9. Managing project risk
Richard E. (Dick)
Èñòî÷íèê: Richard E. (Dick) Fairley Managing and leading software projects // a John Wiley & Sons, inc., publication. 2009.
9.1 Introduction to managing project risk
The goal of risk management is to identify and mitigate potential problems with
suffi cient lead time to prevent adverse impacts on project factors, such as budget,
schedule, resources, and cost, and on product features and quality attributes. If unattended,
potential problems can become real problems that may lead to crisis situations.
For software projects, a crisis is a “show-stopper” that halts or seriously
impedes progress. You do not want to be the manager of, or a member of, a project
that is in a crisis situation; risk management can help you mitigate potential problems
and avoid crises.
Informally, it can be said that risk is the chance a bad thing might happen and
the associated consequences should the bad thing happen. More formally, the chance
of a bad thing happening is expressed as the probability of occurrence. The bad
thing that might happen is a potential problem that hasn’t happened yet but, if it
occurs, will have a negative impact on one, some, or all of budget, schedule, resources,
cost, product features, and quality attributes. The consequences of the negative
impact could be loss of human life, property, information, money, reputation, late
delivery of an unacceptable product, unacceptable cost, or your job.
Table 9.1a Quantitative determination of risk exposure levels.
Table 9.1b Qualitative determination of risk exposure levels
Risk is thus characterized by probability p , where 0 < p < 1, and potential loss L .
For software projects, the potential loss is usually expressed on an ordinal scale of (Low, Medium, High), or in monetary units, or in dimensionless units of utility.
In mission – critical situations, risk may be expressed as the potential for loss of
human life or the potential for signifi cant loss of information or property. Both
characterization (probability and potential loss) are important. If p = 0, it means
that the potential loss will never become a real loss; if p = 1, it means that the loss
has already occurred or will occur with certainty. If the potential loss is negligible
there is no reason for concern. If the potential loss is great, effort may be exerted
to reduce the impact or the probability even if the probability of occurrence is
already very low.(Low, Medium, High), or in monetary units, or in dimensionless units of utility.
In mission – critical situations, risk may be expressed as the potential for loss of
human life or the potential for signifi cant loss of information or property. Both
characterization (probability and potential loss) are important. If p = 0, it means
that the potential loss will never become a real loss; if p = 1, it means that the loss
has already occurred or will occur with certainty. If the potential loss is negligible
there is no reason for concern. If the potential loss is great, effort may be exerted
to reduce the impact or the probability even if the probability of occurrence is
already very low.
Risk exposure (RE) is the product of probability and potential loss:
RE=p*L
A risk factor having probability p=0.25 of occurrence and potential loss of
L=$100,000 has a risk exposure of $25,000.
Quantitative values of probability and potential loss can be used to determine
levels of risk exposure, as in Table 9.1a. It is not always possible to quantify the
probabilities and potential impacts of risk factors. In those cases risk exposure is
characterized in a qualitative manner using an ordinal measurement scale. Risk
exposure is then determined by combinations of probability and potential impact,
as in Table 9.1b.