Skip to main content

Evidence-based risk management in global software development projects

Final Report Summary - E-RISK (Evidence-based risk management in global software development projects)

The E_Risk project ( has the following overall aims: (1) support project managers in assessing the risks involved in Global Software Development (GSD) projects and to determine suitable risk mitigation practices including the provision of a project management tool; the risks and mitigation practices are to be identified through the use of a systematic literature review (SLR) , (2) train the incoming research fellow in evidence-based techniques (SLRs) and transfer the fellow’s knowledge in global software project management risk to the host institution, and (3) assess the extent to which expertise in a Software Engineering topic can be successfully combined with expertise in the SLR technique.

A major element of the first part of the project was the training of the incoming research fellow in evidence-based techniques through performing an extensive pilot SLR to gain experience in essential SLR techniques. This pilot study, a tertiary SLR, was a more extensive and time consuming piece of research than had been envisaged when the project was proposed as the number of SLRs in GSD had escalated in the period between the project application and its actual start. A conference paper [3], was the major outcome of this part of the study though three technical reports were also prepared [4-6]. The second year of the E_Risk project consisted of the following activities; (1) preparation, submission, and revision of a journal paper for a special issue of Information and Software Technology [7]; this was an extension of a conference paper presented at EASE 2012 [3]; (2) research collaboration and the preparation of a research paper with a group of Brazilian researchers [8] described further below; and (3) development of the SLR protocol [9], identification of appropriate papers, and data extraction for the global software development (GSD) SLR.

During the training study, as a result of meeting other GSD researchers we collaborated with a group of Brazilian researchers who had also developed a tertiary GSD SLR [1]. As the research they were conducting was very similar to our training study we decided to collaborate on joint research. The Brazilians had used a very limited search for their SLR. The identification of the research they included was through the use of a single search engine, SCOPUS; in comparison we had used seven digital libraries and search engines, in our training study. We were interested to compare their results with ours and to discover if it was possible to obtain similar results with a limited search strategy. Accordingly the collaboration resulted in a comparative research paper [8] which is yet to be submitted to a journal. The research showed that all appropriate GSD SLRs could be identified with the use of two search engines, SCOPUS and Google scholar. Hence for our main study we use just these two search engines plus snowballing for the identification of our GSD primary studies.

The main part of our research i.e. development of a SLR to identify risks and mitigation in global software development projects in order to provide advice to project managers within the EU has the following objectives:

1) To identify risks (challenges) relating to outsourced global software development within different contexts;
2) To provide advice for risk mitigation, i.e. strategies to minimise or mitigate risks.

Work on the earlier training study, which mapped GSD research, and provided a preliminary review of GSD risk and risk mitigation identified several factors that required exploration and precise definitions for our research protocol if we were to properly identify risks and mitigation strategies appropriate for a particular project. These included: (1) research quality. GSD literature is of rather mixed quality and primary papers of interest (i.e. those that may identify GSD risks and mitigation strategies) can be classified as case studies, surveys, lessons learned or experience reports. Poor quality research may not provide reliable results thus we needed criteria to classify the quality of GSD research papers included in the SLR with appropriate quality assessment criteria for each type of research paper. We were unable to identify any research that provided quality categorisation for the types of research of interest hence we developed our own quality criteria as shown in the protocol; (2) project context. Little attention has been paid to the identification of project contextual data, and hence we required a definition of ‘development context’ including a description of contextual factors that needed to be extracted. A paper by Smite et al [2] was identified as providing a useful basis for the classification of GSD context.

The protocol for the main SLR study was developed with particular emphasis on development context, quality assessment of primary studies and strength of evidence. Items of interest in GSD context definition include (1) organizational context including, location, type of legal entity involved (contractual or insourced), geographical distance, time zone difference; and (2) project context including size and type of software developed, type of development process (incremental, agile, waterfall etc), degree of success of the project, client motivation for GSD, number of sites, location of each site, rationale for division of software/components between development sites, work assigned to each site, contract/agreement type and contract details, and degree of success of the project. We are not be able to collect all of this data as much is not available in published papers hence we have restricted ourselves to size and type of project, type of software developed, development process and project activity by site (where possible).

For the SLR our research questions are defined as:
RQ1 How does outsourced GSD organizational and project context affect the occurrence of types of risks and project success? What is the empirical evidence for the relationship?

RQ2 For outsourced GSD projects what general risk mitigation strategies were effective for dealing with specific types of risk, and which mitigation strategies were effective for dealing with multiple types of risk? What is the evidence for these risk mitigation strategies?

The search string developed is (global OR distribut* OR outsourc* OR offshore* OR virtual OR nearshor*) AND (software engineering OR software development) AND (risk OR challenge OR problem) AND (case stud* OR lesson* OR experience report OR survey), and the search used two search engines, Scopus and Google scholar, followed by snowballing.

The inclusion criteria went through a number of fairly time consuming iterations. Initial searches identified over 1500 possible primary research studies. This was too great a number of research papers to deal with within the time available and with the project resources. Hence the inclusion/exclusion criteria were modified so that we only included GSD projects with a client company that outsourced its development to a different legal entity. The first part of the search process has been completed and 77 research papers have been accepted for inclusion. To date, data (risks and risks mitigation strategies) has been extracted from half of these papers by two researchers working independently.
The project will benefit the entire community by helping with risk identification and mitigation strategies for GSD projects enabling risks to be mitigated or avoided through the development of a set of risk guidelines with allied mitigation strategies. It will also contribute to European excellence in GSD project management leading to fewer large IT project failures. Indeed, it is expected that European organizations will be outsourcing more and more of their software development to vendors outside of Europe. The project will significantly impact on the high number of failures currently reported for GSD projects, the root cause of which is often related to project management. Hence, the project can assist European organisations in gaining business benefits by competing better internationally.
[1] A. B., Marques, R., Rodrigues, T Conte ( 2012) Systematic Literature Reviews in Distributed Software Development: A Tertiary Study. IEEE ICGSE, September, Brazil, pp. 134 – 143.
[2] D. Šmite, C. Wohlin, T. Gorschek, R Feldt, (2010) Empirical evidence in global software engineering: A systematic review, Empirical Software Engineering, 15 (1), pp. 91-118.
[3] J. M. Verner, O. P. Brereton, B. A. Kitchenham, M. Turner, and M. Niazi (2012) Systematic literature reviews in global software engineering development: A tertiary study. Proceedings of EASE 2012 Ciudad Real, May, IET, pp. 2-11.
[4] .J M. Verner, O P Brereton, B A Kitchenham, M Turner, and M Niazi (2012)Evidence-based Global Software Engineering Risks Extracted from Systematic Literature Review, TR-2012-01. ISSN 1353-7776. February .
[5] J. M. Verner, O. P. Brereton, B. A. Kitchenham, M. Turner, and M. Niazi. (2012c) Risk Mitigation Advice for Global Software Development from Systematic Literature Reviews, TR-2012-02. ISSN 1353-7776. February.
[6] J. M Verner, O P Brereton, B A Kitchenham, M Turner, and M Niazi. (2012) Protocol for Training Study: A Tertiary Study of Global Software Development Systematic Literature Reviews, TR-2012-03. ISSN 1353-7776. June.
[7] J. M. Verner, O. P. Brereton, B.A. Kitchenham, M. Turner, M. Niazi (2012) Risk and Risk Mitigation in Global Software Development: A Tertiary Study , In Press, IST, June 2013 doi:
[8] J. M. Verner, A. B. Marques, T. Conte, R. Prikladnicki, and O. P. Brereton (2013) A Comparison of Independent Tertiary Studies of Global Software Engineering Research, to be submitted to a journal.

Pearl Brereton
Professor of Software Engineering
School of Computing and Mathematics
Keele University, Keele, Staffs ST5 5BG UK
Tel: +44 (0) 1782 733079