Project Risk Management

Developments in Managing and Exploiting Risk
Volume I: Safety Risk Management
Volume II: Project Risk Management
Volume III: Organizational Risk Management
Volume IV: Socio-Political Risk Management
Editor-in-Chief Kurt J. Engemann

Volume 2
Project Risk Management
Managing Software Development Risk
Edited by Kurt J. Engemann and Rory V. O’Connor

ISBN 978-3-11-064823-2
e-ISBN (PDF) 978-3-11-065232-1
e-ISBN (EPUB) 978-3-11-064829-4
Library of Congress Control Number: 2020949254

Bibliographic information published by the Deutsche Nationalbibliothek
The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available on the Internet at http://dnb.dnb.de.

Chapter “Managing layers of risk: Uncertainty in large development programs combining agile software development and traditional project management” © Torgeir Dingsøyr and Yvan Petit
© 2021 Walter de Gruyter GmbH, Berlin/Boston
Cover image: German-skydiver/iStock/Getty Images Plus
Typesetting: Integra Software Services Pvt. Ltd.
Printing and binding: CPI books GmbH, Leck
www.degruyter.com

In Memory of Rory V. O’Connor
Dear Friend and Esteemed Colleague

Kurt J. Engemann
Advances in project risk management

Introduction

Managing risk is important for any organization and there often appears to be an increasing emphasis on focusing on the downside aspect of risk. However, continuously concentrating on the negative characteristics of risk, without bearing in mind the positive attributes, may be unwise. Significant opportunities may be wasted by always choosing the secure road.

The objective of Project Risk Management: Managing Software Development Risk, is to provide a distinct approach to a broad range of risks and rewards associated with the design, development, implementation and deployment of software systems.
The traditional perspective of software development risk is to view risk as a negative characteristic associated with the impact of potential threats, the development of risk mitigation plans and the avoidance of potential adverse consequences for software project objectives. The perspective of this book is to explore a more balanced view of software development risks, including the possibility of positive aspects to risk associated with potential beneficial opportunities, and present a view that risk does not always reflect only negative consequences. On the contrary some positive risks may actually represent previously unexplored benefits to a software development project and provide opportunities. Therefore, a balanced approach is required, where software project managers approach negative risks with a view to reduce the likelihood and impact on a software project, and approach positive risks with a view to increase the likelihood of exploiting the positive opportunities.

This volume explores software development risk both from a technological and business perspective. Issues regarding strategies for software development are discussed and topics including risks related to technical performance, outsourcing, cybersecurity, scheduling, quality, costs, opportunities and competition are presented. Bringing together concepts across the broad spectrum of software engineering with a project management perspective, this volume represents both a professional and scholarly perspective on the topic.

In this overview, we preview the book which consists of two parts: chapters covering fundamental concepts and approaches; and, chapters illustrating applications of these fundamental principles.

https://doi.org/10.1515/9783110652321-202

Fundamentals

Cyber-physical systems are systems that simultaneously act in the physical and digital space, comprising both physical and computational processes and involving people (Lee 2008).
Examples include drones, robots, autonomous vehicles and smart grids. It is often unclear as a new cyber-physical system emerges, what the risks and opportunities are. With the advances in digitalization, the balance between software-related risks and opportunities is becoming a key decision, but without a thorough insight into the possibilities and liabilities of software, this is a difficult step to take. Hence, companies more commonly follow an approach of product evolution, and avoid large-scale changes in the system. The software architecture of a cyber-physical system is one of the main factors that determine its sustainability from the point of view of development, maintenance, and evolution. However, a software architecture is not inherently good or bad, it is just more or less fit for purpose, and software architecture assessment is an effective way to establish its fitness. In their chapter, Tuovinen, Christophe, Kettunen, Mikkonen and Männistö share their experiences of using a series of software architecture assessment workshops as a mechanism to identify risks and opportunities of an existing cyber-physical system software product line and to help in planning the renewal of the software system accordingly, taking into account the evolutionary line of new features as well as potential future disruptive technologies. The assessments take place at a company that provides industrial automation solutions and that takes the usual risk-oriented view to software engineering. The factors under study include feature creep, sensitivity for control points, and scaling the current product line to meet changing customer demand. They conclude that architecture assessment is an effective way of uncovering risks that bear on architectures’ capability to support business.

Traditional approaches in software development assume that it is possible to anticipate a complete set of the requirements in an early phase of the project lifecycle, however, these approaches do not deal well with changes. Agile methods emerged as a response to the bureaucracy of traditional complex methods, the increasing changes in the business environment requiring faster changing, and the growing demand for efficient software development (Pavlič and Heričko 2018). Agile approaches are embraced widely as an answer to the failure of the traditional plan-driven waterfall-based approach (Gupta, George, and Xia 2019). An agile coach is an experienced user of agile methodologies, who can guide others through emphasizing best software engineering practices. In their chapter, Sánchez-Gordón and Colomo-Palacios discuss the role of the agile coach, and carry out a multivocal literature review devoted to identify the risks of introducing such a role by investigating both research and professional literature, including not only the negative consequences, but also the positive aspects that could lead to potential beneficial opportunities. Their chapter aims to benefit both researchers and practitioners by providing a comprehensive and balanced view of the topic.

Agile practices assert the application of a software project risk management activity. Nevertheless, software project delays, costs overruns, and failed projects are still reported in the literature, and Tavares et al. (2019) report that agile development practices lack risk management activities. Agile software project risk management projects have largely ignored decision support analytics to assist with its implicit management, planning, monitoring and evaluation of risks. In contrast, analytics are widely used in many business domains, as illustrated by a decision analytic methodology to address unintended consequences of new technologies (Miller and Engemann 2019).
The goal of the chapter by Mora, Wang, Phillips-Wren and Gómez is to create awareness of the usefulness and value of decision-making support systems analytics in software project development. There are opportunities for fostering wider use of these analytics tools in both plan-driven and agile software project approaches which would assist in risk management activities.

Risk management is known to produce a number of benefits, including: identification of favourable alternative courses of action, reduced surprises, and more precise estimates (Bannerman 2008). However, recent research has also shown that these practices are not widely used in software development projects (Odzaly and Des Greer 2014). In their chapter, Dingsøyr and Petit present an exploratory case study of uncertainty management in a large software/hardware development project, with a focus on project/subproject and work package levels. They describe explicit and implicit practices for uncertainty management, and recommend practices to mitigate uncertainty. These exploratory findings offer opportunity for planning larger development projects.

Within the last few years, agile software development has become the mainstream software development paradigm. Among the existing agile methods, Scrum, which is a project management framework, is the most popular. However, Scrum does not explicitly recommend an approach to manage risk. Furthermore, Scrum is mainly based on tacit knowledge, which limits the reuse of information for risk management. In their chapter, Perkusich, Neto, Nunes, Gorgônio, Almeida and Perkusich propose to fill this gap by introducing a knowledge-based risk management approach for Scrum-based software development projects, focusing on risks (both positive and negative) related to the product delivery process. Ward and Chapman (2003) discuss that viewing risk management as uncertainty management enhances the focus on opportunity management, therefore, bringing balance on focusing on both types of risks (i.e., positive and negative).
The proposed approach is based on a knowledge-based risk management framework, supported by a Bayesian network that models the main aspects of the Scrum product delivery process, which has been evaluated on industry projects in terms of its practical utility. With the use of the proposed approach, risk management of Scrum projects changes from being based on informal and tacit knowledge to being based on empirical evidence, as registered in the knowledge base. Therefore, instead of depending on the intuition of the project team, risk management decisions are informed and based on data.