Risk Analysis in Open Source Community Driven Projects

Question

I'm looking for perspectives on how risk analysis is performed when there's not precisely a "dollar value" associated with the risk, as in an Open Source project. Traditionally, risk analysis takes the form of

Asset Value X Annual Probability of Loss X Probable Outcome of Loss = Risk

Open source community driven projects provide great value to people, and their development faces significant risks, both from a project standpoint (ranging from wasted developer cycles to failure to ever deliver) and from a product standpoint (users could not like the product, and update could make people leave or a security hole could leave millions of systems vulnerable to a nasty malware attack). Nevertheless, it doesn't quite lend itself to this formula.

Who is responsible for identifying and managing these risks in Open Source community driven projects? How does the team decide which risks are most significant to the outcome of the project? Are there any official standards or approaches in this area?

In the case of adopting Open Source, I believe this question has some solid answers:

https://www.federalreserve.gov/boarddocs/srletters/2004/SR0417a1.pdf https://opensource.com/article/17/3/risks-open-source-project-management

On the other hand, I don't see any literature or voices speaking to this aspect of the creation of such software. Any input from people actively involved in this community?

Answer 1

In risk analysis, value is not necessarily expressed in dollar value. Often the risk is expressed in time. You can use risk analysis to accomodate the risk in your project schedule. I learned that risk exposure is calculated by:

risk exposure = loss * probability

Where loss and risk exposure can be expressed in $ or time (or some other measure of value). For example, if the lead contributor gets sick about once a year and you're working on an estimate for a 3 month milestone, the risk exposure of lead contributor getting sick could be expressed as:

2 weeks * .25 = .5 weeks

For open source projects where money is not directly invested, it's more useful to analyze risk in terms of the project milestones.

The reason why I think it's not very common for open source projects to conduct risk analysis are:

• Not all software developers know what risk analysis is, how to do it, or why it's useful.
• When measured against all the possible activities, open source developers prioritize other activities over risk analysis. Simply there are limited developer resources and limited time, so it's more useful to contribute code, tests, and docs over risk analysis.
• Many open source projects lack sufficient organization. This is the same reason why I think many open source projects don't have a process.

Who is responsible for identifying and managing these risks in Open Source community driven projects?

Open source projects are heterogenous. Risks would likely be managed by a community member that understands the project and the milestones well. The project owner perhaps or the creator of the project would likely do it.

How does the team decide which risks are most significant to the outcome of the project?

That's where the risk exposure formula comes in. All risks hold some significance to the outcome of the project, but they are weighted by their probability. You can identify the top risks by enumerating all risks and their exposure and ordering by decreasing risk exposure.