Proceedings of the Second International conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC 2018)

IEEE Xplore Part Number:CFP18OZV-ART; ISBN:978-1-5386-1442-6

Propagation of Risk across the Phases of Software

Development
Raghavi K Bhujang Dr Suma V
Assistant Professor,
Dean, Research and Industry Incubation Centre, Professor,
School of Computer Science and Applications,
Department of Information Science and Engineering,
REVA University
Dayanand Sagar College of Engineering
[email protected]
[email protected]

Abstract— Software development is a process of well planned The challenges or the uncertainties which are likely to cause
and defined steps that contains many series of systematic tasks to catastrophic results (if not managed at the right time) that
deliver the expected product or service to the client. While doing would hamper the delivery of the end product or services are
the same, it is likely that there can be many ups and downs in the deemed to be risks. Hence, risk is a potential failure that
tasks that are defined starting from the planning stage to probably might occur in the later stage of the project but
completion of deliverable. Also, the series of planned tasks
definitely obstructs the development process. These risks can
related to product/service delivery in the software development
process is likely to fluctuate in terms of Cost, Time, People and be measured in terms of most affected (in all the development
Process due to various external factors. These fluctuations should phases) parameters in the project, which are Cost, Time,
be taken care at the right time with the right mitigation strategy People and Process - CTP2 [1].
as it spans up further ending with serious obstructions. This Risk management being a crucial area in software
paper focuses on how the risk propagates further through the development, an extensive research has been going since the
phases of software development with the increase in level of time of the first generation of evolution of Software
severity. A sample of empirical data taken from existing software Engineering. Various researchers have analyzed the risks,
development projects throws more light on propagation of have tried to witness the causes and sources of the risks and
severity from the lowest to the highest. This knowledge further
have suggested mitigation and management strategies to make
aids software personnel and all potential stakeholders to
accordingly formulate strategies to effectively manage risk. the project development smooth and successful. According to
Keywords — Software Engineering, Risk Management, these researches, the causes and sources are various and need
Software Quality, Customer Satisfaction, Software Project absolute attention so that the disastrous effects do not span
Management further. Therefore, it is always better to maintain a checklist of
the known risks or likely risks that will help further by easing
up the risk identification stage. Thus, it was proven that
I. INTRODUCTION requirement misunderstanding, lack of management
The software development process starts with commitment, planning, support and control are the areas
gathering the business requirements of the potential which are prone to risks [2].
stakeholders. These requirements are then understood,
designed, built and tested to make sure that the outcome as a
product or service satisfies the met requirements. This process II. LITERATURE SURVEY
of development involves many more influential factors in the According to the authors of [3], the risk is defined to
environment of coding, testing and user acceptance. be a combination of probability and impact of an adverse
Success of software industry is absolutely dependent event. They have investigated a different aspect of technical
on managing the software development projects from different risks and provided a definition of risk assessment to make the
aspects. These aspects include the methodology, process development process smoother [3].
involved, the software, advanced technologies, resources Based on a literature review and case study in a
being utilized and many more that are considered from both project-based organization, the authors of [4] have conducted
internal and external factors. These factors play a major role in an in-depth research in identifying the key performance
bringing the software development process to an end with indicators of the project risk management system. They have
customer satisfaction or rejection. Planning and designing the also suggested a framework for evaluating the same.
various process modules along with the influencing factors Authors of [5] have carried out a survey on project
with day to day advancement of technologies is highly data which is collected from 200 different resources at various
challenging. This challenge induces more complexity and levels like project managers, IT managers, IT analysts. Survey
interdependency among the development components of the results indicated that the differences in organizational types
software projects. affected the success of IT projects in all aspects, while the

978-1-5386-1442-6/18/$31.00 ©2018 IEEE 508

 Proceedings of the Second International conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC 2018)
IEEE Xplore Part Number:CFP18OZV-ART; ISBN:978-1-5386-1442-6

differences in organizational sizes affected the success of IT such a sample, random sampling was carried out in order to
projects in terms of the aspect of product performance as well investigate and analyze risk and their impact on the quality of
as total aspects. the software product.
Further, a systematic approach has been presented by These data from these projects were collected based on
authors of [6] to identify risks based on risk patterns. This template via emails, data centers of the organization and also
approach is applied using RUP as the reference model. This from face to face communication in addition to telephone
approach is also validated by an experimental strategy with conversations. The data thus obtained were investigated in
software project risks. order to analyze risk, its occurrences, their impact on project
Authors of [7] have carried out research on risks success factors and their severity level.
related to incubated technology-based companies. They have
said that the research on the likelihood of failures in such A. Empirical Investigation
companies is scarce and it is very much necessary to identify Risks need to be categorized upon identification, this will
the main risk factors to eliminate or reduce the risk in software bring down the complexity of risk management at most. There
development projects in incubated technology-based are several ways suggested by the researchers and
companies. practitioners in IT industry to identify and categorize the risks
Subsequently, risk management framework for based on the phase of occurrence and the cause of the
software development projects from the developers’ occurrence. However, yet another method to categorize the
perspective is presented by authors of [8]. They have used a risks is based on the impact. In this method, based on the
combined qualitative and quantitative technique with the integral and most affected parameters of the project that is
active involvement of stakeholders in order to identify, CTP2, risks are categorized as Communications Risk, Quality
analyze and respond to risks. Risk, Technological Risk, System Configuration Risk and
Authors of [9] have proposed a metric called ‘Risk Estimation Risk [13].
Point’ that helps in decision making and risk monitoring In communications risk, the area having high
during project life cycle. The purpose of this identifier is to proneness of risk is communication i.e. project information
serve in the multiple project development environment. flow as there are high chances that the project might get a
However, authors of [10] have carried out an hazardous end thereby affecting CTP2. However, in quality
investigation on finding the success rate of software risk, the CTP2 parameters might get adverse impact due to
development projects in South Africa compared to the success lack of quality norms followed in the project. Due to changes
rate of software projects in the developing world. They have or untrained resources or advancement in the IT market or any
also found that the success rate of software development other external factor, risk in technology might impact the
projects increases if there is a risk management strategy CTP2 parameters. However, variation in configuration and
compared to the success of the projects without risk estimation might also impact these most affected parameters
management strategy. that would bring a dangerous influence on the software
Thus, continual research in the area of risk development project. Consequently, the impact of risk is not
management is always taking place in order to effectively just measured based on the type but needs to be measured in
manage risk and deliver high-quality software. Nevertheless, terms of their severity with respect to each of the identified
there is still need for process improvement in the risk types of risk. Thus, Table 1 illustrates the effect of the risks is
management strategies. measured in terms of severity which can be of four different
types.
III. RESEARCH METHODOLOGY TABLE1. NATURE OF RISK
The main objective of this research is to comprehend Nature of Risk Description of Level of Impact
Nature
risk and its impact on project success factors. Hence, an Catastrophic Work Stopper 1
empirical investigation was carried out in addition to literature High Deployment/Syntax 2
survey made on the aforementioned topic of interest. error
Accordingly, several leading software industries were looking Moderate Recoverable failure 3
Cosmetic Cosmetic 4
for and selectively sampled few of them which were in CMMI
Level 5 process maturity. The intention behind such a
selection is to understand the effectiveness of risk Table 1 infers the nature of risk in terms of its
management strategies. severity impact. Catastrophic risks are the work stoppers
where the project cannot move further until they are resolved.
From the sampled industries, selectively sampled projects High risks are the ones that cause the run-time errors and
were investigated. These projects were in the domain of hence they need equal attention. Moderate risks are the errors
healthcare and telecom as they are critical projects and risk that can be recovered easily and Cosmetic risks are the risks
management is mandatory for them. However, due to the that would have the lowest impact on the project [13].
huge population of those projects, further, this research Risks if not managed at the right time in the project
narrowed down to once again selective sample projects which are likely to grow in terms of unsafe impact. Hence, the
were developed from 2015 onwards. From the population of occurrence phase and the impact phase of the befallen risk will
have a different severity level starting from lower to

978-1-5386-1442-6/18/$31.00 ©2018 IEEE 509

 Proceedings of the Second International conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC 2018)
IEEE Xplore Part Number:CFP18OZV-ART; ISBN:978-1-5386-1442-6

higher/catastrophic nature. Sampled risks were taken from the Table 2 indicates that R1 to R10 is a list of sampled risks
real-time empirical projects and from leading IT industries to collected from various software development projects. The
investigate the same as explained in Research Methodology table further indicates the type of the risk identified along with
section. Table 2 elucidates the increase in the severity of risk risk description and the phase in which the risk was injected
in the later stages of software development compared to the and the phase in which it got detected. Mitigation which is a
stage where it occurred. measure taken to resolve the risk is also put forth in the table.

TABLE2. PROPAGATION OF RIS B. Inferences from Table 2

Risks Type of Risk Risk Risk Mitigation  The phase of occurrence of risk is completely
Risk Descripti Injected Exposed
on Phase Phase different from the phase at which impact is seen.
R1 Technolo Change Phase 2 Phase 4 Rework of  The severity of the risk is low at the time of
gical in API the design
Risk design
occurrence.
R2 Technolo Conflicti Phase 1 Phase 5 Rebuild  If the risk is ignored at the time of identification, it
gical ng
gets propagated to the further phase with its impact.
Risk Requirem
ents  The nature of the risk being low at the time of
R3 System Replacin Phase 2 Phase 5 identification, the intensity of hazardous impact
Configur g the Rework of
ation wrong the design becomes high/catastrophic if it is tolerated to
Risk system propagate.
compone
nt
R4 System Addition Phase 2 Phase 4 Rework of Table 3 shows the propagation of the risks with its impact
Configur of the design level from the phase of occurrence to the phase at which
ation external impact is seen.
Risk compone
nt in
TABLE3. TABLE OF RISK SEVERITY
system
Risk Require Design Code Test Imp Support
environm
ment Phase Phase Phase Phase Phase
ent
Phase
R5 Commun No Phase 1 Phase 5
ication Transpar Rework
R1 0 3 2 1 1 NA
Risk ency in
Commun R2
ication 4 3 2 2 1 NA
R6 Commun Undocum Phase 6 Rework R3 0 4 4 3 2 NA
ication ented Phase 1
Risk changes R4 0 4 3 2 2 NA
R7 Quality UI does Phase 1 Phase 5
Risk not have Client R5 4 3 2 1 1 NA
same Rejects
R6 4 4 3 3 2 1
control
over R7
every 4 3 2 1 1 NA
page R8 0 4 3 2 2 NA
R8 Quality No Phase 2 Phase 4 Rework on
Risk Periodica the changes R9 4 3 2 2 2 NA
l Review
on the R10 4 3 2 1 1 NA
process R1 to R10- Risks, 4 – Cosmetic,3 – Moderate,
R9 Estimatio Wrong Phase 1 Phase 4 Re-plan
n Risk Estimatio and 2 – High, 1 – Catastrophic, 0 – No Risk
n of Rework Table 3 clearly indicates that the severity of the risk
Compone increases in terms of disastrous impact if the risk is ignored at
nt build the time of occurrence. It may be noted that the risks R1 to
time
R10 Estimatio Risk Phase 1 Phase 5 Reallotmen
R10 are the risks identified from Table 2. The severity of risks
n Risk Manage t of work is assigned to each of the identified risks based on Table 1.
ment on the
Task resources
missing C. Inference from Table 3
in WBS
Risk propagation is directly proportional to increase in the
Phase 1 – Requirements Analysis, Phase 2 – Design, Phase 3 – level of severity of the risk.
Build and Code, Phase 4 – Testing, Phase 5 – Implementation,
Phase 6 – Maintenance and Support Risk propagation α Severity level of Risk (1)

978-1-5386-1442-6/18/$31.00 ©2018 IEEE 510

 Proceedings of the Second International conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC 2018)
IEEE Xplore Part Number:CFP18OZV-ART; ISBN:978-1-5386-1442-6

However, measurement of the impact is assessed This work acts as a travel light to project personnel in order to
with the affected parameters. Hence, most affected parameters formulate strategies to overcome risk propagation.
being CTP2, gets intolerable variations when the risk starts
getting transmitted. Table 4. shows the parameters that are
getting influenced with unacceptable impact, on a phase-wise
basis when the risk starts getting propagated. REFERENCES

TABLE4. RISK AFFECTED PARAMETERS [1] Raghavi. K. Bhujang, Suma. V, “A Study of Risk and CTP2 during
Risk Risk Propagation Affected Parameters Software Development Process", IEEE International Conference on Advanced
Cost Time People Process Research in Engineering and Technology(ICARET) 2013, February 8th – 9th
R1 Phase 2  Phase 4 --- √ --- √ 2013, Andhra Pradesh, India. Web Link: http://www.icaret12.com/Accepted-
Research-Manuscripts.php, Index: IEEE.
R2 Phase 1  Phase 5 √ √ √ √ searchdl.org/public/book_series/AETS/2/136.pdf.
R3 Phase 2  Phase 5 √ √ √ --- [2] Tharwon Arnuphaptrairong, "Top Ten Lists of Software Project
R4 Phase 2  Phase 4 √ √ √ --- Risks: Evidence from the Literature Survey", Proceeding of the International
MultiConference of Engineers and Computer Scientists 2011, Vol 1, March
R5 Phase 1  Phase 5 √ √ √ √ 16 - 18,ISBN: 978-988-18210-3-4, IMECS2011, Hong Kong.
R6 Phase 1  Phase 6 √ √ √ √ http://www.iaeng.org/publication/IMECS2011/IMECS2011_pp732-737.pdf.
[3] Vard Antinyan, Miroslaw Staron, Wilhelm Meding, Anders
R7 Phase 1  Phase 5 √ √ --- √ Henriksson, Jörgen Hansson and Anna Sandberg, "Defining Technical Risks
R8 Phase 2  Phase 4 √ √ √ --- in Software Development", Computer Science and Engineering, University of
Gothenburg, Chalmers, Ericsson, Sweden, AB Volvo, Sweden, SE 412 96
R9 Phase 1  Phase 4 --- √ √ ---
Gothenburg. http://web. student.chalmers.se/ ~vard/files/Defining technical
R10 Phase 1  Phase 5 --- √ √ √ risks.pdf.
[4] Amir-Hossein Khameneha, Alireza Taheri, Mahmood Ershadia
R1 to R10- Risks, √ - Indicates that parameter is affected "Offering a framework for evaluating the performance of project risk
management system", 29th World Congress International Project
Table 4 shows that when risk starts getting propagated from Management Association (IPMA) 2015, Panama, Procedia - Social and
Behavioral Sciences 226 ( 2016 ) 82 – 90, Science Direct.
phase to phase, parameters of the such as CTP 2, starts getting [5] Daranee Pimchangthonga, Veera Boonjing "Effects of Risk
undesirable variations. For each of the risk given in the table, Management Practice on the Success of IT Project", 7th International
it is observed that every time there are a proliferation and Conference on Engineering, Project, and Production Management, Procedia
CTP2 (Cost, Time, People, Process) is affected. Engineering 182 ( 2017 ) 579 – 586 Thailand.
[6] Jakub MILER, Janusz GÓRSKI "RISK IDENTIFICATION
Hence, from the above empirical investigation, it is apparent PATTERNS FOR SOFTWARE PROJECTS", Foundations of Computing and
that risk if not identified at the point of its origin, it propagates Decision Sciences, Vol.29, No 1-2, 2004, pp. 115-131, proc. of 5th National
and has its ripple effect on the project success parameters. Conference on Software Engineering, Poland.
Hence, it is always recommended to ensure that point of risk [7] Sandra Miranda Neves, Carlos Eduardo Sanches da Silva, "Risk
management applied to software development projects in incubated
origin and point of risk detection is very close thereby technology-based companies: literature review, classification, and analysis",
eliminating risk impact amplification and its adverse impact Gest. Prod., São Carlos, v. 23, n. 4, p. 798-814, 2016.
on the quality of the software product. http://dx.doi.org/10.1590/0104-530X472-15.
[8] Prasanta Kumar Dey, Jason Kinch, Stephen O. Ogunlana,
IV. CONCLUSION "Managing risk in software development projects: a case study", Industrial
Management & Data Systems, Vol. 107 No. 2, 2007, pp. 284-303, q Emerald
The success of software industry is completely dependent on Group Publishing Limited, 0263-5577, DOI 10.1108/02635570710723859.
the development and management techniques included in the [9] Miguel Wanderley, Julio Menezes, Cristine Gusmao, Filipe Lima,
process. Software development being a crucial process in the “Proposal of Risk Management Metrics for Multiple project software
development”, Procedia Computer Science, Volume 64, 2015, Pages 1001-
IT market, it needs expertise, decisive practices to deal with 1009, Conference on Enterprise Information Systems/International
the challenges and complexities with the projects getting Conference on Project Management/Conference on Health and Social Care
developed. Software risk management being one of those Information Systems and Technologies, CENTERIS/ProjMAN / HCist 2015
challenges needs proficiency in identifying and managing October 7-9, 2015.
[10] B. de Wet & J.K. Visser, "An Evaluation of Software Project Risk
them at the right time. If proper measures are not taken at the Management In South Africa", South African Journal of Industrial
time of identification, these risks will definitely increase in Engineering, May 2013, Vol24(1), pp 14-28.
terms of dangerous impact by propagating to the further [11] Raghavi K Bhujang, Suma V, “Graphical Visualization of Risk
phases of development. This paper provides an empirical Assessment for Effective Risk Management during Software Development
Process” - International Joint Conference on Emerging intelligent sustainable
investigation carried out on several projects from leading Technologies (EISTCON-2012), May 3-4, (2012), Bangalore.
software industries. The investigation results indicate that risk [12] Raghavi K Bhujang, PrabhavathiRaju , Nirmala R, Shruthi R,
propagates with ripple effects if not identified and eliminated. Ravindra A, Suma V, "Risk Prevention Technique In Software Development"
This paper limits the impact of risk on major project success - International Conference on Electrical, Electronics and Computer
Engineering, ISBN NO: 978-81-927147-3-8, Article NO:19, Page no:86-90,
parameters such as Cost, Time, People and Process (CTP 2) (2013).
upon Healthcare and Telecom domain projects. Further [13] Raghavi K Bhujang, Suma V, “ Risk Measurement with CTP2
research is opened to formulate metrics and models which can Parameters in Software Development Process” - ICT and Critical
meticulously identify the risks and for various applications. Infrastructure: Proceedings of the 48th Annual Convention of Computer
Society of India- Vol II, Advances in Intelligent Systems and Computing

978-1-5386-1442-6/18/$31.00 ©2018 IEEE 511

 Proceedings of the Second International conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC 2018)
IEEE Xplore Part Number:CFP18OZV-ART; ISBN:978-1-5386-1442-6

Volume 249, pp 491-498, (2014).

http://link.springer.com/chapter/10.1007%2F978-3-319-03095-1_52.
[14] Raghavi K Bhujang, Suma V, “Risk Impact Analysis across the
Phases of Software Development” - ICSIE 3rd International Conference on
Software and Information Engineering, Singapore, (2014).
[15] PrabhavathiRaju ,Nirmala R, Shruthi R, Ravindra A, Raghavi K
Bhujang, Suma V, "Risk Identification Tool for Cost and Time Parameters in
Software development" - International Conference on Computer Science and
Engineering, ISBN NO:978-93-83060-05-4, Article NO:28, Page no:128-132,
Sponsored: IRNet, (2013).
[16] Raghavi K Bhujang, Suma V, “ A Comprehensive Solution for
Risk Management in software development projects” International Journal of
Intelligent Systems Technologies and Applications Inderscience Publishers
Ltd. Indexed in Scopus, (2017).
[17] Raghavi K Bhujang, Suma V, “Alleviation of Risk in Software
Development”, National Conference on Research Aspects in Management
Prospects & Entrepreneurship Development Perspectives, by National
Foundation for Entrepreneurship Development (NFED) & Saveetha School of
Management (SSM), Saveetha University – Chennai, (2015).

978-1-5386-1442-6/18/$31.00 ©2018 IEEE 512