Thursday, August 19, 2010

Traditional Risk Management Doesn't Work

Last week I attended a presentation on Risk Management, given by Karel de Bakker from the University of Groningen. Mr. De Bakker is doing research on "the effectiveness of risk management practices on perceived successfulness in software development projects". The one thing that struck me most was the following comment in his presentation:

The traditional rational decision model for risk management does not seem to work well.

The first thing that came to my mind was: Well of course, I would have been surprised if it did!

The standard risk management process (risk identification, planning, mitigation, etc.) seems to assume that there is some sort of linear relationship between identifying potential problems and solving them. First, you identify a risk. For example: there's a slight chance that your software developers run off and join the Church of the Flying Spaghetti Monster, all of them at the same time. Second, you weigh the chance (small) and its impact on the project (huge). This results in a risk list with priorities for risk mitigation. Third, you will then try to mitigate this risk (or another one if it has a higher priority), assuming that this will move your project into a less risky situation.

I think this approach is a little too simplistic. Managing risks is more difficult than that. Software projects are complex systems, and therefore the system dynamics are nonlinear. This means that any attempt to change one part of this system will often have unexpected effects in other parts. And quite often you will not know if the new situation is going to be better or worse than the old one. Your attempt to block the web site of the Flying Spaghetti Monster may very well lead to other risks that are much worse, like the risk of your developers running off and becoming Creationists.

There are many well-known examples of unintended consequences of risk management in complex systems. Before any attempt at rewriting the rules for risk management in software projects, I think we first need to see and learn how risks are managed in those other systems.

No comments:

Post a Comment