Every systems and software project involves risk. Often, how you manage your program risks is a deciding factor in the eventual success or failure of your program. If you ignore the risks, your program has a higher chance of failing. On the other hand, if you try to track and manage all possible risks, you can expend your entire budget managing the risks, and never produce a deliverable. Risk management, like any other element of systems and software development, requires forethought and careful planning. This article explains what risk management is, and then discusses some common developmental risks.
There is a popular television program that appeals to the brave of heart called "Fear Factor." During this program, contestants compete against each other in events and activities that cause considerable fear for most people. Although it is considered reality TV, the things the contestants are required to eat, drink, touch, dive into, or navigate through are not considered reality by the average person. Contestants are eliminated with each fear-defying competition, until a single winner remains.
In the reality world of software development and/or acquisition, there are circumstances, events, activities, etc. that instill fear in the hearts of software developers, acquirers, and managers. Too often these fear factors are ignored and have devastating impacts on software projects. The authors of this article have participated in the review and assessment of numerous software-intensive systems from the perspective of both developing software and purchasing software. From our experiences, we have identified several issues that are common to many software-intensive programs. These issues, risk factors, are keys to either the success or failure of any software- intensive system.
What Is Software Risk Management?
Risk is defined as, "A possible future event that, if it occurs, will lead to an undesirable outcome" . In the context of software then, software risk management would logically imply the managing of possible future events that could have undesirable effects on software projects. That sounds simple enough. What future events could possibly negatively impact my software project? Risk management is simply defined as a generalized process for managing risks . However, to be an effective risk management process, it has to be both accurate and usable; that is, it must provide results to a manager in time to allow the manager to make informed decisions that allow risks to be minimized or avoided.
Every development project has risks. The risks can range from the common, "We might not be able to find a JOVIAL programming language expert by next month," to the uncommon, "A hurricane might destroy all of the prototype aircraft." How you approach these risks is what is important. In the rest of this article, risk refers to software risk.
The Two Extremes of Software Risk Management
There are two extremes of software risk management: too little and too much. Each one can be explained in terms of popular operating systems.
The first extreme, the too little school, is much like older versions of UNIX. While UNIX is a fine operating system, its roots show a lack of disciplined software development. For those accustomed to a single version of an operating system, there existed numerous versions of UNIX – well over 1001.
Here is an example of the too little school. One of the authors used to work on a Burroughs mini-computer back in the mid- 80s. It ran a version of UNIX referred to as BNIX, which has an interesting property. The memory table that kept a list of all currently running jobs (the process table) had a limited size, but there was no mechanism to protect it. The size was somewhere around 1,023 entries. If you tried to run a process after the table was full, BNIX just bumped the counter to 1,024 and started entering process data.
The fact that the process table was full did not deter it – it just wrote to whatever memory was at the 1,024th position. Since the process table was stored in memory, it was likely (in fact, it was certain) that this 1,024th process just overwrote something critical in the operating system. Assuming that the system did not crash immediately, you could start a 1,025th process. Eventually, the operating system would crash in some bizarre fashion.
By not having mechanisms to deal with the problem, which was a limited size process table, BNIX used the ostrich-head-in-the-sand method of risk management. This method means you assume that all will go correctly, and you just pretend that no risks exist. Many current software development projects use this method – the equivalent of believing in magic, which often occurs because of a new and untested silver bullet. For example, "Now that we are using commercial off-the-shelf software in our program, we're going to cut the schedule by 25 percent." This is unrealistic, unproven, and head-in-the-sand thinking.
The second extreme of software risk management, the too much school, is more like Windows 98. Windows has many mechanisms to ensure you do not overflow process tables, overwrite system memory, or use memory that is currently allocated to other programs. However, Windows 98 sometimes gave a message that said something like, "Unable to run program – not enough memory. Try quitting a running program and try again." Unfortunately, this error message occurred when only running a single program, or even no program.What typically happened was that a previously running program had used memory incorrectly (or crashed prior to cleaning up after itself) and left the system memory corrupted. Windows 98 was unable to ensure that a new program would not be overwriting memory still marked as in use, and would not let the new program run. It usually required a reboot to set things right. This method, being over-cautious of the risks and always assuming that the worst is going to happen, is the other extreme.
To effectively manage risks, you have to take the middle ground. You cannot ignore risks and pretend that all will go well. However, you cannot micromanage all possible risks; you do not have the time and the resources. To take the middle ground, you have to be aware of some common risk factors.
Critical Systems and Software Risk Factors
To adequately manage risks, it is essential to evaluate the program's/project's unique situation. There are, however, certain risks that tend to impact many programs/projects. Having evaluated several programs, we have identified the following critical risk factors as issues that impact the success of many programs. By addressing the key risk factors, programs can make great strides in managing risks that may impact them.
Recently while assisting in the review of a large Department of Defense (DoD) software acquisition program, we asked to review the program's planning documents. In response to the request, the program office produced a Microsoft Project schedule. This response is common when we ask about planning documents while performing program reviews.
There appears to be a lack of desire, interest, ability, and attention to performing adequate program/project planning. Not all programs/projects require the same level of planning; however, they all should include enough planning to adequately assess their issues. Program/project plans should consider the following:
- Date and status of the plan.
- Scope of the plan.
- Issuing organization.
- Approval authority.
- Assumptions made in developing the plan.
- Planned activities and tasks.
- Policies, etc., that dictate the need for this plan.
- Micro-references – other plans or tasks referenced by the plan (other plans or task descriptions that elaborate details of this plan).
- Communication chains.
- Resources and their allocation.
- Responsibilities and authority.
- Quality control measures.
- Stakeholder identification.
- Interfaces among stakeholders.
- Environment/infrastructure, including safety needs.
- Change procedures and history.
- Schematics, diagrams, and architectures to further clarify the intent of the plan.
A lack of adequate planning tends to indicate a lack of forethought and direction. Inadequate planning at either a program or project level greatly increases risk to successful project completion. Elaine M. Hall  has a good explanation of how to plan for risk.
The daughter and son-in-law of one of the authors of this article recently built a house. The couple was anxious to have the home completed so they could move in early enough in the fall to complete the yard before winter. To them this seemed a reasonable request.
As the couple negotiated the deal with the chosen contractor, they were told the house would not be completed in the time schedule desired by the couple. The contractor showed them the list of tasks to be completed and the dependency of each task with other tasks. He further explained to them the dependency on outside factors such as weather, availability of special materials that were part of the couple's design, availability of subcontractors, whims and schedules of building inspectors, and the priority of their house in relationship to other homes the developer was building. The bottom line: the couple was not able to eliminate critical steps in the building process, shortcut the availability of critical resources, or circumvent required inspections.
Have you ever been coerced into or managed a software project that begins with a predetermined schedule? One that is unachievable, to start with, that requires sound processes to be altered or eliminated? One that ignores the requirement for critical resources, eliminates critical reviews, and allows only minimal time for testing? If so, then in talk-show host and author Dr. Phil's words, "What are you thinking?"
Why do we agree to and/or impose software schedules that require the abandonment of everything that we have learned over the past several years as being essential to the success of software development or acquisition projects?
The authors have seen numerous software projects with schedules we consider to be unreasonable, in our opinion, due to the following:
- Schedules based on product need rather than a realistic assessment of engineering effort. This includes schedules based on an arbitrarily imposed due date.
- Effort estimates and resulting schedules based on hallucinations (or unrealistic hope) rather than on historical basis.
- Schedules based on unrealistic, incorrect, or unknown requirements.
- Schedules developed without adequate understanding of sound software engineering practices.
For these reasons, we have included unrealistic schedules as one of our software risk factors.
Unfortunately, managers who attempt to transform unreasonable schedules into accurate and reasonable ones run the additional risk of extreme upper management displeasure. This (and the risk of losing one's job) creates great pressure on lower-level managers to continue to pretend that unreasonable schedules are, in fact, achievable.
Unconstrained Requirements Growth
There have been volumes written over the years about the impact of incomplete, inaccurate, growing, unstable, and on, and on, and on, software requirements problems. In the April 2002 CrossTalk, we enumerated several requirements risks that can drown software projects .
Research conducted by Capers Jones  identified the top five risks that threaten the success of software projects in various sectors. Figure 1 summarizes the approximate percentage of projects that suffer from creeping user requirements.
As indicated in Figure 1, the majority of management information systems and military projects suffer from requirements creep. We further saw that nearly half of the outsourced projects included in the study also suffered from requirements creep.
Our experience shows that nearly all projects suffer from some form of requirements risk. The impact is often catastrophic to the success of the project.We see requirements issues as a substantial risk to the success of many software projects.
Dysfunctional Organizational Culture
The following is the parable of the Happy and Productive Worker:
Once upon a time in a company not far away, there was a worker. He was a productive, happy worker, but alas, he was unsupervised.
The company saw that the worker was unsupervised and made a supervisor.
The coordinator saw that the worker was productive and happy and made a lead worker to make the worker more productive and happier.
The company saw that the department in which the productive, happy worker worked had grown and made a manager to manage the department in which the productive, happy worker worked productively and happily.
The manager saw that the worker was productive and happy and made an assistant manager to help manage the department in which the productive, happy worker worked.
The company saw that the department where the happy, productive worker worked had grown and made an administrator to administer the department in which the productive, happy worker worked.
The administrator saw that the worker was productive and happy and made an assistant administrator to assist in administering the department in which the productive, happy worker worked.
More people were added until the director saw that the department was losing money. So he consulted a consultant. The consultant examined the department in which the productive, happy worker worked productively and happily and advised there were too many people in the department in which the productive, happy worker worked.
And the director paid heed to the counsel of the consultant and fired the productive, happy worker.
In the parable of the Happy and Productive Worker, the organization valued and rewarded the wrong things. As you think of the organizations you work in, what is the culture that exists? Is it a culture plagued with high turnover? Do you enjoy going to work each day, or does it take an act of God to get you out of bed and into the office? Do you have the training and skills required to perform the tasks that are expected of you? Are meetings useful with something actually being accomplished, or are there too many long, useless meetings that just distract from what you are trying to get done?
The organizational culture of many software companies appears to be that of working harder to get out of doing work rather than actually getting things done. This risk factor ties closely to the management. There is an inherent risk with over-managing – and perhaps this risk is greater than under-managing. Over-management forces workers to spend too much time justifying what they do (and do not do). Workers need to be allowed to fail occasionally, and learn from their failure. If you create an environment of one mistake and you're out, workers will spend so much time trying not to fail that they will not have the time to succeed.
During a recent seminar, we asked the attendees how many of them had ever been part of what they considered to be a highperformance team. Of 30 attendees, five indicated that they had. Upon discussion with the group, we identified the following characteristics of a high-performance team:
- Value for all team members.
- Open communication.
- Common understanding of team goals.
- Recognition for valuable contributions.
- Clear understanding of job expectations.
- Shared desire to meet or exceed expectations.
- Demonstrated commitment to the team by management.
It is difficult to successfully develop software in a dysfunctional organization. Management must look honestly at the organization to determine if it is dysfunctional. If your culture is one similar to that of the Happy Productive Worker, that culture is a serious risk to your organization's success in consistently providing quality software.
Not Having or Following Processes
Having and following a good process is essential to the consistent development of quality software systems. It has been said that a software product is only as good as the process used to develop and maintain it. There seems to be common agreement on the value of having and following sound processes in the development and maintenance of software, yet in the authors' experiences, this continues to be a weakness of many software development organizations. We see many organizations that either lack processes or do not follow their existing processes. Some have processes in place but are quick to abandon them when hit with schedule pressure.
When this happens, the good, smart things that help ensure quality software fall by the wayside and programs/projects gradually spin out of control. Not having or following processes is on our list of software risks because this is an area that is often only given lip service. If processes exist, and are required to be followed, many other risks immediately become less critical.
Failure to Actively Manage Software Risk
Have you ever thought about how much we depend on software? The world has evolved to the point where almost everything we do involves software. Lt. Gen. Jim Fain (U.S. Air Force retired), during his tenure as F-22 program director, described software's importance by saying, "The only thing you can do with an F-22 that does not require software is to take a picture of it" . Now in 2004, there is probably not even a non-disposable camera in use that is not at least partially operated by software.
Software has made great technological advancement possible. This dependence on software has also brought with it consequences. Software failures have resulted in significant financial losses and even the loss of life. Software has become the very heart of the new economy, and business risk management must include software risk management to survive.
During a recent program review, one of the authors of this article asked how software risks were managed on the program. The program office produced a list from their risk database of software risks that included risks at a very high level and were generic to the point that they could be applied to any program. When asked how the list was generated, it was explained that a tool had generated the risks based on information provided. We call this risk management in a can. This was a large DoD program that included software with potential life-threatening consequences.
Our dependence on software has pushed us to the point where a proactive software risk management process is essential. Managers must determine whether any unwanted events may occur during the development or maintenance of software, and make appropriate plans to avoid or minimize the impact of these negative consequences. Failure to do so may have devastating consequences. A good software risk management process should include the following steps:
- Identification of program-/projectspecific software-related risks.
- Detailed analysis of each software risk.
- Development of plans to address software risks.
- Active monitoring and tracking of software risks.
- Use of metrics to monitor the riskmanagement process.
By actively managing software-related risks, the probability of experiencing firsthand the consequences of a software failure can be greatly reduced. While failure to actively manage software risk is the last risk mentioned, it is critical.
How detailed should your risk management be? On one recently performed assessment, the risk list on the project ran more than 400 pages, and had a complex formula showing each risk status. Such a complex risk list is almost useless. It is difficult to see the overall project risk status, and it takes a huge amount of time to keep it current.
The authors recently performed another assessment, and saw the risks briefed as a 25-item list, each with either a red, yellow, or green light (standing for high, medium, and low risk). This method was easy to use, easy to understand, and reasonably easy to update. The key point is that the program manager, using this simple 25-item list, has the information to understand the risk exposure of the program and make good decisions.
This article is not intended to present a complete list of risk factors for a particular program/ project – it would take much more space. Likewise, it is not intended to be a primer on correct risk-management practices. What this article is intended to do is heighten your awareness of risk management, and give you a starting point in creating an appropriate risk management strategy. Risk management is usually a task best done by somebody who has some experience in the area. Locate an appropriate source of training or experience, and learn from other's mistakes. If you proactively manage risks properly, then you will spend little time reactively putting out unexpected fires, thus freeing up more time to build your system based on current, accurate, and easy-to-understand risk information.
During a recent "Fear Factor" episode, contestants were required to leap from one boat to another while the two boats were speeding next to each other. This resulted in some of the contestants experiencing very traumatic falls into the water.
In this article, we have identified six risk factors that, based upon our experience, can have significant impact on the success or failure of software programs and projects. By confronting these risks, many inherent problems can be avoided. We recommend the following:
- Take program/project planning seriously.
- Do not lie to yourself; develop schedules based on sound facts and proven approaches.
- Stringently control requirements growth.
- Establish a success-oriented organizational culture.
- Develop and follow sound software development, maintenance, and program/ project management processes.
- Actively identify and manage risks specific to your program/project.
By doing these, you can reduce the probability of your program or project having a traumatic fall into the pit of unsuccessful software programs and projects. The biggest risk of all is failing to manage your risks!
- Leishman, T., and J. VanBuren. "The Risk of Not Being Risk Conscious: Software Risk-Management Basics." STSC Seminar Series, Hill AFB, UT., 2003.
- Hall, Elaine M. Managing Risk. Addison- Wesley, 1998.
- Leishman, Theron, and Dr. David A. Cook. "Requirements Risks Can Drown Software Projects." CrossTalk 15.4 (Apr. 2002): 4-8 www.stsc.hill.af.mil/crosstalk/2002/04/leishman.html.
- Jones, Capers. Assessment and Control of Software Risks. Prentice Hall, 1994.
- Naval Postgraduate School. "Importance of Software to the Military." U.S. Navy, 4 Mar. 2000 www.nps.navy.mil/wings/acq_topics/AcqTopics.htm.
- See www.scs.org/confernc/astc/astc04/cfp/astc04.htm for a starting point.
Theron R. Leishman