Risk is an inexorable and unavoidable part of the software development process; it evolves constantly over the course of a project and can affect the project, the software, or both. Hence the need to deal with and manage these risks in an efficient and effective manner.
In software engineering, risk management is a methodology, or mechanism, carried out throughout the development process to identify, manage and control the risks that arise before and during development.
Broadly, the risk management process covers three types of activities.
Risk identification is the first step of the risk management process. It involves identifying the potential risks that may affect a software product or a development project, and documenting them along with their characteristics.
It is a continuous process, carried out throughout development, because as the development process progresses we learn more about the software product and, based on that knowledge, we are able to explore and identify further unvisited or hidden risks.
Generally, this phase identifies two types of risk: product risk and project risk.
In this phase, the client, stakeholders, business manager, project manager and test manager typically collaborate in brainstorming or short sessions, study and analyze the project documentation and plan, etc., in order to draw up a probable list of risks associated with the software development. Commonly used techniques for identifying risks include risk templates, project retrospectives, Failure Mode and Effect Analysis (FMEA), Failure Mode Effect and Criticality Analysis (FMECA), etc.
The next stage of the risk management process is risk analysis, which involves assessing the risks identified during the risk identification stage.
This stage usually involves analyzing and prioritizing the risks: the possible outcome of each identified risk is assessed, and on that basis the risks are categorized and prioritized accordingly.
Based on the degree of impact each risk carries, risks are assigned a severity level, namely 'High', 'Medium' or 'Low', and are prioritized according to that severity: high-severity risks are treated as top priority, whereas low-severity risks are given the lowest priority.
In the third stage, risks are managed, controlled and mitigated according to their priority so as to achieve the desired results. It is generally divided into three activities, which may be seen below.