Risk Management for Software

Learning to Contain, Mitigate and Manage the Uncertainties of Software Development

Risk Management for Software is a two-day seminar, developed by Tom DeMarco and Tim Lister.

Who Should Attend:

Intended for software managers and senior developers, and anyone sharing responsibility for success in the presence of risk.


Building and maintaining software is a risky business. Since software permeates and controls so much of the present-day enterprise (and its products), lateness, cost excess and failure to perform can have far-reaching consequences. A common response to such risk is to ignore it entirely. We justify this as "positive attitude," the heart and soul of a Can-Do management philosophy. But when real risks turn into real problems and send our projects down in flames, we can see that our past "positive attitude" was little more than Denial. There must be a better way.

The purpose of this seminar is to prepare participants to apply the budding discipline of Risk Management to software efforts. They will learn to identify and quantify the specific uncertainties that threaten success. For each uncertainty so identified, participants will learn to contain, mitigate or eliminate its impact.

Welcome to the Real World

Good luck on your next software project . . . but don't count on it. A healthy, positive attitude should allow you to expect a few decent breaks along the way, but expecting no bad breaks at all just doesn't make sense. It doesn't make sense, yet it is more or less the standard today in managing software efforts. We plan our projects based on tasks that must be done, without so much as a nod of the head toward tasks that might have to be done. Such plans reflect how the effort would proceed if nothing ever went wrong. No wonder we're plagued with time and cost overruns and quality shortfalls. Something always goes wrong.

Planning the core activities, the must-be-dones of software development, is a necessary but not sufficient beginning. Since projects never run exactly to optimal plan, we also need Risk Management. Risk Management is project management for adults. It focuses your attention constructively on the very aspects that, ignored, could lead to project debacle.

Running Away from Risk is a No-Win Strategy

A strategy of risk aversion leads us to become more and more efficient at doing things that are less and less worth doing. The projects that deliver real benefit are bound to be full of risk. Instead of running away from risk, we need to school ourselves to run toward it . . . but very, very carefully.

Since high-benefit endeavors are always risky, we have to develop ways to discover the lurking risks, estimate their impact, optimize our response, and monitor for change. These are the essential skills of Risk Management.

The Opposite Of Risk Management Is Reckless Management

Just exactly what is it that we manage on software projects if not the risks? Project management IS risk management. The risk aware manager can show you a substantial list of causal risks (not just the end-result risks of lateness or overrun, but the root causes of such outcomes). He/she can tell you the likely cost in time or money should the risk materialize, and point to a specific set of materialization indicators and contingency plans to protect the project. In the absence of such sensible Risk Management, those who are counting on project success have no better strategy than to cross their fingers and hope for the best.



The statistical inevitability of risk. The link between risk and opportunity. Creating a no-fault attitude toward risk. Managing software projects by managing their risks. Risk aversion. Building a risk base. Role of the postmortem. The risks of Denver International Airport as an example.


Building a census of risks. Separating resultant and root causal risks. Object analysis of risk. Quantitative analysis of each risk. Exposure calculation. Tracking for transitions. Mitigation strategies. Simple scheme for risk declaration.


Three steps to risk discovery. Roles during the discovery process. Performing backward root cause analysis. Making risk discovery safe for all hands. Alternate strategies: the spiral Win-Win model, risk and Win-Win conflicts, linking risks and requirements.


Defining and calculating exposure for risks in sets. Time and cost exposure. Interpreting exposure as an indication of project health. Independence of risks. Dealing with non-binary risks. Modified risk declaration scheme (with both binary and non-binary risks). A modified syntax of risk declaration.


Spreadsheet methods. VBA tools. Survey of available commercial tools. Starter toolkit for risk management.


The common risks of software development efforts, quantified and applied. The beginners' Risk Management database. Sources of tailored risk data.


Conflict as a source of risk in software projects. Building conflict detection and resolution skills. Common conflict scenarios and how they play out. Negotiation and mediation. Mediation within the project. Leading from a position of no power.


Coping with the risks of risk identification. Using risk analysis to tailor project plans and to form a modified process. Safety issues. Risk Management and process improvement.


Using a modified Earned Value metric based on successive builds to track closure. Risk blocking. Progressive commitment of risk mitigation cost. Mid- and late-project de-rail strategies.