Categorisation and formulation in risk management : Essential parts of a future Experience based Risk Management model within software engineering

Abstract: This software engineering thesis addresses three main issues. When creating the risk documents for this master thesis project, we became even more aware of the problems with categorization and formulation of risk statements and the scope is now focusing on categorization and formulation as a necessity for Experience based Risk Management (EbRM). The EbRM process is the foundation of the thesis and the categorisation and formulation parts had to be solved before implementing the EbRM model. To give the reader a notion about the background of this work, a brief introduction to the Experience based Risk Management model is given in the thesis. The thesis is based on literature studies, experiences and experiments. The formulation system is gathered from the Software Engineering Institute (SEI) and is called the CTC-format (Condition, Transition, Consequence). This format allows you to separate conditions and consequence of the risk and thereby provides you with easier categorisation and understandability. The categorisation system used is the SEI Taxonomy Based Categorisation (TBC). A categorisation system built as a search tree where each leaf represents a rather narrow risk domain. In order to evaluate those two different systems we performed an experiment showing that the combination thereof gave a much higher match in sorting risks between different groups. The conclusions of this work are that the TBC in connection with the CTC structure forms a very good basis for risk management when it comes to categorisation and formulation. In addition to properly formulated and tagged names and a thorough process when identifying and documenting risks, the risk management will be facilitated by using our conclusions in further risk management. Oral information must as well be on a sufficient level to gain full benefits from a risk management process.