
It_Club_NCP_Risk_Management_26_03_2013

Date post: 19-Nov-2014
Narasimhan Bhagavan (BN), Kompusys Consultants Inc. “Risk Management in Today’s IT World”

• Introduction game
• What is Risk and Risk Management?
• Identifying risks
• Categorize risks - Extreme, High, Medium and Low
• Risk-based requirement writing
• Risk-based testing
• Defects / bugs / issues in IT projects
• Software vs. Review defects
• Impact of identifying and resolving review defects
• Intro to Disaster Risk Management & Green Risk Management
• Q&A

Kompusys Consultants 2


Introduction Game

Let’s play a game by introducing ourselves

• Name
• Area of specialization


What is Risk?

Risk: Is the probability that a particular threat will exploit a particular vulnerability of the system

Damage (consequences / impact, loss)
– Direct loss: financial, environmental, market, etc.
– Technical: impact on other projects / products or services
– Loss of (faith of) clients, damage to corporate identity, like hacking
– Legal, loss of license, due to regulatory lapses
– Technical: detection and repair time, e.g. underground
– Probability of use
– Lost morale

Probability of failure
– Depends on the knowledge of development project and product (just before testing)


Risk Management

• Risk identification: Is the process of determining risks that could potentially prevent the project, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern to the stakeholders

• Risk estimation: The likelihood of occurrence and consequences of each risk identified

• Risk evaluation: Risks are evaluated against their risk thresholds and placed in priority order, with criteria determined by stakeholders. Contingency plans should be developed for all risks above their thresholds


Risk Management (contd..)

• Risk treatment: Involves the selection, planning, monitoring, and controlling of actions to decrease risk exposure

• Risk mitigation: The process of elimination or reduction of the severity, frequency or magnitude of exposure to risks or minimization of the impact of a threat

• Risk management: It’s a continuous process for systematically addressing risk throughout the life-cycle of a project or service

• Risk management plan: A plan that defines how the risk management activities are implemented and supported during a project. It is always PROACTIVE.


Risk Management (contd..)

Managing risks is of no value without understanding what risks to take and why!


[Diagram: Risks, with Threats, Vulnerability and Consequence]


Identifying risks

Catalysts to identify risk
• Stakeholders – people on a project
• Experience – lessons learnt
• Location – country, industry
• Funding
• Technology
• Environment

Types of IT risks
• Strategic – long-term opportunities
• Regulatory – Changes by local government
• Training – project / product
• Operational – late shipment, incomplete project or obsolete process
• Financial – not getting paid
• Inherent – meetings, documentation, sign-off, etc.


Categorize risks - Extreme, High, Medium and Low

Risk = Probability * Impact

• Simply put: How LIKELY it is to happen and how BAD it would be if it ever happened
• Without uncertainty or damage, there is no risk
• Every individual's perspective of IMPACT is different

The biggest single risk for any organization is that risk management doesn’t really work, leading to a rising number of failed projects


Categorize risks – Risk matrix – Extreme, High, Medium and Low

                 IMPACT ANALYSIS
Probability      Very high   High      Moderate   Low
Most likely      EXTREME     EXTREME   HIGH       HIGH
Likely           EXTREME     HIGH      HIGH       MEDIUM
Less likely      HIGH        HIGH      MEDIUM     LOW
Least likely     HIGH        MEDIUM    LOW        LOW
Unlikely         MEDIUM      LOW       LOW        LOW

Probability means Likelihood

Impact Analysis is Consequence


Traditional requirement


Risk-based requirement writing

• Requirements should be malleable – flexible till project / product end

• Requirement changes, which create significant risk

• It allows business analysts to decide what requirement additions are valid from a policy or development standpoint

• Provides platform to negotiate with the customer

• Encourages development teams to negotiate risk mitigation strategies with stakeholders

• Helps to identify and resolve inconsistencies in requirements

• Ensures consistency between the requirements, all policies, and the system’s functionality

• Stakeholder involvement is key to this


Risk-based requirement (contd..)

• Offers developers and customers the opportunity to compromise on four variables (cost, time, scope, quality)
• Customers are allowed to choose the desired values for three of these four variables, and the developers determine the value of the last variable

Examples

• Customer might state that they want “a high quality release” on May 1 for $x, and the developers can tell them which of the customer-prioritized requirements might make it into that release

• Customer might state that they want a “high quality release” with specified features for $y, and the developers will determine when they can deliver the release.


Risk-based testing (RBT)

More testing will not result in stable deliveries

• Traditional testing is finding the right bugs, whereas RBT involves deferring the right bugs, by employing right skills

• Helps to find the right level of quality that can be delivered within a short schedule and limited skilled resources

• Completely based on identifying business and technical requirements for an application

• Demonstrated improvement in the project success factor

• RBT allows QA teams to make informed decisions while setting clear test exit criteria


Risk-based testing (RBT)

More testing will not result in stable deliveries

• Industry specific – Healthcare, Insurance, Financial, Construction, Mining, …

• Test according to the risk matrix with a 3rd dimension – SCENARIO; customer-focused

• Schedule test for all risk-based requirements
• Test all EXTREME / CRITICAL and HIGH risk items
• Validate risk matrix with known situations
• Test all medium risks during slack time or between cycles
• Document medium and low untested risks during lessons learnt (project closure)
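
Added example (not part of the original slides): the risk matrix above encoded in Python and used to sort a risk register into the RBT buckets listed here. The register entries, the `slack_slots` capacity and all function names are constructed for illustration.

```python
# Added example: the deck's risk matrix plus its RBT scheduling rules.
LEVELS = ["LOW", "MEDIUM", "HIGH", "EXTREME"]
IMPACTS = ["Very high", "High", "Moderate", "Low"]
MATRIX = {
    "Most likely":  ["EXTREME", "EXTREME", "HIGH", "HIGH"],
    "Likely":       ["EXTREME", "HIGH", "HIGH", "MEDIUM"],
    "Less likely":  ["HIGH", "HIGH", "MEDIUM", "LOW"],
    "Least likely": ["HIGH", "MEDIUM", "LOW", "LOW"],
    "Unlikely":     ["MEDIUM", "LOW", "LOW", "LOW"],
}

def rate(probability, impact):
    """Return the matrix category for one (probability, impact) pair."""
    return MATRIX[probability][IMPACTS.index(impact)]

def matrix_is_monotonic():
    """Validate the matrix: rating never rises as probability or impact drops."""
    rows = [[LEVELS.index(c) for c in row] for row in MATRIX.values()]
    across = all(r[i] >= r[i + 1] for r in rows for i in range(len(r) - 1))
    down = all(a[i] >= b[i] for a, b in zip(rows, rows[1:]) for i in range(len(a)))
    return across and down

def plan_tests(register, slack_slots):
    """Split a register into must-test, slack-time and documented-untested."""
    plan = {"must_test": [], "slack_time": [], "document_untested": []}
    ranked = sorted(register, key=lambda r: -LEVELS.index(rate(r[1], r[2])))
    for name, prob, impact in ranked:
        level = rate(prob, impact)
        if level in ("EXTREME", "HIGH"):
            plan["must_test"].append((name, level))
        elif level == "MEDIUM" and slack_slots > 0:  # slack capacity is assumed
            plan["slack_time"].append((name, level))
            slack_slots -= 1
        else:  # untested MEDIUM and all LOW are recorded at project closure
            plan["document_untested"].append((name, level))
    return plan

# Constructed sample register: (requirement, probability, impact)
REGISTER = [
    ("Payment gateway timeout", "Likely", "Very high"),
    ("Report export formatting", "Unlikely", "Moderate"),
    ("Password reset flow", "Less likely", "High"),
    ("Audit log retention", "Least likely", "High"),
    ("Bulk import of legacy data", "Likely", "Low"),
]

if __name__ == "__main__":
    for bucket, items in plan_tests(REGISTER, slack_slots=1).items():
        print(bucket, items)
```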


RBT- Scenario

Driver is driving a car
• Loss of control – vehicle manufacturers
• Meets with an accident – insurance
• Either dies or is injured – health services

Probability for losing control is greater than accident, which is greater than the impact


RBT – Project Scenario

Project Manager is driving the project
• Unclear scope – sponsor
• Several defects – test team
• Kill project or delay – stakeholders

Reversing this: Probability for successful project delivery is greater when defects are fixed, which is greater when the risks are addressed earlier


Defects / bugs / issues in IT projects

• Defects are anomalies in the functionality
• Incidence of risk occurrence – known defects
• Considering the risk means considering the defects
• The defects should be analyzed and classified
• Action is REACTIVE
• RBT focuses on detecting issues much earlier during planning


Risks and review defects found


Software vs review defects

SOFTWARE DEFECTS
• Traditionally found bugs or issues
• Identified only during execution & monitoring phase
• Logged and managed between cycles
• Categorized with Severity & Priority
• Rarely linked to risks

REVIEW DEFECTS
• Found while inspection or review of documents
• Identified throughout the project lifecycle
• Early detection starts from planning stage
• Classified by Severity
• Linked with risk
• Proven to save substantial $s


Impact of identifying and resolving review defects

Addresses risks and saves money

Advantages
• Universal across all industries
• Risk based approach
• Cost is quite low to fix any defects / bugs
• Most defects lead to clarification and close
• Resource training is uniform and the turnaround cycles are quite aggressive


Intro to Disaster Risk Management

Involves 4Rs – Readiness, Response, Recovery & Reduction

• Disaster risk reduction (DRR) is a systematic approach to identifying, assessing and reducing the risks of disaster
• DRR if not acted upon quickly may turn out to be hazardous / critical
• Helps build better infrastructure
• DRR is an avoidance or delayed method


Intro to Green Risk Management

Greening IT infrastructure reducing the risks of failure lowers maintenance costs

• Green Risk Management is highly proactive
• Return on investment is sustainable
• Better and faster infrastructure
• Improved business results – Legacy IT migrations
• Marketplace mandate – Current trends like Cloud computing
• Environmental impacts are reduced


Contact for future consultancy

Narasimhan Bhagavan - CPRM, CIPM, MPM, MQM, CIA, CLA
Principal Consultant
Kompusys Consultants

Phone: 647-248-1398
LinkedIn: http://www.linkedin.com/in/bnweb
