|
One of the world's leading resources for project management expertise is the Software Engineering Institute (SEI). Sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University in Pittsburgh, Pennsylvania, SEI has been researching and documenting best practices in software development since 1986. One of its most recent contributions is the Continuous Risk Management Guidebook, released in 1996. Among the many tools and techniques included in its 552 pages is the Taxonomy Based Questionnaire (TBQ), otherwise known as a risk profile, an excellent model for any firm developing a rigorous risk assessment process.
The TBQ's structure is designed to systematically probe all aspects of a software project. Its core is the Software Development Risk Taxonomy, which separates potential risk categories common to software projects.
Each element has from three to seven attributes, for a total of 64 different risk attributes for a software project to judge. This detailed framework allows a series of questions about each attribute—the questionnaire included in SEI's guidebook has 194!
Not only has SEI produced a model others can imitate, but the institute has also answered the most common objection to detailed risk analysis: "194 questions about risk is too many for my project!" While Chapters A-32 through A-34 in the guidebook present the complete taxonomy, questionnaire, and guidelines for their use, Chapter A-25 has a short set of questions to indicate which, if any, of the TBQ questions to skip.
The 194 questions cover a wide range of topics, for example:
Requirements. (Are they stable? Are they feasible?) Interfaces. (Are they clearly understood?) Management methods. (Are periodic status reports being produced?) Work environment. (Questions about team morale and communication among all stakeholders.) Budget. (Is it adequate? Is funding stable?) Politics. (Are politics affecting the project or any significant stakeholders?)
Consistently using the Software Development Risk Taxonomy to identify and categorize risks has two benefits:
Risk identification becomes more systematic, leading to better identification of potential risks and more accurate assessment of their probability and impact. Risk mitigation strategies become associated with particular risk categories. Over time, this leads to a better understanding of the effectiveness of a particular mitigation strategy on a specific risk.
Project managers in the software development and information technology worlds can pick up the taxonomy and questionnaire and start using them right away. Project managers in other industries can use the taxonomy and questions as a model for developing their own risk identification process.
Source: Software Engineering Institute, Continuous Risk Management Guidebook (Pittsburgh, PA: SEI, 1996), pp. 439-442, 471-509.
| 
