Risk management in software engineering is tightly connected with general management of the company and recognized as its key element involving processes, methodologies and instruments used to address threatens at the different phases of software design. This role of risk management is determined by the fact that potential risks can lead to company losses associated with software product quality, its increased costs and time taken to complete a project, broken deadlines, and dropping the company reputation and its share of the market [ 1 ]. On the other hand, correct risks identification and tracking of the potential threatens helps to enhance project success rate and feasibly obtain quality software product [ 2 ]. A well-founded and thought over risk management plan allows the team to evaluate the entire software project, build a strategy for its successful completing, meet deadlines, interact effectively with stakeholders, and allocate resources to eliminate significant risks losses.

In recent studies there are different understanding and interpretations of risk definition which are significant to realize its essence in terms of effective risk management. Risk is understood as an uncertain event can lead to a negative (or positive) effect on one or more of the project objectives [ 1, 2 ]. The ISO 31,000 standard defines risk as the effect of uncertainty on the achievement of objectives [ 3 ]. Risk is also expressed in terms of the combination of the consequences of an event and the probabilities of its occurring [ 4, 5, 6 ]. At the same time, it will also depend on how threats are perceived, and on how great their influence on the company objectives is [ 5 ]. According to ISO 12,207 standard of software life cycle processes, an objective may be associated with various aspects including health-related, financial, security-related, and environmental ones [ 7 ]. In practically-driven guides [ 1, 5 ], risk is understood as a complex of factors that can affect the success of a digital project. They can arise both internally as a result of situations inside the company) and externally (when they are caused by external influence).

Thus, according to studies, risk may arrive at different levels of the software design (at project level, product and process one), and arise as a result of internal or external factors that may influence the probability of risk and its impact on company objectives [ 7 ]. Risk management plays an important role, so that strategies to mitigate risk at the proper level may be taken and reduce possible losses [ 8 ].

Risk management is defined in the practical and theoretical studies as a complex of coordinated activities which allow the company to be directed regarding risk [ 1, 9, 10, 11 ]. Software risk management is recognized as a strategy that focuses on the identification, analysis, and mitigation of the risk factors in the software development lifecycle. Such a strategy needs for (1) systematic and well-thought application of principles and approaches to the tasks of risk identification, evaluation, planning and implementation of proper responses to potential threatens, as well as to the communication with customers regarding the activities carried out [ 9 ]; (2) the objectives are to identify, direct and avoid software risk factors before they occur and become potential threats to the project success or delay in development [ 9, 10, 11 ].

There are different models of risk management [ 12 ], among which the Carnegie-Mellon Software Engineering Institute (SEI) model, which contains standard requirements [ 3, 7 ], as well as known best practice recommendations for their prevention or disposal.

However, despite the existing theoretical and practical achievements in the lines of software design risk management, their effective use in the domain of software project management under the current Ukrainian business realities is complicated by some circumstances. First of all, this applies to standards developed by foreign organizations and intended for use in large IT companies, whose experienced specialists have received appropriate training and have mastered contemporary risk management methods [ 12, 13 ]. Besides, the standard developers directly point out that the risk identification must be carried out by independent experts [ 7, 13 ].

Therefore, domestic risk-oriented IT companies need a certain adaptation of the content of these documents to their production activities [13]. In addition, the successful implementation of software projects by domestic IT companies requires thorough scientific research on the improvement of risk management methods and techniques and their detailed analysis [13,14], which would be based on international experience, as well as take into account the peculiarities of crisis situations in the country.

It is also emphasized that the proposed by the standards risk management models mostly contain recommendations that are not formalized, lack specific instructions based on quantitative estimations, and can allow ambiguous interpretation, which can lead to insufficient results. In addition, the practice of modern software companies requires relatively simple and reliable instruments for risk losses estimation and minimization. Thus, the topic of our research is relevant and important.

The goal of the work is to build formalized model for minimizing risk losses and to implement it into practice of the software project design.

As we mentioned above, there are different models for software design risk management, among which the SEI (Software Engineering Institute) model, proposed by the Carnegie-Mellon Software Engineering Institute, has become the most widely used. This model contains both the requirements of the standards of software development, as well as the known best practical recommendations for preventing and mitigation the risks of software project implementation. However, the SEI model is presented in the form of text recommendations and their performance. Therefore, it causes its specific use and free interpretation of the obtained results, which calls the needs for more strict and formal methods application.

In this context, the special focus in the recent studies is made on the issues of formalization of the risk management processes and the ways of such formalization [ 9, 12, 13 ]. The researchers and practitioners develop different approaches to building mathematical models for the efficient risk management in software design with their potential implementation.

Understanding the risk as a probability of a situation that can lead to a loss of expected profit, or an event that can threaten the success of a software project realization, the researchers [14, 15] detailed the typical stages of the software risk management (risks identification, analysis, planning, and monitoring) and managed to build formalized model of the process of risk management at software design. The researchers shaped the set of possible sources of potential software development risks and defined the probability of their identification: { { ̅̅̅̅̅̅̅̅ } ̅̅̅̅̅̅̅̅ }, where

is a probability of identification of the j-th source of potential risk arriving from their ith set; 0(0,01)1 – the range of the probability values from 0 to 1 with the step 0,01; is a number of the sources of potential risk arriving in the i-th set; and is a number of the sets of the existing sources of potential risks arriving at the software design.

Based on that it was built a formalized model of identification of potential risk events of the relevant set at software development: ̃ {

̅̅̅̅̅̅̅} Then, it was obtained a formalized model of identification of total potential risk events: ∑

∑ ∑ (1) (2) (3) (4) (5) where is a probability of identification of risk events from the i-th set. Finally, it allowed to build the model of total probability of all potential risk events identification:

It was also shown that at the stage of the risks analysis, it is necessary to examine identified risks and to range them in terms of their importance. The probability of arriving of each risk event is estimated, and the consequences of their possible damages are evaluated in 10-balls scale. Their product characterizes the importance of each risk event. It was built formalized model for determining the total probability of occurrence of potential risk events:

where is the average value of the probability of occurrence of the risk events of the i-th set of them.

Thus, for the stage of risks analysis, there were built the formalized models for: determination of the probability of occurrence of potential risk events; distribution of the realization costs the software project according to the set of potential risk events; revealing the share and amount of possible losses from the arriving of potential risk events as a mathematical expectation of loss. The rules for setting priorities for responding to a potential risk event in software designed have also been suggested.

In similar way, there was formalized risk management processes at the stages of planning, and monitoring [15], which allowed to specify the measures for prevention or neutralization software development risks; to improve the methodology for determining the probability of reducing various risk events; to determine the rules and policies of software project implementation.

Different approach to building formalized models for the efficient risk management in software design is offered in [16, 17, 18]. In particular, it is suggested logical and algebraic modeling approach which enables to obtain the model for risk impact estimation. Understanding risk estimation as a complex of measures to anticipate the possibility of getting additional income (or some damage from the risk event arriving) followed by the measures to prevent the risk, the researchers [16, 17] present the model for risk impact estimation as a function F of assessment of the consequences of a risk event F = f (Pr, C) with the arguments Pr (probability of a risk event arriving) and C (potential consequences of a risk occurrence). This enabled to formalize the algorithm of risk estimation and to reveal the problems of the instability of risk factors and needs for deep analysis of the initial information and the risk factors as well.

In the context of our research, there is also relevant to consider the works devoted to the formalization of risk reduction and building its model. For instance, the works [ 9, 19 ] present the way of modeling, based on the identifying risk factors by introducing different observational and involvement factors of software design.

The researchers emphasize that involvement factors (cost, time, amount of involved human and computational resources) are deterministic and refer to the complete software development cycle, whereas the observational factors have limited scope. The presented risk reduction model offers different combinations of resources distribution and effectively handles the software design risks even for large-scale projects. It was investigated and proved that the reduction of software failures positively affected the software development environment [19].

The learning of recent studies on the problems of modeling and formalization of risk management in software design testifies the high importance of the issues of costs saving and optimal resources distribution on purpose of losses reduction on condition of risk events occurrence [18, 20, 21, 22]. In particular, it is emphasized the importance of quantitative methods application to the stage of the risk analysis. Among the quantitative methods special attention of the practitioners is focused on the optimization method [ 11, 12, 22, 23 ], which causes the importance of optimization models building, implementation and investigation.

There are studies where optimization methods are discussed in terms of their application to the risk estimation and analysis. In particular, the researchers prove the relevance of linear programming using for the building of risk assessment models and demonstrate the efficiency of this approach for the exact cases of risk estimation. For example, the case in software academic projects is presented and analyzed in [24], where linear programming technique for risk estimation focuses on the project cost and workforce of the project, ensuring that budget do not exceed computed cost index. The efficacy of the technique in risk minimization on software based projects was tested and confirmed, which allows to conclude the relevance of such an approach to manage risks on software based projects.

Other related papers present successful using of linear programming technique for optimization of resources distribution on purposes of common risk management [25] along with the analysis of the built mathematical model, emphasizing the issues of the model sensitivity, the ways of its testing and investigation [26, 27].

Thus, the held analysis of recent studies and practical evidence, confirm the urgency of the formalization of the risk management process and make necessary theoretical background for building and implementation of optimization models for risk management in software design.

Based on the approaches to the of formalization of the risk management processes and the ways of such formalization covered in the recent related works and highlighted above [15, 16, 24, 25], in our work it was formalized the task of minimization of potential risks losses at the software design and development.

As a quantitative method of risk analysis which is provided after the risks identification, it was used the optimization method with the application of linear programming technique, based on the conclusions and cases presented in [24, 25].

The general problem of linear programming is formulated as follows: it is necessary to find the vector x = (x₁, x₂, n..). wхhich provides the extremum (maximum or minimum) value of the objective function f (x), provided that the components of the vector x (decision variables) belong to some domain G. In terms of linear programming, the objective function f (x) is a linear function, and domain G is determined with a system of constraints (the limitations for decision variables expressed in the mathematical form regarding available resources) [26].

Based on the general formulation of a linear programming problem, the problem of minimization of risk losses for the improvement of software design processes should be formulated as follows.

Let us consider the vector x which consists of decision variables that are resources (x₁, x₂, ...n) oxf a software project.

Let us also define:  Pi as a probability of risk occurrence for the i-th resource,  Ci as a value of losses per unit of the i-th resource associated with the risk occurrence,  i as a number of a project resource.

Then, total risk estimation R can be expressed as , (6) and we obtain the vector R=(r1, r2,…rn) of the risks associated with the resources project.

Thus, mathematical model of the problem of risk losses minimization is formulated in such a way. It is necessary to determine the amount of each resource to be allocated for the project so that the objective function F(x) (the cost of compensation for the risks consequences (risks losses)) is minimal (7). x₁n,ofxt₂h,e ... x

At the same time, a system of constraints on the availability of resource reserves (ARi) and their ratio which is formulated for each specific project based on its scale and features as well as on the basis of the analysis of identified risks, must be implemented. The system of constraints is formulated in the form of inequalities, which can be generally presented, for example as (8).

( ) (7) (8)

We would like to emphasize that the system of constraints for each specific project has to be built in accordance with the essence of decision variables, projects peculiarities, and results of the risks identification, which will be clarified in terms of exact problem.

In terms of the scope of the built general mathematical model, it can be used to solve exact practical tasks of risk losses minimization in the course of software development.

The general mathematical model of the problem of risk losses minimization at the software design (presented above) was implemented into the risk management practice of the exact project of an application development.

As a case of such a project, it was taken Team Stream mobile platform for online yoga and fitness classes which provides coaches and trainees with necessary facilities. The said software project was developed according to the iterative model in which the development is conducted based on initial requirements that are clearly defined, and subsequent features are added to this base software product through iterations until the final product is completed. The iterative development model expects splitting a major project into smaller chunks [ 5, 13 ]. It allows to start with the minimum requirements and iteratively design a portion of the software product. Then, the prototype is examined again for any extra requirements and the rest of the planning, requirement analysis, deployment, and maintenance are provided. According to studies, this helps in identifying and mitigation risks associated with the requirements at early stages.

At the initial stage of risk management, the risks were identified based on the SWOT-analysis of the Team Stream project and understanding the risk as a probability of a situation that can lead to a loss of expected profit, or an event that can threaten the success of the project realization.

There were revealed the set of the threatens along with the relevant project resources which are associated with the said threatens (Table 1).

After the risks identification, the probability Pi of their occurrence in the project for each of the resources xi and the costs of risk losses Ci per unit of each resource were estimated using the method of expert evaluations. Among the involved experts there were project manager, customer representative, business analyst, test manager, and lead developer. The evaluations (probabilities of occurrence and costs of risk losses) of potential threatens collected in an interactive mode from each of the experts were stored in a database, which can be accessed using the appropriate software tool.

Obtaining evaluations from the experts was done in the form of their survey using a ranked scale for each potential threaten of the project development, taken into account through the corresponding coefficients of their importance weigh.

The results of the experts evaluations of the probability Pi of the risks occurrence in the project for each of the resources xi and the costs of risk losses Ci per unit of each resource are given in the Tables 2-3.

At the next stage of the risk analysis of the project design, the obtained experts evaluations were used in order to calculate the coefficients ri of the objective function F(x) on the general mathematical model of the problem of risk losses minimization (presented above). According to the formula (6), there was obtained vector R = (6, 10, 15, 10,5, 12).

In such a way, the general model was implemented for the case of our project: it is necessary to determine the amount of each resource to be allocated for the project so that the objective function F(x) (the cost of compensation for the risks consequences (risks losses)) is minimal (9).

At the same time, the system of constraints (10) for all the resources xi (characterized in Table 1) has to be fulfilled:

Here it is essential to emphasize that the system of constraints (10) was built based on the analysis of the availability of resources reserves on the project, their ratio and regarding their economic and physical meanings:  all resources must be positive (constraint 10.1)

P2 0,22 0,75 0,53 0,5 0,2 0,44

C2 36 25 14 34 16 25

P3 0,75 0,23 0,5 0,33 0,7 0,5 C3 24 36 30 20 40 30 ( ) ₁ x₁ x₁ x₁ x₃ x₂ x₂

x₃ x₂ x₂ x₂ x₂

x₄ x₅ x₃ x₅ x₄700 x₃ x₅ x₄500 x₃ x₅ x₄

The paper is devoted to the important issues of risk management at software development and urgency of formalization of this process stages. The recent studies analysis testified that the proposed risk management models mostly contain non-formalized recommendations, do not provide specific instructions based on quantitative estimations, which allow ambiguous interpretation and can lead to insufficient results. Besides, the practice of modern Ukrainian software companies requires relatively simple and reliable instruments for risk losses estimation and minimization.

In the progress of work, based on the relevant theoretical framework, the problem of risk losses minimization of software design is formalized, and the general mathematical model of such a problem is built in terms of linear programming: the vector of decision variables (software project resources) is determined, the objective function as the cost of compensation for the risks consequences (risk losses) is built, and the system of constraints is shaped. In terms of the scope of the built general mathematical model, it can be used to solve different practical tasks of risk losses minimization in the course of software development, which makes its essential scientific contribution.

In particular, the said general model was implemented in the practice of the risk management of real software project. The results of the model implementation are highlighted. The project risks are identified along with project resources associated with them. The probabilities of risks events occurrence and costs of potential risk losses are determined. The specific objective function for exact software project is defined, and the certain system of constraints is built based on the analysis of the availability of resources reserves on the project and regarding their ratio and economic meanings.

The obtained linear programming task was solved, which allowed to get relevant project resources allocations to minimize the costs of potential risk losses. The results analysis was held which testified unambiguity of quantitative estimates that meet the project requirements in terms of the resources availability and ratio, and does not contradict iterative model of software development chosen for the considered project. The said quantitative estimations for the project resources allocation enable to elaborate specific strategy for risks responses and mitigation of potential risks associated with each of the project resources.

Thus, in the progress of work there were achieved its goals. The scientific value of the work is seen in the obtained by the authors formalized general mathematical model of the problem of risk losses minimization in software design. Besides, it is demonstrated how the general model can be implemented in practice of risk management process of the real domestic IT company. The results of the built model probation on exact case of software project development proved its relevance and efficiency.

The prospects of the research are outlined in the lines of estimation of the general model sensitivity to all risk factors.

[13] Yu. Hrytsiuk, E. Nemova, Peculiarities of formulation of requirements to the software,

Scientific Bulletin of UNFU 28(7) (2018) 135–148. doi:10.15421/40280727. [14] Yu. Hrytsiuk, M. Zhabych Risk management of implementation of program projects,

Scientific Bulletin of UNFU 28(1) (2018) 150–162. doi:10.15421/40280130. [15] V. S. Dalyavskyy, Yu. I. Hrytsiuk, Formalization of the risk management process of software development, Scientific Bulletin of UNFU 28(11) 2018 135-153. doi: 10.15421/40281124. [In Ukrainian]. [16] K. Al-Husseini, A. Obaid, Analysis and risk management in software development using the logical-algebraic model, International Journal of Engineering Technologies and Management Research 5(10) (2018). 117-122. doi: 10.5281/zenodo.1491903. [17] M. A. Akbar et al., Improving the quality of software development process by introducing a new methodology–az-model, IEEE Access 6 (2018) 4811-4823. doi: 10.1109/ACCESS.2017.2787981. [18] K. O. Al-Husseini, A. H. Obaid, Development of risk management tools in questionanswering based software design environment, International journal of computer science and mobile computing IJCSMC 7 (6) (2018) 165 – 174. [19] B. Shahzad, Fazal-e-Amin, A. Abro, M. Imran, M. Shoaib, Resource optimization-based software risk reduction model for large-scale application development, Sustainability 13 (2021) 2602. doi:10.3390/su13052602. [20] A.S. Filippetto, R. Lima, J. L. Barbosa, A risk prediction model for software project management based on similarity analysis of context histories, Information and Software Technology 131 (2021) 106497. doi:10.1016/j.infsof.2020.106497. [21] I.A. Papazoglou, O.N. Aneziris, L.J. Bellamy, B.J. Ale, J. Oh, Multi-hazard multi-person quantitative occupational risk model and risk management, Reliability Engineering and System Safety 167 (2017) 310—326. doi: 10.1016/j.ress.2017.06.019. [22] A. Pitangueira, P. Tonella, A. Susi, R. Maciel, M. Barros, Risk-aware multi-stakeholder next release planning using multi-objective optimization, Requirements Engineering: Foundation for Software Quality 9619 (2016). doi: 10.1007/978-3-319-30282-9-1. [23] M. Sepczuk, Z. Kotulski, A new risk-based authentication management model oriented on user's experience, Computers & Security 73 (2018) 17—33. doi:10.1016/j.cose.2017.10.002. [24] O. Aru, K. Adimora, Application of linear programming for the optimization of software risk assessment model (OSRAM), Journal of Research and Innovations in Engineering 5 (1) (2020) 118-126. [25] D. Ridley, F. Llaugel, I. Daniels, A. Khan, Study on linear programming in risk management, Novel Research Aspects in Mathematical and Computer Science 1 (2022) 151161. doi:10.9734/bpi/nramcs/v1/15923D. [26] D. Ridley, A. Khan, Randomized constraint limit linear programming in risk management, Journal of Applied Mathematics and Physics 8 (2020) 2691-2702. doi: 10.4236/jamp.2020.811199. [27] M. Panik Linear Programming and resource allocation modeling. John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA, 2019.