Home | Login | Recent Changes | Search | All Pages | Help

NotesSessionFour025

Hey, It?s 2004. Why is Risk Management Still Avant-Garde?
TimLister

Tim has been a commercial arbitrator for systems disputes for the last 20 years. All the disputes he arbitrated have been foreseeable; all had problems on both sides.

In our personal lives, we usually acknowledge and deal with risk. In a business environment, talking about risk is often taboo.

How much risk to assume depends on how big the reward for success is. We have no more certainty than weather forecasters, but their changing graphs are accepted, and they update the graphs more often than we do.

People do things that they see as making their lefes better. Many organizarions will embrace the illusion of control if they don't have control. In a "can do" organization, it is more important to make a commitment than to keep one. You may be told that you do not have a schedule because the end date is unacceptable. No try, no maybe, no negotiation. Enthuiasm is valued over reality. Can't cope with uncertainty. Demand clarity and certainty when they do not exist. Risk management is determing when is the best time to make a decision; it may be before you must make it. Make a decision at the most effective point, not the last possible one. At the point where you have all the information needed to make a decision, most of the choices will have disappeared.

If you don't manage risk, time will manage it for you.

Identify risks, not symptoms of risk or possible outcomes.

If the risk is enormous, it may be treated as an assumption: "this situation will not happen". An assumption is a risk which must be handled at a level above you.

In the office, we deny the possibility of failure, and therefore of risk. In reality, the earlier we kill the failures, the better off we are.

What are the alternatives to leaving and doing nothing?

Risk Patterns:

XP/Agile:

  • extreme incrementalism
  • rapid feedback
  • no schedule risk (no overall schedule)
  • all steering and no projectile
  • change control risk is handled
  • ability to discuss what is true
  • down side - architecture emerges rather than being planned. The client does not know the technology well enough to always know best.

Games:

  • about 1 time in 5 a game is delivered to the market
  • motion to the board
  • rough prototype
  • clean prototype
  • develop
  • market
  • can cancel and cut losses at any point
  • recognize that they do research and develop work
  • at each stage, there is a real go/no go decision
  • failure is not demotivating here
  • they play competitors games all the time, while staff watch all the features, not just the main action. What do thecompetitors do that you can't? The risks here are from the competitors.
  • they recognize that 1 success pays for several failures.

We are willing (even happy) to work on risky projects IF the risks are recognized and acknowledged, and failure is acceptd as a possibility.

Management wants a "toast model" - we give you bread, heat and time, you produce toast on schedule.

The risk of the customer or staff not accepting the system is seldom acknowledged. Political risks are seldom identified or acknowledged.

It is not risk management unless you plan to do something.

Naming a risk often confers ownership.

If an assuption is false or becomes false, someone above you must decide and or act. May need to assign ownership. Ask questions in interviews to identify how a company handles or blocks risk and to find any box they want you to stay in or only look into.

SherryHeinze 2004.11.16

Updated: Tuesday, November 16, 2004