2. • Introduction game
• What is Risk and Risk Management?
• Identifying risks
• Categorize risks - Extreme, High, Medium and Low
• Risk-based requirement writing
• Risk-based testing
• Defects / bugs / issues in IT projects
• Software vs. Review defects
• Impact of identifying and resolving review defects
• Intro to Disaster Risk Management & Green Risk Management
• Q&A
Kompusys Consultants 2
3. Introduction Game
Let’s play a game by introducing ourselves
• Name
• Area of specialization
4. What is Risk?
Risk: the probability that a particular threat will
exploit a particular vulnerability of the system,
taken together with the damage that would result
Damage (consequences / impact, loss)
– Direct loss: financial, environmental, market, etc.
– Technical: impact on other projects / products or services
– Loss of (faith of) clients, damage to corporate identity, e.g. after a hack
– Legal: loss of license due to regulatory lapses
– Technical: detection and repair time, e.g. underground
– Probability of use
– Lost morale
Probability of failure
– Depends on the knowledge of the development project and product (just
before testing)
5. Risk Management
• Risk identification: the process of determining
risks that could potentially prevent the project,
enterprise, or investment from achieving its
objectives. It includes documenting and
communicating the concern to the stakeholders
• Risk estimation: the likelihood of occurrence and
consequences of each risk identified
• Risk evaluation: risks are evaluated against their
risk thresholds and placed in priority order, using
criteria determined by stakeholders. Contingency
plans should be developed for all risks above
their thresholds
6. Risk Management (contd..)
• Risk treatment: Involves the selection, planning,
monitoring, and controlling of actions to decrease
risk exposure
• Risk mitigation: The process of elimination or
reduction of the severity, frequency or magnitude of
exposure to risks or minimization of the impact of a
threat
• Risk management: It’s a continuous process
for systematically addressing risk throughout
the life-cycle of a project or service
• Risk management plan: A plan that defines how the
risk management activities are implemented and
supported during a project. It is always PROACTIVE.
7. Risk Management (contd..)
Managing risks is of no value without
understanding what risks to take and why!
[Diagram: Risks, Threats, Consequence, Vulnerability]
8. Identifying risks
Catalysts to identify risk
• Stakeholders – people on a project
• Experience – lessons learnt
• Location – country, industry
• Funding
• Technology
• Environment
Types of IT risks
• Strategic – long-term opportunities
• Regulatory – changes by local government
• Training – project / product
• Operational – late shipment, incomplete project or obsolete process
• Financial – not getting paid
• Inherent – meetings, documentation, sign-off, etc.
9. Categorize risks - Extreme, High, Medium
and Low
Risk = Probability * Impact
• Simply put: how LIKELY it is to happen and how
BAD it would be if it ever happened
• Without uncertainty or damage, there is no risk
• Every individual's perspective of IMPACT is
different
The biggest single risk for any organization
is that risk management doesn't really
work, leading to a rising number of failed projects
10. Categorize risks – Risk matrix –
Extreme, High, Medium and Low
Rows: PROBABILITY (likelihood); columns: IMPACT ANALYSIS (consequence)

Probability \ Impact   Very high   High      Moderate   Low
Most likely            EXTREME     EXTREME   HIGH       HIGH
Likely                 EXTREME     HIGH      HIGH       MEDIUM
Less likely            HIGH        HIGH      MEDIUM     LOW
Least likely           HIGH        MEDIUM    LOW        LOW
Unlikely               MEDIUM      LOW       LOW        LOW

Probability means Likelihood
Impact Analysis is Consequence
12. Risk-based requirement writing
• Requirements should be malleable – flexible till
project / product end
• Requirement changes can create significant risk
• It allows business analysts to decide what requirement
additions are valid from a policy or development
standpoint
• Provides a platform to negotiate with the customer
• Encourages development teams to negotiate risk
mitigation strategies with stakeholders
• Helps to identify and resolve inconsistencies in
requirements
• Ensures consistency between the requirements, all
policies, and the system's functionality
• Stakeholder involvement is key to this
13. Risk-based requirement (contd..)
• Offers developers and customers the opportunity to
compromise on four variables (cost, time, scope, quality)
• Customers are allowed to choose the desired values for three
of these four variables, and the developers determine the
value of the last variable
Examples
• Customer might state that they want “a high quality release”
on May 1 for $x, and the developers can tell them which of
the customer-prioritized requirements might make it into that
release
• Customer might state that they want a “high quality release”
with specified features for $y, and the developers will
determine when they can deliver the release.
14. Risk-based testing (RBT)
More testing will not result in stable deliveries
• Traditional testing is about finding the right bugs,
whereas RBT is about deciding which bugs can safely be
deferred, by employing the right skills
• Helps to find the right level of quality that can be
delivered within a short schedule and with limited
skilled resources
• Completely based on identifying the business and
technical requirements for an application
• Demonstrated improvement in the project
success factor
• RBT allows QA teams to make informed decisions
while setting clear test exit criteria
15. Risk-based testing (RBT) (contd..)
• Industry specific – Healthcare, Insurance,
Financial, Construction, Mining, …
• Test according to the risk matrix with a 3rd
dimension – SCENARIO; customer-focused
• Schedule test for all risk-based requirements
• Test all EXTREME / CRITICAL and HIGH risk items
• Validate risk matrix with known situations
• Test all medium risks during slack time or
between cycles
• Document medium and low untested risks
during lessons learnt (project closure)
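The following is an added worked example, not code from the deck or from Kompusys Consultants. It transcribes the deck's risk matrix (slide 10) into a lookup, adds the "validate risk matrix with known situations" check as a monotonicity test (a rating must never get better when probability or impact gets worse), and applies the RBT scheduling rules on this slide: test every EXTREME/HIGH item, fit MEDIUM items into slack time, document whatever is left untested. The risk register (`SAMPLE_ITEMS`), the `RiskItem` fields and the `slack_slots` parameter are constructed assumptions for illustration.

```python
"""Risk matrix scoring and risk-based test (RBT) scheduling.

Added example, not code from the Kompusys deck. MATRIX is transcribed from the
'Categorize risks - Risk matrix' slide; the scheduling rules follow the RBT
slide. Every risk item below is constructed for illustration.
"""
from dataclasses import dataclass

# Row order = probability, most likely first; column order = impact, very high first.
PROBABILITY = ["Most likely", "Likely", "Less likely", "Least likely", "Unlikely"]
IMPACT = ["Very high", "High", "Moderate", "Low"]
MATRIX = [
    ["EXTREME", "EXTREME", "HIGH",   "HIGH"],
    ["EXTREME", "HIGH",    "HIGH",   "MEDIUM"],
    ["HIGH",    "HIGH",    "MEDIUM", "LOW"],
    ["HIGH",    "MEDIUM",  "LOW",    "LOW"],
    ["MEDIUM",  "LOW",     "LOW",    "LOW"],
]
LEVEL_ORDER = {"EXTREME": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}  # 0 = most severe


def rate(probability: str, impact: str) -> str:
    """Look up the deck's matrix: (probability, impact) -> EXTREME/HIGH/MEDIUM/LOW."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError(f"unknown probability/impact: {probability!r}, {impact!r}")
    return MATRIX[PROBABILITY.index(probability)][IMPACT.index(impact)]


def matrix_violations() -> list:
    """'Validate risk matrix with known situations': a rating must never get
    better when either probability or impact gets worse. Returns the
    (probability, impact) cells that break that rule; empty for a sane matrix."""
    bad = []
    for r, row in enumerate(MATRIX):
        for c, cell in enumerate(row):
            # The cell to the left has higher impact and the cell above has higher
            # probability; both must be rated at least as severe as this cell.
            worse_left = c > 0 and LEVEL_ORDER[row[c - 1]] > LEVEL_ORDER[cell]
            worse_above = r > 0 and LEVEL_ORDER[MATRIX[r - 1][c]] > LEVEL_ORDER[cell]
            if worse_left or worse_above:
                bad.append((PROBABILITY[r], IMPACT[c]))
    return bad


@dataclass
class RiskItem:
    requirement: str
    probability: str
    impact: str
    scenario: str  # the deck's third dimension: the customer-facing scenario


# Constructed sample register (hypothetical requirements, not from the deck).
SAMPLE_ITEMS = [
    RiskItem("Payment authorization", "Most likely", "Very high", "customer pays"),
    RiskItem("Session timeout", "Likely", "High", "customer walks away logged in"),
    RiskItem("Report export", "Less likely", "Moderate", "analyst exports CSV"),
    RiskItem("Audit log rotation", "Least likely", "High", "disk fills on log host"),
    RiskItem("Help page typos", "Unlikely", "Low", "customer reads help"),
    RiskItem("Login rate limit", "Likely", "Moderate", "attacker sprays passwords"),
]


def schedule_tests(items, slack_slots: int) -> dict:
    """Apply the RBT slide's rules. Returns lists of (requirement, rating):
    'mandatory' = all EXTREME and HIGH items (always tested, worst first);
    'slack'     = MEDIUM items that fit into `slack_slots` spare test slots;
    'deferred'  = remaining MEDIUM and all LOW items, to be documented as
                  untested risks at project closure (lessons learnt)."""
    slots = max(0, slack_slots)  # a negative slack would otherwise slice oddly
    rated = [(item.requirement, rate(item.probability, item.impact)) for item in items]
    rated.sort(key=lambda pair: LEVEL_ORDER[pair[1]])  # stable: register order kept within a level
    mandatory = [p for p in rated if p[1] in ("EXTREME", "HIGH")]
    medium = [p for p in rated if p[1] == "MEDIUM"]
    low = [p for p in rated if p[1] == "LOW"]
    return {"mandatory": mandatory, "slack": medium[:slots], "deferred": medium[slots:] + low}


def exit_criteria_met(plan: dict, tested: set) -> bool:
    """Clear exit criterion: every mandatory (EXTREME/HIGH) item has been tested."""
    return all(req in tested for req, _ in plan["mandatory"])


if __name__ == "__main__":
    assert matrix_violations() == [], "matrix rates a worse case as less severe"
    plan = schedule_tests(SAMPLE_ITEMS, slack_slots=1)
    for bucket, entries in plan.items():
        print(bucket, entries)
    print("exit criteria met:", exit_criteria_met(plan, {"Payment authorization"}))
```

The scenario field is carried on each item but not scored: the deck treats it as the axis along which customer-focused test cases are written, so it belongs in the test design, not in the rating. If an organization edits the matrix (say, to stop rating "Unlikely / Very high" as MEDIUM), `matrix_violations()` is the cheap check that the edit did not make a worse cell less severe than a better one.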
16. RBT- Scenario
Driver is driving a car
• Loss of control – vehicle manufacturers
• Meets with an accident – insurance
• Either dies or is injured – health services
The probability of losing control is greater than that of
an accident, which in turn is greater than that of the impact
17. RBT – Project Scenario
Project Manager is driving the project
• Unclear scope – sponsor
• Several defects – test team
• Kill project or delay – stakeholders
Reversing this:
the probability of successful project delivery is
greater when defects are fixed, and greater still
when the risks are addressed earlier
18. Defects / bugs / issues in IT
projects
• Defects are anomalies in the functionality
• Known defects are instances of a risk occurring
• Considering the risk means considering the
defects
• The defects should be analyzed and classified
• Action on a found defect is REACTIVE
• RBT focuses on detecting issues much earlier,
during planning
20. Software vs review defects
SOFTWARE DEFECTS
• Traditionally found bugs or issues
• Identified only during execution & monitoring phase
• Logged and managed between cycles
• Categorized with Severity & Priority
• Rarely linked to risks
REVIEW DEFECTS
• Found while inspecting or reviewing documents
• Identified throughout the project lifecycle
• Early detection starts from planning stage
• Classified by Severity
• Linked with risk
• Proven to save substantial $s
21. Impact of identifying and resolving
review defects
Addresses risks and saves money
Advantages
• Universal across all industries
• Risk based approach
• Cost is quite low to fix any defects / bugs
• Most defects lead to clarification and close
• Resource training is uniform and the
turnaround cycles are quite aggressive
22. Intro to Disaster Risk Management
Involves 4Rs – Readiness, Response, Recovery
& Reduction
•Disaster risk reduction (DRR) is a systematic
approach to identifying, assessing and reducing
the risks of disaster
•DRR if not acted upon quickly may turn out to
be hazardous / critical
•Helps build better infrastructure
•DRR is an avoidance or delayed method
23. Intro to Green Risk Management
Greening IT infrastructure reduces the risk of
failure and lowers maintenance costs
•Green Risk Management is highly proactive
•Return on investment is sustainable
•Better and faster infrastructure
•Improved business results – Legacy IT migrations
•Marketplace mandate – Current trends like Cloud
computing
•Environmental impacts are reduced