A Review of Risk Assessment Method in Software Engineering



Abstract: Everything that happens in this world carries some risk, however small, and risk management is therefore important. Risk assessment is one of the important elements in the process of risk management, including risk management in software engineering. Four popular methods are used in risk assessment, but researchers have proposed more than these four. The objective of this article is to present some risk assessment methods related to risk management in software engineering.
Keywords: Risk Assessment, Risk Assessment Method, Risk Management, Software engineering risk.


1. Introduction

Risk management has a long and storied history in both engineering and finance. As far back as 1800 BC, inscribed in the Code of Hammurabi in ancient Babylon, there is evidence that insurance premiums were paid by farmers to cover the risk of a crop failure [2]. This was essentially an insurance policy, or a way to manage risk, which became a growth industry in Europe during the 1600s with the advent of global trade and the need to mitigate shipping risks [2]. In the field of software, risk management is a critical discipline: it is the discipline of living with the possibility that future events may cause adverse effects. According to [16], risk management is divided into risk assessment and risk controlling. Risk assessment is divided into three sub-levels: risk identification, risk analysis, and risk prioritization. The second part of risk management, risk control, is also broken down into risk management planning, risk planning, and risk communication. There are four popular risk assessment methods [30]: the software risk assessment model (SRAM), the software risk assessment and estimation model (SRAEM), the risk identification, mitigation and avoidance model for handling software risk (RIMAM), and the software risk assessment and evaluation process using a model-based approach (SRAEP). From this perspective of risk management and software development classification, this paper focuses particularly on the risk assessment level in software engineering. The main objective of this review is to give researchers an understanding of the current state of risk assessment. Additionally, the paper provides information about the different sorts of risk assessment methods found in the literature, organized by the context of risk assessment.

2. Risk Management

Risk management is the process of identifying and assessing risk and applying methods to reduce it to an acceptable extent. The main goal of risk management is to help organizations better manage the risks associated with their missions [1]. Risk management is also a process that allows IT managers to balance the operational and economic costs of achieving missions against the protection of IT systems and the organization's capability to achieve its missions. Risk management can also lead to reasonable decisions in all aspects of daily life [1]. A risk is a potential event that will adversely affect the ability of a system to perform its mission should the risk event take place [20]. Research on failed software projects showed that "their problems could have been avoided or strongly reduced if there had been an explicit early concern with identifying and resolving their high-risk elements" (Boehm, 1991) [13].

2.1 Risk Management Activities

The following activities make up risk management in software engineering, as studied in [16].
2.1.1 Risk Management Planning
The purpose of risk management planning is to determine the risk management strategy, the resources necessary to carry out the process, and the schedule of risk management.
2.1.2 Risk Assessment
This activity consists of two processes: risk identification and risk analysis. To identify risks, the following techniques can be used: brainstorming, work breakdown analysis, risk breakdown structure, and checklists. Risk analysis characterizes the most important aspects of each risk, with the aim of finding the best mitigation strategies.
2.1.3 Risk Planning
This activity aims to handle the identified risks according to their analysis, and therefore chooses which risks are to be managed. For these risks, contingency plans and action plans (to reduce or avoid the risk) are described. Each plan is assessed through a cost-benefit analysis that weighs the cost of the action against the cost of the risk: if the cost of the action is greater than the cost of the risk, it is not feasible to implement that measure, and other alternatives should be considered.
2.1.4 Risk Controlling
Risk controlling is responsible for monitoring and tracking the risks and for examining whether the risk management activities have been effective. Risk controlling may update the mitigation strategy and reorder the priority of risks, since during the project life cycle new risks may arise and other risks may have their priority reduced.
2.1.5 Risk Communication
Risk communication can be considered the point of integration between the other activities presented above. It is a critical component of successful risk management, because risk communication allows information exchange between project stakeholders, contributing to collective effort and to the integration of the activities in the risk management process.

2.2 Information Categories of Risk

To determine the level of risk in software development, several categories of information are required:
  • Change: this category covers changes in the scope, requirements, implementation or design phase.
  • Code: this category presents source-code-based metrics for software risk assessment. This kind of information can be very helpful when a project uses the same programming language as earlier projects.
  • Complexity: complexity is associated with the product and is an indicator of risk, but no detailed calculation method is given. In addition, the process of defining the various indicators also takes the level of complexity of the project into account. If the project is complex, this is somewhat difficult to implement because of the kinds of information involved, such as the size of the project or product, the level of dependence, function points, and others.
  • Cost: metrics or indicators that use cost information to measure risk. Generally, they provide risk-driven cost monitoring or adapt a financial risk measurement model.
  • Design: this category of metrics or indicators relates to the product design process, with a focus on architectural design.
  • Organization: this category relates directly to process or organizational characteristics, such as maturity level (inversely related to the level of risk), the type and size of the organization, and security issues.
  • Quality: this category uses information about the quality of the product to measure risk, and is generally included in the testing activities.
  • Risk: uses information taken directly from the identified risks, such as risk exposure (probability of occurrence and impact), the number of identified risks, and risk dependencies.
  • Size: there are two kinds of size, project size and product size. The greater the size of the project or product, the more associated risk factors there are.
  • Team: the information used concerns the team's characteristics: levels of knowledge, experience, expertise, motivation, turnover, effort rate and levels of communication.
  • Time: this category uses information about the time or schedule to measure risk. Most cases aim to create better schedule control or time estimates.
Boehm (1991) identified 10 software risk items to be addressed by software development projects [14]:
  • Personnel shortfalls
  • Unrealistic schedules and budgets
  • Developing the wrong functions and properties
  • Developing the wrong user interface
  • Gold plating (adding more functionality /features than is necessary)
  • Continuing stream of requirements changes
  • Shortfalls in externally furnished components
  • Shortfalls in externally performed tasks
  • Real-time performance shortfalls

3. Risk Assessment

Risk assessment is the first process in the risk management methodology. Risk assessment has three main processes: software risk identification, risk analysis and risk prioritization [9].
  • Risk Identification: the process of finding all the possibilities and events in a project or organization. Typical risk identification techniques include examination of decision drivers, assumption analysis, brainstorming, work breakdown analysis, risk breakdown structure, and checklists, among others [16].
  • Risk Analysis: the process of characterizing and prioritizing the identified risks in order to help in making decisions. Typical techniques include performance models, cost models, and network analysis.
  • Risk Prioritization: the process of producing a ranked ordering of the risks identified and analyzed. Typical techniques include risk exposure analysis and risk reduction leverage (especially involving cost-benefit analysis).
The purpose of risk assessment is to prioritize the risks so that attention and resources can be focused on the riskier items. Risk identification is the first step in risk assessment; it identifies all the different risks for a particular project. These risks depend on the project, and identifying them is an exercise in imagining what could go wrong. Methods that can help identify risks include lists of possible risks, surveys, meetings and brainstorming, and reviews of plans, processes, and work products.
A checklist of common risks is probably the most common tool for identifying risks: most organizations prepare a list of frequently occurring risks for projects, drawn from a survey of previous projects. The list can form the starting point for identifying the risks of the current project.
Risk identification only identifies the undesirable events that may occur during the project, i.e., it details the "unexpected" events that may occur. It does not determine the probability of the risk, or the impact on the realization of the project if the risk materializes. Therefore, the next tasks are risk analysis and prioritization. In risk analysis, the probability of occurrence of a risk is estimated, along with the loss that would occur if the risk materializes. This is often done through discussion, using experience and an understanding of the situation, although structured approaches also exist.
Figure 1 shows the main process of risk assessment, which is also part of risk management. Figure 1 shows that risk assessment is one of the important elements of risk management. Risk assessment comes before risk controlling, because risk assessment must be defined first, before the others. Risk assessment has three process steps: risk identification, risk analysis and risk prioritization.
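The following is an added example, not code from the paper or from any of the reviewed models, that carries the risk analysis and risk prioritization steps above through to the cost-benefit rule of Section 2.1.3. It assumes Boehm's risk exposure RE = P × L and risk reduction leverage RRL = (RE_before − RE_after) / cost as the "risk exposure analysis" and "risk reduction leverage" techniques named in the text; the risk register values are constructed.

```python
# Constructed example (not the paper's own code): the risk analysis and risk
# prioritization steps of Section 3 plus the Section 2.1.3 cost-benefit rule.
# Assumes Boehm's risk exposure RE = P * L and risk reduction leverage
# RRL = (RE_before - RE_after) / cost; all sample values below are made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str           # risk item, e.g. one of Boehm's top-10 list
    probability: float  # estimated probability of occurrence, 0..1
    loss: float         # estimated loss if the risk materializes (cost units)

    def exposure(self) -> float:
        # Risk exposure RE = P(UO) * L(UO)
        return self.probability * self.loss

@dataclass(frozen=True)
class Mitigation:
    risk: Risk
    cost: float               # cost of the action or contingency plan
    probability_after: float  # estimated probability once the plan is applied
    loss_after: float         # estimated loss once the plan is applied

    def exposure_after(self) -> float:
        return self.probability_after * self.loss_after

    def leverage(self) -> float:
        # Risk reduction leverage: exposure removed per unit of cost spent
        return (self.risk.exposure() - self.exposure_after()) / self.cost

    def is_feasible(self) -> bool:
        # Section 2.1.3 rule: a plan whose cost exceeds the cost of the risk
        # (its exposure) is not feasible and an alternative should be sought
        return self.cost <= self.risk.exposure()

def prioritize(risks: list) -> list:
    # Risk prioritization: ranked ordering of analysed risks, highest RE first
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)

def rank_mitigations(plans: list) -> list:
    # Keep only feasible plans and order them by leverage, highest first
    feasible = [p for p in plans if p.is_feasible()]
    return sorted(feasible, key=lambda p: p.leverage(), reverse=True)

# Constructed sample risk register and candidate plans (illustrative values)
RISKS = [Risk("Personnel shortfalls", 0.25, 120.0),
         Risk("Unrealistic schedules and budgets", 0.5, 96.0),
         Risk("Gold plating", 0.5, 20.0)]
PLANS = [Mitigation(RISKS[1], 12.0, 0.125, 96.0),   # cuts RE 48 -> 12
         Mitigation(RISKS[2], 16.0, 0.125, 20.0)]   # costs more than RE 10
```

Running `prioritize(RISKS)` ranks the schedule risk (RE 48) above personnel shortfalls (RE 30) and gold plating (RE 10); `rank_mitigations(PLANS)` keeps only the schedule plan, because the gold-plating plan costs 16 against a risk worth 10.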

4. Software Risk Assessment Methods

There are quite a number of models in the literature that use different procedures or algorithms to assess the risk of software in general, although some of them are only prototyped as a tool, as a proof of concept. In this section, we review the literature on four popular risk assessment models [30]:

  • Software Risk Assessment Model (SRAM).
  • Software Risk Assessment and Estimation Model (SRAEM).
  • Risk Identification Mitigation and Avoidance Model for Handling Software Risk (RIMAM).
  • Software Risk Assessment and Evaluation Process using Model Based Approach (SRAEP).

5. Conclusion

This paper has introduced formal risk assessment methods for software projects based on probabilities and on metrics that can be collected automatically from the beginning of the project. Risk assessment is one of the important elements in the process of risk management, and the risk assessment and estimation methods approach it from different perspectives. The risk assessment methods most used are based on software metrics, such as the Software Risk Assessment and Estimation Model (SRAEM) and the Software Risk Assessment and Evaluation Process (SRAEP), because these are the latest methods in the field of software risk assessment and estimation. A comparative study between SRAEM and SRAEP using a model-based approach presents insight into these models and how they can help researchers and practitioners to develop new methods or improve existing ones.

6. References

[1] Tohidi Hamid. "The Role of Risk Management in IT Systems of Organizations". Procedia Computer Science, 2011.
[2] Lopez Cristina, Jose L. Salmeron. "Monitoring Software Maintenance Project Risks". Procedia Technology, 2012.
[3] Gupta Rashmi, Shalini Raghav. "Risk Assessment Techniques and Survey Method for COTS Components". International Journal of Software Engineering & Applications (IJSEA), 2012.
[4] Sharif A.M., Shuib Basri. "A Study on Risk Assessment for Small and Medium Software Development Projects". International Journal on New Computer Architectures and Their Applications (IJNCAA), 2011.
[5] Wu Chun-Hui. "Exploring Impacts of Development Process Maturity on Project Risk". Proceedings of the IEEE IEEM, 2008.
[6] Stern Robert, Jose Carlos Arias. "Review of Risk Management Methods". Business Intelligence Journal, 2011.
[7] Verdon Denis, Gary McGraw. "Risk Analysis in Software Design". IEEE Security & Privacy, 2004.
[8] Clarke Paul, Rory V. O'Connor. "The Situational Factors that Affect the Software Development Process: Toward a Comprehensive Reference Framework". Information and Software Technology, 2012.
[9] Ahmad M. Khan, Shadab Khan, Mohd Sadiq. "Systematic Review of Software Risk Assessment and Estimation Models". International Journal of Engineering and Advanced Technology (IJEAT), 2012.
[10] Kaushal Poonam. "Software Effort Estimation and Risk Analysis – A Survey". International Journal of Engineering and Innovative Technology, 2012.
[11] Sharif A.M., Shuib Basri. "A Study on SME Software Development and Risk Assessment Implementation in Malaysia". World Applied Sciences Journal, 2013.
[12] Persson John Stouby, et al. "Managing Risks in Distributed Software Projects: An Integrative Framework". IEEE Transactions on Engineering Management, 2009.
[13] Boehm Barry W. "Software Risk Management: Principles and Practices". IEEE Software, 1991.
[14] Kwak Y.H., Stoddard J. "Project Risk Management: Lessons Learned from Software Development Environment". Technovation, 2004.
[15] Murad Abdullah Al, Shamsul Arefeen. "Software Risk Management: Importance and Practices". IJCIT, 2011.
[16] Menezes Julio Jr., et al. "Defining Indicators for Risk Assessment in Software Development Projects". CLEI Electronic Journal, 2013.
[17] Sharif A.M., Mohd. Zaidi A.Z. "Design and Implementation of Project Time Management Risk Assessment Tool for SME Projects Using Oracle Application". World Academy of Science, Engineering and Technology, 2010.
[18] Yucel Gulcin, et al. "A Fuzzy Risk Assessment Model for Hospital Information System Implementation". Expert Systems with Applications, 2011.
[19] Persson John Stouby, Lars Mathiassen. "A Process for Managing Risks in Distributed Teams". IEEE Software, 2010.
[20] Kwan Tak Wah, Hareton K.N. Leung. "A Risk Management Methodology for Project Risk Dependencies". IEEE Transactions on Software Engineering, 2011.
[21] Feng Nan, Minqiang Li. "An Information Systems Security Risk Assessment Model Under Uncertain Environment". Applied Soft Computing, 2011.
[22] Asnar Yudistira, et al. "Goal-driven Risk Assessment in Requirements Engineering". Requirements Engineering, 2011.
[23] Soldal Mass Lund, et al. "Evolution in Relation to Risk and Trust Management". IEEE Computer, 2010.
[24] Benaroch Michel, Ajit Appari. "Financial Pricing of Software Development Risk Factors". IEEE Software, 2010.
[25] Fu Yun, et al. "Impact Propagation and Risk Assessment of Requirement Changes for Software Development Projects Based on Design Structure Matrix". International Journal of Project Management, 2012.
[26] Alsoghayer Raid, Karim Djemame. "Resource Failure Risk Assessment Modelling in Distributed Environments". The Journal of Systems and Software, 2013.
[27] Aloini Davide, et al. "Risk Assessment in ERP". Information Systems, 2012.
[28] Douglas E. Johnston, Petar M. Djuric. "The Science Behind Risk Management". IEEE Signal Processing Magazine, 2011.
[29] Ray Mitrabinda, Durga Prasad Mohapatra. "Risk Analysis: A Guiding Force in the Improvement of Testing". IET Software, 2012.
[30] T. Jayaletchumi Sambantha M., et al. "The Need for Usability Risk Assessment Model". SDIWC, 2013.