Defect Prevention Process
Once the critical risks are identified, the financial impact of each risk should be estimated. This can be done by assessing the impact, in dollars, if the risk does become a problem combined with the probability that the risk will become a problem. The product of these two numbers is the expected impact of the risk. The expected impact of a risk (E) is calculated as E = P * I, where:
    P = Probability of the risk becoming a problem, and
    I = Impact in dollars if the risk becomes a problem.
Once the expected impact of each risk is identified, the risks should be prioritized by the expected impact and the degree to which the expected impact can be reduced. While guesswork will constitute a major role in producing these numbers, precision is not important. What will be important is to identify the risk and determine the risk's order of magnitude.
Large, complex systems will have many critical risks. Whatever can be done to reduce the probability of each individual critical risk becoming a problem to a very small number should be done. Doing this increases the probability of a successful project by increasing the probability that none of the critical risks will become a problem.
One should assume that an individual critical risk has a low probability of becoming a problem only when there is specific knowledge justifying why it is low. For example, the likelihood that an important requirement was missed may be high if developers have not involved users in the project. If users have actively participated in the requirements definition, and the new system is not a radical departure from an existing system or process, the likelihood may be low.
One of the more effective methods for estimating the expected impact of a risk is the annual loss expectation (ALE) formula. This is discussed below:
The occurrence of a risk can be called an "event."
Loss per event can be defined as the average loss for a sample of events.
The formula states that the ALE equals the loss per event multiplied by the number of events.
For example, if the risk is that the software system will abnormally terminate, then the average cost of correcting an abnormal termination is calculated and multiplied by the expected number of abnormal terminations associated with this risk.
For the annual calculation, the number of events should be the number of events per year.
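As an added illustration of the two calculations above (this code is not part of the original text), the Python below computes E = P * I for a constructed register of critical risks, ranks them by expected impact and by how much of that impact a planned mitigation could remove, reports the order of magnitude of each figure, and derives an ALE for abnormal terminations from a constructed sample of correction costs and an assumed events-per-year count. The risk names, probabilities, dollar figures, the residual-probability field and the "reducible impact" measure are assumptions made for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Risk:
    """One critical risk from the register. All values are constructed for this example."""
    name: str
    probability: float           # P: probability the risk becomes a problem (0.0 to 1.0)
    impact: float                # I: impact in dollars if the risk becomes a problem
    residual_probability: float  # assumed: P after the planned mitigation is applied

    def expected_impact(self) -> float:
        """E = P * I, exactly as the text defines it."""
        return self.probability * self.impact

    def reducible_impact(self) -> float:
        """Assumed measure of 'degree to which E can be reduced': (P - P_residual) * I."""
        return (self.probability - self.residual_probability) * self.impact


def order_of_magnitude(dollars: float) -> int:
    """Power of ten of a dollar figure; the text cares about this, not about precision."""
    return int(math.floor(math.log10(dollars))) if dollars > 0 else 0


def prioritize(risks: Sequence[Risk]) -> List[Risk]:
    """Rank by expected impact, then by how much of it the mitigation removes (descending)."""
    return sorted(risks, key=lambda r: (r.expected_impact(), r.reducible_impact()), reverse=True)


def annual_loss_expectation(event_losses: Sequence[float], events_per_year: float) -> float:
    """ALE = loss per event * events per year, loss per event being the sample average."""
    if not event_losses:
        raise ValueError("at least one sampled event is needed to estimate loss per event")
    if events_per_year < 0:
        raise ValueError("events per year cannot be negative")
    loss_per_event = sum(event_losses) / len(event_losses)
    return loss_per_event * events_per_year


# Constructed risk register (not from the text).
SAMPLE_RISKS = [
    Risk("Important requirement missed", probability=0.40, impact=250_000, residual_probability=0.10),
    Risk("Key developer leaves mid-project", probability=0.20, impact=80_000, residual_probability=0.15),
    Risk("Abnormal termination in production", probability=0.30, impact=50_000, residual_probability=0.05),
]

# Constructed sample of correction costs for past abnormal terminations, in dollars,
# and an assumed number of such events per year.
ABEND_SAMPLE_LOSSES = [1_200, 800, 1_000]
ABENDS_PER_YEAR = 12


if __name__ == "__main__":
    print(f"{'Risk':36} {'E = P*I':>12} {'reducible':>12} {'magnitude':>10}")
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:36} {r.expected_impact():12,.0f} {r.reducible_impact():12,.0f} "
              f"{'10^' + str(order_of_magnitude(r.expected_impact())):>10}")
    ale = annual_loss_expectation(ABEND_SAMPLE_LOSSES, ABENDS_PER_YEAR)
    print(f"\nALE for abnormal terminations: ${ale:,.0f} per year")
```

Ranking by the (expected impact, reducible impact) pair keeps the two criteria the text names side by side; a team that wants mitigation payoff to dominate can swap the tuple order without touching the rest.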