Risk Management Models

A number of risk management models that project managers can readily use have been defined by the Project Management Institute (PMI), the Software Engineering Institute (SEI), and through the groundbreaking software engineering work of Barry Boehm.

Figure 1 illustrates the PMI view of project risk management, which is made up of four activities:

●  Risk identification - determining the sources of risk, identifying potential risk events, and recognizing the symptoms that signal a risk is materializing

●  Risk quantification - using qualitative and quantitative analysis to weigh the opportunities worth pursuing against the threats that must be avoided, and the opportunities that can be ignored against the threats that can be accepted

●  Response planning - developing the risk management and contingency plans, identifying the reserves required in both dollars and person-hours, and determining where mitigation can be achieved through contractual means

●  Monitoring and control - developing corrective action plans and monitoring their implementation as part of executing the overall risk management plan

Project Management Institute Risk Model

Barry Boehm's risk management process was first presented in the tutorial "Software Risk Management," published by IEEE Computer Society Press in 1989. Figure 2 is a graphic representation of the model. Risk management consists of two activities, risk assessment and risk control. Risk assessment is further divided into risk identification, risk analysis, and risk prioritization.

Boehm's Project Risk Model

Risk identification is accomplished by using checklists, decision-driver analysis, and problem decomposition. For problem domains where the project manager and team have previous experience, checklists can be developed to ensure that every previously encountered "known known" risk is checked for on this project. For projects in a new domain, or using a technology dramatically different from the team's experience, a checklist will not exist yet, so decision-driver analysis and problem decomposition are used instead. With these tools the project team can take a deeper look into the problem domain for which the software will be developed and decide on the general classes of risk it will face.

Analysis of the identified risks is done by modeling performance and cost, and by analyzing network, decision, and quality factors. Performance and cost models let the project manager build "what-if" scenarios by varying the performance and cost variables; the values of these variables are estimated from the team's knowledge of the problem domain. Monte Carlo simulation can be layered on these models to examine the distribution of outcomes rather than a single point estimate. Network, decision, and quality-factor analyses give the team refined views of the information developed during problem decomposition in risk identification.

After the risks have been identified and analyzed, their relative likelihood of occurrence and impact on the project must be determined. This risk prioritization lets the project team focus on the critical few risks with the greatest potential to cause project failure. Risk exposure (RE), explained later in this section, is the probability of the unsatisfactory outcome multiplied by the loss if it occurs, and it should be calculated for each high-priority risk. Risk leverage goes one step further and measures the cost benefit of a mitigation: first calculate the current RE, then the RE expected after the mitigation effort is complete, then the cost of that mitigation effort. Subtracting the RE after mitigation from the RE before and dividing the result by the mitigation cost gives the risk reduction leverage, RRL = (RE before - RE after) / mitigation cost; a value below 1 means the mitigation costs more than the exposure it removes. Compound risk reduction is simply the decomposition of multi-factor risks into single-factor risks so that each can be prioritized within the overall risk mix.
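The exposure and leverage calculations above, worked through on a small risk register. This is an added example, not code from the original article or from Boehm's tutorial; the register, the probabilities, losses and mitigation costs are all constructed for illustration, and the class and function names are the example's own choices.

```python
"""Risk exposure (RE) and risk reduction leverage (RRL) over a risk register.

Constructed example: every risk, probability, loss and cost below is invented
for illustration and does not describe any real project.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # P(UO): probability of the unsatisfactory outcome, 0..1
    loss: float         # L(UO): loss to the project if it occurs, in dollars

    def exposure(self) -> float:
        """RE = P(UO) * L(UO)."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range for {self.name!r}")
        return self.probability * self.loss


@dataclass(frozen=True)
class Mitigation:
    risk: Risk
    description: str
    cost: float              # cost of the risk reduction effort
    probability_after: float  # P(UO) expected once the mitigation is done
    loss_after: float         # L(UO) expected once the mitigation is done

    def exposure_after(self) -> float:
        return self.probability_after * self.loss_after

    def leverage(self) -> float:
        """RRL = (RE before - RE after) / cost.  Below 1.0 the mitigation
        costs more than the exposure it removes."""
        if self.cost <= 0:
            raise ValueError("mitigation cost must be positive")
        return (self.risk.exposure() - self.exposure_after()) / self.cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order the register by exposure, highest first (the 'critical few')."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def rank_mitigations(mitigations: list[Mitigation]) -> list[Mitigation]:
    """Order candidate mitigations by leverage, best cost benefit first."""
    return sorted(mitigations, key=lambda m: m.leverage(), reverse=True)


def worthwhile(mitigations: list[Mitigation]) -> list[Mitigation]:
    """Keep only mitigations that remove more exposure than they cost."""
    return [m for m in rank_mitigations(mitigations) if m.leverage() > 1.0]


# Constructed register (invented values).
AUTH = Risk("unmaintained third-party auth library", 0.30, 200_000)
STAFF = Risk("key staff leave mid-project", 0.20, 150_000)
PERF = Risk("performance target missed", 0.50, 80_000)
CHURN = Risk("requirements churn", 0.60, 20_000)
RISKS = [CHURN, STAFF, AUTH, PERF]

# Constructed candidate mitigations (invented values).
MITIGATIONS = [
    Mitigation(AUTH, "security review and migration plan", 25_000, 0.05, 200_000),
    Mitigation(STAFF, "retention bonuses", 40_000, 0.10, 150_000),
    Mitigation(PERF, "prototype and benchmark early", 15_000, 0.10, 80_000),
    Mitigation(CHURN, "extra requirements workshops", 5_000, 0.40, 20_000),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"RE {r.exposure():>10,.0f}  {r.name}")
    for m in rank_mitigations(MITIGATIONS):
        print(f"RRL {m.leverage():5.2f}  {m.description} ({m.risk.name})")
```

Running the block prints the register ordered by exposure and then the mitigations ordered by leverage; with these constructed numbers the retention bonus and the extra workshops fall below a leverage of 1.0, so they would be dropped from the plan even though the risks they address remain on the list to monitor.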

Risk control consists of risk management planning, risk resolution, and risk monitoring. As with risk assessment, each of these three components is supported by its own set of tools and techniques.

Risk management planning uses the tools of buying information, risk avoidance, risk transfer, risk reduction, risk element planning, and risk plan integration. Buying information is another way of saying, "Hire the experts!" It can consist of contracting with subject matter expert consultants, subscribing to databases of topical information, and subscribing to research services.

Risk avoidance is simply finding a way to restructure the project and product so that the risk no longer applies. Risk transfer moves responsibility for the risk to another party: either by buying insurance against its occurrence, or by contracting that part of the project, with its inherent risk, to another organization.

Risk element planning and risk plan integration work together in structuring the project plan. By decomposing a risk into its constituent parts, each element can be individually addressed and resolved; this is the divide-and-conquer strategy for risk mitigation. Risk plan integration then takes these separate elements and incorporates their solutions into the overall project plan.

Risk resolution is accomplished through prototypes, simulations, benchmarks, analyses, and staffing. At this point in the risk model the mapping to Boehm's spiral model of software development becomes very apparent. Prototypes, simulations, and benchmarks generally require additional tools and capabilities. These tools have a large payback in risk reduction and mitigation, but the benefits are only realized after an investment in the tools and in training to use them.

Milestone tracking, top-ten risk tracking, risk reassessment, and corrective action are the tools for risk monitoring. All of them are part of the steps a project manager takes to implement complete risk management. They will be discussed in the section on how to develop a risk management plan.


Copyright 2018 SPMInfoBlog.