Mitigation

 

2009 International Conference on Information and Multimedia Technology

Software Risk Identification and Mitigation in Incremental Model Basit Shahzad Department of Computer Science King Saud University Riyadh, KSA [email protected] 

Ihsan Ullah

 Naveed Khan

Department of Computer Science King Saud University Riyadh, KSA [email protected]

Department of Computer Science King Saud University Riyadh, KSA  [email protected]

 Abstract   — S Software oftware

risk are hard to find and harder to manage. This paper focuses on the identification of software risk in incremental model of software development. A thorough handling and avoidance strategy is proposed for the identification of risk factors when the incremental model is used for software development. The risk factors identified may also exist in other software development processes but there existence in incremental model is not only obvious and justified, and hence, have been discussed for avoidance and mitigation.

I. 

I NTRODUCT  NTRODUCTION ION

Software risk management has proven its importance by attracting a huge attention in the last decade. In order to help the software industry to succeed in the projects, the researchers have devoted their efforts to investigate the risk factors that have the impact on software development life cycle. Huge contribution in this domain has been made by identifying the relative impact ratio technique of risk management [5] and also many others have worked in the area ofInsoftware risk management by paper using 26 therisk waterfall model. the proceeding sections of the factors, specially related to incremental model of software development have been identified and discussed. II. 

RISK  IDENTIFICATION AND MITIGATION

In the proceeding subsections, we discuss the risk factors identified by literature survey and the mitigation strategies are also proposed.  A.   Few Requirement Description It has been observed through experience that the customer is unable to describe all the requirements in the  beginning of the project. As a consequence the requirements keep on originating during the software developing process as well. The studies show that even learned customer can not explicitly mention more than 60% of requirement before the  project starts [1,2]. This risk factor can have a very high impact on the Software Development Life Cycle (SDLC).

978-0-7695-3922-5/09 978-0-7695-3 922-5/09 $26.00 © 2009 IEEE DOI 10.1109/ICIMT.200 10.1109/ICIMT.2009.104 9.104

Following measures are proposed to either avoid or militate against this risk factor. Taking in to consideration the disability of mentioning all the requirements at one time is proposed teams can come to a conclusion to it determine that that howboth much the  project can change change over a spec specific ific period of time time and also the  broader outlines outlines of the so software ftware may also be deter determined. mined. The development team must clarify that the changes disturbing the architecture of the system will only be done on additional payment. The requirement provider/customer should have adequate knowledge of the domain and should be able to describe about his requirements about the software. The customer and development team must insure the usage of Facilitated Application Specification Technique (FAST) / Joint Application Development (JAD). The usage of FAST/JAD helps in identifying requirements about the system under consideration. The customer must allow the development team to have a flexible schedule if the requirements are expected to change during the SDLC.  B.   Project size estimation The experienced professionals, available in the development firm can help in identifying the actual scope of the project and ensure that it is not under estimated. [1].At the same time the capabilities of the development team must not be over estimated. The availability of reusable code must be adequately estimated to ensure the smooth working of SDLC. Software size estimation tools/matrices may be used to determine the exact scope of the project. The development team may find itself unable to scrub the requirements [12] once they have been finalized by both sides. C.   Project Funding Uncertainty The in-time development would ensure that the development team is not required to beg any favors from the

366

 

The employer depending on its available resources may arrange tri-annually or biannually family gatherings. The employee must be provided with the over time if the organization is using his services for extra time. The employees must be allowed to use his extra time in consultancy, teaching, teaching, etc. if his job is not disturbed.

customers, neither in terms of time nor in terms of requirements scrubbing [12]. The development team may wish to have adequate commitments from the funding agencies in the beginning of the projects so that the development team does not face any financial circumstances in case the customer plans to with draw from the project at a latter stage. The development team must try to maintain cordial relations with the customer.

 F.  Change in working circumstances by management In order to cope with dynamic problems, the manager has

The customer must be updated continuously about the achievement and problems being faced at any point in time and the development team must provide a helping picture of the project so that the customer may know about the development of the project and can continue funding for the  project.

to change the circumstances of the project under consideration. A good manager must insure that maximum requirements are gathered before project starts. In extreme circumstances, with out the will of the employee, the manager should not force him to work for more than his designated time. The work by force doesn ’t yield a product and rather costs for nothing. Before assigning a new project the employer must ask the employee about his availability throughout the duration of the project. The project must only be assigned to the employees who are available for the life time of the project. The role definition for each individual should be clear and precise to show the management about the schedule of every individual.

 D.  Staff Inexperience Organization must not miss an opportunity to hire an experienced person only for the sake of saving money, in contrast the experienced person can help in returning much more revenues then being incurred on him. The organizations must arrange seminars in the reputed universities/institutions in order to hire potential graduates from the universitie universities. s. The organization may arrange biweekly or monthly visits of the reputed professionals from within the country or even from the world (if resources allow). The firm must arrange the programming tutorials about the latest developments in the development environment. The employees must be provided short trainings and meetings to share their thoughts with experienced  professional and learn from them in a pra practical ctical manner [3]

G.  Staff Inexperience The employees must be restricted for not taking out the code / official documents out side the office to ensure that documents are not unlawfully transferred to the outside environment. The back up of data must be taken on daily  basis and at multiple sites. The organization may deploy the recovery engineers. The organization may opt to use the backup monitoring system to ensure that backups are taken regularly and updates are made on daily basis. Proper backup systems for power shortage should be arranged so that no problem is caused due to electricity failures. The employees may be provided with the electronic entrance cards and biometric identification may be used in order to restrict any unlawful entry in to the organization. Organization must have fire alarm to report smoke or fire in the building.

 E.   Rapid Change Of Job The employees must be trusted and provided adequate training so that they don’t think of changing the job just  because of stressful and less motivated motivated environme environment. nt. The organization must ensure that the experienced people do not leave the organization by offering attractive perk and  privileges to the employees which may include bonuses housing allowance, medical allowance etc. A uniform grading system may be implemented organizatio organization n wide for may providing benefits [9].schemes to The organization opt toextra originate loans the employees in order to facilitate them in any circumstances. The employer must be aware of the current and up to date salary packages being offered in the market. The employer and junior employees must provide adequately respectable behavior for the experienced team leaders. The role definition for each individual should be clear and pr écised. This not only helps in asserting the responsibility but also convince the employee to work hard for the justification of his role [9]. The employees must be given importance by developing cordial relations with them. The employees must be given access to digital library or literary resources to keep themselves updated.

The organization must follow some process model depending on the need and specialty of the organization. This will help in making the project documented and restart able if a problem arises at any time and point.  H.   Low estimation of time and cost The analyst may identify the level of variation identified in the initial requirements and in the final product. This estimate can be used for the current project to propose the timeline for the completion of the project. The organization must always be optimistic about the completion of the project. This can be done by having ultimate faith on developers and by giving them confidence. But at the same time the scope of the project should not be under estimated. The experienced workers should be given a chance to try the best of their abilities and complete more work in less

367

 

time. Any such effort, if successful, must not only be appreciated but rewarded as well. The organization may opt to scrub the requirements in consultation with the customer. If the customer doesn’t allow requirement scrubbing scrubbing the iterative project scheduling can be used to complete the project with in time [12]. The programmers, analyst and team members must be invited to contribute their opinion and understanding in defining the scope of the project. The management team can

 possible values, conditions that software is expected to accept. The programmers are generally considered responsible for unit testing their code that they have produced. The presence of errors not only delays the testing process itself but also delays the software development, as a new iteration of module correction begins after the errors have  been identified. identified. This costs costs both time and resources. resources. If time allows, multiple testing techniques should be

also help in this regard to estimate the project scope properly [10]. Organization should keep backup teams which can occupy the space and can help in reducing the burden on  prime developers, developers, if needed. needed.

applied in iterations to identify identify and remove all the errors. The correctness of errors should be done with minimum changes in design. For this purpose it is proposed that software architecture must be flexible to accommodate minor changes.

 I.   Hardware Default Changes

 L.  Technology Change

The leader ship must be able to forecast the technological advancement in the hardware and computational resources. Any commitment about the software development made now must also be able to run/execute on the hardware platform available for several years [6,7] The organization may only suggest the customer to keep the forecasted hardware changes in mind which may increase the cost of developing that software. High budget and time should be allocated to handle such  problems dynamically. dynamically. In incremental model [11] the organization must categorically define the hardware developments expected to  be available till the completion of the product. The customer may or may not opt to adhere to the suggested opinion but the responsibility of the organization is delivered by informing him about the technological advancement.[7]

The programmer should be encouraged to have competence in more than one tools. They must also be smart thinkers to recognize the coming trends and practices in future software development and must also equip themselves with future software tools [3]. The organization must not impose some projects of new or unknown technique to the employees. For the purpose of training, during the training session the employees may be given technical assignments in order to help them learning the tool and evaluating them in terms of abilities to learn and suitability for the larger projects.  New programmers who are expert in advance  programming languages / environments environments may be hired to work on new projects. In an effective team structure  programmer working on orthodox languages/ environments will be benefited.

 J.   Requirement Postponement

 M.   In sufficient data handling due to over whelming acceptability of the business.

Requirements are difficult to identify and any identified requirements should not be delayed for inclusion in the coming increments. Every possible circumstances must be estimated from the  beginning of the iteration so that neither neither a requirement is left nor extra load is put on the development team. Every increment should be properly tested and all the  bugs/errors must be fixed and must not be left for the

The development team must try to utilize all computational advancement in resources available. It is appropriate that development team also considers the fact about the management of data incase the acceptability of the  product is over over whelming. whelming. The architecture of the system should be flexible enough to handle changes dynamically and meet any expansion needs at software runtime. must be designed in a way that it can easily The  be linked with other database software as well. In order to cope with the emerging needs of the data management.

consequent increments. Adequate increment progress monitoring mechanism should be in placed to keep a log of the development/effort done for the completion of the increment. The mile stone definition with in the increments can help in achieving the ultimate target more easily and in a calculated manner. In a team structure the manager may use the homework  pattern to complete the work in time. The employees employees may be given sub tasks in the beginning of the week and by the week end their work may be checked for completion and any  possible errors errors that it m may ay contain.

 N.   Design and tool independence In software architecture, the architects strongly encourage the high cohesiveness and discourage high coupling of the modules. Loosely coupled module can be easily modified with out affecting the functionality of the system. [3]. The design of system should be independent of any tool and platform in order to generalize the design of the system for usage against all software tools. The project must be designed and implemented in a way that it can work on the system with ease and does not require extra hardware or software resources to work.

 K.   Impact full presence of bugs/errors An effective and comprehensive test of a system ensures that the system presented to the outside world is free of bugs. It is therefore important that a system is tested against all

368

 

O.   Risk of Intruders (hackers, viruses, Trojan horse)

 R.   Misleading estimation about skills of workers

The testing team must ensure the error free implementation of the system. The mechanism should be developed to restrict any friendly or unfriendly software to access the system without permission. Licensed and updated antivirus should be installed for security purposes so that the risks of intruders or other unwanted activities can be minimized. The antivirus or spy ware software must be registered with the organization so that no one can copy or use it with out permission. Spy ware detection software should be installed in order to identify and report the presence of any spy in the system. Scanning of the system must be done on daily/weekly  basis to handle handle any threa threatt present in the system system..

The management should have a concrete description about the capabilities of each member of development team while estimating for the scope, size, and cost of the project the abilities of the programmers should be known adequately to help the estimation process become more realistic. The management should not be doing an optimistic estimation and rather do a realistic estimation if not the pessimistic. In informal meetings with the programmer it can be investigated that which specific tasks he can do at his best. The efficiency of the programmer will increase if he is assigned a task in his area of specializati specialization. on. The programmers may be provided trainings and access to digital resources to polish themselves and to prove their suitability to work in a project.

 P.   Risk of delayed implementation

S.   Lack of technical feed back

Although documentation is considered highly essential for the success of any project yet the time and resources spend on documentation should not exceed from the  balanced amount amount of resou resources rces required for the docum documentation entation  purposes [4]. [4]. In incremental model [11] precisely, the delay of one increment delays the whole system. Therefore it is of utmost importance that only already calculated amount of time is

The requirement gathering process requires a thorough consideration and effective communication communication at the level of the team leader/analyst and technical people at the customer side. The head of organization must not sign a contract without consulting his technical team to minimize the chance of loss. It should be tried by development team to cover all requirements in the first iteration and do not leave any requirements un addressed.

spent on each phase of the project. If in extreme circumstances some members of the development team may become unavailable the manager should try to convince the available developers to work more in order to compensate the loss incurred by he developers leaving the organizatio organization. n. The reusable code and CoTS (Commercially of the Shelf Components) should be used to minimize the development and testing time. Requirement scrubbing and task iteration can also works in specific circumstances [12]. The development team must have the surety and should get funding according to the already agreed schedule; the delay in such schedule may affect the delivery schedule of the product itself.

T.  Compromise on profit to save name A failed project not only harms the revenues of the firm  but also disturbs the reputation as well. Therefore the firms try their hard not to let a project fail and even at the cost of financial losses they would like to save their name to maintain the reputation and goodwill of the market. Adequate planning about the start and completion of each increment should be done so that no other project is affected because of the failure/delay of the current project and vice versa. The milestones and deliverable of an increment should be managed according to the schedule to accomplish the assigned task on or before the due date. It is imperative to state that a risk should always be identified before it actually starts harming the system. Once the risk has shown his presence it doesn’t remain in isolation and invites other risk factors to make a mesh and insure the  project to delay delay if not fa fail il at all.

Q.   Market Acceptability The development team even before starting working on a  project must get a market feedback feedback about the acceptability acceptability of the proposed system and the system should only be developed if the system is highly acceptable by the local market. The experienced professionals can use their intuitions to guide the development team about the future software  products that may have high impact and acceptability in the market. If a product fails in public the development team may add certain features that may increase the acceptability of the product in the market. The markets in different localities/cities may have different behavior and it is not necessary that a product which is less acceptable in one market also remains less acceptable in others.

U.   Risk of Economy Distortion The management of software development firm must try to commit advance payment from the customer if the economic situation of the country/market country/market is not stable. In the economic crisis the firm must try maximizing its profit and should try to provide benefits to the employees to enable them to face the poor economic situation. The deep care of the business should be kept not only by keeping the active interaction with the customer but also some spending should be done to help the market becoming out of the financial circumstances.

369

 

[5]  Basit Shahzad, Tanvir Afzal, “Enhanced risk analysis and relative impact factorization”, 1st ICICT, IBA Karachi, August 27-28, 2005 ,pp 290-295.

III.  CONCLUSION It is strongly believed that success of a risk management system lies in the identification of all possible risks for the software under consideration. The risks, in this paper, have  been identified after thorough discussion with software team leaders, academicians, and developers. The mitigation and avoidance strategies have been advised for each risk factor. These strategies are expected to provide a helping hand for the avoidance or mitigation of a risk factor. Utmost effort has  been made to address all possible risk factors, present till now. The list of identified risk factors may grow in future and so can be the mitigation and avoidance strategies. strategies.

[6]  Basit Shahzad, Javed Iqbal, “”Software Risk Management  –   Prioritization of frequently occurring Risk in”, 2nd International Conference on Information and Communication Technology (ICICT2007), Dec. 16-17, 2007, IBA Karchi. [7]  Roger S. Pressman, “Software engineering: a practitioner ’s approach”, 5th ed, McGraw-hill, pp 151-159. [8]  Borland, the open alm company, A Load Testing Strategy, white  paper, April 2006,pp6 2006,pp6 [9]  Duport, “how to control and manage the staff turnover ”http://www.duport.co.uk/guides/staff%20issues/Controlling %20and%20managing%20staff%20turnover.htm, %20and%20managing%2 0staff%20turnover.htm, May 2006. [10]  Magic intuition, “definition intuition ”http://www.magicintuition.com/intuition.html”, 2009

R EFERENCES EFERENCES  

of

[1]  J. Rothfeder, “It’s Late, Costly, and incomplete-But Try Firing a Computer System, “ Business Week, November 7, 1988, pp. 164-65.

[11]  Roger S. Pressman, “Software engineering: a practitioner ’s approach”, 5th ed, McGraw-hill, McGraw-hill, Chapter 1.

[2]  Coper Jones, “ patterns of software success and failure”, 1996.

[12]  Javed Iqbal, Basit Shahzad, Iterative project Scheduling: A time  bound technique, International conference on computing and informatics, June 6th -8th 2006, Kuala Lumpur, Malaysia..

[3]  Roger S. Pressman, “Software engineering: a practitioner ’s approach”, 5th ed, McGraw-hill, pp 151-159. [4]  Barry W. Boehm,  practices”, pp 13.

“software

risk management: principles and

370