Broadcasting my thoughts
Posted in Technical.
– July 27, 2006
Enterprise risk evaluation and continuous mitigation using Fuzzy Multi-attribute decision making: A conceptual approach
BY Niraj Kumar
Abstract
Software development processes generally follow easily identifiable stages and become increasingly challenging. They differ from traditional manufacturing project stages in various ways, which makes them very risky and uncertain. Traditional software risk management practices focus mainly on qualitative judgment and experience; however, the exponential growth in the size of software companies and in the complexity of projects requires an effective scientific methodology for risk management. The main objective of this study is to increase the effectiveness of risk detection and mitigation practices in the software development process. Another objective is to analyze these practices, identify areas for improvement, and develop a mechanism for their quantification. We also aim to identify the processes that cause most of the problems and to suggest a strategy to eliminate or reduce the harmful effect of these processes at the minimum possible cost and time. The Analytical Hierarchy Process and fuzzy set theory are suggested as effective tools to achieve this objective.
Key words: Risk Management, AHP, Fuzzy Set Theory, Software Engineering, CMM.
1. Introduction
Software development processes generally follow easily identifiable stages such as project planning, requirements definition, design, development, testing, integration, installation, acceptance and support. However, they differ from traditional manufacturing project stages in various ways. Firstly, time and cost estimates must be given to customers in advance, without actually knowing the exact nature of the project, which makes software projects very risky and uncertain. Secondly, judging requirements in diverse domain areas with almost the same set of manpower requires a lot of flexibility on the part of employees and management. Then the fast rate of change in technologies and customer requirements, and the possibility of an unexpected number of employees leaving the organization, make the task even more complicated. Integrating the complete solution, implementing it successfully, and making the end user understand the software and the changes to traditional processes are all part of the software development life cycle. More and more global companies are outsourcing their software development projects to offshore software development destinations like India, which throws up new challenges in terms of requirements specification, cultural differences, effective communication, security of valuable information, and more rigorous legal, governance and compliance standards.
Due to the challenges posed by software development risks, many approaches have been proposed to improve the development process. These approaches include various Computer Aided Software Engineering (CASE) tools, enterprise project management tools, conceptual tools such as various quality, coding and process standards, models and frameworks, and various software engineering models such as the traditional waterfall and spiral models.
Some of the CASE tools currently in wide use include modeling and design tools like Rational Rose [19, 20], version control tools like CVS, various testing and bug tracking tools like Bugzilla, and integrated development environments and automatic code generation tools like Visual Studio, JCreator, Dreamweaver and others. Requirements development and management have always been critical in the implementation of software systems. Some automated tools are also available to support requirements management. The use of these tools not only provides support in the definition and tracing of requirements, but also opens the door to effective use of metrics in characterizing and assessing testing. Metrics are important because of the benefits associated with early detection and correction of problems with requirements [21].
Enterprise project management tools were found to provide a wide range of functions, among them scheduling, resource allocation, cost estimating, budgeting, and collaboration. Because enterprise project management tools are usually built on centralized data repositories, their operation enables the synchronization of these functions at multiple sites. They also allow enterprise-wide views of all the projects in an organization, and give anyone involved in setting up, maintaining, updating or browsing a project access to the project information needed to make informed decisions. These tools assist in disseminating and sharing project knowledge that relates to resource skills, project-related policy documents, templates, threaded discussions, and time and expense reports. It is important to note that enterprise project management tools emphasize project performance relative to resource consumption within a given set of time constraints (i.e., progress and dates). Some of the popular enterprise project management tools include the Welcome product suite, Microsoft Project 2002, and the Primavera P3e suite. These tools provide functionality such as enterprise project scheduling and resource management, cost and earned value management, and platform-independent project collaboration, project statusing, and project portal functionality. While interest and investment in CASE and project management tools are rising steadily, actual experiences with the tools have exhibited more ambiguity. There has been no systematic examination or formulation of the organizational changes surrounding CASE tools [17]. The major challenge is to develop quality software in a reliable and repeatable manner while improving productivity [16].
On the conceptual front, all these challenges gradually led to the development of the Capability Maturity Model and the concept of the "Balanced Scorecard". The concept of the "Balanced Scorecard" [23], developed in the early 1990s by Drs. Robert Kaplan (Harvard Business School) and David Norton, represented an advance in the field of measuring enterprise performance, providing a framework for companies to evaluate both financial and "non-financial" or "extra-financial" measures such as quality and customer and employee satisfaction. This framework was widely used for enterprise-level planning, control and monitoring by software companies. However, it suffers from the limitation of over-reliance on expert judgment for decision making.
The Capability Maturity Model (CMM) [3] was developed in the early 1990s by the Carnegie Mellon Software Engineering Institute. Since then many versions of this model have appeared and been widely accepted as the most rigorous and best standard by the software industry throughout the world. What led to the instant success of this model is its ability not only to focus on external processes but also to provide a framework for continuous improvement of internal processes in the company. The CMM establishes a yardstick against which it is possible to judge, in a repeatable way, the maturity of an organization's software process and compare it to the state of the practice of the industry. The CMM can also be used by an organization to plan improvements to its software development processes.
Five levels of CMM [3]
Key Process Areas of CMM Levels [3]

| CMM Level 2 KPAs | CMM Level 3 KPAs | CMM Level 4 KPAs | CMM Level 5 KPAs |
| --- | --- | --- | --- |
| Requirements Management | Requirement development, Technical Solution, Product Integration | Quantitative Process Management | Defect Prevention |
| Software Project Planning | Verification, Validation | Software Quality Management | Technology Change Management |
| Software Project monitoring and control | Organization process definition and focus | X | Process Change Management |
| Supplier agreement management | Integrated Software Management | X | Continuous Improvement & Optimization |
| Measurement and Analysis | Organizational Training, integrated project management | X | X |
| Software Configuration Management | Risk Management, Integrated teaming | X | X |
| Process and product quality assurance | Integrated supplier management, Decision analysis and resolution, Integrated supplier management, Integrated teaming | X | X |
However, implementing the CMM framework is a very challenging problem for three fundamental reasons. The first is the issue of recognizing, in real time, all the input/output parameters that influence the various key process areas. Second, the methodologies for quantification, optimization, and continuous improvement of these processes are vague. The third is the issue of synchronizing these processes with overall organizational objectives, profitability, efficiency, and growth.
Our primary focus in this study is to develop a model to analyze risk management (CMM level 3), quality management (CMM level 4), quantification of processes (CMM level 4), and defect prevention, continuous improvement and optimization (CMM level 5). Then, based on the analysis, we also suggest improvements to various processes, which should be cost effective and suited to the particular organization's culture.
Software development process analysis is an important first step towards making the process more efficient and profitable. However, analysis is difficult, not only because of the complex nature of the process, with its large number of subsystems and their dynamic interaction and influence on one another, but also because it is difficult to quantify their contribution to and influence on the software development process as a whole. For example, the technical expertise of manpower and the quality of the software developed are two important factors affecting any software company. Technical expertise in itself can play an important role in the quality of the software delivered, but at the same time it may also lead to cost and time overruns, which may have negative consequences for the project. Similarly, the quality of software also depends on the processes adopted for quality control and on how much time and cost are available for the project. Also, the resources of an enterprise are limited, so not all sources of risk can be eliminated immediately and priorities need to be established. Studying the various processes of a software development life cycle and measuring their impact in quantitative terms is one of the important objectives of this study. Identifying the key sources of risk and being able to measure how harmful each is to the system as a whole is another important objective. In this paper, various risk sources for a software enterprise are identified, and a new approach based on the Analytical Hierarchy Process [1, 11, 12] and fuzzy set theory [1, 13, 14, 15] is suggested as an effective tool for enterprise risk evaluation and continuous mitigation.
4. Proposed Methodology
The methodology to be adopted for this study is fourfold: first, to identify the major risk factors; then, to quantify most of them; next, to prioritize the factors based on their potential for causing risk to the organization; and finally, to develop general-purpose risk management software. These four stages can be summarized as follows:
· Identification of the various sources of risk in the organization.
· Quantification of these sources and estimation of their effect on the software development system as a whole.
· Prioritization of these sources according to their effect and importance in causing harm to the organization, followed by suggesting means for their elimination or reduction according to practical feasibility and the requirements of management.
· Development of general-purpose software which, given suitable input, is able to quantify and prioritize various risk sources. It will also be able to estimate how much the elimination of any particular risk source is expected to benefit management and how much cost it is likely to incur.
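The quantification and prioritization stages above can be sketched as follows. This is an added example, not code from the paper: it assumes Buckley's fuzzy geometric-mean variant of AHP with centroid defuzzification (the page does not say which fuzzy AHP variant is intended), and the pairwise judgments are constructed sample data applied to risk sources named in the conclusion.

```python
import math

# Saaty's random consistency index by matrix size.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12}

# Risk sources named in the page's conclusion; the judgments are constructed sample data.
RISKS = ["uncertain requirements", "change in requirements",
         "reactive approach to security", "ineffective resource utilization"]
# JUDGMENTS[(i, j)] = triangular fuzzy number (l, m, u): how much more harmful risk i is than risk j.
JUDGMENTS = {(0, 1): (1, 2, 3), (0, 2): (2, 3, 4), (0, 3): (4, 5, 6),
             (1, 2): (1, 2, 3), (1, 3): (2, 3, 4), (2, 3): (1, 2, 3)}

def fuzzy_ahp_weights(names, upper):
    """Crisp, normalised priority weight per risk from fuzzy pairwise judgments."""
    n = len(names)
    # Full reciprocal matrix: a_ji = (1/u, 1/m, 1/l), diagonal (1, 1, 1).
    a = [[(1.0, 1.0, 1.0)] * n for _ in range(n)]
    for (i, j), (l, m, u) in upper.items():
        a[i][j], a[j][i] = (l, m, u), (1 / u, 1 / m, 1 / l)
    # Fuzzy geometric mean of each row, component by component.
    geo = [tuple(math.prod(c[k] for c in row) ** (1 / n) for k in range(3)) for row in a]
    tot = [sum(g[k] for g in geo) for k in range(3)]
    # Fuzzy weight: the lower bound divides by the upper total and vice versa.
    fuzzy = [(g[0] / tot[2], g[1] / tot[1], g[2] / tot[0]) for g in geo]
    crisp = [sum(f) / 3 for f in fuzzy]  # centroid defuzzification
    total = sum(crisp)
    return {name: c / total for name, c in zip(names, crisp)}

def consistency_ratio(upper, n):
    """Saaty's CR on the modal (m) values; above 0.1 the judgments should be revisited."""
    a = [[1.0] * n for _ in range(n)]
    for (i, j), (_, m, _) in upper.items():
        a[i][j], a[j][i] = m, 1 / m
    w = [math.prod(row) ** (1 / n) for row in a]
    lam = sum(sum(a[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]

if __name__ == "__main__":
    cr = consistency_ratio(JUDGMENTS, len(RISKS))
    print(f"consistency ratio: {cr:.4f}")
    weights = fuzzy_ahp_weights(RISKS, JUDGMENTS)
    for name, w in sorted(weights.items(), key=lambda kv: -kv[1]):
        print(f"{w:.3f}  {name}")
```

The ranking it prints reflects only the constructed judgments, not a finding of the study; in practice the judgments would come from the enterprise's own experts.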
6. Summary and Conclusion
Enterprise risk management is one of the most important strategic business tools for managing a variety of risks more effectively, gaining competitive advantage and adding value to the firm. This study has identified the various external and internal risk sources in a software enterprise. We proposed a scientific model based on AHP and fuzzy set theory to prioritize the various risk sources, and developed a framework for their continuous elimination by adopting an enterprise-specific strategy. We also emphasized the dynamic interactions between these factors and the importance of quantifying them in order to judge their impact on the software enterprise as a whole. Our model is highly flexible and customizable according to specific enterprise needs. Using fuzzy clustering, we then propose to cluster risk factors that are closely correlated with each other and likely to have a common source of problems, to enable their effective mitigation. However, developing a model to quantify the various risk sources in monetary terms, and to determine how much improvement is required for effective mitigation, are potential future directions in which this work can be extended.
A preliminary attempt at model validation with a CMM level 5 company revealed that uncertain requirements, change in requirements, a reactive approach to security, non-conformance with the specification and ineffective utilization of available resources are some of the major risk sources for this enterprise. It can be inferred that software enterprises can apply this new approach in their project and enterprise risk management to improve their efficiency, performance and profitability and to meet rising enterprise management challenges.