Riskit Method

Riskit is a comprehensive risk management method that is based on sound theoretical principles and thus avoids many of the limitations and problems common to other risk management approaches in software engineering. As the Riskit method has been extensively presented in other publications [11,19-22], we present here only the highlights and main principles of the method. While the Riskit method can be applied in many other domains as well -- such as business planning, marketing, and technology selection -- it was originally developed for software development projects, and its main features correspond to the risk management concepts and practices required in software projects, as discussed in the following.

1. Complete Process Definition

The Riskit method has a comprehensive process definition that supports risk management activities throughout the project [19]. The Riskit process is similar to many other risk management process descriptions with some special characteristics:

The Riskit process overview is presented in Figure 1 as a dataflow diagram. The main processes are also described in Table 1. A more detailed process description is available in a separate report [19].

Figure 1 (image EntireRiskitProcess.gif): The Riskit risk management cycle

Riskit step | Description | Output
Risk management mandate definition | Define the scope and frequency of risk management. Recognize all relevant stakeholders. | Risk management mandate: why, what, when, who, how, and for whom
Goal review | Review the stated goals for the project, refine them and define implicit goals and constraints explicitly. Analyze stakeholders' associations with the goals. | Explicit goal definitions
Risk identification | Identify potential threats to the project using multiple approaches. | A list of "raw" risks.
Risk analysis | Classify and consolidate risks. Complete risk scenarios for main risk events. Estimate risk effects for all risk scenarios. Estimate probabilities and utility losses of risk scenarios. | Completed Riskit analysis graphs for all analyzed risks. Ranked risk scenarios.
Risk control planning | Select the most important risks for risk control planning. Propose risk controlling actions for the most important risks. Select the risk controlling actions to be implemented. | Selected risk controlling actions.
Risk control | Implement the risk controlling actions. | Reduced risks.
Risk monitoring | Monitor the risk situation. | Risk status information.

Table 1: Overview of outputs and exit criteria of the Riskit process

Figure 2 (image RiskIsCharacterized.gif): Definition of risk in the Riskit method

2. Goals and Stakeholders

Most risk management methods do not explicitly support different stakeholder perspectives [9,12,16-18,23], and those that do often limit the number of stakeholders and assume that consensus can be reached [24]. Boehm's Win-Win approach is the only major risk management approach that focuses on stakeholder goals [6]. The Riskit method extends Boehm's approach by maintaining explicit links between risks and stakeholders. These links are visualized in Figure 2. The Riskit method contains templates and guidelines on how to identify, analyze and document all the elements listed in Figure 2.

When risk scenarios are defined, their impact on the project is described through the stated project goals. This allows full traceability from risks to goals and on to stakeholders: each risk can be described by its potential impact on the agreed project goals, and each stakeholder can use this information to rank risks from their own perspective.

3. Definition of Risk

The Riskit method supports an unambiguous definition of risk. The common definitions of risk, whether from dictionaries or every-day usage, associate several different meanings with the word. It can refer to the possibility of loss, the actual loss that would result if the risk occurs, a factor or element that is associated with a threat, or a person who contributes to the possibility of loss [19]. While it is sometimes necessary to refer to any of these aspects of risk on an abstract level, we believe that a more analytical discussion of risk requires more precise terms. Thus, in the Riskit method the risk itself is defined on a general level as a possibility of loss, the loss itself, or any characteristic, object or action that is associated with that possibility.

The Riskit analysis graph is a graphical formalism that is used to define the different aspects of risk more formally. The Riskit analysis graph can be seen both as a conceptual template for defining risks, as well as a well-defined graphical modeling formalism.

The underlying conceptual model -- or meta-model -- of the Riskit analysis graph components is presented in Figure 3. This meta-model represents the underlying conceptual elements and their relationships. Each rectangle in the graph represents a risk element and each arrow describes a possible relationship between risk elements. Riskit analysis graphs can be drawn with diagram editor tools, and a template with the Riskit symbols is available for the VISIO tool [26]. An example Riskit analysis graph is presented in Figure 4. The Riskit analysis graph allows visual yet more formal documentation of risks, resulting in better communication and a deeper, qualitative understanding of them.

Figure 3 (image RiskitGraph.gif): A conceptual view of the elements in the Riskit analysis graph

Figure 4 (image AotherSampleScen.gif): Example of the Riskit analysis graph (risk scenarios)

4. Quantification of Risks

Most risk management approaches rely on risk estimation techniques that are either impractical or theoretically questionable. Expected value calculations [5] (i.e., risk = probability * loss) are often impractical because accurate estimates for probability and loss are seldom available, and it is difficult to account for effects on multiple goals and for non-linear utility functions.

Table-based risk ranking approaches [1,5,7,9,10] are often theoretically weak, as they are based on performing multiplication on ordinal scale metrics -- an operation that is mathematically meaningless and may result in incorrect rankings.

Riskit largely avoids these problems by using ranking techniques that are matched to the type of information available. Expected value calculations are used when ratio or distance scale data is available. However, when only ordinal scale metrics are available for probability or loss, a specific Riskit Pareto ranking technique is used. This technique uses a two-dimensional space to position risk scenarios by their relative probability and utility loss. The technique is illustrated by the examples in Table 2: scenarios are positioned on the Riskit Pareto ranking table according to their rankings with respect to probability and utility loss. A scenario's Pareto efficiency over other scenarios can be easily assessed in the table: it is Pareto efficient if no other scenario is in a cell above it or to the left of it.

Using the Riskit Pareto ranking technique results in a partial ranking of risk scenarios, i.e., priorities can be defined for some scenarios while the relative priority of others remains unknown. While a complete prioritization of scenarios would be desirable, the input data on which the prioritization is based does not normally allow it.

Table 2 (image RiskProbTable.gif): Risk scenario ranking table using Pareto-efficient sets

In Table 2, scenario 1 is Pareto efficient over all other scenarios. The remaining scenarios can be only partially ranked based on the available information. The priority between scenarios 2 and 4 cannot be established, but one can say that scenario 2 has higher priority than scenarios 3, 5, 6, and 7, and that scenario 4 has higher priority than scenarios 5, 6, and 7. The significance of these partial rankings is that they guide the focus of risk management to scenarios that have been reliably prioritized over other scenarios, given the information available. The risks should be considered for risk controlling action planning in their order of priority.

The value of the Riskit Pareto ranking technique is that it provides a reliable and consistent ranking approach that ranks risks only as far as the input data allows.
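As an added worked example (not code from the Riskit publications or the Riskit tool), the following Python implements the Pareto ranking described above for ordinal probability and utility-loss ranks. It assumes the usual reading of "above or left": a scenario is dominated when another scenario ranks at least as high on both probability and utility loss and strictly higher on at least one axis, and scenarios sharing a cell do not dominate each other. The scenario ranks are constructed to satisfy the relations the text states for Table 2; they are not the table's own values. The example goes one step beyond the text by peeling off successive Pareto-efficient sets, which yields the priority tiers in which scenarios would be taken into risk control planning while leaving scenarios within a tier unordered.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Scenario:
    """A risk scenario positioned by ordinal ranks (1 = most likely / most painful)."""
    name: str
    prob_rank: int  # ordinal rank of probability
    loss_rank: int  # ordinal rank of utility loss elicited from stakeholders


def dominates(a: Scenario, b: Scenario) -> bool:
    """True when a sits in a cell above and/or to the left of b in the Riskit
    Pareto table: at least as likely, at least as painful, strictly so on one axis.
    Two scenarios in the same cell do not dominate each other (assumption)."""
    return (a.prob_rank <= b.prob_rank and a.loss_rank <= b.loss_rank
            and (a.prob_rank < b.prob_rank or a.loss_rank < b.loss_rank))


def pareto_efficient(scenarios: List[Scenario]) -> List[Scenario]:
    """Scenarios that no other scenario in the list dominates."""
    return [s for s in scenarios
            if not any(dominates(o, s) for o in scenarios if o != s)]


def pareto_layers(scenarios: List[Scenario]) -> List[List[str]]:
    """Successive Pareto-efficient sets: the first layer is efficient over everything,
    the next is efficient once the first is removed, and so on. Scenarios inside
    one layer cannot be ordered with the available ordinal data."""
    remaining = list(scenarios)
    layers: List[List[str]] = []
    while remaining:
        front = pareto_efficient(remaining)
        layers.append(sorted(s.name for s in front))
        remaining = [s for s in remaining if s not in front]
    return layers


def priority_relation(scenarios: List[Scenario]) -> Dict[str, Set[str]]:
    """The partial ranking as a map: name -> names it has reliably higher priority than."""
    return {a.name: {b.name for b in scenarios if dominates(a, b)} for a in scenarios}


def render_table(scenarios: List[Scenario]) -> str:
    """Plain-text Riskit Pareto table: rows = probability rank (top = most likely),
    columns = utility-loss rank (left = most painful)."""
    rows = max(s.prob_rank for s in scenarios)
    cols = max(s.loss_rank for s in scenarios)
    cells: Dict[tuple, List[str]] = {(p, l): [] for p in range(1, rows + 1)
                                     for l in range(1, cols + 1)}
    for s in scenarios:
        cells[(s.prob_rank, s.loss_rank)].append(s.name)
    header = "prob\\loss | " + " | ".join(f"{l:^7}" for l in range(1, cols + 1))
    lines = [header, "-" * len(header)]
    for p in range(1, rows + 1):
        row = " | ".join(f"{','.join(cells[(p, l)]):^7}" for l in range(1, cols + 1))
        lines.append(f"{p:^9} | " + row)
    return "\n".join(lines)


# Constructed sample (not the values of Table 2 in the paper), chosen so that the
# relations stated in the text hold: S1 beats all, S2 and S4 are incomparable,
# S2 > S3, S5, S6, S7 and S4 > S5, S6, S7.
SAMPLE = [
    Scenario("S1", prob_rank=1, loss_rank=1),
    Scenario("S2", prob_rank=2, loss_rank=2),
    Scenario("S3", prob_rank=2, loss_rank=3),
    Scenario("S4", prob_rank=3, loss_rank=1),
    Scenario("S5", prob_rank=3, loss_rank=3),
    Scenario("S6", prob_rank=4, loss_rank=2),
    Scenario("S7", prob_rank=4, loss_rank=4),
]

if __name__ == "__main__":
    print(render_table(SAMPLE))
    for i, layer in enumerate(pareto_layers(SAMPLE), start=1):
        print(f"priority tier {i}: {', '.join(layer)}")
    for name, lower in sorted(priority_relation(SAMPLE).items()):
        print(f"{name} has higher priority than: {', '.join(sorted(lower)) or '(none)'}")
```

Running the script prints the table, the tiers (S1; then S2 and S4; then S3 and S6; then S5; then S7) and, per scenario, the set of scenarios it is reliably prioritized over. Nothing in the output claims an order between S2 and S4, which is exactly the restraint the text asks of a ranking built on ordinal data.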

5. Practical Application of Utility Theory

The importance of utility theory in decision making is well established in other disciplines [3,14,15], and while the concept has also been presented in software engineering risk management [4,9], it has not been made operational in any major risk management approach. Ignoring the impact of utility loss may seriously distort risk prioritization results. In most situations people and organizations have non-linear utility functions with respect to the observable metric or attribute in question. In other words, the true benefit felt by a stakeholder is not a linear function of, e.g., money, schedule or defect rate. The following example highlights the impact of a non-linear utility function. Consider two bets:
· 50% chance of losing $200
· 1% chance of losing $10,000
The expected loss of these alternatives is the same ($100), but most people can clearly indicate which bet they would rather avoid. Such situations manifest the existence of a non-linear utility function.

The Riskit method has incorporated the utility theory components into a straightforward approach that can be used by practitioners without deeper knowledge of utility theory. The risk scenario impacts are documented in effect sets in Riskit analysis graphs, as shown in Figure 4. The stakeholders are asked to compare the effect sets and indicate which ones cause the greatest utility loss to them, i.e., which effect sets would hurt them the most or cause them the most "pain". In most situations a pair-wise comparison of effect sets will yield accurate enough ordinal rankings of effect sets. However, if the situation is complex and more precise and reliable results are needed, multiple criteria decision making tools can be used to elicit utility loss preferences from stakeholders.

6. References

[1] Anonymous, Risk Assessment Techniques. In: Defense Systems Management College Handbook, Defense Systems Management College, 1983, pp. iv-1--25, F-1--13.

[3] P.L. Bernstein, Against the Gods. New York: John Wiley & Sons, 1996.

[4] B.W. Boehm, Software Engineering Economics. Englewood Cliffs, NJ: Prentice Hall, 1981.

[5] B.W. Boehm, Tutorial: Software Risk Management. IEEE Computer Society Press, 1989.

[6] B.W. Boehm and P. Bose, A Collaborative Spiral Software Process Model Based on Theory W. Proceedings of the 3rd International Conference on the Software Process, IEEE Computer Society, Washington, DC, 1994.

[7] M.A. Caplan, Risk Management in Practice. Proceedings of the Third SEI Conference on Software Risk Management, SEI, Pittsburgh, PA, 1994.

[9] R.N. Charette, Software Engineering Risk Analysis and Management. New York: McGraw-Hill, 1989.

[10] A.J. Dorofee, J.A. Walker, C.J. Alberts, R.P. Higuera, T.J. Murray, and R.J. Williams, Continuous Risk Management Guidebook. Pittsburgh, PA: Software Engineering Institute, 1996.

[11] H. Englund, A Case Study to Explore Risk Management Methods. Master's thesis, Kungliga Tekniska Högskolan, Stockholm, Sweden, 1997.

[12] R. Fairley, Risk Management for Software Projects. IEEE Software, vol. 11, pp. 57-67, 1994.

[14] S. French, Decision Theory: An Introduction to the Mathematics of Rationality. Chichester: Ellis Horwood, 1986.

[15] M. Friedman and L.J. Savage, The Utility Analysis of Choices Involving Risk. Journal of Political Economy, vol. 56, pp. 279-304, 1948.

[16] A. Gemmer and P. Koch, Rockwell Case Studies in Risk Management. Proceedings of the Third SEI Conference on Software Risk Management, SEI, Pittsburgh, PA, 1994.

[17] J.C. Groth, Common-sense Risk Assessment. Management Decision, vol. 30, pp. 10-16, 1992.

[18] IEEE, Managing Risk. IEEE Software, vol. 14, no. 3, 1997.

[19] J. Kontio, The Riskit Method for Software Risk Management, version 1.00. Technical Report CS-TR-3782 / UMIACS-TR-97-38, Computer Science Technical Reports, University of Maryland, College Park, MD, 1997.

[20] J. Kontio and V.R. Basili, Risk Knowledge Capture in the Riskit Method. Proceedings of the 21st Software Engineering Workshop, NASA, Greenbelt, MD, 1996.

[21] J. Kontio and V.R. Basili, Empirical Evaluation of a Risk Management Method. Proceedings of the SEI Conference on Risk Management, Software Engineering Institute, Pittsburgh, PA, 1997.

[23] J.V. Michaels, Technical Risk Management. Upper Saddle River, NJ: Prentice Hall, 1996.

[24] G. Pandelios, Software Risk Evaluation and Team Risk Management. Tutorial Presentations at the 1996 SEPG Conference, Software Engineering Institute, Pittsburgh, PA, 1996.

[26] Visio Corp., VISIO Technical, ver. 4.0, 1995. Visio Corporation; IBM-compatible PC, MS-Windows / Windows 95.

For more information, see contact information or email us at info@rdware.com.
Copyright ©2001 R & D-Ware Oy, All rights reserved.