Abstract:
Everything that happens in this world carries some risk, however small. Risk management therefore matters, and risk assessment is one of the important elements of the risk management process, including risk management in software engineering. Four risk assessment methods are in popular use, although researchers have proposed many more. The objective of this article is to present several risk assessment methods as they relate to risk management in software engineering.
Keywords: Risk Assessment, Risk Assessment Method, Risk Management, Software Engineering Risk.
1. Introduction
Risk management has a long and storied history in both engineering and finance. As far back as 1800 BC, inscribed in the Code of Hammurabi in ancient Babylon, there is evidence that insurance premiums were paid by farmers to cover the risk of crop failure [2]. This was essentially an insurance policy, a way to manage risk, which became a growth industry in Europe during the 1600s with the advent of global trade and the need to mitigate shipping risks [2]. In the field of software, risk management is a critical discipline: it is the discipline of living with the possibility that future events may cause adverse effects. According to [16], risk management is divided into risk assessment and risk control. Risk assessment is divided into three sub-levels: risk identification, risk analysis and risk prioritization. The second part of risk management, risk control, is broken down into risk management planning, risk planning and risk communication. There are four popular risk assessment methods [30]: the Software Risk Assessment Model (SRAM), the Software Risk Assessment and Estimation Model (SRAEM), the Risk Identification, Mitigation and Avoidance Model for handling software risk (RIMAM), and the Software Risk Assessment and Evaluation Process using a model-based approach (SRAEP). From this perspective of risk management and software development classification, this paper focuses particularly on the risk assessment level in software engineering. The main objective of this review is to give researchers an understanding of the current state of risk assessment. Additionally, the paper provides information about the different kinds of risk assessment methods found in the literature, organized by the context in which risk assessment is applied.
2. Risk Management
Risk management is the process of identifying and assessing risk and applying methods to reduce it to an acceptable level. The main goal of risk management is to help organizations better manage the risks associated with their missions [1]. Risk management is also a process that allows IT managers to balance the operational and economic costs of achieving their missions with the protection of the IT systems and the organizational capabilities needed to achieve those missions. Risk management can also support reasonable decisions in all aspects of daily life [1]. A risk is a potential event that will adversely affect the ability of a system to perform its mission should the event take place [20]. Research on failed software projects showed that "their problems could have been avoided or strongly reduced if there had been an explicit early concern with identifying and resolving their high-risk elements" (Boehm, 1991) [13].
2.1 Risk Management Activities
The activities that make up risk management in software engineering, as studied in [16], include the following.
2.1.1 Risk Management Planning
The purpose of risk management planning is to determine the risk management strategy, the resources necessary to carry out the process, and the schedule of the risk management activities.
2.1.2 Risk Assessment
This activity consists of two processes: risk identification and risk analysis. To identify risks, the following techniques can be used: brainstorming, work breakdown analysis, risk breakdown structure and checklists. Risk analysis characterizes the most important aspects of each risk, with the aim of finding the best mitigation strategies.
2.1.3 Risk Planning
This activity aims to handle the identified risks according to their analysis, choosing which of them will be actively managed. For these risks, contingency plans and action plans (to reduce or avoid the risk) are described. The plan is assessed through a cost-benefit analysis that compares the cost of the action against the cost of the risk: if the cost of the action is greater than the cost of the risk, it is not feasible to implement that measure, and other alternatives should be considered.
2.1.4 Risk Controlling
Risk controlling is responsible for monitoring and tracking the risks and for examining whether the risk management activities have been effective. During risk controlling it is possible to update the mitigation strategy and to re-rank the priority risks, since new risks may arise during the project life cycle and other risks may have their priority reduced.
2.1.5 Risk Communication
Risk communication can be considered the point of integration between the other activities presented above. It is a critical component of successful risk management, because risk communication allows information exchange between project stakeholders, contributing to the collective effort and to the integration of the activities in the risk management process.
2.2 Information Categories of Risk
To determine the level of risk in software development, several categories of information are required, including the following.
- Change: This category covers changes in scope, requirements, implementation or design.
- Code: Source-code-based metrics for software risk assessment. This kind of information is especially helpful when a project uses the same programming language as previous ones.
- Complexity: Complexity is associated with the product and is an indicator of risk, although there is no single detailed method for calculating it. The process of defining the indicators also takes the complexity of the project into account: a complex project is harder to carry out, as reflected by information such as the size of the project or product, the level of dependency, function points, and others.
- Cost: Metrics or indicators that use cost information to measure risk. Generally they provide risk-driven cost monitoring or adapt measurement models from financial risk.
- Design: Metrics or indicators related to the product design process, with a focus on architectural design.
- Organization: This category relates directly to process or organizational characteristics, such as maturity level (inversely related to the level of risk), the type and size of the organization, and security issues.
- Quality: This category uses information about product quality to measure risk and is generally included in testing activities.
- Risk: Uses information taken directly from the risks already identified, such as risk exposure (probability of occurrence times impact), the number of identified risks and the dependencies between risks.
- Size: Two kinds of size are considered, project size and product size. The larger the project or product, the more associated risk factors there are.
- Team: The information used concerns the characteristics of the team: levels of knowledge, experience, expertise, motivation, turnover, effort rate and levels of communication.
- Time: This category uses information about time or schedule to measure risk. Most cases aim at better schedule control or better time estimates.
Boehm (1991) identified ten software risk items to be addressed by software development projects [14]:
- Personnel shortfalls
- Unrealistic schedules and budgets
- Developing the wrong functions and properties
- Developing the wrong user interface
- Gold plating (adding more functionality or features than necessary)
- Continuing stream of requirements changes
- Shortfalls in externally furnished components
- Shortfalls in externally performed tasks
- Real-time performance shortfalls
- Straining computer-science capabilities
3. Risk Assessment
Risk assessment is the first process in the risk management methodology. In risk assessment there are three main processes: software risk identification, risk analysis and risk prioritization [9].
- Risk Identification: the process of finding all possible risk events in a project or organization. Typical risk identification techniques include examination of decision drivers, assumption analysis, brainstorming, work breakdown analysis, risk breakdown structure and checklists, among others [16].
- Risk Analysis: the process of characterizing and prioritizing the identified risks in order to support decision making. Typical techniques include performance models, cost models and network analysis.
- Risk Prioritization: the process that produces a ranked ordering of the risks identified and analyzed. Typical techniques include risk exposure analysis and risk reduction leverage (especially involving cost-benefit analysis).
The purpose of risk assessment is to prioritize the risks so that attention and resources can be focused on the riskier items. Risk identification is the first step in risk assessment; it identifies all the different risks for a particular project. These risks depend on the project, and identifying them is an exercise in imagining what could go wrong. Methods that can help identify risks include lists of possible risks, surveys, meetings and brainstorming, and reviews of plans, processes and work products.
A checklist of common risks is probably the most common tool for risk identification: most organizations prepare a list of frequently occurring project risks, drawn from a survey of previous projects. The list can form the starting point for identifying the risks of the current project.
Risk identification only identifies the undesirable events that may occur during the project, i.e. it details the "unexpected" events that may occur. It does not determine the probability of each risk or its impact on the project if the risk is realized. Therefore the next task is the analysis and prioritization of the risks. In risk analysis, the probability of occurrence of a risk is estimated, along with the loss that would occur if the risk materializes. This is often done through discussion, using experience and understanding of the situation, although structured approaches also exist.
Figure 1 shows the main processes of risk assessment, which is itself part of risk management. Figure 1 shows that risk assessment is one of the important elements of risk management. Risk assessment comes before risk controlling, because the risks must be assessed before they can be controlled. Risk assessment has three process steps: risk identification, risk analysis and risk prioritization.
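The two quantitative steps described above, risk exposure analysis for prioritization (this section) and the cost-benefit check of risk planning (section 2.1.3), can be carried out over a small risk register. The following Python script is an added example written for this review; it is not code from the paper or from any of the surveyed models. It uses Boehm's definitions from [13], risk exposure RE = P(UO) x L(UO) and risk reduction leverage RRL = (RE_before - RE_after) / cost of the action, and treats an action whose RRL is not above 1 (cost greater than the exposure it removes) as not feasible, as section 2.1.3 prescribes. The register entries, the mitigation options and all the numbers are constructed for illustration, and the function names are the author's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Mitigation:
    """A candidate risk-reduction action and its assumed effect on the risk."""
    name: str
    cost: float          # cost of carrying out the action (same unit as Risk.loss)
    prob_after: float    # estimated P(UO) once the action is taken, 0..1
    loss_after: float    # estimated L(UO) if the outcome still occurs afterwards


@dataclass
class Risk:
    """One risk register entry: an unsatisfactory outcome (UO) with P(UO) and L(UO)."""
    name: str
    probability: float   # P(UO), 0..1
    loss: float          # L(UO), e.g. person-days or currency
    mitigations: List[Mitigation] = field(default_factory=list)

    def exposure(self) -> float:
        """Risk exposure RE = P(UO) * L(UO), as defined by Boehm (1991)."""
        return self.probability * self.loss


def risk_reduction_leverage(risk: Risk, m: Mitigation) -> float:
    """RRL = (RE_before - RE_after) / cost_of_action.
    RRL > 1 means the action removes more expected loss than it costs."""
    if m.cost <= 0:
        raise ValueError("mitigation cost must be positive")
    re_after = m.prob_after * m.loss_after
    return (risk.exposure() - re_after) / m.cost


def prioritize(register: List[Risk]) -> List[Risk]:
    """Risk prioritization: rank the register by exposure, highest first."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def choose_mitigation(risk: Risk) -> Optional[Mitigation]:
    """Cost-benefit check from risk planning: discard actions that cost more
    than the exposure they remove (RRL <= 1) and pick the best remaining leverage.
    Returns None when no action is worth its cost, i.e. other alternatives are needed."""
    scored = [(risk_reduction_leverage(risk, m), m) for m in risk.mitigations]
    viable = [(rrl, m) for rrl, m in scored if rrl > 1.0]
    if not viable:
        return None
    return max(viable, key=lambda t: t[0])[1]


# Constructed sample register; names follow Boehm's top-ten items, numbers are invented.
SAMPLE_REGISTER = [
    Risk("Personnel shortfalls", 0.4, 100.0, [
        Mitigation("Hire contractor early", cost=20.0, prob_after=0.1, loss_after=100.0),
        Mitigation("Cross-train team", cost=5.0, prob_after=0.3, loss_after=100.0),
    ]),
    Risk("Unrealistic schedule", 0.7, 80.0, [
        Mitigation("Re-plan with buffer", cost=10.0, prob_after=0.3, loss_after=80.0),
    ]),
    Risk("Gold plating", 0.5, 20.0, [
        Mitigation("Formal change control", cost=15.0, prob_after=0.1, loss_after=20.0),
    ]),
    Risk("Real-time performance shortfall", 0.2, 60.0, [
        Mitigation("Prototype hot path", cost=30.0, prob_after=0.05, loss_after=60.0),
    ]),
]


if __name__ == "__main__":
    # Ranked register with the chosen action (or none) for each risk.
    for risk in prioritize(SAMPLE_REGISTER):
        chosen = choose_mitigation(risk)
        action = f"{chosen.name} (RRL={risk_reduction_leverage(risk, chosen):.2f})" if chosen else "no cost-effective action"
        print(f"RE={risk.exposure():6.1f}  {risk.name:32s}  {action}")
```

Note that the best action is not always the one that removes the most exposure: for the constructed "Personnel shortfalls" entry, hiring a contractor removes 30 units of exposure at a cost of 20 (RRL 1.5), whereas cross-training removes only 10 but costs 5 (RRL 2.0), so it ranks higher. The two lowest-exposure entries get no action at all because each candidate costs more than the exposure it would remove, which is exactly the case section 2.1.3 says should be sent back for other alternatives.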
4. Software Risk Assessment Method
There are quite a number of models in the literature that use different procedures or algorithms to assess the risk of software in general, although some of them exist only as prototypes, with a tool built as a proof of concept. In this section we review the literature on four popular risk assessment models [30]:
- Software Risk Assessment Model (SRAM).
- Software Risk Assessment and Estimation Model (SRAEM).
- Risk Identification, Mitigation and Avoidance Model for Handling Software Risk (RIMAM).
- Software Risk Assessment and Evaluation Process using a Model-Based Approach (SRAEP).
5. Conclusion
This paper presents formal risk assessment methods for software projects based on probability and on metrics that can be collected automatically from the beginning of the project. Risk assessment is one of the important elements in the process of risk management, and the risk assessment and estimation methods approach it from different perspectives. The most widely used risk assessment methods are based on software metrics, such as the Software Risk Assessment and Estimation Model (SRAEM) and the Software Risk Assessment and Evaluation Process (SRAEP), because these are the latest methods in the field of software risk assessment and estimation. A comparative study between SRAEM and SRAEP using a model-based approach gives insight into these models and into how they can help researchers and practitioners develop new methods or improve existing ones.
6. References
[1] Tohidi, Hamid. "The Role of Risk Management in IT Systems of Organizations". Procedia Computer Science, 2011.
[2] Lopez, Cristina, Jose L. Salmeron. "Monitoring Software Maintenance Project Risks". Procedia Technology, 2012.
[3] Gupta, Rashmi, Shalini Raghav. "Risk Assessment Techniques and Survey Method for COTS Components". International Journal of Software Engineering & Applications (IJSEA), 2012.
[4] Sharif, A.M., Shuib Basri. "A Study on Risk Assessment for Small and Medium Software Development Projects". International Journal on New Computer Architectures and Their Applications (IJNCAA), 2011.
[5] Wu, Chun-Hui. "Exploring Impacts of Development Process Maturity on Project Risk". Proceedings of the IEEE IEEM, 2008.
[6] Stern, Robert, Jose Carlos Arias. "Review of Risk Management Methods". Business Intelligence Journal, 2011.
[7] Verdon, Denis, Gary McGraw. "Risk Analysis in Software Design". IEEE Security & Privacy, 2004.
[8] Clarke, Paul, Rory V. O'Connor. "The Situational Factors that Affect the Software Development Process: Toward a Comprehensive Reference Framework". Information and Software Technology, 2012.
[9] Ahmad M. Khan, Shadab Khan, Mohd Sadiq. "Systematic Review of Software Risk Assessment and Estimation Models". International Journal of Engineering and Advanced Technology (IJEAT), 2012.
[10] Kaushal, Poonam. "Software Effort Estimation and Risk Analysis – A Survey". International Journal of Engineering and Innovative Technology, 2012.
[11] Sharif, A.M., Shuib Basri. "A Study on SME Software Development and Risk Assessment Implementation in Malaysia". World Applied Sciences Journal, 2013.
[12] Persson, John Stouby, et al. "Managing Risks in Distributed Software Projects: An Integrative Framework". IEEE Transactions on Engineering Management, 2009.
[13] Boehm, Barry W. "Software Risk Management: Principles and Practices". IEEE Software, 1991.
[14] Kwak, Y.H., J. Stoddard. "Project Risk Management: Lessons Learned from Software Development Environment". Technovation, 2004.
[15] Murad, Abdullah Al, Shamsul Arefeen. "Software Risk Management: Importance and Practices". IJCIT, 2011.
[16] Menezes, Julio Jr., et al. "Defining Indicators for Risk Assessment in Software Development Projects". CLEI Electronic Journal, 2013.
[17] Sharif, A.M., Mohd. Zaidi A.Z. "Design and Implementation of Project Time Management Risk Assessment Tool for SME Projects Using Oracle Application". World Academy of Science, Engineering and Technology, 2010.
[18] Yucel, Gulcin, et al. "A Fuzzy Risk Assessment Model for Hospital Information System Implementation". Expert Systems with Applications, 2011.
[19] Persson, John Stouby, Lars Mathiassen. "A Process for Managing Risks in Distributed Teams". IEEE Software, 2010.
[20] Kwan, Tak Wah, Hareton K.N. Leung. "A Risk Management Methodology for Project Risk Dependencies". IEEE Transactions on Software Engineering, 2011.
[21] Feng, Nan, Minqiang Li. "An Information Systems Security Risk Assessment Model Under Uncertain Environment". Applied Soft Computing, 2011.
[22] Asnar, Yudistira, et al. "Goal-driven Risk Assessment in Requirements Engineering". Requirements Engineering, 2011.
[23] Lund, Mass Soldal, et al. "Evolution in Relation to Risk and Trust Management". IEEE Computer, 2010.
[24] Benaroch, Michel, Ajit Appari. "Financial Pricing of Software Development Risk Factors". IEEE Software, 2010.
[25] Fu, Yun, et al. "Impact Propagation and Risk Assessment of Requirement Changes for Software Development Projects Based on Design Structure Matrix". International Journal of Project Management, 2012.
[26] Alsoghayer, Raid, Karim Djemame. "Resource Failure Risk Assessment Modelling in Distributed Environments". The Journal of Systems and Software, 2013.
[27] Aloini, Davide, et al. "Risk Assessment in ERP Projects". Information Systems, 2012.
[28] Johnston, Douglas E., Petar M. Djuric. "The Science Behind Risk Management". IEEE Signal Processing Magazine, 2011.
[29] Ray, Mitrabinda, Durga Prasad Mohapatra. "Risk Analysis: A Guiding Force in the Improvement of Testing". IET Software, 2012.
[30] T. Jayaletchumi Sambantha M, et al. "The Need for Usability Risk Assessment Model". SDIWC, 2013.