Severity, Priority, Impact and Likelihood - Managing Defects and Risks

By -
Defects and Risks are often dealt with in a subjective, emotional way.  That's unfortunate, because among all the things a software development team deals with, those are two that can be handled in a more constructive and empirical way.

First, a couple definitions.
Defect Severity: the degree of impact a defect has on system operation. A defect is something observed, so impact can be empirically quantified.
Risk Severity: the degree to which a hypothetical event, should it occur, would impact system operation. A risk event is something that has not occurred, so impact must be estimated or extrapolated.

The common element in both Risk Severity Assessment and Defect Severity is Impact on Revenue.  The FMEA framework that AKF recommends uses 1 = Low, 3 = Med, and 9 = High, to represent the exponential effect of a high impact risk or defect

Impact on Revenue

  1. No payments being collected and/or payment data security compromised (Critical)
  2. Payment collection being delayed by minutes (Major)
  3. Payment collection being delayed by at least 2x SLA (Major)
  4. Revenue impact is secondary (Minor)
  5. No impact on revenue (Trivial)

Defect Categorization
One of the differences between Defects and Risks, is the number of people affected, which can be ascertained during defect triage.
Number of people affected

  1. Everyone
  2. Most (or, all in a specific geographic region/market)
  3. Many
  4. Some
  5. Few or one
You can add the System Function row to a matrix to help align parts of the system with Revenue Impact.  That gets subjective, but it helps promote discussion and alignment (this table is incomplete and intended only as an illustration):
Defect Severity Matrix
Number of People Affected
Everyone
Critical
Critical
Critical
Critical
Critical
Major

Most (or all in a specific region)
Critical
Critical
Critical

Major


Many
Critical
Critical
Major
Major
Minor
Minor
Trivial
Some
Critical
Critical
Major
Major
Minor


Few or one
Major
Major
Major
Minor
Minor
Trivial
Trivial

Revenue Impact
High  -----------------------------------------------------------------      Low
System function / feature
Checkout / Pay

Login
Shop
Enroll
Commissions
Reports
Email
Etc. . . .

It can be useful to have the Severity Level be derived from a set of variables.  So, you would start with Impact on Revenue, include Number of People Affected, and then add things like Frequency and Available Workaround. When you calculate Severity using multiple variables, then you want to use a weighted scale to assign greater weight to Impact on Revenue (like that 1, 3, 9 scale AKF recommends)
Frequency

  1. Persistent
  2. Multiple times per day
  3. Multiple times per week
  4. Multiple times per month
  5. Happened once; cannot be reproduced
Workaround

  1. None, or very expensive
  2. Complex and totally manual
  3. Complex with systems (e.g., excel, email, fax, etc.)
  4. Complicated
  5. Simple
Risk Assessment
With Risk Assessment, you combine Revenue Impact and Likelihood or Probability:

  1. Certain (observed)
  2. Highly likely (greater than 80% probability)
  3. Likely (at least 50% probability)

Nothing less than 50% probability is worth noting as a risk.


Comments

Post a Comment

Popular posts from this blog

Enterprise Agile Framework: The Entrepreneurial Operating System (EOS)

By -
Image
Brian Rabon introduced me to the Entrepreneurial Operating System (EOS) as the framework he uses to manage his company, The Braintrust Consulting Group (TBCG). EOS is the missing element in organizations that are having some success with Agile at the team level, but not succeeding with change at higher levels or outside software development. As Charlie Rudd points out in his post The Third Wave of Agile , there is broad consensus on the value of Agile practices at the team level, but all types and sizes of businesses are struggling to scale Agile and to increase agility across their organization.  I think EOS addresses those challenges. EOS is comprised of the EOS Model : Having a model like this in place allows teams to function optimally as self-organized units that share the vision and goals of the organization.  Teams are able to align themselves with the organization's objectives, and can see how their outcomes affect the organization's performance. The EO
Read more

Chatbot Code of Ethics

By -
A  NYTimes article  describes efforts by a consortium of the largest technology companies to create ethical standards for AI. A related article in MIT Technology Review is titled  AI Wants to Be Your Bro, Not Your Foe . Artificial Intelligence has reached a level of sophistication, and is on the brink of being so pervasive, that we can have these serious conversations. In my work developing AI-powered chatbots to assist with learning, I work within the bounds of these 7 precepts: Right View - our chatbots honor humanity, human dignity, and the human quest for knowledge, understanding and technological innovation Right Intention - our chatbots promote human progress in the areas of intellectual pursuits and personal ethical development Right Speech - our chatbots use encouraging, prudent, and situationally appropriate language Right Action - our chatbots perform with integrity toward the aforementioned right view and intention Right Live
Read more