Based on the above risk classifications, the risk events of a software project are classified in the following four categories:
Independent and Statistically Independent (ISI): these risk events are not caused by other risk event(s); also, their impacts have no correlation with other risk event(s).
Dependent and Statistically Independent (DSI): such risk events are caused by other risk event(s), and their impacts are also dependent on other risk event(s). Their impacts may be correlated with the risk event(s) that cause them to occur or may be correlated with the risk event(s) that do not cause them to occur.
Independent and Statistically Dependent (ISD): these risk events are not caused by other risk event(s); hence, they are independent, yet their impacts are correlated with the impact(s) of other risk event(s).
Chapter -3 Software Cost and Risk 91
Dependent and Statistically Dependent (DSD): such risk events depend on other risk event(s) to occur; once they have occurred, their impacts are correlated with the impact(s) of other risk event(s). Their risk impacts may be correlated with the impact(s) of the risk event(s) that cause them to occur or with the impact(s) of the risk event(s) that do not cause them to occur.
The proposed risk classification scheme qualitatively defines risk events as dependent or independent, whereas, quantitatively, the risk classification scheme defines the impacts of risk events as statistically dependent (correlated) or statistically independent (uncorrelated). For risk identification, the Software Engineering Institute (SEI) [WI99] [CR93] risk taxonomy is adopted, which helps to classify the risk events according to the proposed risk classifications. The SEI’s risk taxonomy classifies risks into classes where each class has different subsets of risks called attributes, and each attribute has multiple elements that represent risk events of software projects.
SEI provides a questionnaire-based approach called the Taxonomy Based Questionnaire (TBQ) for the systematic identification of software project risks [WI99][CR93]. The TBQ consists of a list of questions to analyze risk in each taxonomy category. The TBQ ensures that all risk events of the software project are systematically addressed and identified. The SEI questionnaire consists of 194 questions addressing different attributes of risks of the software project.
The SEI risk taxonomy TBQ consists of three main classes. These classes are further divided into 13 elements, and each element is characterized by a set of attributes as shown in Table 3.9. All told, there are 3 classes, 13 elements and 64 attributes. The three classes of the TBQ are: product engineering (PE), development environment (DE) and program constraints (PC).
The PE class has 5 elements, namely Requirements, Design, Code and Unit Test, Integration and Test, and Engineering Specialties, whereas the DE class has 5 elements and the PC class has 3 elements. Further, the Requirements element of the PE class has these attributes: Stability, Completeness, Clarity, Validity, Feasibility, Precedent and Scale. Similarly, the elements of the other SEI classes are also characterized by different attributes. The risk events are identified through a set of TBQ questions, where each attribute of an SEI class is described as a potential risk event, and each SEI class is described as a collection of risk events.
Table 3.9: SEI Risk Taxonomy (classes, elements and attributes) [CR93]

Product Engineering
1. Requirements: a. Stability, b. Completeness, c. Clarity, d. Validity, e. Feasibility, f. Precedent, g. Scale
2. Design: a. Functionality, b. Difficulty, c. Interfaces, d. Performance, e. Testability, f. Hardware Constraints, g. Non-Developmental Software
3. Code and Unit Test: a. Feasibility, b. Testing, c. Coding and Implementation
4. Integration and Test: a. Environment, b. Product, c. System
5. Engineering Specialties: a. Maintainability, b. Reliability, c. Safety, d. Security, e. Human Parameters, f. Specifications

Development Environment
1. Development Process: a. Formality, b. Suitability, c. Process Control, d. Familiarity, e. Product Control
2. Development System: a. Capacity, b. Suitability, c. Usability, d. Familiarity, e. Reliability, f. System Support, g. Deliverability
3. Management Process: a. Planning, b. Project Organization, c. Management Experience, d. Program Interfaces
4. Management Methods: a. Monitoring, b. Personnel Management, c. Quality Assurance, d. Configuration Management
5. Work Environment: a. Quality Attitude, b. Cooperation, c. Communication, d. Morale

Program Constraints
1. Resources: a. Schedule, b. Staff, c. Budget, d. Facilities
2. Contract: a. Type of Contract, b. Restrictions, c. Dependencies
3. Program Interfaces: a. Customer, b. Associate Contractors, c. Subcontractors, d. Prime Contractor, e. Corporate Management, f. Vendors, g. Politics
The PE class deals with the software development activities in order to satisfy the specified software requirements. The risk events associated with the PE class arise from the unstable or changing requirements, poor software design, and inadequate testing coverage, which are characterized by attributes of the PE class. The DE class is concerned with the practice and the processes used to develop the software. The risk events of the DE class are due to the lack of a defined development process, poor process control, lack of communication and quality concerns. The PC class attributes are external events having an impact on the software project. These risk events may be beyond the control of the software project management but still contribute to the overall risk of the software project.
The SEI’s risk taxonomy classes are chosen such that the elements and the attributes of a class are related; hence, their impacts are defined to be statistically dependent (correlated). For example, the Stability attribute of the Requirements element has two questions [CR93]:
Q.1: Are requirements stable?
Q.2: Are the external interfaces changing?
These questions help to understand the risk event that is caused by the stability of the software requirements. The Stability risk event is independent of the other attributes of the Requirements element. For example, the Completeness attribute of the Requirements element does not trigger the stability of the requirements, yet the Completeness and Stability of the software project requirements are statistically dependent, as questions 5 and 6 of the Completeness attribute show:
Q.5: Does the customer have unwritten requirements?
Q.6: Are the external interfaces completely defined?
The customer’s unwritten requirements, Q.5, have consequences for the Stability of the requirements, referring back to Q.1. Similarly, if the external interfaces are not completely defined, as expressed by Q.6, then the external interfaces change, which is referred to in Q.2. Questions Q.5 and Q.6 of the Completeness attribute are therefore correlated with questions Q.1 and Q.2 of the Stability attribute. Hence, the Stability and the Completeness attributes are statistically dependent, as they measure the same underlying risk of the software project. By the same reasoning, the risk impacts of the attributes of a class are statistically dependent on each other. To estimate the overall risk impact of an SEI risk class, the impacts of all the risk events of that class are statistically combined.
The description of the SEI classes shows that the attributes (risk events) of a class are independent of the attributes of other SEI classes. Therefore, the overall risk impact of an SEI class is statistically independent of the overall risk impact of the other SEI classes. Based on the risk classification, the overall risk impacts of the different SEI classes are thus identified as ISI, while the attributes within an SEI class are classified as ISD.
Risk classification, when implemented within the SEI’s risk taxonomy, shows that the overall risk due to each class is independent of the risks of other SEI classes; also, the risk due to different elements of a class is independent of the elements of the same class. Furthermore, the impacts of the risk events of different taxonomy classes are statistically independent, while the impacts of risk events within a taxonomy class that occur due to elements of the class are statistically dependent.
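The ISI/ISD split above has a direct consequence when class impacts are statistically combined: covariance terms appear within a class but not across classes. The Python below is an added example, not code from the thesis; the per-attribute impact spreads are constructed sample values, and a single pairwise correlation coefficient rho within each class is an assumption, since the text does not fix the combination method.

```python
from itertools import combinations
from math import sqrt

# Constructed subset of Table 3.9 (class -> element -> attributes), with
# illustrative impact standard deviations per attribute risk event.
IMPACT_SIGMA = {
    "PE": {"Requirements": {"Stability": 2.0, "Completeness": 1.5, "Clarity": 1.0}},
    "DE": {"Development Process": {"Formality": 1.0, "Process Control": 2.0}},
    "PC": {"Resources": {"Schedule": 3.0, "Staff": 1.0}},
}


def classify(level):
    """Mapping stated in the text: attribute-level risk events inside one
    SEI class are ISD; the overall impact of each SEI class is ISI."""
    return {"attribute": "ISD", "class": "ISI"}[level]


def class_impact_variance(sigmas, rho):
    """Variance of the summed impact of one class's attribute risk events.
    Attributes of a class are ISD, so pairwise covariance terms rho*s_i*s_j
    are included; rho is an assumed common pairwise correlation."""
    var = sum(s * s for s in sigmas)
    var += 2 * sum(rho * a * b for a, b in combinations(sigmas, 2))
    return var


def project_impact_stddev(impact_sigma, rho):
    """Overall project impact spread. Class totals are ISI, so the class
    variances simply add; no cross-class covariance term exists."""
    total = 0.0
    for elements in impact_sigma.values():
        sigmas = [s for attrs in elements.values() for s in attrs.values()]
        total += class_impact_variance(sigmas, rho)
    return sqrt(total)


if __name__ == "__main__":
    # Treating ISD attributes as if uncorrelated (rho=0) understates the spread.
    for rho in (0.0, 0.6, 1.0):
        print(f"rho={rho}: project impact stddev = {project_impact_stddev(IMPACT_SIGMA, rho):.3f}")
```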