Software risk management : foundations, principles and empirical findings

Abstract
The study examines the management of risks during software development. More generally, this work is related to problem solving behavior in the management of uncertain and complex activities. Three interrelated research aspects are deployed to increase our understanding of software risk management - theoretical foundations, risk management principles, and empirical evidence. The study views software risk management as a problem solving process in which managers pay attention to incidents that increase the likelihood of a failure or undesirable outcomes. Such incidents can become targets of inquiry and intervention as a result of risk management practices that seek to manage them. The study outlines a framework of how to address risky incidents and develops concepts to understand software risks. The study draws upon concepts of risk theory, socio-technical theory and decision making. It also synthesizes earlier empirical software risk management research. The results show that normative risk models differ in their focus, and therefore apply in different situations. Furthermore, the analysis shows that empirical findings are centered on potential software risks, whilst they leave other important areas in risk management, like aspiration levels and intervention planning, weakly investigated. Moreover, empirical research uses too simple research designs and does not seek to corroborate developed theories. The study uses survey methods to investigate risk management practices and their effectiveness, and a longitudinal research design to study the content and dynamics of risky incidents and associated management interventions. The analysis identifies continuous requirement changes and unrealistic budgets and schedules as the most common risks, and in addition extracts six components of software risk. The results show that some risk management practices facilitate the management of these risks, but that many environmental conditions influence their effective management. 
Furthermore, the study shows that the phase of development process has an influence on the frequency and sociotechnical characteristics of identified risky incidents. The majority of risky incidents seem to relate to uncertainty and complexity within project structure and task, and take place during early project phases.
Main Author
Format
Theses Doctoral thesis
Published
1999
Series
ISBN
978-952-86-0196-8
The permanent address of the publication
https://urn.fi/URN:ISBN:978-952-86-0196-8 (use this for linking)
Language
English
Published in
Jyväskylä studies in computing
License
In Copyright, Open Access
