Managing Organizational Risk Knowledge
Luciana de Landa Farias
(Federal University of Rio de Janeiro – COPPE, Brazil firstname.lastname@example.org)
Guilherme H. Travassos
(Federal University of Rio de Janeiro – COPPE, Brazil email@example.com)
Ana Regina Rocha(Federal University of Rio de Janeiro – COPPE, Brazil firstname.lastname@example.org)
Abstract: Risk planning requires an organization global view, as it is strongly centered in the experience and knowledge acquired in former projects. The larger the experience of the project manager the better will be his ability in identifying risks, estimating their occurrence likelihood and impact, and defining themitigation and contingency plans. However, project manager risk knowledge cannot stay in an individual level, but it must be made available to the organization. This paper describes an approach to risk planning in software projects based on the organizational risk knowledge reuse. A risk management process focused on the capture and utilization of organizational knowledge together with a support casetool make part of this approach. An experimental study of the relations between risk-causing facts and risks of software projects was accomplished and its results used to define such a tool. Keywords: Risks Management, Knowledge Management, Risks Planning. Categories: D.2.0, D.2.9
It is becoming more difficult to manage project risks due to the size and complexity of currentsoftware products [Garvey et al., 1997]. Project managers can inadvertently repeat past mistakes simply because they do not know the mitigation actions which have been successfully applied or even because they do not value risks caused by certain project restrictions and characteristics. Inefficient risk knowledge management contributes to maximize this problem. One of the reasons is the fact thatproject information concerning risk management is in individuals’ minds or distributed among various documents, making its reuse difficult. In a project, risks are those conditions or events whose occurrence is not certain, but whether they occur may adversely affect the project. Three aspects associated to a risk can be identified [Pfleeger et al., 2001]: (i) the loss associated with the event;(ii) the likelihood that the event will occur; and (iii) the degree to which event consequences may be changed. Risks can be generic or project–specific. Generic risks are those common to all software projects, such as requirements misunderstanding, key personnel losing, or insufficient time for testing. Project specific risks are threats that result from the particular vulnerabilities of thegiven project and organization. For
de Landa Farias L., Travassos G.H., Rocha A.R.: Managing Organizational Risk ...
example, a vendor might promise to deliver some necessary network software at a particular date, but there is some risk that the software will not be available on time. The lack of documentation on the success or failure of past experiences is one of the reasons forinefficient risk management utilization or non-utilization in software development organizations. Besides risk management knowledge, the past experiences analysis is fundamental to help project managers plan and control risks. Statz [Statz, 1999] discusses the importance of learning from the experience obtained in organization’s former projects, and proposes the lessons learned documentation in softwareprojects. Similarly, Markkula [Markkula, 1999] considers the project experiences the most important source of knowledge in software engineering, and describes the need of identifying and sharing the acquired experience. Risk planning can be enriched by using knowledge and experience acquired by the various managers while working on the several organization projects. In order to do that, it is...