Quantify Each Risk (Process Notes 7.2.2)

This task does a detailed assessment of the likely risks. Quantify each one of these risks by specifying the following risk elements, as defined by Tim Lister and Tom DeMarco:

• Risk Number: To monitor and communicate the state of the risk.

• Risk Description: One sentence describing what problem might occur (e.g., we might need to involve users from an external organization).

• Risk Weight: Number of function points involved in this risk (e.g., 200 function points).

• Risk Probability: Percentage probability of this risk materializing (e.g., 30 percent based on what we know after specifying the requirements).

• Risk Cost: Estimated cost associated with this risk materializing (e.g., $100,000).

• Risk Schedule Impact: Estimated effect on the schedule (e.g., +3 months, +6 months).

• First Indication (e.g., none of the stakeholders within our organization is prepared to define the requirements for value-based investment).

Look at each missing requirement and ask this question: Is this type of requirement relevant within the system, and would I expect to have this requirement specified? For instance, in a safety-critical system you would expect to have a detailed specification of requirements that relate to damage to people and property, whereas in an inventory control system it would be reasonable for this type of requirement to be absent. If you determine that a relevant requirement is missing, then quantify it as a risk and add it to the risk analysis.

The resulting risk analysis contains an assessment of all the risks that you have identified as a result of reviewing your requirement specification.

Diagram 7.3. Estimate Effort