
Contents

  1. Objectives
  2. Why Do Continuous Risk Management?
  3. Why Manage Risks?
  4. Reasons We Don't Do Risk Management
  5. What is Continuous Risk Management?
  6. Benefits of Continuous Risk Management
  7. Costs of Continuous Risk Management
  8. Cost vs. Benefit
  9. How Should I Do Continuous Risk Management?
  10. What are the Principles of Continuous Risk Management?
  11. Core Principle
  12. Defining Principles
  13. Sustaining Principles
  14. References

Objectives:

Why Do Continuous Risk Management?

Why Manage Risks?

Everybody agrees that risk management, if done properly, is a good thing to do. Who wouldn't want to identify potential problems early enough to make a difference in the ultimate quality of the product? Continuous Risk Management "helps people avoid disasters, avoid rework, avoid overkill, and stimulate win-win situations on software projects [Boehm 89, p. 1]." Risk management reduces a project's risk exposure and reducing exposure makes good business sense [Charette 89].

Reasons We Don't Do Risk Management

If it's so wonderful, why don't we do it or why do we fail to do it successfully? Here are some of the reasons project personnel give for not doing risk management. All of these reasons are barriers to effective risk management. Some of them are cultural barriers. All of them need to be overcome.

What is Continuous Risk Management?

Continuous Risk Management is a software engineering practice with processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision making to:

Note: Project and program are considered synonymous terms in this document.

Benefits of Continuous Risk Management

Continuous Risk Management, when performed successfully, provides a number of benefits:

  1. Prevents problems before they occur: identifies potential problems and deals with them when it is easier and cheaper to do so, before they become problems and a crisis exists
  2. Improves product quality: focuses on the project's objective and consciously looks for things that may affect quality throughout product development
  3. Enables better use of resources: allows the early identification of potential problems (the proactive approach) and provides input into management decisions regarding resource allocation
  4. Promotes teamwork: involves personnel at all levels of the project and focuses their attention on a shared product vision and provides a mechanism for achieving it.

Costs of Continuous Risk Management

There are three types of costs associated with Continuous Risk Management:

  1. Infrastructure costs: those costs associated with implementing and supporting risk management within an organization (e.g. setting up a training program, purchasing common tools)
  2. Risk management costs: those costs associated with conducting risk management activities within a project (e.g. time to document new risks or write risk status reports)
  3. Mitigation costs: those costs directly associated with mitigating a specific risk to the project (e.g. the cost to carry out the mitigation plans)

These types of cost typically include "expenditure of funds, time, personnel, and management involvement [Charette 89, p. 69]."

Cost vs. Benefit

Determining cost-benefit value is difficult when some costs and benefits cannot be quantified. For example, how do you quantify what you saved by mitigating a risk? How do you estimate what it would have cost you if it had become a problem [Charette 89]? There are no clear-cut answers.

The cost of performing Continuous Risk Management must be balanced against the expected benefits and the cost of not doing risk management [Charette 89].

Example: A major acquisition program manager from the Department of Defense learned about a risk that could have been a "showstopper" for the program. Through Continuous Risk Management, a risk was identified regarding achievement of the specified gross aircraft weight. Added equipment to satisfy specific new mission requirements might increase the weight beyond allowable limits. Early identification and better definition of the risk enabled the program manager to justify funding for an early start of the design, thereby ensuring proper aircraft weight in time to meet the program schedule. This example illustrates a risk identified through Continuous Risk Management that could have stopped the program if it had gone unnoticed until it became a problem. For this program manager, the mitigation of this risk saved what would have been a year's delay in the program schedule, clearly worth the expense of performing risk management.

How Should I Do Continuous Risk Management?

Continuous Risk Management is simply an area of emphasis of every day business. It should be ongoing and comfortable. Like any good habit, it should seamlessly fit into your daily work. There is no one special set of methods, tools, or communication mechanisms that will work for every project. The key is to adhere to the principles, perform the functions, and adapt the practice to suit your needs.

What are the Principles of Continuous Risk Management?

Continuous Risk Management is built upon a set of principles that provide an effective approach to managing risk regardless of the specific methods and tools used. These principles were defined by [Higuera 94] and break down into the following three types:

  1. Core
  2. Sustaining
  3. Defining

Core Principle

Continuous Risk Management simply cannot succeed without the constant attention to fostering open communication, the core principle. No one can find the risks to the project as well as the people who work on it day in and day out. Always ask, "Is the way the project responds when members bring forward issues and concerns going to encourage them to bring more?" Open communication requires:

  1. Encouraging free-flowing information at and between all project levels
  2. Enabling formal, informal, and impromptu communication
  3. Using consensus-based processes that value the individual voice (bringing unique knowledge and insight to identifying and managing risk)

Defining Principles

The defining principles focus on how the project sees risks, and how ambitious it is about looking for and dealing with uncertainty. The principles foster the development of a shared view that clarifies the when, why, and what of Continuous Risk Management.

Forward-looking view: Develop the ability to look ahead, beyond today's crisis to the consequences of that crisis and of the decisions the project makes to deal with it. This principle is also concerned with sharpening the view of how far into the future to look. Forward-looking view requires:

Shared product vision: This is the development of a common understanding of the objectives of the project and the goods and services it will produce for the world. Shared product vision requires:

Global perspective: This requires project members to escape the local interests of groups within the project and within the organization to reach a common view of "what's most important to the project." Project members should develop a common viewpoint at a global level, and be able to move toward deciding how to mitigate specific risks. Global perspective requires:

Sustaining Principles

The sustaining principles focus on how the project goes about its daily business of Continuous Risk Management. These are foundational. If established early in the project and constantly nurtured, these will assure that Continuous Risk Management becomes the way business is conducted.

Integrated management: This principle is concerned with assuring that Continuous Risk Management processes, paperwork, and discipline are consistent with established project culture and practice. Continuous Risk Management is simply an area of emphasis of good project management; therefore, wherever possible, Continuous Risk Management tasks should be integrated into well-established project routine. Integrated management requires:

Teamwork: No single person can anticipate all the risks that face the project. Continuous Risk Management requires that the project members find, analyze, and work risks together. Group synergy, reliance, and cooperation in dealing with risk need to be rewarded.

Teamwork requires:

Continuous process: Risk management must not be allowed to become "shelf ware." The processes must be part of daily, weekly, monthly, and quarterly project management. Stamp out the idea that risk management only happens during "risk management season."

Continuous process requires:

Principles and Tailoring Continuous Risk Management Processes

Continuous Risk Management is not "one size fits all." To be effective, tailoring is needed. Tailoring occurs when organizations adapt the Continuous Risk Management processes and select methods and tools, which best fit with their project management practice and their organizational culture. Following the principles of Continuous Risk Management is the key to successful tailoring.

References

[Boehm 89] Boehm, Barry. IEEE Tutorial on Software Risk Management. New York: IEEE Computer Society Press, 1989.

[Charette 89] Charette, Robert N. Software Engineering Risk Analysis and Management. New York: McGraw-Hill, 1989.

[Higuera 94] Higuera, Ronald P.; Dorofee, Audrey J.; Walker, Julie A.; & Williams, Ray C. Team Risk Management: A New Model for Customer-Supplier Relationships (CMU/SEI-94-SR-05). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1994.

© January 1, 2006 James C. Helm, PhD., P.E.