References on Software Risk Management

• “Managing Risk”, Risk is the theme for entire issue of IEEE Software, May/June 1997.


• “The New Risk Management”, Robert Charette, Cutter Consortium, Executive Report, Business-IT Strategies Advisory Service, Vol. 3, 2000.  A 35-page treatise by the Father of RM for software.


• “Risk Management for Software Projects”, Richard Fairley, IEEE Software, May 1994.  The best 10 page introduction to the topic.


• “New Denver Airport Impact of the Delayed Baggage System”, GAO Report,  GAO/RCED-95-35BR, October 1994.  Carry-on.


• “Information Systems and Organizational Change”, Peter Keen, Communications of the ACM, January 1981. For those of you wanting to focus only on technical risk, a primer on customer/organizational risk.  For every implementation, expect at least one counter-implementation. An oldie, but a goodie!



Software Engineering Risk Analysis and Management, Robert Charette, McGraw-Hill, 1989.  Not the easiest read, but the most detailed treatment. Really interesting stuff, once you get going.


Assessment and Control of Software Risks, Capers Jones, Prentice Hall, 1994.  Interesting coverage of the most common risks by system type. Stun your boss with amazing statistics!


Practical Risk Assessment for Project Management, Stephen Grey, John Wiley & Sons, 1995.  A Brit on RM; he is from ICL in England. Straightforward, this book also discusses software support for RM.  It uses the package, @risk for its examples.


Rapid Development, Steve McConnell, Microsoft Press, 1996.  650 pages of readable, sensible advice on “taming wild software schedules.” Includes an entire chapter on risk management, and ties it cleanly into his rapid development theme.


The Deadline, Tom DeMarco, Dorset House Publishing, 1997.  A project management novel...yes, a novel, with a real risk; if the manager can’t bring in the project, he will die.  A terrific management and risk book, in a very readable form. Yes, Tim wrote these words.


Managing Risk, Elaine Hall, Addison Wesley, 1998.  Another solid primer on software risk. This also describes in detail the stages of organizational maturity towards risk.


Critical Chain, Eliyahu Goldratt, The North River Press, 1997.  An amazing novel about project management, and why all projects are always late, and what we should do about it. We don’t know if we agree entirely, but a mind-boggler just the same.  It will make you re-think everything.


Project and Program Risk Management: A Guide to Managing Project Risks and Opportunities, Max Wideman, editor, Project Management Institute, 2001.  The folks at PMI have integrated RM into their PMBOK. This is the risk guide in their 9 volume series.


Books on Incrementalism


Extreme Programming Explained: Embrace Change, Kent Beck, Addison Wesley, 2000.  If you have not read about XP or the other agile methodologies, start here.


Planning Extreme Programming, Kent Beck and Martin Fowler, Addison Wesley, 2001. XP when viewed as a set of RM strategies makes all kinds of sense. The two-week planning and delivering cycle determined by the customer is a built-in late-delivery risk mitigation strategy with customer-defined value. In XP “A good customer is willing to accept the ultimate responsibility for the success or failure of the project.” (Pg 18.) Can that happen where you work?


Principles of Software Engineering Management, Tom Gilb, Addison-Wesley, Wokingham England 1988.  Gilb is one of the strongest, and earliest, advocates for incremental development, what he calls "evolutionary delivery."


Related Books

To Engineer is Human: The Role of Failure in Successful Design, Henry Petroski, Barnes & Noble Books, 1982, 1994. Petroski is a professor of civil engineering at Duke.  This book is about how real engineers deal to great advantage with real risk. A classic.


Against the Gods: The Remarkable Story of  Risk, Peter L. Bernstein, John Wiley & Sons, 1996.  “The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk: the notion that the future is more than a whim of the gods and that men and women are not passive before nature.”


Total Risk: Nick Leeson and the Fall of Barings Bank, Judith H. Rawnsley, Harper Business, 1995. How does a 28-year-old take down a mighty financial institution? One bad bet after another, and nobody bothering to watch! A tangible result of the absence of RM. You just can’t make this stuff up.


Managing Transitions: Making the Most of Change, William Bridges, Addison Wesley, 1991. Why getting people to change their ways is so darn hard (hint: it is always emotional), and what you can do to help the change happen.


Warfighting: The U.S. Marine Corps Book of Strategy, U.S. Marine Corps, Currency Doubleday, 1994.  What??!? Yes, this is a terrific little book about fighting wars and succeeding at software projects. Yes, it is absolutely relevant to you.


 The Challenger Launch Decision, Karen Vaughan, U. of Chicago Press, 1996. The public history says that the Challenger was lost because of political and economic pressure overwhelming reasonable risk management. This book, a serious and scholarly work, proposes something much more subtle, and much more worrisome for all organizations.


Other Valuable Sources

IEEE Standard for Software Life Cycle Processes – Risk Management, IEEE Std 1540-2001. The accepted process standard from the IEEE.


Taxonomy Based Risk Identification, Report No. SEI.93-TR-006. This report includes the SEI risk taxonomy, a risk identification starter kit of some 194 questions.


• Guidelines for Successful Acquisition and Management of Software Intensive Systems, Version 3.0, May 2000,

Much more than just risk management, but a very good job on this topic. Risk management is Chapter 6 of 14.  The whole or part set is free for the download... U.S. tax dollars at work, and worth it.


  Reports citing Risk Management from DoD Software Acquisition Best Practices Initiative, Software Program Managers Network Website:

We have been active in this initiative being run for the DoD by the Navy.  Many interesting (free) handouts covering risk management among others. Risk Radar, a RM tool is free for the download, too.


  Cutter Consortium’s Risk Management Intelligence Network. Directed by Robert Charette, this pay site has articles, Q&A, and on-going discussion groups.


The WinWin Spiral Model

  Information from B. Boehm at:


• “Identifying Quality-Requirements Conflicts,” Boehm and In, IEEE Software, Vol. 13 No.2, March 1996.



References for Root Cause Analysis


  Hoshin Planning Research Report, published by: Goal/QPC, 13 Branch St, Methuen, MA 018444 (800) 207-5813. See Chapter 4: “Affinity Diagrams and the KJ Method.”


  A New American TQM, Shiba, Graham, and Walden, Productivity Press, Portland OR, 1993.


  Apollo Root Cause Analysis: A New Way of Thinking, Gano et al., Apollonian Publications, 1999.


Root Cause Analysis: Simplified Tools and Techniques, Andersen (editor) American Society for Quality, 1999.


References for Brainstorming


  Lateral Thinking: Creativity Step by Step, de Bono, Harper Collins, re-issued 1990.


Six Thinking Hats, de Bono, Little Brown & Co., paperback, 1999.


A Whack on the Side of the Head: How You Can Be More Creative, Von Oech, Warner Books, revised, 1998.


References for Postmortems


• “A Defined Process for Project Postmortem Review,” Collier, DeMarco, and Fearey, IEEE Software, Vol.13 No. 4, July 1996.


Project Retrospectives: A Handbook for Team Reviews, N. Kerth, Dorset House Pub. Co., New York, 2001.
