The key to risk management is the identification and mitigation of all true risks or the development of a contingency plan in case the potential risk becomes a reality (Charette, 1989). The process of risk management and risk mitigation is connected with preventing huge losses in software development. Risk management should focus on risk reduction and prevention. Software risk management is defined as the practice of managing risks that occur in a software development project (Hall, 1998). Risk management should continuously assess possible problems on a software development project and define potential risks, determine which risks are important to deal with and implement strategies to deal with those risks. This means that the global project picture is required for successful risk identification, but every project member should assess and identify risks in the project areas defined by their role in the project. There are four basic steps in risk definition: identification, assessment, mitigation and conclusion (Capers, 1994).
The first step in risk definition is risk identification, which is responsible for the recognition of potential losses and their causes. In order to implement successful risk management, project team members should have a global perspective on the software development project. Risk assessment should determine the level of exposure to potential loss caused by risk materialization (Jones, 1994). The mitigation step is responsible for the creation of a risk avoidance plan, while the conclusion step describes the execution of risk avoidance and mitigation plans. These steps will lead to a complete description of all risks, which should be captured in a formal document called the Risk List. This document should contain all risks, with a description of the definition, consequence, likelihood, risk ranking, indicators, risk mitigation strategy and contingency plan for every possible risk on a software development project.
The process of risk management should start with risk identification. The purpose of risk identification is to discover all factors that could lead to project failure (Hall, 1998). These factors are connected with the technology used on the project, the software development process and organizational factors. These areas should be observed and assessed in order to capture all of the potential risks. It is necessary to capture details connected with the discovered risk, such as the risk description, the probability of risk occurrence, the costs connected with the materialized risk and possible risk solutions and avoidance strategies.
The second step of the risk management process is to assess the level of exposure for each risk. In this step, discovered risks should be ranked in levels according to risk impact (Capers, 1994). Risks should be classified according to the degree of impact in order to choose the important risks to be solved first. Risks with a devastating impact should be assessed before risks with a low impact. This is important because risks with a huge impact should be considered in the early development phases, when the costs connected with risk materialization and project failure are smaller than in later development phases (Booch, Rumbaugh & Jacobson, 2001).
After risk assessment, risk mitigation is the next step in the risk management process. Risk mitigation is an attempt to avoid or prevent the consequences of risk materialization (Ould, 1998). There are three main strategies of risk mitigation: risk avoidance, risk reduction and risk transfer (Hall, 1998). Risk avoidance is the best possible answer to risk materialization, but there are times when it is very difficult to avoid risks on a software development project. The best way to avoid risks is to completely reorganize the software development project, which is sometimes impossible. If risks cannot be avoided, they can be reduced or transferred. Risk reduction is connected with re-planning the software development project in order to reduce the probability of risk occurrence. Risk transfer could be described as a project reorganization strategy in order to forward the risk to areas where it would cause less damage. Risk mitigation plans should be defined as soon as possible for every identified risk.
The final step in the risk management process is risk conclusion. This step is taken after the definition of a risk mitigation plan and includes all the actions needed for risk avoidance, or the actions that are required after the risk materializes. The actions taken in the conclusion step should be defined in the contingency plan. The contingency plan should describe the actions that are taken once a risk becomes a reality.
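The four steps above produce the Risk List. The following is an added example of how such a register could be built, not code from the paper: it carries the Risk List fields the text names, ranks risks so that devastating-impact risks come first and higher exposure comes first within a level, and records the chosen mitigation strategy and contingency action. The exposure formula (likelihood times cost), the impact thresholds and the sample risks are assumptions made for the example.

```python
from dataclasses import dataclass

STRATEGIES = ("avoidance", "reduction", "transfer")  # the three strategies named in the text

@dataclass
class Risk:
    """One Risk List entry with the fields the text requires (the ranking is computed)."""
    name: str
    consequence: str
    likelihood: float   # probability of occurrence, 0..1
    cost: float         # loss if the risk materializes, in person-days (assumed unit)
    indicators: tuple   # observable signs that the risk is about to materialize
    strategy: str       # one of STRATEGIES
    contingency: str    # action taken once the risk becomes a reality

    def exposure(self) -> float:
        return self.likelihood * self.cost  # assumed exposure formula; the paper gives none

def impact_level(risk: Risk, devastating: float = 50.0, low: float = 5.0) -> str:
    """Classify by degree of impact; the thresholds are assumptions, not from the text."""
    if risk.cost >= devastating:
        return "devastating"
    return "low" if risk.cost <= low else "moderate"

def rank_risks(risks: list) -> list:
    """Devastating-impact risks first, then highest exposure within each impact level."""
    order = {"devastating": 0, "moderate": 1, "low": 2}
    return sorted(risks, key=lambda r: (order[impact_level(r)], -r.exposure()))

def build_risk_list(risks: list) -> list:
    """Produce the ranked Risk List document as plain dicts, one per risk."""
    return [{"rank": i, "risk": r.name, "impact": impact_level(r),
             "exposure": round(r.exposure(), 1), "strategy": r.strategy,
             "contingency": r.contingency}
            for i, r in enumerate(rank_risks(risks), start=1)]

# Constructed sample risks (not taken from the paper).
SAMPLE_RISKS = [
    Risk("Unmaintained third-party library", "security fixes stop arriving", 0.3, 60,
         ("no upstream release in 12 months",), "avoidance", "fork and patch in-house"),
    Risk("Key developer unavailable", "knowledge loss on core module", 0.5, 20,
         ("single owner for the module",), "transfer", "assign a second maintainer"),
    Risk("Late requirements change", "rework of finished modules", 0.6, 30,
         ("stakeholder sign-off still pending",), "reduction", "re-baseline the schedule"),
    Risk("Test environment outage", "delayed verification", 0.8, 4,
         ("frequent CI failures",), "reduction", "fall back to local test runs"),
]
```

Calling `build_risk_list(SAMPLE_RISKS)` returns the ranked entries; the two moderate risks are ordered by exposure, so the late requirements change (18 person-days expected loss) is listed before the developer availability risk (10).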