By Avisi / 3 min
Risk management is arguably one of the most important disciplines to master. The ability to accurately assess risk and effectively implement risk treatment measures is what makes or breaks any project or initiative. It applies to anything, whether you are building a house, treating a patient or developing software. In this blog, I will discuss our top lessons learned, which you can apply directly in your own risk management efforts.
At Avisi, we apply risk management to everything we do. Focusing on our software development projects, our aim is to develop robust software. We do this by identifying typical software risks - such as security, privacy and scalability risks - early on in the software development process. This allows us to mitigate such risks at an early stage, preferably in the software design stage. This has many benefits over uncovering and having to mitigate risks later on in a project, when revisiting earlier decisions can be much more complex and costly.
In our approach to risk management, we have devised our own risk management method, adopted from and building upon the well-known Kinney & Wiruth method. Based on best practices and our personal experiences, we shaped our risk management method with features such as a visual risk heat map and a direct tangible relation between risks and measures.
Practice at our organization has provided ample opportunity to prove and hone our method, given that Avisi is a typical umbrella organization with many distinct teams. In the first six months of this year, we have already applied our method 16 times. You will find our top lessons learned outlined below.
Understanding risks and measures is one thing, but conducting a risk assessment and building a risk treatment plan are in a different league. Knowing which steps to take, and in which order, is key to making the process understandable and repeatable. This results in consistent reports and a capable organization. Write up a risk assessment and treatment process that properly explains how to conduct each step along the way.
This one is obvious, but it's still worth mentioning. Processes and templates go hand in hand, as each process step covers a specific part of the template. Furthermore, using a template makes it easier for your teams to understand what needs to be done when assessing risks and devising measures. The biggest advantage, however, is consistency. Templates not only make risk management reports consistent between teams, which makes them more readable; the reports will also be consistent over time, which allows for easier comparison between this year's and last year's risks and measures.
Where should you start when writing down risks? In our early days, we would generate a list of all information systems involved in a given project and write down any risk that we could imagine, given the content of that list. This blinded us to risks that were not directly related to an information system. So we changed over to a process-oriented approach. At the start of every risk analysis, we summarize all key processes in scope (e.g. writing code, testing software and releasing software) and then add the information systems involved. From there, we start thinking about possible risks that can occur anywhere in each process. We have found that this exercise helps teams adopt a holistic view of their work, yielding increasingly specific risks and measures.
Weighing risks can be a time-consuming part of the risk analysis, but it doesn't have to be. A pitfall in any risk analysis is to be overly deterministic about the exact weight of the likelihood, exposure and effect of a risk. This consumes a lot of time and can lead to disagreement among team members, while the benefits are negligible. Instead, estimate weights by approximation. The goal should be to distinguish between low, medium and high risks, and estimation is well suited to doing just that.
Risk assessment reports tend to become cluttered as more risks are documented. Each risk comes with a description, risk category, weight and measures. This makes risk overviews so information-dense that specific information can be hard to find. We overcome this by color coding risks by their severity level (low risk is green, etc.). Furthermore, we plot our risks on a heat map, which visually indicates both the absolute severity of a risk and its severity relative to the other identified risks. Visualizing risks helps us quickly shift focus to the risks that require the most attention.
An example of a risk heat map
The key to any effective risk assessment is to directly link each identified risk to a measure that can mitigate it. However, that measure is of little value if it is not formulated SMART.
Make the measure...
A risk in itself is that measures, once formulated, tend to become passive and disappear into a team's backlog. They are only recovered when next year's risk analysis is due, only to be found in the exact same state as when they were formulated: unresolved. Formulating SMART measures is already a huge step in activating these measures, as it gives every measure an owner and a deadline. Make your measures even more actionable by securing commitment: appoint a "risk champion" from the team where the risk analysis was conducted. Frequently discuss the state of the measures with that risk champion in order to keep the measures active and to stay updated, as a risk manager, on the progress of your teams.
Just like in project management, effective organization is indispensable for risk management. The right tooling can make all the difference in organizing your risks and measures, allowing you, for example, to dashboard the status of measures and collaborate on measure implementation. At Avisi, we practice what we preach: we use Confluence to document our risk assessment process, template and reports, and Jira to manage and collaborate on measure implementation.
Last but not least, it is imperative to train and guide your teams in their risk management efforts. While you know the risk management method best, they know the risk management content best. By enabling your teams to conduct a proper risk assessment, you allow them to combine knowledge of method with knowledge of content, resulting in the best possible outcome.
By Avisi / Oct 2024