Application Risk Management

Definition

Application risk management is the risk management subactivity consisting of the cohesive collection of all tasks that are primarily performed to lower an application’s significant risks to acceptable levels.

Goals

The typical goals of application risk management are to:

• Reduce application risks to acceptable levels.

Objectives

The typical objectives of application risk management are to:

• Identify and understand the major risks to the application.
• Avoid the risks that can be avoided.
• Mitigate the impact of risks that cannot be avoided.

Examples

Typical examples of application risk management include the management of risks on a:

• Small, simple, low-criticality application.
• Large, complex, distributed, business-critical application.

Preconditions

Application risk management typically may begin when the following conditions hold:

• The application is started.
• The application teams are:
  • Initially staffed.
  • Adequately trained in risk management.

Completion Criteria

Application risk management is typically complete when the following postconditions hold:

• The application is retired.

Tasks

Application risk management typically involves the following teams performing the following tasks in an iterative, incremental, parallel, and time-boxed manner:

• The application teams, which perform:
  • Risk Analysis
  • Risk Control
  • Risk Identification
  • Risk Management Planning
  • Risk Monitoring

Environments

Application risk management is typically performed using the following environment(s) and associated tools:

• TBD
  • Risk management tool

Work Products

Application risk management typically results in the production of all or part of the following work products:

• Risk Management Plan
• Risk Analysis
• Risk Monitoring Report

Phases

Application risk management tasks are typically performed during the following phases:

Guidelines

• The importance of a risk is the product of its probability and its impact.
• It is typically better to avoid a risk that to mitigate its damage once it has occured.
• Risks can be divided into the following categories:
  • Business Risks:
    • Requirements Scope Creep
    • Changing Market Pressures
    • Loss of Market Share
    • Bad Public Relations
    • Loss of Life or Property
    • Litigation
  • Financial Risks:
    • Cost Overrun
    • Inadequate Cost Estimates
  • Resource Risks:
    • Inadequate Staffing
    • Inadequately Trained Staff
    • Inadequate Staff Productivity
    • Inadequate Development Tools
  • Schedule Risks:
    • Unrealistic Schedule
    • Inadequate Schedule Estimates
    • Upgrades to COTS components and tools not available when promised (vaporware)
    • Excessive Time To Market
  • Technical Risks:
    • The application will not provide all required functionality.
    • The application’s transactions will not be auditable.
    • The application will not adequately support internationalization.
    • The application will not provide personalization.
    • The application will contain excessive defects.
    • The application’s outputs will be inadequately accurate or precise.
  • This activity is documented using the typical configuration for large projects. It is intended to be configured (i.e., instantiated, extended, and tailored) to meet the needs of specific projects.
  • The preconditions of this activity should be the union of the preconditions of its constituent tasks.
  • The completion criteria for this activity should be the union of the postconditions of its constituent tasks.