Risk management in software projects: Is it good enough?


Paul Bannerman

NICTA, Sydney, Australia
UNSW, Australia


This presentation reports recent research on risk and risk management in software projects, and draws implications for software process practice. Software projects tend to be complex, highly uncertain ventures. Risk management is recognised as an important process in ensuring software quality and successful project outcomes. High variability in software project performance, however, raises questions about the suitability and effectiveness of risk management prescriptions and practices. The theory and practice of risk and risk management in software projects are reviewed. It is found that risk management research lags the needs of practice and risk management practice lags the prescriptions of research. As a step toward filling these gaps, a proposal is made for moving beyond methodology-based risk management to capability-based threat management.

The notion of risk in software project literature is examined and found to be narrowly conceived for the needs of practice. For example, it focuses on foreseeable threats for which a probability can be determined. Unforeseeable threats are not directly accommodated. The strengths and weaknesses of the three main risk management approaches (checklists, analytical frameworks, and process models) are also discussed.

A study of software project management and risk management practices in a sample of Australian public sector agencies is described. Ten major risk factors are found and compared with private sector experience. The study findings challenge some conventional conceptions of risk and project management. For example, it was found that software projects do not conform to a uniform structure, as assumed in much of the literature. This introduces variations in the risk and project management challenges they face. Findings also suggest that formal project management may be neither necessary nor sufficient for project success.

An integrated threat management framework is proposed to extend current conceptions and improve software project outcomes. The framework integrates issue management, risk management and crisis/disaster management in a way that enables projects to manage a broader spectrum of uncertainty than is possible under risk management as it is currently conceived. Building a real-time, sense-and-respond threat management capability offers a way for software developing organisations to improve their capacity to manage uncertainty. Practical steps to move beyond risk management to threat management are outlined.

BibTeX Entry

    booktitle        = {Software and Systems Engineering Process Group (SEPG 2008)},
    author           = {Bannerman, Paul},
    month            = aug,
    year             = {2008},
    title            = {Risk Management in Software Projects: Is it Good Enough?},
    address          = {Melbourne, Australia}