The purpose of this book is to identify, examine, understand, and manage risks associated with the development of computer-based information systems (CBIS). The first part of the book is a basic discussion of risks within system engineering and business environments as they relate to CBIS development. The second part deals with safety, security, subjective perception of risks, and future risk issues. As part of future risks, the author discusses a nonlinear model for software development used to address development risks.

In the first chapter, Charette concludes that risk analysis and management must be based not only on the problems inherent in the development methodology but also on problems in its business environment. Risk has to be understood from both the business perspective and the technological perspective. He states that “risk is caused by the lack of information, the lack of control, and/or the lack of time” (p. 19). Risks associated with systems development come from underperformance, undercapitalization, and an inadequate understanding of risk as it concerns the interrelationship between the CBIS and its business environment.

With the first chapter as its foundation, the second chapter examines risks within the business domain as they relate to software development. The third chapter looks exclusively at risks within the software development process itself. Since the business domain is an important source of risk, the fourth chapter investigates the types of risks associated with databases, decentralization, and control as they apply to relationships between the system and its business environment. The fifth chapter reviews risks in software safety, security, and operational and disaster recovery. The sixth chapter deals with the individual and subjective issues of risks. The final chapter looks at future risk issues and provides a complete overview of all major topics within the book.

The book is aimed at the software development practitioner and can be used as a guidebook within any software development methodology. It walks a fine line between literature aimed at practitioners and material for academics. It would be an important addition to the reading list of any advanced course in software development. The extensive list of references at the end of each chapter could be used to compile readings for a class. The author includes a series of questions that could be used for class discussion or individual research. The section on the future of risk engineering could be useful for research projects. Considered as a guidebook for practitioners, the author’s simple and elegant writing style along with the book’s content make it a complete reference for risk management. In addition, the detailed issue overview in chapter 7 enables the reader to quickly locate particular topics and would be welcomed by the busy practitioner. This book should be valuable to both groups.

Chapter 6 is devoted to a qualitative discussion of the perception and politics of risk. As the author states, “the concept of risk revolves much more around subjective perception frequently infused with emotion than objective reality” (p. 433). The chapter begins with specific examples in which risk was subjectively defined and relates the consequences. It includes a discussion, based on the work of cognitive psychologists, of 27 different perception biases. As a solution, the author proposes using the Delphi technique and probability encoding to filter these biases. He also discusses the risk-taking personality and the political perspective on risk.

Another theme that runs through the book is the contrast between the product and process development methodologies. The product methodology is typified by the waterfall methodology, in which specific phases are clearly defined and a linear progression from phase to phase is based on clearly identified products. The process methodology recognizes that no specific definition of system requirements exists and that the development can be specified by a spiral or nonlinear process. This discussion is concluded in the final chapter, where the author presents his methodology, which will address development risks. Both practitioners and academics will eagerly await a sequel in which the author can fully develop this methodology.

The book is a thorough treatment of risks associated with software development. It contains a wealth of references useful for following particular lines of argument. The book contains extensive quotes and examples, allowing the reader to follow the discussion easily. I agree with CharlesW. McKay that this book “presents pragmatic, proactive, decision-making guidelines for identifying, analyzing and managing opportunities and risks in the computer systems and software engineering of automated systems and their applications” (p. xiii).