Risk Management with TFS 2015

Is it possible to implement a fully functional risk management system in TFS 2015? Yes, it certainly is, and in the following post I will show you how.

One of the greatest strengths of TFS is being able to maintain all the project information in a single central repository. In TFS we have out-of-the-box project management, requirements, source control and testing workflows. To a lesser degree we have a risk workflow. In a regulated environment, the implementation of a risk control process is critical. Many organizations consider implementing a specialized risk management system alongside TFS to attain this goal. This of course leads to the additional complexity of having to integrate both systems.

What if we can implement a risk management system directly in TFS? Wouldn’t that be a fantastic way to go! Below I will show you how this can be accomplished.

First off, we need to add a risk work item to the system. We can simply take the CMMI risk work item and modify it so that it is in line with our business process. What is important is to capture the following fields so that we are able to properly evaluate RPN scores.

1) Probability (Initial and Residual)

2) Occurrence (Initial)

3) Detectability (Initial and Residual)

The TFS interface does not support calculated fields so we will need to come up with an approach for that later. For now let’s just worry about initial and residual probability and detectability.

We will handle risk mitigation by creating a second work item called Risk Control Measure. To keep it simple, it can be loosely based on a task. The idea is for us to trace whether risks have associated risk control measures, and also to be able to implement a small workflow on the risk control measure itself, i.e. has the risk control measure been implemented successfully? We can simply link a risk control measure to a risk in order to be able to determine whether a risk has been mitigated.

Now, as I mentioned before, TFS does not support calculated fields, so we are unable to create a field and have it calculate the RPN score and save it in the system. This is actually OK: as a general rule we do not want to store calculated fields in the system. We should calculate them when needed. So now that we have that cleared up, how should we approach this? Let’s use Excel or even SSRS to accomplish this. Simply create a report running off the data warehouse to calculate the field in a column. Voila, problem solved!

The beauty of this is when we have the data in Excel we can slice and dice it however we like. Filtering on area, iteration, severity and residual RPN can be especially helpful.

Now that we have extended the ALM lifecycle to include risk management we can start to derive some interesting information from TFS.

1) How many high risks do not have associated risk control measures.

2) Which risks are not associated with requirements.

3) Which risks still have high RPN scores after mitigation.
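The calculated RPN column and the three questions above, sketched as an added example that is not part of the original post. It assumes RPN is the product of the three captured ratings, that a score of 100 or more counts as high, and that the risks and links have been exported as the constructed rows below; the field names are hypothetical.

```python
from dataclasses import dataclass

HIGH_RPN = 100  # assumed threshold for "high"; the post does not give one
CONTROL, REQUIREMENT = "Risk Control Measure", "Requirement"

@dataclass
class Risk:
    id: int
    prob_initial: int
    prob_residual: int
    occurrence: int       # only an initial value is captured
    detect_initial: int
    detect_residual: int

    # Assumption: RPN = probability x occurrence x detectability, computed on demand.
    def rpn_initial(self):
        return self.prob_initial * self.occurrence * self.detect_initial

    def rpn_residual(self):
        return self.prob_residual * self.occurrence * self.detect_residual

# Constructed sample rows standing in for a work item query export.
RISKS = [
    Risk(101, 8, 2, 5, 6, 3),  # 240 initial, 30 residual
    Risk(102, 7, 7, 4, 5, 5),  # 140 initial, 140 residual
    Risk(103, 3, 3, 2, 4, 4),  # 24 initial, 24 residual
    Risk(104, 9, 6, 5, 7, 4),  # 315 initial, 120 residual
]
# Constructed links: (risk id, type of the linked work item).
LINKS = [(101, CONTROL), (101, REQUIREMENT), (104, CONTROL), (103, REQUIREMENT)]

def linked_types(risk_id):
    return {wi_type for rid, wi_type in LINKS if rid == risk_id}

def high_without_controls():
    return [r.id for r in RISKS
            if r.rpn_initial() >= HIGH_RPN and CONTROL not in linked_types(r.id)]

def without_requirements():
    return [r.id for r in RISKS if REQUIREMENT not in linked_types(r.id)]

def high_after_mitigation():
    return [r.id for r in RISKS
            if CONTROL in linked_types(r.id) and r.rpn_residual() >= HIGH_RPN]

if __name__ == "__main__":
    print("High risks without control measures:", high_without_controls())
    print("Risks without requirements:", without_requirements())
    print("Still high after mitigation:", high_after_mitigation())
```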


Neil Moffatt

Passionate about everything ALM and agile process/tools adoption into regulated organizations (FDA). Specializing in medical device companies.
