Previous articles in this series have addressed identifying risks to the scheme and selecting which risks to avoid or minimize by scoring and prioritizing the identified risks. The purpose of these two activities is to settle which risks you should deal with to increase the likelihood that your scheme will meet its goals and objectives. The actions that can avoid a risk are determined by the nature of risk, as are actions that can reduce the impact or probability of the risk event. The risks to a scheme that will build a bridge will differ from those that will build a software system. This narrative will address devising strategies for risks to software development projects.
Risk strategies are categorized in accordance with their coming to dealing with the risk:
DRYWALL SETTLEMENT
Avoidance
The operation or strategy chosen will be such that it eliminates the factors that generate the risk. For example, multi-sourcing a software system's server will avoid the risk of delays to the scheme if your single source supplier cannot deliver the server on time.
Mitigate
Risk mitigation entails devising an coming that can lessen the likelihood of the risk event happening, but not thoroughly avoid it, or lessen the impact if it does happen, but not thoroughly eliminate it.
Transfer
You don't avoid the risk or mitigate its impact or probability, you change accountability for dealing with the risk to a third party. The superior example of this is insurance.
These strategies all deal with risk events that are threats to the project's goals and objectives. There are things that could beyond doubt enable your scheme to exceed its goals and objectives and these are called Opportunities. Opportunities differ from risks in that risks are discouraged while opportunities are courted. A tasteless example of an opening is the opening that a programmer finishes a piece of coding ahead of schedule. If you do nothing, the programmer will have a nice holiday but the scheme won't benefit. A contingency plan for deploying the programmer in ask on a piece of code on the significant path could help you deliver the scheme ahead of time. Contingency plans are not the only tool in the risk manager's arsenal. Here is the perfect list:
Exploit
To exploit an opening the scheme owner would implement a plan to increase the likelihood of the event happening. Taking our example of the programmer finishing the code earlier than planned, we could put a senior programmer on that code to increase the likelihood they would stop early. It is likely however, that putting the senior programmer on work that lies on the significant path.
Enhance
Deals with the impact of the opportunity. Let's stick with our software ideas example. We have implemented a plan to exploit this opening by assigning the senior programmer to that code. We could enhance our opening by having a marketing agenda ready to capitalize on the early release. Enhancing the opening in this case would mean we not only save money by completing the scheme early, we also increase wage with our marketing campaign.
Share
Sharing the opening means that the opening is shared with one or more parties covering the society performing the project. The superior example of this is the formation of partnerships in the middle of fellowships to make new technology. The purpose of sharing is to engage skill or expertise that the performing society does not have in order to enhance or exploit the opportunity.
There are 2 strategies that we have not covered as yet and they apply to both threats and opportunities. These are:
Acceptance
Risks that are appropriate have scores that are below the project's risk threshold. The costs saved by avoiding or mitigating the risk do not elucidate the expense. Opportunities that are appropriate are not acted upon for a similar reason: the cost of enhancing, exploiting, or sharing the opening exceeds the benefits that would be reaped should the event happen.
Contingency
The key disagreement in the middle of a contingency plan and the other actions for threats and opportunities is that the other plans (avoid, mitigate or change for threats; exploit, enhance, or share for opportunities) are proactive; they need you to act before the risk event happens. Contingency plans need you to devise a plan that will be acted upon should the risk event happen.
The skill that good risk manager's have is not the quality to categorize an coming to a threat or an opportunity, rather it is the quality to recognize the best strategy or plan to deal with the threat or opening with the allocation available. Focus on the strategy or plan before worrying about either the operation falls into the avoidance or mitigation category. Good risk managers know their limitations when it comes to identifying the best strategies and plans and know how to supplement their knowledge with field Matter Experts (Smes) to address their shortcomings. The first part of your risk strategy planning should be the identification of your areas of deficiencies and a plan to engage Smes who can make up for them.
Let's walk through some things to look for in each of the above strategies. The purpose of addition on each of the categories is not to give you a full, list of strategies or plans for each category, but rather to give you an overview of the characteristics that tend to make the distinct strategies or plans effective.
Avoidance
Avoiding a threat to your project's goals will involve a plan to take off the scheme element(s) that would introduce the risk. You need an operation that effectively removes the threat and you need to implement it in time to avoid the risk event. Let's take the example of the risk of flu infecting a programmer developing a key piece of code for your software system. Having that programmer (and probably the entire team) inoculated for flu would be one way of avoiding this threat. Let's assume that the shot has a 2 week incubation period. That means that the shot won't be sufficient until 2 weeks after its been given. To be an sufficient avoidance plan you'll need to ensure the programmer gets the shot at least 2 weeks in develop of the start of programming.
I have exposed a infirmity in the segregation of approaches to dealing with risk into categories: is the flu shot 100% sufficient in avoiding the risk? The disagreement in the middle of avoidance and mitigation lies in that percentage. The flu shot is an avoidance plan if it is 100% effective, but becomes a mitigation strategy if it is only 99% effective. The real ask is: does it eliminate enough of the risk to make it worth while? You would probably need to be a physician to be able to contribute a good rejoinder to that question, but there are other situations where your Smes will be able to contribute good answers.
Let's use other example to demonstrate an sufficient avoidance plan. The risk event you want to avoid is that the introduction of a new development platform that your development team has never used before will add extra attempt to the scheme and delay the delivery of the software ideas past a hard deadline. The platform was chosen in the first place because at last it will make programming more sufficient and yield a great quality ideas but your scheme will not be able to comprehend those benefits. A inherent avoidance strategy would be to continue programming on the old platform. Chronic on the old platform is guaranteed to be 100% sufficient in avoiding this risk because you take off the technology that introduced the risk event in the first place.
The trick to devising a strategy that will effectively avoid a risk event is to pick one your scheme and your society can afford. The cost of the example cited above might be greater than the allocation for the scheme would allow. Worse than that, it might be an coming that your society cannot afford. Delaying the benefits to be derived from the introduction of the new platform might be urgently needed by the company. Your field matter experts can help you fetch the facts you, or your sponsor, need in order to make a good decision.
In the case where an sufficient strategy that avoids the risk event cannot be devised, is it inherent to devise a mitigation strategy that will reduce the impact of the risk event enough to maintain the project's goals and objectives. Would a training agenda that provides the programmers with training in the new technology, plus the addition of 1 or 2 extra programmers reduce the impact of the risk event enough to deliver on time? The selection will all the time be a company decision: is the cost of the preventive strategy greater or less than the benefits derived? Is there a more cost sufficient way of achieving the same goal?
Mitigation
Mitigation is typically reserved for referring to threats to the project, but can be vast to consist of both threats and opportunities if you divide the type into 2 sub-categories: exploitation of the opening or reduction of the likelihood of the threat and enhancement of the opening or reduction of the impact.
Exploit the opening or reduce the Likelihood of the Threat
Mitigation strategies that reduce the likelihood of the risk event, or threat, can be exemplified by our flu shot example. If the flu shot is less than 100% effective, then the flu shot would reduce the likelihood of the risk event. Test tools are other good example of a mitigation strategy that reduces the likelihood of a risk event. The risk event in this case is a bug being introduced into a later development phase such as quality insurance testing or User Acceptance Testing. The introduction of the self-operating test tool will increase the capacity of each programmer to test so if a programmer has a total of x hours to escort unit, function, and ideas testing, the self-operating test tool will increase the estimate of test cases the programmer can run. This will reduce the risk of a bug that should be identified at this stage seeing its way into the next stage where it is more high-priced to fix.
Tools that enable continuous integration are also examples of mitigation through the reduction of the likelihood of the risk event. The risk is that a bug that has to do with the integration of assorted applications in a software ideas will not be found during development and will be propagated to a later test stage where it will be more high-priced to fix. Continuous integration reduces the likelihood of this by compiling and testing the ideas each time a piece of code is checked into the library. The ask is how sufficient is it in reducing the likelihood: 100%?, 75%?, 50%? The rejoinder is that it will depend on the estimate and thoroughness of the test cases.
Notice that the strategy does not reduce the impact of the risk event in any of the examples given above. A bug that escapes the just tests implemented with the self-operating test tool will still cost the same estimate of attempt to narrative and fix.
Exploitation of an opening will also increase the likelihood of an opening without Enhancing its impact. I will stick to the example stated in the section entitled Exploitation above, where you staff the programmer role with a senior programmer to increase the likelihood that they stop the task early. There are any issues to reconsider in this case. Does the estimate of time saved on this task guarantee the cost of the senior programmer? Will challenging the senior programmer for this role put other task at risk?
Enhance the opening or reduce the Impact of the Threat
Reducing the impact of a threat does not have any consequent on the possibility of the event happening. It does tend to reduce the cost of the event if it does happen, either the cost in terms of time or money. Taking our example of the flu shot, let's suppose we have weighed the benefits of reducing the likelihood (or avoiding it altogether in the case of 100% effectiveness) against the cost of the shot and settle our risk allocation can't afford the flu shot. We still want to do something to address the risk we run of the programmer falling ill and delaying delivery of the software system.
We could partner other programmer with them so that if the programmer who is developing an application that is on the significant path falls ill the partner can pick up their work without having to be brought up to speed on the application. The partner should be working on an application that is not on the significant path and has at least 3 days of slack, assuming the median distance of a flu bout is 3 days. The programmer should also have practically the same skill set as the key programmer and have a comparable estimate of experience. The cost of this strategy would beyond doubt be less than the cost of flu shots. It will not reduce the likelihood of your key programmer catching the flu but will reduce the impact of the event if it were to happen.
Please note that this is not a tutorial on appropriate risk responses. The examples I've chosen merely elucidate the points I'm trying to make. Flu shots for the entire development team, or definite members of it, wouldn't be feasible in smaller companies. You probably would not be able to dictate to the team or members to the team that they must be inoculated even if you had the means to contribute the inoculation.
Enhancing the opening should contribute a benefit to the scheme in terms of money, time, feature set, or quality. Let's take the example we used in defining the approach. Let's say we engaged the senior programmer to code the significant path application addition our chances of getting to shop with our software in develop of our planned set in motion date. Investing in a marketing campaign which takes benefit of our early set in motion date should generate extra sales. Just how many more sales it would generate would be impossible to forecast. You would need the help of a shop investigator to forecast the increase as accurately as possible. The decision then becomes will the cost of the marketing campaign (or the change to the existing campaign), plus the cost of the senior programmer be less than the forecast wage increase? Would there be a wage increase without an supplementary marketing campaign (or change to the existing one)? Would that wage increase exceed the cost of the senior programmer?
Transference
I used the example of purchasing insurance to elucidate this coming to risk. insurance is beyond doubt not the only selection for this strategy, you could change the risk by challenging a seller or sub-contractor to make an application using a new technology that is a core competence of the vendor. You could also change the risk of introducing bugs into the User Acceptance Test environment by challenging your fellowships quality insurance group to do Qa testing before turning the ideas over to the user community. You will need to weigh the cost of transference against the benefits that will be gained by the transfer.
Sharing is similar to change in that you engage a third party to increase the likelihood of the event happening or addition the repaymen if it does. Let's use the example of the new technology again. Our competent crew of programmers could beyond doubt devotee the new technology with the allowable training, if your scheme has the time to escort the training. Outsourcing the development of the part of the ideas that uses the new technology would allow you to perfect that part of the scheme in less time than could be staggering if it were done in-house. That savings in time may allow you to get your ideas to shop quicker which would increase sales. Outsourcing the development becomes a "sharing" strategy in that case.
Keep in mind that transferring a risk does not mean you have no supplementary accountability or actions to take. Would you abandon all driving security measures just because your car is insured? Stop wearing a seat belt? Exceed the speed limit? Pass cars when you can't see the oncoming traffic? Of procedure not, you'll still take these precautions to avoid an crisis because your insurance company will only cover the monetary costs of an accident, they can't deal with the pain, suffering, or loss of life an crisis may cause. Risk avoidance and mitigation strategies must still be monitored when a risk is transferred. Unit, function, and ideas testing must still be diligently done by the programming team even if you have transferred accountability for Qa testing to an external organization.
Contingency
Contingency planning requires an extra element that none of the other strategies employ: a trigger. The other strategies are designed to be implemented before the risk event occurs whereas a contingency plan is designed to be implemented as soon as the risk event happens (or the opening happens). The contingency plan requires a means of alerting the scheme owner to the risk event. The trigger should be something that the scheme owner will observe periodically to check for the risk event.
For this strategy, let's use a building scheme as an example. Your building scheme is an office building and the dry wallers union covenant ends August 31st. That date occurs right in the middle of the premise of the interior walls for your building. You can't do much to replace the dry wallers if there is a strike; employing non-union dry wallers would risk a walk-out of all the trades on the scheme and you can't afford that risk. There is a product however, that can be installed in place of dry wall and can be installed by carpenters. The cost would be just about the same as dry wall making it an appropriate substitute. Your contingency plan is to order the substitute product and engage the extra carpenters. You would only do this in the case of a strike, it would be far too high-priced to purchase the substitute product and engage the carpenters just in case there is a strike. You need to pick an appropriate trigger, one that will avoid unnecessary cost but will implement the substitution in time to maintain the scheme end date.
Unions must contribute a assault deadline by law in most countries, states, or provinces. This deadline does not necessarily mean a assault will happen; there is still the possibility of a negotiated settlement at any time up to the last minute. It would be appropriate to define that assault announcement as a trigger. You will issue a purchase order for the substitute product in case of the notification, in fact you could have your purchaser get ready the order in develop and then issue it to the seller when you receive the notification. You will also issue the order for your carpenters to the appropriate union hall, etc. When you receive assault notification.
The key to implementing an sufficient contingency plan is to pick a trigger that will contribute you with enough time to implement the plan and is cheap enough to make the plan cost effective. Let's use an example from the software business now. Let's say you have a senior programmer working on an application on the significant path and that programmer is in the Reserves. They may be called up at any time and will be lost to the scheme if they are. The reservist will be given one week's notice before they have to narrative (please keep in mind these are hypothetical situations) which would leave you one week to find a replacement. The skill set the programmer has is in short contribute so you can't recognize person in your society to replace them. You could hire a covenant programmer to fill the position. You would use the call-up notice as a trigger to implement the contingency plan. The trigger leaves you with a reasonable estimate of time to implement the plan and won't need you to pay a contractor while the reservist is still on the job.
Contingency Reserve
The strategies described above are all intended to deal with the risks identified with the project, but is it reasonable to expect every inherent risk to be identified? The rejoinder is no, it isn't. The risks we don't know about have the inherent of de-railing our scheme even if we effectively avoid every risk we have identified. So how do we deal with the unidentified risks?
Unidentified risks are sometimes called the unknown unknowns. That term stems from the statement "I don't know what I don't know". Since you don't know anything about them, what the event is, how likely it is to happen, or what the impact would be if it does happen, none of the strategies described above will be sufficient in dealing with them. The only strategy ready for dealing with the unknown unknowns is a contingency reserve. The contingency maintain can be either monetary or time.
When the contingency maintain is defined in terms of time the maintain may be called a buffer. You need to safe this buffer from the scheme stakeholders. There will be a strong temptation to fund requested changes from this buffer, resist this. The buffer should be monitored throughout the life of the scheme to ensure it is enough to carry the scheme through to completion. The buffer may be broken down into individual amounts for scheme phases, stages, or deliverables. The contingency maintain may also be calculated in this way. The maintain needed for the build phase of the scheme is likely to be greater than the maintain needed for design. The contingency maintain is depleted each time an unanticipated risk event occurs. The maintain will also be depleted if the avoidance or mitigation strategy for an staggering risk proves ineffective.
Managing scheme Risk DRYWALL SETTLEMENT
No comments:
Post a Comment