Ever since developing the SARM spreadsheet tool, I’ve been uncomfortable about its use of a calculated average risk score for aggregating risk. On its own, an average score for risk is almost completely meaningless – a larger number of low risks does not, in any way, diminish the significance of existing high risks. Provided the underlying base is the same, it can provide a decent basis for comparison, which is how it is used in the SARM spreadsheet. But the numbers cannot be compared between different SARM models – the number of requirements/scenarios will affect the spread of average risk scores, so comparison will only be valid within the same model. Anyone who has attended the Architecture Analysis course will be aware of these concerns – I repeatedly warn participants of the danger of looking at average scores.
So I’ve finally decided to explore how best to aggregate risk scores from scenarios to sub-characteristics to characteristics, and to stakeholders and to an overall conclusion, without using averages. I have a good prototype – still Excel-based. It goes back to the traditional way of using a risk model, with tolerance thresholds determining whether an individual risk score is Red, Amber or Green. The model is defined by the user in a separate tab.
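The dilution effect and a threshold-based alternative, as an added example in Python (not the SARM spreadsheet's own logic). The 1-25 score scale, the threshold values, the "worst status plus counts" rollup rule and the sample characteristic names are all assumptions made for illustration.

```python
from collections import Counter
from statistics import mean

# Assumed thresholds on an assumed 1-25 score scale; in the tool the
# risk model is defined by the user.
AMBER_FROM, RED_FROM = 8, 15
SEVERITY = {"Green": 0, "Amber": 1, "Red": 2}

def rag(score):
    """Classify one risk score against the tolerance thresholds."""
    if score >= RED_FROM:
        return "Red"
    if score >= AMBER_FROM:
        return "Amber"
    return "Green"

def flat(tree):
    """All scenario scores beneath a node (leaves are lists of scores)."""
    if isinstance(tree, list):
        return list(tree)
    return [s for sub in tree.values() for s in flat(sub)]

def average(tree):
    """The 'old' aggregate: mean of every scenario score under the node."""
    return mean(flat(tree))

def rollup(tree):
    """Aggregate without averaging: Red/Amber/Green counts plus the worst
    status found anywhere beneath the node (assumed rollup rule)."""
    if isinstance(tree, list):
        counts, children = Counter(rag(s) for s in tree), {}
    else:
        children = {name: rollup(sub) for name, sub in tree.items()}
        counts = sum((c["counts"] for c in children.values()), Counter())
    worst = max(counts, key=SEVERITY.get) if counts else "Green"
    return {"counts": counts, "worst": worst, "children": children}

# Constructed models: the same two high risks, different numbers of low risks.
small = {"Security": {"Confidentiality": [20, 3], "Integrity": [16, 2]}}
large = {"Security": {"Confidentiality": [20, 3, 2, 2, 1, 3],
                      "Integrity": [16, 2, 1, 2, 3, 1]}}

if __name__ == "__main__":
    for name, model in (("small", small), ("large", large)):
        r = rollup(model)
        print(f"{name}: average={average(model):.2f} "
              f"({rag(average(model))}) worst={r['worst']} {dict(r['counts'])}")
```

Both models carry the same two Red scenarios, yet the average drops from the Amber band to the Green band as low risks are added, while the rollup still reports two Reds at every level.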
To read more about the differences between “New SARM” and “Old SARM”, click here.
If you want to give it a try, please reach out to me at info [at] sarm [dot] org [dot] uk.