Software Contract Administration Services (CAS) Risk Matrix

Service Set: Software Acquisition Management Services

Process Area: Software Acquisition Management

RISK CATEGORY PERFORMANCE SCHEDULE (Project Tracking) COST (Project Tracking)

HIGH (3)
--The Software process is out of control or performance data casts significant doubt on the capability of the system or key process to meet requirements. A major disruption is highly probable and the likelihood is the supplier will not meet the performance, schedule or cost objectives.
Note: Some Software high-risk indicators contain parenthetical expressions as an aide in determining how the indicators relate to the provide links to various Software Capability Maturity Model Key Process Areas as an aide in determining process risks.

Sound Systems/Software Engineering practices are not performed (Organization Process Focus, Organization Process Definition)

Poor coordination among suppliers (Subcontract Management)

Solutions to technical software problems are still under analysis at an inappropriate stage in the software development lifecycle (Requirements Management)

Critical and/or Derived Software requirements/functions are ill-defined or non-existent at an inappropriate stage in the software development lifecycle (Requirements Management)

Systems/software interfaces poorly defined at an inappropriate stage in the software development lifecycle (Intergroup Coordination)

Systems/software integration planning inadequate or not evolving as appropriate with system/software development (Project Planning)

Peer review process inadequate or peer reviews seldom performed. (Peer Review)

Software products and activities are seldom reviewed by the software quality assurance group Software quality assurance group seldom reviews software products and activities or no software quality assurance group exists. (Software Quality Assurance)

High turnover of critical personnel, Inexperienced or lack of sufficiently trained resources on project (Training Program)

Technical support for critical areas, if needed, is not available

Critical tools are either not available or are not utilized (Software Product Engineering)

Software Risk Management is not performed (PP Ac13, PTO Ac10, IM Ac10)(Project Planning, Project Tracking and Oversight, Integrated Software Management)

Supplier past performance on similar projects was poor

Software controls not established (Configuration Management)

Major Software schedule impacts occur frequently during program execution (Note that the later in the development life cycle that the schedule is impacted, the more difficult it is to recover.)

Software Schedules do not exist or the budgeted cost of work scheduled exceeds budgeted cost of work performed resulting in a negative schedule variance exceeding 8% (PP Ac10)Project Planning)

PERT or other critical path management tools are not used (IM Ac9Integrated Software Management)

Software schedule, as planned, is virtually unobtainable (Project Planning)

Software development schedule is not derived from historical data for similar projects and/or recognized software cost model estimates (Project Planning Ac10)

Significant Software cost impacts have occurred during program execution

The actual cost of work performed exceeds the budgeted cost of work performed resulting in a negative Cost Variance of 8% or greater (Project Planning Ac10)

Planned cost targets for software do not exist or virtually unobtainable

Software development cost estimates are not derived from historical data for similar projects and/or recognized software cost model estimates (PP Ac10_Project Planning)

Contingency plans do not exist to obtain funding for unforeseen cost growth

MODERATE (2)
--There is moderate software process variance and the trend is adverse. Performance data casts doubt on the ability of the system or key process to consistently meet requirements. Not only is it probable the supplier will encounter delays in meeting the performance, schedule, or cost objectives, but if concerns are not addressed, the process may progress to high risk.

Sound Systems/Software Engineering practices are performed sporadically

Limited coordination among suppliers

Some Critical and/or Derived Software requirements/functions are ill defined or non-existent at an inappropriate stage in the software development lifecycle

Some systems/software interfaces poorly defined at an inappropriate stage in the software development lifecycle

Limited systems/software integration planning is available and/or is inconsistent with system/software development

Peer review process adequate but limited peer reviews performed.

Limited review of software products and activities by the software quality assurance group.

A limited number of trained/experienced resources are available, and there is some turnover of these personnel

Technical support for critical areas, if needed, is limited

Systems/Software tools are not uniformly provided or used and technical support is limited

Software Risk Management is limited

Individual Systems/Software development processes within a program are not managed consistently

Establishment of Software Controls is limited (CM)

Limited Software schedule impacts occur (Note that the later in the development life cycle that the schedule is impacted, the more difficult it is to recover.)

Budgeted cost of work scheduled exceeds budgeted cost of work performed resulting in a negative software schedule variance between 5% to 8%

Some software elements on the critical path are slipping

Slipping the software schedule is used to compensate for cost overruns

Tradeoffs consistently favor cost or performance

There have been limited software cost impacts

The actual cost of work performed exceeds the budgeted cost of work performed resulting in a negative Cost Variance of 5% - 8%

Tradeoffs consistently favor performance or schedule

LOW (1)
--Software Performance data provides confidence in the capability of the system or key process to meet requirements. Minimal or no impact will occur in meeting Software performance, cost or schedule objectives.

Sound Systems/Software Engineering practices are adequately performed and managed

Coordination among suppliers exist

Critical software requirements/functions are defined as appropriate for the stage in the software development lifecycle

Systems/software interfaces are defined at an appropriate stage in the software development lifecycle

Systems/software integration planning is available and/or is consistent with system/software development

Peer review process is adequate and peer reviews are performed on critical software products.

Critical software products and activities are reviewed by the software quality assurance group.

Adequately trained and experienced resources are available and assigned to the project

Adequate software technical support is available

Adequate tools are available and used

Software Risk Management is performed adequately

Software Control is established and adequate (CM)

Solutions are analyzed against evaluation criteria

Very few impacts to software development schedule occur

The budgeted cost of work scheduled compared to the budgeted cost of work performed results in a software schedule variance under 5%

No slippage of software elements on the critical path

Software schedule not compromised for other development areas

Software schedule is based on best available data from similar projects and/or estimates based on recognized software cost models

Software schedule is continuously updated, as required, throughout the development lifecycle based on available data/lessons learned and/or estimates using recognized cost models

Critical path elements have not slipped and either cost impacts have not occurred or have been minor

The actual cost of work performed compared to the budgeted cost of work performed results in a negative Cost Variance under 5%

Software cost estimates are continuously updated, as required, throughout the development lifecycle based on historical data/lessons learned and/or estimates using recognized cost models

Cost As an Independent Variable (CAIV) is used adequately

RISK CATEGORY	PERFORMANCE	SCHEDULE (Project Tracking)	COST (Project Tracking)
HIGH (3) --The Software process is out of control or performance data casts significant doubt on the capability of the system or key process to meet requirements. A major disruption is highly probable and the likelihood is the supplier will not meet the performance, schedule or cost objectives. Note: Some Software high-risk indicators contain parenthetical expressions as an aide in determining how the indicators relate to the provide links to various Software Capability Maturity Model Key Process Areas as an aide in determining process risks.	Sound Systems/Software Engineering practices are not performed (Organization Process Focus, Organization Process Definition) Poor coordination among suppliers (Subcontract Management) Solutions to technical software problems are still under analysis at an inappropriate stage in the software development lifecycle (Requirements Management) Critical and/or Derived Software requirements/functions are ill-defined or non-existent at an inappropriate stage in the software development lifecycle (Requirements Management) Systems/software interfaces poorly defined at an inappropriate stage in the software development lifecycle (Intergroup Coordination) Systems/software integration planning inadequate or not evolving as appropriate with system/software development (Project Planning) Peer review process inadequate or peer reviews seldom performed. (Peer Review) Software products and activities are seldom reviewed by the software quality assurance group Software quality assurance group seldom reviews software products and activities or no software quality assurance group exists. (Software Quality Assurance) High turnover of critical personnel, Inexperienced or lack of sufficiently trained resources on project (Training Program) Technical support for critical areas, if needed, is not available Critical tools are either not available or are not utilized (Software Product Engineering) Software Risk Management is not performed (PP Ac13, PTO Ac10, IM Ac10)(Project Planning, Project Tracking and Oversight, Integrated Software Management) Supplier past performance on similar projects was poor Software controls not established (Configuration Management)	Major Software schedule impacts occur frequently during program execution (Note that the later in the development life cycle that the schedule is impacted, the more difficult it is to recover.) Software Schedules do not exist or the budgeted cost of work scheduled exceeds budgeted cost of work performed resulting in a negative schedule variance exceeding 8% (PP Ac10)Project Planning) PERT or other critical path management tools are not used (IM Ac9Integrated Software Management) Software schedule, as planned, is virtually unobtainable (Project Planning) Software development schedule is not derived from historical data for similar projects and/or recognized software cost model estimates (Project Planning Ac10)	Significant Software cost impacts have occurred during program execution The actual cost of work performed exceeds the budgeted cost of work performed resulting in a negative Cost Variance of 8% or greater (Project Planning Ac10) Planned cost targets for software do not exist or virtually unobtainable Software development cost estimates are not derived from historical data for similar projects and/or recognized software cost model estimates (PP Ac10_Project Planning) Contingency plans do not exist to obtain funding for unforeseen cost growth
MODERATE (2) --There is moderate software process variance and the trend is adverse. Performance data casts doubt on the ability of the system or key process to consistently meet requirements. Not only is it probable the supplier will encounter delays in meeting the performance, schedule, or cost objectives, but if concerns are not addressed, the process may progress to high risk.	Sound Systems/Software Engineering practices are performed sporadically Limited coordination among suppliers Some Critical and/or Derived Software requirements/functions are ill defined or non-existent at an inappropriate stage in the software development lifecycle Some systems/software interfaces poorly defined at an inappropriate stage in the software development lifecycle Limited systems/software integration planning is available and/or is inconsistent with system/software development Peer review process adequate but limited peer reviews performed. Limited review of software products and activities by the software quality assurance group. A limited number of trained/experienced resources are available, and there is some turnover of these personnel Technical support for critical areas, if needed, is limited Systems/Software tools are not uniformly provided or used and technical support is limited Software Risk Management is limited Individual Systems/Software development processes within a program are not managed consistently Establishment of Software Controls is limited (CM)	Limited Software schedule impacts occur (Note that the later in the development life cycle that the schedule is impacted, the more difficult it is to recover.) Budgeted cost of work scheduled exceeds budgeted cost of work performed resulting in a negative software schedule variance between 5% to 8% Some software elements on the critical path are slipping Slipping the software schedule is used to compensate for cost overruns Tradeoffs consistently favor cost or performance	There have been limited software cost impacts The actual cost of work performed exceeds the budgeted cost of work performed resulting in a negative Cost Variance of 5% - 8% Tradeoffs consistently favor performance or schedule
LOW (1) --Software Performance data provides confidence in the capability of the system or key process to meet requirements. Minimal or no impact will occur in meeting Software performance, cost or schedule objectives.	Sound Systems/Software Engineering practices are adequately performed and managed Coordination among suppliers exist Critical software requirements/functions are defined as appropriate for the stage in the software development lifecycle Systems/software interfaces are defined at an appropriate stage in the software development lifecycle Systems/software integration planning is available and/or is consistent with system/software development Peer review process is adequate and peer reviews are performed on critical software products. Critical software products and activities are reviewed by the software quality assurance group. Adequately trained and experienced resources are available and assigned to the project Adequate software technical support is available Adequate tools are available and used Software Risk Management is performed adequately Software Control is established and adequate (CM) Solutions are analyzed against evaluation criteria	Very few impacts to software development schedule occur The budgeted cost of work scheduled compared to the budgeted cost of work performed results in a software schedule variance under 5% No slippage of software elements on the critical path Software schedule not compromised for other development areas Software schedule is based on best available data from similar projects and/or estimates based on recognized software cost models Software schedule is continuously updated, as required, throughout the development lifecycle based on available data/lessons learned and/or estimates using recognized cost models	Critical path elements have not slipped and either cost impacts have not occurred or have been minor The actual cost of work performed compared to the budgeted cost of work performed results in a negative Cost Variance under 5% Software cost estimates are continuously updated, as required, throughout the development lifecycle based on historical data/lessons learned and/or estimates using recognized cost models Cost As an Independent Variable (CAIV) is used adequately