Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 164 (2019) 187–192
www.elsevier.com/locate/procedia
CENTERIS - International Conference on ENTERprise Information Systems / ProjMAN - International Conference on Project MANagement / HCist - International Conference on Health and Social Care Information Systems and Technologies
A framework for risk management in Scrum development process

Syrine Chaouch a,*, Asma Mejri b, Sonia Ayachi Ghannouchi a,b
a High Institute on Management of Sousse, University of Sousse, Tunisia
b Laboratory RIADI-GDL, ENSI, Mannouba 2010, University of Manouba, Tunisia
Abstract

Since the beginning of 2000, the software industry has turned a corner to adopting agile lightweight methods that are subject to change at a more efficient pace; in addition, risk management is generally not explicitly addressed in agile projects. So agile teams generally do not use an intentional risk management approach. Although agile methodologies tend to manage project risk implicitly, it is important to have an appropriate risk management mechanism in agile methodologies. Therefore, in this paper a framework for integrating risk management in the agile development projects is proposed while considering Scrum as an agile method and the PMBOK as a project risk management guide. The main goals of this framework are to improve the risk management mechanism in Scrum and to increase the Scrum project's success rate.

© 2019 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Peer-review under responsibility of the scientific committee of the CENTERIS - International Conference on ENTERprise Information Systems / ProjMAN - International Conference on Project MANagement / HCist - International Conference on Health and Social Care Information Systems and Technologies.

Keywords: Risk management; agile; Scrum; PMBOK.
* Corresponding author. Tel.: +0-021-653-665-261. E-mail address: [email protected]

1877-0509 © 2019 The Authors. Published by Elsevier B.V.
10.1016/j.procs.2019.12.171
1. Introduction

The complexity, the uncertainty and the extreme competition of the software and industrial environment in which companies evolve today are at the origin of new challenges and increasing problems. It is not uncommon to see projects lead to serious and costly failures that call into question their main objectives (costs, deadlines and technical performance). The fact that the majority of software development organizations perceive risks in different ways, and not in a complete, adequate and strategic way, contributes to increased instability, inefficiency and failure of projects. This is why risk management in software projects has become a major concern in recent years for many companies. As a result, software companies need an explicit risk management process to mitigate risks, to deal with problems before they occur and to keep control over the overall management of the project.

Software risk management was recognized as an independent field of research in 1989; the risk-driven spiral life cycle model was the first life cycle model to incorporate risk management explicitly [1]. From early 2000, the software industry has shifted towards adopting agile methods, which are lightweight and change prone, unlike traditional methods [2]. Moving from traditional models, such as the cascading model, to agile methods has created new challenges in the area of risk management. Scrum and other agile methodologies, in general, do not suggest specific activities to support risk management [3]. As a result, Scrum professionals are not fully aware of the risks, but follow an implicit risk management process, because they think that development cycles minimize the unpredictable effects of product development; this is not enough. This study aims to create a new framework incorporating the principles and techniques of risk management into the Scrum development framework.
This will help teams to manage risks easily in the Scrum project and to improve the chances of a successful project. The remainder of this paper is structured as follows: in the next section, we highlight the background of this research. In Section 3 we present a description and analysis of the literature review. Then, we explain the methodology that we have followed in order to construct the proposed framework. In the last section, we present the conclusion and suggestions for future research.

2. Background and Motivation

This section provides the background related to the proposed research objectives, i.e., software risks, the software risk management process, and agile methodology.

2.1. Risk and Risk Management in Software Development Projects

A project can be defined as a temporary endeavor with clearly specified goals that is characterized by project phases, deadlines, and the use of a large number of different types of limited resources. Risk is an integral part of every phase of the project, and risk management is therefore an essential part of the decision-making process at every stage of the project. The success or failure of a project depends to a large extent on the approach taken to potential risks, since the occurrence of a risk could affect the productivity, quality, timeliness and/or cost of the project [4]. Furthermore, risk management in software projects describes an integrated engineering approach with methods, processes, and artifacts that continuously identify, analyze, control, and monitor risks, to reduce the risk of failure of the project.
The risk management process consists of all the activities required to identify the risks that might have a potential impact on the software project [5]. Fundamental software risk management consists of 4 major processes [6]: Risk identification (to identify all potential events that may have an adverse effect on the project); Risk analysis (to assess the impact and the probability that the identified risk will lead to undesirable outcomes [7]); Risk planning (to develop strategic options, to determine actions, and to enhance opportunities and reduce threats to the project's objectives); Risk monitoring and control (to keep track of the registered risks according to the control and monitoring plans [7]).

2.2. Agile software development and Scrum Methodology

Agile methodology is known as the alternative to the traditional process usually followed in software development. The use of the term "Agile" in software development stems from the "Agile Manifesto", created in 2001. Among agile methods (e.g. Extreme programming, Test-driven development, feature
driven development, Scrum) the Scrum framework is the most widely used method. Our choice of the Scrum method is motivated by the fact that it is the most used method [8]. Moreover, it allows managing the four parameters necessary for the analysis of a delivery plan: the cost, the delay, the delivered functionalities and the quality. It is also nowadays the most documented and proven method.

3. Literature review

In order to end up with an optimal model of risk management in software development, it is useful to analyze and compare different methodologies and models for risk management. Although there are plenty of applicable models, the main focus is on the most popular models used. Our study focuses on publications from industrial, international and academic institutions, including: (1) international or organizational standards, e.g. (Project Management Body of Knowledge (PMBOK), 2017) [17], (International Organization for Standardization (ISO 31000), 2018) [21], (PRojects IN Controlled Environments (Prince2), 2009) [22]; (2) academic and/or industrial models, such as (Boehm, 1991) [1]. The PMBOK model has been selected for this research for several reasons. First, it's the largest project management organization in the world and its standards have achieved extensive exposure and worldwide acceptance [13]. Also, it's considered a comprehensive reference book which informs practitioners about methodologies, tools and techniques [11]. PMBOK is a high-level risk management framework that offers a much more granular level of detail in describing the constituent processes and in its discussion of the tools, techniques, inputs and outputs associated with each. Only the recent version of the PMBOK Guide includes guidance on applying good risk management practices in agile or adaptive environments [14].

3.1. Approaches Combining Risk Management and agile development projects

In [15], the authors developed a framework to improve software development in Scrum.
The model consists of five phases (i.e. risk identification, risk clarification and quantification, risk response planning, risk monitoring and control, risk review). The model is limited to the generic model rather than examining and developing each aspect of risk management in Scrum. In [16], the authors proposed a lightweight risk-based testing methodology for the Scrum framework. A case study was conducted with 6 teams to perform an empirical evaluation. Risk identification and mitigation processes for using Scrum in global software development were proposed in [17]. This framework is relevant to project managers who are seeking ways to use Scrum in their globally distributed projects. Its purpose is to identify the main risks associated with the contextual factors of the project when using Scrum in global software development projects, as well as to explore strategies to reduce these risks. In [18], the authors developed a risk management model in an Agile Risk Tool where software agents are used to support identification, assessment and monitoring of risk. In [20], the authors sought to discover the extent of risk management practices in agile information systems development projects using DSDM. This analysis involved a breakdown of the main elements of risk management, namely the identification, estimation and evaluation of risks. This research used a single case study to analyse current levels of risk identification, estimation and assessment in the well-known agile method, DSDM.

In summary, the literature contains studies that integrate risk management in the Scrum framework. The proposed works have their own pros and cons. They do not integrate a complete process which covers all phases of risk management in the agile lifecycle, nor do they develop all aspects of risk management in agile methods.
Consequently, in this work, our goal is to propose a global approach to include risk management in Scrum while taking into account all phases of the risk management process. Our approach differs from those presented by the fact that we have tried to define and identify, within each phase of the risk management process, the phases of Scrum's life cycle that correspond to it.

4. Results and discussions

4.1. Research method

The main research method in this study was a survey. The most important part of the survey process is the creation of questions that accurately reflect the opinions and experiences of the respondents. In this research, Likert scales were used to measure attitudes. The questionnaire elements were designed with 5 response options. Likert scales can be
described as a survey where participants normally select a value that equates to a value or attitude. In its original form, the scale was: 1 = strongly approve, 2 = approve, 3 = undecided, 4 = disapprove and 5 = strongly disapprove. The structure of the questionnaire is divided into four main themes: (1) Personal and company information; (2) Scrum risk management; (3) Scrum risk management steps; (4) Additional concepts. The target group of this survey was composed of professionals who have experience with Scrum. The main participants in this research include Scrum Masters, Product Owners, Scrum Team Members and agile Coaches. It should be noted that data were collected by sharing the questionnaire in online professional social networks like LinkedIn.

4.2. Survey results

The questionnaire was answered by 65 professionals from 28 different countries. In analysing data from the questionnaire, we considered the characteristics of the respondents, such as their Scrum role, company name, company location, the scale of the company and the size of their projects. Some of the companies that were mentioned in responses to the questionnaire are now ranked in the Fortune 500 †. The top surveyed companies are Walmart, which is ranked number one in the Fortune 500, and IBM, which is ranked number 34. Concerning their countries, most of them are from India (16.92%), Egypt (15.38%), United States (6.15%) and Netherlands (6.15%). It should also be mentioned that the majority of companies interviewed have worked on medium and large size projects.

5. Proposed Model

We extend the Scrum process with risk management issues as shown in Fig. 1. The extended framework is obtained using the results of the survey, by applying the characteristics of the different parts of PMBOK and the dimensions of the Scrum framework. All major risk management phases described in PMBOK, from planning risk management to monitoring risks, are included in the model. We discuss the elements of the conceptual framework with its possible use.
Our synthesized risk management process model consists of six phases:

Plan Risk Management: The output of this step is a risk management plan and the risk register; the definition of these aspects should involve all team members. Risks are formally included in the agenda of the Sprint planning meeting. During the sprint planning session, we propose a simple risk management plan which includes: risk categories, roles and responsibilities, timing, etc.

Risk Identification: Risk identification involves the members of the Scrum team, who share experience and ideas among themselves. This step is influenced by the environment, the corporate culture and the knowledge of the Scrum team. The output of this activity is the development of a risk register. This is used and updated constantly throughout the Scrum life cycle. The risk register is updated by identifying any new risks, assessing old risks, and determining and implementing appropriate response strategies, in order to manage the impact of risks on the Scrum project. The risk register is a simple document with to-the-point information about risks. Our proposed risk register consists of the following attributes: Description (a brief description of the risk), Date of creation (the date the risk was identified), Likelihood (how likely it is that the risk will occur), Impact (measuring the consequences of the risk), Severity (assessed based on the impact of the undesired event), Team (indicates which team the risk concerns), Team member (the person who will be responsible for managing the risk), Category (category or group to which the risk belongs, e.g. technical, commercial, etc.), Priority (priority of the risk based on some combination of likelihood and impact), Status (indicates whether the risk is open, closed or being monitored), Action (the response defined to manage/control the risk), Sprint (the sprint in which the risk appeared), Story (the story in which the risk appeared).
† Fortune 500: a similar listing ranks the 500 global companies by their market capitalization level.
The risk register must be available to all Scrum members so that risks are managed collaboratively throughout the project. According to the answers of the respondents, this step can take place at several stages in Scrum; the percentages are very similar, and we chose to select the highest ones. More than half confirm that this step can be done during sprint planning; also, 35% think that some risks may appear during the sprint, for example in the case of urgent risks with high priority and impact on the project, where identification is necessary. In line with this, 43% confirm that certain risks, such as technical risks related to development, can appear and can be identified during the daily scrum. This does not mean that identification cannot be carried out at other steps.
Fig. 1. Scrum Risk Management Framework
Perform Qualitative and Quantitative analysis: In this step we analyze each risk qualitatively, by assessing the probability of occurrence and impact as well as other characteristics, and quantitatively, by numerically analyzing the combined effect of identified risks and other sources of uncertainty on overall project objectives [14]. Each identified risk is analyzed and prioritized, and the risk analysis of each Sprint is kept in the risk register. According to the answers of the respondents, the percentages for these two steps are probably similar, so we have merged them into one step. More than 40% confirm that this step can be done as part of the sprint planning session; also, more than 35% believe that the analysis could be done within the sprint.

Plan Risk Response: In this step, we develop options, select strategies, and agree on actions to address risk exposure. A majority of respondents (57%) think that this step is done during sprint planning. In sprint planning, the team contributes through its knowledge to the choice of the optimal option for the project risk, and then the implementation of the risk response should be executed. 34% assert that the daily scrum opens a window in which responses to risks newly identified and analyzed during the sprint can be planned.

Implement Risk Response: Once a strategy has been selected, it is necessary to determine concrete measures to treat the risk. 52% confirm that the implementation is done during the sprint. Also, 32% believe that it can be carried out in the daily scrum if time is sufficient. As the project advances, new risks are identified, resulting in an iterative process of risk management.

Monitor Risks: When analyzing the questionnaire, 52% of the respondents confirm that this step is done during the sprint and controlled by the risk owners. In addition, they are continuously supervised by the scrum master. Regarding the
new risks, 50% of them believe that they are mainly identified during the daily meetings. The final risk data can be obtained after the delivery of the product. The risk register provides a view of all identified risk data, and this information can be used to plan future Scrum projects.

6. Conclusion and future scope

Although risk management is important for project success, it is not widely used in agile methodologies, and Scrum does not possess specific processes for its management; there is therefore a need to integrate risk management explicitly. This paper proposed a model of the activities involved in deploying risk management processes within the Scrum framework. The model has been elicited based on the questionnaire respondents' responses. The goal is to improve the methodology by mapping the principles of risk management, which can increase the success rate of the project. The results have yet to be verified by testing them in a real-life development scenario. In future work, we will test the model and implement it in various Scrum organizations. We also suggest adapting a risk management framework to other agile methods like XP, which is also becoming famous in the software industry.

References

[1] Boehm, B. W. (1991). Software risk management: principles and practices. IEEE Software, 8(1), 32-41.
[2] Nyfjord, J. (2008). Towards integrating agile development and risk management (Doctoral dissertation, Institutionen för data-och systemvetenskap (tills m KTH)).
[3] Moran, A. (2014). Agile risk management. In Agile Risk Management (pp. 33-60). Springer, Cham.
[4] Crnković, D., & Vukomanović, M. (2016). Comparison of trends in risk management theory and practices within the construction industry. EGFOS, 7(13), 1-11.
[5] Verma, B., & Dhanda, M. (2016). A Review on Risk Management in Software Projects. International Journal, 2, 499-503.
[6] Kajko-Mattsson, M., & Nyfjord, J. (2008). State of Software Risk Management Practice. IAENG International Journal of Computer Science, 35(4).
[7] Arnuphaptrairong, T. (2014). Software risk management practice: evidence from Thai software firms. In Proceedings of the International Multi Conference of Engineers and Computer Scientists (Vol. 2).
[8] VersionOne. (2016). 10th annual state of Agile development survey.
[9] Sutherland, J., & Schwaber, K. (2013). The scrum guide. The definitive guide to scrum: The rules of the game. Scrum.org, 268.
[10] ur Rehman, A., & Hussain, R. (2007, July). Software Project Management Methodologies/Frameworks Dynamics "A Comparative Approach". In 2007 International Conference on Information and Emerging Technologies (pp. 1-5). IEEE.
[11] El Yamami, A., Ahriz, S., Mansouri, K., Qbadou, M., & Illousamen, E. H. (2017). Representing IT projects risk management best practices as a metamodel. Engineering, Technology & Applied Science Research, 7(5), 2062-2067.
[12] Hall, E. M. (1998). Managing risk: Methods for software systems development. Pearson Education.
[13] Dunne, E. S. (2013). Project risk management: Developing a risk framework for translation projects (Doctoral dissertation, Kent State University).
[14] Naveed, A. (2017). What is new in the PMBOK Guide® 6th edition-An in-depth comparison.
[15] Uikey, N., & Suman, U. (2015). Risk based scrum method: a conceptual framework. In Proceedings of the 9th INDIACom; INDIACom-2015, IEEE Conference ID (Vol. 35071, pp. 4-120).
[16] Ghazali, S. N. H., Salim, S. S., Inayat, I., & Ab Hamid, S. H. (2018). A Risk Poker Based Testing Model For Scrum. Computer Systems Science and Engineering, 33(3), 169-185.
[17] Hossain, E., Babar, M. A., Paik, H. Y., & Verner, J. (2009, December). Risk identification and mitigation processes for using scrum in global software development: A conceptual framework. In 2009 16th Asia-Pacific Software Engineering Conference (pp. 457-464). IEEE.
[18] Odzaly, E. E., & Des Greer, D. S. (2014). Lightweight risk management in Agile projects.
[19] Higuera, R. P., & Haimes, Y. Y. (1996). Software Risk Management (No. CMU/SEI-96-TR-012). Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.
[20] Coyle, S., & Conboy, K. (2009). A case study of risk management in agile systems development.
[21] ISO, B. (2018). 31000, (2018) Risk management–Principles and guidelines. International Organization for Standardization, Geneva, Switzerland.
[22] Great Britain. Office of Government Commerce. (2002). Managing successful projects with PRINCE2. The Stationery Office.