Optimizing the cost / effectiveness ratio in risk management in information systems development

Abstract

The paper is devoted to the issues of risk management.
In risk management, each risk is characterized by "the magnitude of risk." For each risk, two plans can be assigned: a risk prevention plan and a risk response plan. Each of these plans is costly to implement. Several different plans may be proposed for the same risk.
The paper proposes a methodology to simplify the risk management process through the use of simple and effective visual analytics tools. The technique allows:
1. Assess the validity of the plans; identify risks, the costs of which do not correspond to the severity of the threat of this risk for the project (overestimated or underestimated).
2. If there are several plans for one risk, choose the most suitable one.
In both cases, decision making is based on optimizing the cost / effectiveness ratio.
The paper proposes to compare the magnitude of the risk and the cost of plans for its prevention and response. If the risks are insignificant, their plan should be cheap. Only plans designed to deal with significant risks can be expensive.
To visualize the results, it is proposed to use charts of four types.
The plans are designed to reduce the magnitude of the risk. For comparison of several plans, it is proposed to compare the cost of the plan and the reduction in the magnitude of risk that this plan provides. It is logical to choose a plan in which such a decrease will be greatest.
The described methodology can be applied to risk management not only in the computer science, but also in other subject fields.