A Review of Two Software Risk Management Methods

Software risk management is necessary

Currently, the information industry is growing very fast. Both the number of technologies and the complexity of user requirements in software development are increasing. As a result, software companies must do their best to improve product quality while reducing development cost. Hence, only when software risks are managed and controlled well can a company run its business successfully.

In the process of developing software, an unsatisfactory outcome that has a certain probability of happening and would cause negative impacts is called a risk.[1] To handle these risks, a great many approaches have been developed. In this article, two of the popular ones will be briefly introduced and compared: Boehm’s Risk Management Method and SEI’s Risk Management Method.

Two popular methods

* Boehm’s risk management method[6]

Boehm, a famous software engineer, has contributed a great deal to the field of software engineering. His risk management method is also a classic one, and it offers developers many elegant ideas.


As Figure 1 shows, there are two primary phases in Boehm’s method: risk assessment and risk control. Risk assessment has three sub-steps: risk identification, risk analysis, and risk prioritization. Risk control also has three sub-steps: risk-management planning, risk resolution, and risk monitoring. A brief explanation of each sub-step is given below:

➤ Risk identification: Produces a list of the risk items specific to the project. One of the major techniques for this is Boehm’s top-10 software risk items checklist, which contains the top-10 risk items that Boehm derived from his research, together with Boehm’s management techniques for each risk item.

➤ Risk analysis: Assesses the associated loss and the probability of the unsatisfactory outcome for each risk item listed in the risk identification phase. It also assesses the compound risk when several risk items appear in the same project.

➤ Risk prioritization: Produces a ranked ordering of the risk items. One of the major techniques is to calculate the “risk exposure” quantity by multiplying the probability of the unsatisfactory outcome by its associated loss for each risk item, and then to consider the three values together, i.e., the risk exposure quantity, the probability of the unsatisfactory outcome, and the associated loss.
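The risk exposure ranking described above, as an added worked example (not code from the article or from Boehm): the risk register entries are constructed, the 0–10 loss scale and the tie-break order (higher loss, then higher probability, when exposures are equal) are assumptions, since the article only says the three values are considered together.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RiskItem:
    name: str
    probability: float  # P(UO): probability of the unsatisfactory outcome, in [0, 1]
    loss: float         # L(UO): loss if it occurs, on an assumed relative 0..10 scale

    def exposure(self) -> float:
        # Boehm's risk exposure: RE = P(UO) * L(UO)
        return self.probability * self.loss


def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Return the risk items ranked from most to least urgent.

    Primary key is risk exposure; ties are broken by loss, then probability
    (assumption: a rare but costly outcome outranks a likely but cheap one).
    """
    for item in items:
        if not 0.0 <= item.probability <= 1.0:
            raise ValueError(f"{item.name}: probability must be in [0, 1]")
        if item.loss < 0.0:
            raise ValueError(f"{item.name}: loss must be non-negative")
    return sorted(
        items,
        key=lambda r: (r.exposure(), r.loss, r.probability),
        reverse=True,
    )


# Constructed sample risk register (names and values are illustrative only)
REGISTER = [
    RiskItem("Key developer leaves mid-project", 0.3, 8),
    RiskItem("Third-party auth library unmaintained", 0.5, 6),
    RiskItem("Requirements change late", 0.7, 4),
    RiskItem("Production data exposed in test environment", 0.2, 10),
    RiskItem("Build server outage", 0.5, 4),
    RiskItem("Flaky integration test suite", 0.9, 1),
]

if __name__ == "__main__":
    for rank, item in enumerate(prioritize(REGISTER), start=1):
        print(f"{rank}. RE={item.exposure():.1f}  P={item.probability:.1f}  "
              f"L={item.loss:.0f}  {item.name}")
```

The two items with equal exposure (2.0) show why the second and third values still matter: the data exposure item ranks above the build outage because its loss is higher, even though it is less likely.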

➤ Risk-management planning: Provides a plan for each risk item as well as an overall plan for the whole project. Boehm’s top-10 software risk items checklist is a useful tool here too: plans for many specific risk items can be made from the checklist without spending too much time and effort. This phase prepares for the risk control process.

➤ Risk resolution: Implements all the elements of the plan so that the risk items can be eliminated or resolved.

➤ Risk monitoring: Tracks the whole project to ensure that the risk management process stays under control.

* SEI’s risk management method[2]

The Software Engineering Institute (SEI) is a federal research center for software engineering funded by the US Air Force, whose mission is to improve software system quality, safety, reliability, and so on.

Figure 2 presents SEI’s Software Risk Management Model, known as the SEI-SRM Model, which consists of six parts: identify, analyze, plan, track, control, and communicate.


In the identify, analyze, and plan phases, and in part of communication, the Software Risk Evaluation (SRE) [2] methodology plays an important role. The SRE Team consists of a number of software engineers. The duty of the SRE Team is to analyze the relevant issues and document the results according to the requirements of the project. [2] The SRE Team also offers help when unexpected situations arise.

➤ Identify: Each member of the SRE Team identifies risk items according to a taxonomy that lists all the potential risk areas, then documents them on the Statement of Risk, which is part of the Risk Management Form.

➤ Analyze: This phase is also supported by the SRE Team. Each risk item identified in the first phase is analyzed in terms of its probability of occurrence, its associated loss, and so on. The items are then prioritized and assigned different Risk Levels. The outputs are lists of risk items with their Risk Levels and updated Risk Management Forms.

➤ Plan: SRE Team members consider both the individual risk items and the whole project together, then produce a Risk Management Plan. In addition, the SRE Team provides documentation on how to make sure the risks are being handled.

➤ Track: The status of each risk is continuously monitored. Whenever a threshold set in the relevant documentation is exceeded, action should be taken to mitigate the risk.

➤ Control: Execution may deviate from the Risk Management Plan. Risk control manages the risk plans and corrects such deviations so that the whole process can be improved.

➤ Communicate: Communication lies at the center of the SEI-SRM model and is connected to every other part. It is significant throughout the whole software risk management process. Whenever information is collected, it should be passed on to others for integration, so that personnel can share information, work in the most effective way, and reach the best results. Communication is also necessary between different organizational levels, such as the developer, the customer, and the user. Without effective communication, no risk management process can be implemented successfully.

What are their merits and drawbacks?

Having introduced the two risk management methods, we now discuss them.

Boehm’s method has a high reputation in the software risk management field. The top-10 software risk checklist is a useful tool in many phases of the whole process, saving personnel, time, and effort.[3] The concept of “risk exposure” is also an elegant technique for estimating the criticality of a risk item. A good many investigators have been inspired by Boehm’s ideas to carry out further research. However, several drawbacks cannot be ignored. The top-10 list is just a summary of risk items obtained by integrating relevant information; it lacks convincing publications on its underlying theory, original data, and induction method. It changes continuously over time, and so of course needs to be revised continuously. Moreover, the listed risk items may also differ between risk management methods, so the list does not fit every situation. Thus, although the top-10 list has a certain universality and practicality, it needs to be improved and expanded. Besides, neither the estimated probability of a risk occurring nor the estimated loss can be one hundred percent accurate. As a result, the “risk exposure” quantity is itself a risk item.[4]

With the participation of the SRE Team, the relevant discussion can take place whenever and wherever it is needed during the risk identification, analysis, and planning process, which makes information collection and integration more elegant. This increases the reliability and efficiency of the risk management process, and it works even better when the environment is well planned and the whole process is well managed.[5] However, it may take more time for all the SRE Team members to reach a final agreement on a given case. If something goes wrong in the communication phase, the situation can easily become a disaster. Furthermore, organizing and managing such a large team increases the expense of the whole risk management process.


This article has introduced and compared Boehm’s software risk management method and SEI’s risk management method. Boehm’s method provides basic techniques and tools for risk management, as well as many ideas for further investigation. SEI’s method provides a continuous management process supported by the SRE Team and by successful communication. Although both methods have a high reputation, each has drawbacks that need to be addressed. In our view, further research should focus on the accuracy of data collection and the efficiency of data analysis, as well as on methods for saving expense and human labor.


[1] C. J. Alberts and A. J. Dorofee, “Risk management framework,” tech. rep., DTIC Document, 2010.

[2] Y. B. et al., “Software risk management: A practical guide,” 2000. http://cio.doe.gov/sqas.

[3] M. Keil, P. E. Cule, K. Lyytinen, and R. C. Schmidt, “A framework for identifying software project risks,” Communications of the ACM, vol. 41, no. 11, pp. 76–83, 1998.

[4] K. Lyytinen, L. Mathiassen, and J. Ropponen, “Attention shaping and software risk: a categorical analysis of four classical risk management approaches,” Information Systems Research, vol. 9, no. 3, pp. 233–255, 1998.

[5] R. C. Williams, G. J. Pandelios, and S. G. Behrens, “SRE method description (version 2.0) & SRE team members notebook (version 2.0),” 1999.

[6] B. W. Boehm, “Software risk management: principles and practices,” IEEE Software, vol. 8, no. 1, pp. 32–41, 1991.
