Towards Knowledge Based Risk Management Approach in Software Projects

All projects involve risk; a zero-risk project is not worth pursuing. Furthermore, because every software project is unique, uncertainty about the final result will always accompany software development. Since risks cannot be removed from software development, software engineers should instead learn to manage them better (Arshad et al., 2009; Batista Webster et al., 2005; Gilliam, 2004). Risk management and planning require organizational experience, since they rest heavily on the experience and knowledge acquired in former projects. The greater the project manager's experience, the better his ability to identify risks, to estimate their likelihood and impact, and to define an appropriate risk response plan. Risk knowledge therefore cannot remain an individual asset; it must be made available to the organization, which needs it to learn and to improve its performance in facing risks. If this does not occur, project managers can inadvertently repeat past mistakes simply because they do not know or do not remember the mitigation actions successfully applied in the past, or because they are unable to foresee the risks caused by certain project constraints and characteristics. Risk knowledge has to be packaged and stored over time throughout project execution for future reuse. Risk management methodologies are usually based on questionnaires for risk identification and on templates for investigating critical issues. Such artefacts are seldom related to each other, so there is usually no documented cause-effect relation between issues, risks and mitigation actions. Furthermore, today's methodologies do not explicitly take into account the need to collect experience systematically in order to reuse it in future projects.
To address these problems, this work proposes a framework based on the Experience Factory Organization (EFO) model (Basili et al., 1994; Basili et al., 2007; Schneider & Hunnius, 2003) and on the use of the Quality Improvement Paradigm (QIP) (Basili, 1989). The framework is also specialized within one of the largest firms in the current Italian software market; for privacy reasons, from here on we refer to it as "FIRM". Finally, in order to evaluate the proposal quantitatively, two empirical investigations were carried out: a post-mortem analysis and a case study. Both were carried out in the FIRM context and involve legacy system transformation projects. The first investigation involved 7 already executed projects, the second 5 in itinere (ongoing) projects. The research questions we ask are:

[1] Robert N. Charette et al. Applications Strategies for Risk Analysis, 1990.

[2] Nicolas Anquetil et al. A risk taxonomy proposal for software maintenance, 2005, 21st IEEE International Conference on Software Maintenance (ICSM'05).

[3] Victor R. Basili et al. Software development: a paradigm for the future, 1989, Proceedings of the Thirteenth Annual International Computer Software & Applications Conference.

[4] Márcio de Oliveira Barros et al. Evaluating software project portfolio risks, 2007, J. Syst. Softw.

[5] Paul W. H. Chung et al. Towards Safer Industrial Computer Controlled Systems, 1997, SAFECOMP.

[6] H. D. Rombach et al. The Experience Factory, 1999.

[7] John Dhlamini et al. Intelligent risk management tools for software development, 2009.

[8] Frank Bomarius et al. Get Your Experience Factory Ready for the Next Decade: Ten Years after "How to Build and Run One", 2007, 29th International Conference on Software Engineering (ICSE'07 Companion).

[9] B. Kitchenham et al. Case Studies for Method and Tool Evaluation, 1995, IEEE Softw.

[10] F. Wilcoxon. Individual Comparisons by Ranking Methods, 1945.

[11] Vikram Pudi et al. Advances in Knowledge Discovery and Data Mining, 14th Pacific-Asia Conference, PAKDD 2010, Hyderabad, India, June 21-24, 2010, Proceedings, Part I, 2010, PAKDD.

[12] Kurt Schneider et al. Effective experience repositories for software engineering, 2003, 25th International Conference on Software Engineering (ICSE 2003), Proceedings.

[13] V. C. Ramesh et al. Real options for risk management in information technology projects, 1999, Proceedings of the 32nd Annual Hawaii International Conference on Systems Sciences (HICSS-32), Abstracts and CD-ROM of Full Papers.

[14] Jyrki Kontio et al. Software engineering risk management: a method, improvement framework, and empirical evaluation, 2001.

[15] Mike Holcombe et al. Improving the quality of Software Engineering courses through University Based Industrial Projects, 1998.

[16] Juha Koskela et al. A Review of Small and Large Post-Mortem Analysis Methods, 2004.

[17] Ana Regina Cavalcanti da Rocha et al. Managing Organizational Risk Knowledge, 2003, J. Univers. Comput. Sci.

[18] Art Gemmer et al. Risk Management: Moving Beyond Process, 1997, Computer.

[19] David P. Gilliam. Security risks: management and mitigation in the software life cycle, 2004, 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[20] Rik Maes et al. On the Role of Ambiguity and Incompleteness in the Design of Decision Tables and Rule-Based Systems, 1988, Comput. J.

[21] Scott E. Donaldson et al. Enriching Your Project Planning: Tying Risk Assessment to Resource Estimation, 2007, IT Professional.

[22] D. Oxley. Design Paradigms: Case Histories of Error and Judgment in Engineering, 1997.

[23] A. Mohamed et al. Organizational structural strategies in risk management implementation: best practices and benefits, 2009.

[24] Han van Loon. A Management Methodology to Reduce Risk and Improve Quality, 2007, IT Professional.

[25] Léa A. Deleris et al. Three key enablers to successful enterprise risk management, 2010, IBM J. Res. Dev.

[26] Jan Vanthienen et al. A tool-supported approach to inter-tabular verification, 1998.