
This risk occurs when unnecessary functionalities are added to the project that were not requested by the product owner.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the development of the project exceeds or is not in accordance with the planned schedule.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when one or more technologies are adopted during the development of the project.
It also occurs when the project starts with technologies not defined as standard by the company.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when there is no effective methodology defined for managing the project development.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
Misapplication of the methodology or methodologies adopted for the project management and development
This risk occurs when the methodology used is poorly applied.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the development team uses inappropriate or unnecessary tools in the development of the project.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the customer is not satisfied with the project that has been developed or is under development.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the customer does not cooperate with the development of the project, for example, not doing the necessary tests to evaluate the requested and already developed requirements.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when one or more members of the development team lack motivation during the development of the project.
The demotivation can be for a specific project or over the course of other projects as well.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the number of people in the development team is insufficient for the project's development.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when a member of a development team is transferred to another, no longer continuing the activities he or she performed in the development of the project.
This risk is aggravated when more than one member of the same team leaves for the same reason at the same time during the project's development phase.
This risk can impact the work of other teams as well.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when a member of the development team falls ill and is unable to participate in the project until his or her recovery.
This risk is aggravated when more than one team member is absent for the same reason at the same time.
This risk can impact the work of other teams.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the person assigned to manage the team that is developing the software does not have adequate management skills.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when there are conflicts among the members of the software development team, which can occur between technicians, between technicians and their managers, and even between managers of different teams.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the software or part of it is developed by third parties without the proper follow-up regarding the expected quality (Example: freelancers, software factories, etc.).
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when there is a change of address of the company or simply of the department with the infrastructure and team responsible for the software development. (Example: Termination of the lease contract without the possibility of renewal).
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the environment intended for the team responsible for software development presents inadequate conditions, for various reasons, that affect the expected production (Example: noise, furniture, facilities, temperature, etc.).
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when the software under development is not tested properly.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
This risk occurs when there is no efficient version control of the software developed.
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
- Probability: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Impact: VERY LOW / LOW / MEDIUM / HIGH / VERY HIGH
- Immediate Actions: TODO
- Preventive Actions: TODO
- Causes: TODO
- Consequences: TODO
Thanks for viewing this repo!
You are welcome to suggest other risks and to follow the evolution of this work if you wish.
Please share the link with people who might be interested and willing to contribute to this research on the subject.