0

I'm looking for perspectives on how risk analysis is performed when there's not precisely a "dollar value" associated with the risk, as in an Open Source project. Traditionally, risk analysis takes the form of

Asset Value X Annual Probability of Loss X Probable Outcome of Loss = Risk

Open source community driven projects provide great value to people, and their development faces significant risks, both from a project standpoint (ranging from wasted developer cycles to failure to ever deliver) and from a product standpoint (users could not like the product, and update could make people leave or a security hole could leave millions of systems vulnerable to a nasty malware attack). Nevertheless, it doesn't quite lend itself to this formula.

Who is responsible for identifying and managing these risks in Open Source community driven projects? How does the team decide which risks are most significant to the outcome of the project? Are there any official standards or approaches in this area?

In the case of adopting Open Source, I believe this question has some solid answers:

https://www.federalreserve.gov/boarddocs/srletters/2004/SR0417a1.pdf https://opensource.com/article/17/3/risks-open-source-project-management

On the other hand, I don't see any literature or voices speaking to this aspect of the creation of such software. Any input from people actively involved in this community?

Purpose CyberSpace
  • 9
  • 1
  • 2
    I think you have to clarify what kind of project you are talking about. Open Source simply refers to the license the code is released under. Open Source projects range from company-driven projects that are developed exactly like proprietary closed-source ones, except in the end the code is released under an OS license instead of a proprietary one, to completely free and open, fully community-driven projects where there *is no* "team" and nobody is "responsible" for anything, to anything in between. – Jörg W Mittag Jul 09 '17 at 21:33
  • 1
    you were given a [poor advice at Stack Overflow](https://stackoverflow.com/questions/44999725/risk-analysis-for-open-source-community-driven-projects#comment76973566_44999725 "'This question is likely more suitable for Software Engineering SE..'") - sorry about that – gnat Jul 09 '17 at 22:01
  • Great question @JörgWMittag. In my case, I'm a student still learning about the topic. I was thinking about an open source project such as [MyNewt](https://mynewt.apache.org) – Purpose CyberSpace Jul 09 '17 at 23:07
  • @gnat I'll try to write better questions in the future. I've been trying to get a good answer for this question for a while; hopefully the community will be able to help out. If not, I'll continue searching outside of the 'exchange. – Purpose CyberSpace Jul 09 '17 at 23:10

1 Answers1

1

In risk analysis, value is not necessarily expressed in dollar value. Often the risk is expressed in time. You can use risk analysis to accomodate the risk in your project schedule. I learned that risk exposure is calculated by:

risk exposure = loss * probability

Where loss and risk exposure can be expressed in $ or time (or some other measure of value). For example, if the lead contributor gets sick about once a year and you're working on an estimate for a 3 month milestone, the risk exposure of lead contributor getting sick could be expressed as:

2 weeks * .25 = .5 weeks

For open source projects where money is not directly invested, it's more useful to analyze risk in terms of the project milestones.

The reason why I think it's not very common for open source projects to conduct risk analysis are:

  • Not all software developers know what risk analysis is, how to do it, or why it's useful.
  • When measured against all the possible activities, open source developers prioritize other activities over risk analysis. Simply there are limited developer resources and limited time, so it's more useful to contribute code, tests, and docs over risk analysis.
  • Many open source projects lack sufficient organization. This is the same reason why I think many open source projects don't have a process.

Who is responsible for identifying and managing these risks in Open Source community driven projects?

Open source projects are heterogenous. Risks would likely be managed by a community member that understands the project and the milestones well. The project owner perhaps or the creator of the project would likely do it.

How does the team decide which risks are most significant to the outcome of the project?

That's where the risk exposure formula comes in. All risks hold some significance to the outcome of the project, but they are weighted by their probability. You can identify the top risks by enumerating all risks and their exposure and ordering by decreasing risk exposure.

Samuel
  • 9,137
  • 1
  • 25
  • 42