Software risk management begins with the notion that software risk is an issue that needs to be managed. Software risk at its core stems from problems within the software itself, i.e., the source code that is introduced during development. Software risk management must then address two Software types of issues:
Software risk management takes a proactive approach Software risk by providing an approach and methodology to look for areas where a software defect impacts the usability of the software for end users and the business. For example, a catastrophic failure as the result of a software bug that does not allow the software to run correctly or at all is a type of software risk that must be managed.
Software risk as an impact on project management, program management, or delivery is one in which software defects and complexity impact the ability to release software on-time or within budget. The impact here is in delays and costs to the business that must be absorbed. For example, a defect found late in the development process could result in re-work that takes days or weeks to correct thereby delaying a project.
Both of these issues require strong risk management practices to mitigate against the risk. But do you actually manage this risk? First, you should identify and understand the root cause.
What are the ways that you can address software risk management? A set of software risk management principles and best practices can serve as a guide to help ensure that the risk of critical issues is mitigated. Currently, most software risk management relies on testing. But testing is not necessarily enough to truly manage risk. And it’s important to note that the old adage, “You can’t manage what you don’t measure” very much applies to managing software risk.
Creating a software risk management plan helps to both jump start managing software risk as well as making it on ongoing part of your software development process. A software risk management plan should typically include:
These steps comprise the basis of comprehensive risk management. Of course, as you develop your software risk management plan, incorporate procedures and processes that make the most sense to your business. But recall that system-level risks are the greatest threats and it is these threats that require the most mitigation.
One key issue around software risk is that the issues that are the most damaging are not always the first ones that appear. Risk analysis in software testing helps determine where the most critical defects are that must be addressed.
* Li, et al. (2011). Characteristics of multiple component defects and architectural hotspots: A large system case study. Empirical Software Engineering, 16 (5), 667-702
In a study in Empirical Software Engineering, researchers found that while only 8% of defects are system level flaws, they account for 90% of system downtime. Thus, in addressing software risk, it's critical to focus on system level issues where the impact can be greatest.