Software Risk Management

There are numerous large software projects in the world today. However, 91% of them fail, for many different reasons [1]. Hence, software risk management is a critical principle for long-term, large-scale software development projects.

The definition of risk and risk management

Risk is the probability of incurring a loss or enduring a negative impact [2]. It can be expressed by the equation RE = P(UO) * L(UO) [3], where RE is the risk exposure, P(UO) is the probability of an unsatisfactory outcome, and L(UO) is the loss (impact) that the unsatisfactory outcome would cause the project. Risk can also be described as uncertainty, which cannot be represented by a probability distribution [4]. Risk is the probability of failing to achieve cost, performance or schedule objectives, leading to the failure of the project.

In order to reduce the frequency of project failure, we should actively try to avoid it. Hence risk management plays a dominant role in every project. Many elements can reduce the success rate of a project; instead of planning for the best case, we should incorporate the ways things go wrong into the plan [1]. Hence, we should organize risk management: an organized process for identifying and dealing with high-risk elements, covering both initial risk management and ongoing risk management over the life of the project [2].

How to organize risk management process

The human species is the only species that holds its own fate in its hands; humans have the capacity to anticipate the future. Yet we routinely ignore project risk, although statistical evidence proves that risk exists in projects [1]. After experiencing a number of failed projects, people recognize that they should focus more on risk prediction and corrective action.

An unmanaged project can be unsatisfactory in many respects, such as budget overruns, wrong functionality, schedule slips and poor-quality software. Hence, a manager should create a process to improve this situation, as described below:


To be more exact, the first step is for management to identify the risk factors in the project [4]. Every large project produces some crises that affect its outcome; each such risk is a potential problem in the project. Some of them should be ignored to preserve productivity and conserve time. However, it is essential to consider the important high-risk elements before we put enthusiasm and energy into the project. In order to concentrate on the productive parts of the project, we should make a list of all high-risk elements, which helps people understand the risks of the project. Secondly, assessing risk probabilities and effects is necessary. For software projects, the desired outcome is an acceptable product delivered on time and within budget. If we want to achieve the desired result, we have to assess these high-risk elements carefully, which helps us select the appropriate elements and deal with them. When we execute these two steps well, we avoid wasting time on unnecessary improvements, and the remaining steps of risk management become more efficient.

Once the elements have been processed in the first two steps, the following stage is to develop strategies to mitigate the identified risks. A risk turns into a problem when the value of a quantitative metric exceeds its predetermined threshold. The threshold is established by working backward from the corrective action and the lead time that corrective action needs. During this step, the risk plan should be divided into two sections. One is action planning, which mitigates the risk by an immediate response; we could use experienced people or train the team, but it should not take much time to address the problem. The other is contingency planning, under which risk management monitors the risk and prepares a future response. For example, a contingency plan might monitor the vendor's progress and develop a software emulator for the target machine [5].

After that, we should monitor the risk factors and invoke the contingency plan when needed. We watch for a change in a metric's value that crosses its predetermined threshold. When that happens, it is essential to allocate adequate resources and specify a drop-dead date; then we can manage the crisis, for example by re-evaluating the project with corrective action. Finally, we should review the crisis and summarize the principles learned, which will have a great effect on future projects.
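The two quantitative pieces of the process above, the risk exposure formula RE = P(UO) * L(UO) and the metric-threshold rule that turns a risk into a problem, can be made concrete in a small risk register. The following Python is an added example written for this page, not code from the cited papers; the risks, probabilities, losses, metric names and threshold values in it are constructed sample data, and the vendor/emulator contingency is the one the text itself mentions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a project risk register.

    probability: P(UO), probability of the unsatisfactory outcome, in [0, 1].
    loss:        L(UO), the loss if it occurs, here in person-weeks of rework.
    metric:      name of the quantitative metric tracked for this risk.
    threshold:   value of that metric above which the risk becomes a problem.
    contingency: the contingency plan invoked when the threshold is crossed.
    """
    name: str
    probability: float
    loss: float
    metric: str
    threshold: float
    contingency: str

    def exposure(self) -> float:
        """Risk exposure RE = P(UO) * L(UO)."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        return self.probability * self.loss


def rank_by_exposure(register: list[Risk]) -> list[Risk]:
    """Identification/assessment step: order the register so the highest
    exposure comes first, giving the 'list of high-risk elements'."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def total_exposure(register: list[Risk]) -> float:
    """Sum of exposures, a rough size of the project's expected loss."""
    return sum(r.exposure() for r in register)


def check_thresholds(register: list[Risk],
                     observed: dict[str, float]) -> list[tuple[str, str]]:
    """Monitoring step: return (risk name, contingency) for every risk whose
    observed metric strictly exceeds its predetermined threshold.

    A metric with no reading yet is skipped rather than treated as zero, so a
    missing measurement never silently hides a risk that has gone unobserved.
    """
    triggered = []
    for risk in register:
        value = observed.get(risk.metric)
        if value is not None and value > risk.threshold:
            triggered.append((risk.name, risk.contingency))
    return triggered


# Constructed sample register (hypothetical values, not taken from the text).
REGISTER = [
    Risk("Target hardware from vendor arrives late", 0.3, 40.0,
         "vendor_schedule_slip_weeks", 4.0,
         "Develop a software emulator for the target machine"),
    Risk("Key engineer leaves mid-project", 0.1, 60.0,
         "unstaffed_critical_tasks", 1.0,
         "Cross-train a second engineer on the critical component"),
    Risk("Requirements churn", 0.6, 15.0,
         "requirement_changes_per_month", 10.0,
         "Freeze scope and re-baseline the schedule"),
]

# Constructed metric readings for one monitoring interval.
OBSERVED = {
    "vendor_schedule_slip_weeks": 6.0,      # past threshold 4: now a problem
    "unstaffed_critical_tasks": 0.0,        # within threshold
    "requirement_changes_per_month": 10.0,  # equal to threshold: not yet crossed
}

if __name__ == "__main__":
    for r in rank_by_exposure(REGISTER):
        print(f"RE={r.exposure():5.1f}  {r.name}")
    for name, plan in check_thresholds(REGISTER, OBSERVED):
        print(f"THRESHOLD CROSSED: {name} -> invoke: {plan}")
```

Ranking by exposure rather than by probability alone is the point of the formula: the vendor risk (0.3 * 40 = 12) outranks the requirements churn (0.6 * 15 = 9) even though churn is twice as likely. The threshold check is deliberately strict ("exceeds"), so a reading equal to the threshold is the signal to prepare the contingency, not yet to invoke it.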

The strategy of risk management

When it comes to strategies that could help us solve the risk problem, there are many aspects to consider.

The initial problem is that people lack sufficient knowledge and experience to identify the real issues in a project. The strategy is to start with something easy over a short period. After people deliver these pieces to the system, they can see the problems clearly and try to address them, but they should not repeat this too many times, because it lowers the efficiency of a long-term, large-scale program. Secondly, it is wise to divide the program and deliver some parts of it to the system early and regularly. This is very significant because it lets us address the problem with the best techniques and learn from each other. We need to create a delivery schedule that fixes when each part must be delivered; after that we can organize a team and communicate about it. This should not be held too frequently, for example every six months.

When we have divided the program into parts, we will find methods to address each of them, but we need to make every solution independent, because all of these solutions are constrained by the manager's insufficient information. We need to examine each small system and then put the small system into the large system, adjusting or changing the prototype as the pieces are incorporated. This helps us discover the best decision on how to reduce the risk. Then the completed program, adjusted by risk management, should be used to test your existing system. In order to acquire accurate data from the large program, including staff learning rates and technology effects, management needs to proceed carefully, using our own people and experts. Most papers claim that only one expert is needed. However, a single expert introduces subjectivity, and experts always concentrate on their own specialty; hence we should employ two or three experts to control risk management.

Organizing a team with multiple specialties is necessary for risk management. A team has the inherent advantage of promoting communication and coordination. One factor we should focus on is the size of the team. If the team is very small, say only one person, it is difficult to complete the program well. On the contrary, if the team is too large, it spends much time on meetings and communication, causing conflicts and leading to low productivity. Sometimes a problem should be addressed independently, and a large team tends to make people rely on others. We should also start our projects immediately: the earlier, the better, because when we put theoretical methods into practice, high-risk elements are found, and people can communicate and cooperate to adjust and improve them. Information about the risks in the program can then be kept up to the minute, which helps the experts monitor and control risk management.

For a large program, we should divide the program into appropriate parts and allocate them to everyone in the team, making sure that everyone takes responsibility for something that matches their own knowledge background. However, it is essential to strike a balance between conflicting interests and ownership needs. If we solve these problems well, people in the team interact and coordinate better. Some disturbances in a project are inevitable, and they become another risk that can make the program fail. When this happens, we should focus on the primary goal and ignore the distractions. If we pay too much attention to these distractions, these risks turn into problems that impact the program.


There are many theoretical methods supporting risk management that can make software development successful. Most of these resources come from numerous program failures and some prediction. Hence, when we complete a project, whether or not it is successful, we need to summarize how we avoided risks and addressed problems, or why the program failed, where we should improve, and what we can predict. For instance, when a project fails, it may be because we had a weak risk assessment, which introduces considerable doubt about the accuracy and value of the results. Although we have some risk management methods now, such as waterfall and evolution, a lack of sufficient background knowledge and resources leads us to choose inappropriate people and tools, underestimate the complexity of the program, and make inefficient plans for adjusting projects.

There is no doubt that risks exist in every project. We have to do risk management to avoid the potential problems that would cause the program to fail; especially for a large software program, we have to control the project and adjust for and eliminate problems before they can impact the program.


[1] Course slides.

[2] R.E. Fairley, "Software Risk Management," IEEE Software, May/June 2005.

[3] R.E. Fairley, "Software Risk Management," IEEE Software, May/June 2005.

[4] B.W. Boehm, "Software Risk Management: Principles and Practices," IEEE Software, January 1991.

[5] E.H. Conrow and P.S. Shishido, "Implementing Risk Management on Software Intensive Projects," IEEE Software, May/June 1997.

[6] R. Fairley, "Risk Management for Software Projects," IEEE Software, May 1994.
