What Is Risk Management In Software Engineering?

Risk management in software engineering is the systematic assessment of the factors that can influence whether a project attains its objectives, together with the treatment of those factors. Risk in software engineering is assessed in terms of costs, benefits, and risks. The risk management routine involves recognizing risks, investigating risks, organizing risks, tracing risks, administering risks, and conveying risks.

In Software development, delay in delivery, budget overrun, and bad technical support and performance are common issues. These issues arise due to inappropriate assessment of factors that are involved in the development of the software. There must be a systematic way of assessing factors such as Hardware, Software, Schedule, People and Cost as these are involved in the development of the software.

Risk is the combination of the probability and the severity of an unwanted influence of factors such as hardware, software, schedule, people, and cost on software development. It may turn out that the software does not meet its required functionality or its performance benchmark.

Risk management is a complex process, and its complexity increases with the complexity of the software. Software with complex functionality may overrun its cost and schedule limits. Thus systematic methods must be devised, and tools must be used, that assist in estimating the risk factors. Tools in risk management are used to assess risks that humans cannot. Risk in software development is multifaceted. It often happens that risks are not assessed until they have evolved into noticeable issues. Thus it becomes necessary to assess risk before it takes a shape that cannot be solved technically. To do this, a structured risk management technique must be used.

Most of the procedures and risk management techniques in use are ad hoc, undocumented and incomplete. Risk management is one of the least emphasized phases of software development. One risk management program is the one developed at the SEI. The SEI risk management program has the following procedural steps that need to be carried out:

  • Identify
  • Analyze
  • Plan
  • Track
  • Control
  • Communicate

There are different aspects associated with software risk management. To assess risk completely, it is necessary to evaluate the complete life cycle of the software development process. Software-intensive systems are increasing in number, and as their complexity increases, the difficulty of managing them increases. No single model can be used to assess the risk associated with software development: software has multiple functionalities and cannot be described by any single function, and the same is true of software risk management. Software risk is assessed using different techniques and different tools. There are at least three visions of software risk management: temporal, methodological and functional.

A risk-based methodology improves the software development process. Risk assessment is mostly done by analysts. To assess risk, an analyst tries to answer the following questions:

  • What can go wrong in the software development process?
  • What is the probability that the identified factor will go wrong?
  • What will be the consequences if the identified factor goes wrong?

When an analyst has answered these questions, the analyst has a picture of the risk involved in the software development process. Analysts perform further risk analysis using the following set of questions:

  • What measures are to be taken?
  • What choices are available?
  • What are the factors that balance costs, benefits and risks in software development?

Answers to these questions are used to assess risk involved in the software development process in a broader perspective.

There are three groups of practices that are used in software risk management. These are:

  • SRE (Software Risk Evaluation)
  • CRM (Continuous Risk Management)
  • TRM (Team Risk Management)

These practices are based on the following three risk management constructs:

  • The Risk Management Paradigm
  • The Risk Taxonomy
  • The Risk Clinic

[Figure: the models of risk, practices of risk and constructs of risk used in assessing risk involved in the software development process]
The human dimension is also one of the factors that need to be considered in assessing risk in the software development process. Insufficient training, lack of knowledge, low-level skills, lack of commitment to the project, lack of loyalty towards the organization, and not trying to raise the quality of the software product are a few of the factors used to assess risk in the early development stage of software.

The quality of the software is also influenced by human factors.

Methodologies used in Risk Management

There is a taxonomy that can be used to assess risk in software development processes. The taxonomy is used to assess software development issues, and it is represented as a paradigm called the “Basic Construct to Risk Management”.

Risk Management Construct

Seven risk management principles are:

  • Cooperative vision of product
  • Group Work leading to teamwork
  • Developing perspective that will be global in nature
  • Futuristic view
  • Communication
  • Management
  • Process continuation

Risk assessment is a continuous process. In risk management, communication is the medium through which information flows, and poor communication is often the major hindrance to risk management. The basic risk management structure is given below:

  • Identify: Identification is the process used to find the risks involved in the process of software development. Systematic processes must be used to assess risk.
  • Analyze: Analysis is done to determine the actual risks that will be used in the risk management decision-making process.
  • Plan: The analysed data is used to find the risk involved in the software development process. An analyst makes plans to tackle risk issues, carries out risk actions, and creates and manages risk plans. Analysts may develop different plans to handle different risk management issues.
  • Track: Risk is tracked using risk metrics. Risk metrics are used to evaluate the risk management plan.
  • Control: The plan provides guidelines for assessing risk in the software development process. Control is used as a measure of the amount of deviation from the risk plan. Control works in the direction of improving the risk management process.
  • Communicate: The risk management process is effective only when communication is effective. Communication is critical for proper analysis and management of risk.
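As an added illustration (not part of the original article) of the three analysis questions above and the six paradigm steps just listed, the following Python risk register scores each identified risk as probability × consequence (Boehm's risk-exposure measure, an assumption here, as are the 1-to-5 consequence scale, the 2.0 planning threshold and the constructed sample risks), plans a response, tracks the metric across re-estimations and flags deviation from the plan in the Control step.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    # Identify: what can go wrong (the first of the three analysis questions)
    description: str
    probability: float   # How likely it is to go wrong, 0.0 to 1.0 (second question)
    consequence: int     # Severity if it does, assumed scale 1 (minor) to 5 (fatal) (third question)
    plan: str = "accept"                          # Response chosen in the Plan step
    history: list = field(default_factory=list)   # Exposure values recorded in the Track step

    def exposure(self) -> float:
        # Analyze: exposure = probability x consequence (Boehm's measure, assumed here)
        return round(self.probability * self.consequence, 2)


def plan(risk: Risk, threshold: float = 2.0) -> str:
    # Plan: a risk whose exposure reaches the assumed threshold gets active mitigation
    risk.plan = "mitigate" if risk.exposure() >= threshold else "accept"
    return risk.plan


def track(risk: Risk, probability: float, consequence: int) -> float:
    # Track: re-estimate both factors and record the new exposure as the risk metric
    risk.probability, risk.consequence = probability, consequence
    risk.history.append(risk.exposure())
    return risk.history[-1]


def control(risk: Risk) -> str:
    # Control: measure deviation from the plan using the tracked metric
    if len(risk.history) < 2:
        return "no trend yet"
    previous, latest = risk.history[-2], risk.history[-1]
    if risk.plan == "mitigate" and latest >= previous:
        return "deviation: mitigation not reducing exposure"
    if risk.plan == "accept" and latest > previous:
        return "deviation: accepted risk is growing, re-plan"
    return "on plan"


def communicate(register: list) -> list:
    # Communicate: ranked summary, highest exposure first, with the control verdict
    ranked = sorted(register, key=lambda r: -r.exposure())
    return [(r.description, r.exposure(), r.plan, control(r)) for r in ranked]


def demo() -> list:
    # Constructed sample risks drawn from the page's factor categories
    register = [Risk("Schedule: integration milestone slips", 0.6, 4),
                Risk("People: only one engineer knows the build system", 0.5, 5),
                Risk("Cost: cloud spend exceeds budget", 0.2, 2)]
    for r in register:
        track(r, r.probability, r.consequence)   # baseline measurement
        plan(r)
    track(register[0], 0.4, 4)   # mitigation is working
    track(register[1], 0.6, 5)   # mitigation is not working
    track(register[2], 0.5, 2)   # accepted risk is growing
    return communicate(register)
```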

The risk taxonomy is based on questionnaires. The questionnaire is used to find the risk factors that may adversely affect software products, and it may be used to surface software development risks.


Risk management in software engineering is used to assess the risk involved in the development of software. Risk management in software engineering is a methodology used for SRM that is software risk management. SRM is developed at SEI software engineering institute.