presentation from june 2002 dinner meeting
TRANSCRIPT
-
8/9/2019 Presentation from June 2002 Dinner Meeting
1/17
-
8/9/2019 Presentation from June 2002 Dinner Meeting
2/17
2
Risk Management is Popular!Risk Management is Popular!
Risk management is the best of the best
practices
Then, why arent you doing it?
Risk management is just project
management for adults
If you arent doing it, you must not be
mature
Whats wrong, are you afraid to behave like
a grown-up and face your risks?
-
8/9/2019 Presentation from June 2002 Dinner Meeting
3/17
3
What could possibly be risky
about risk management?
What could possibly be risky
about risk management?
Risk/Reward Law of Economics (1)
Great gains are accompanied by taking
great risks.
If risk management is so powerful, it likelyinvolves significant risks.
Sources of risk for risk management
Human weaknesses
Model weaknesses
Implementation weaknesses
-
8/9/2019 Presentation from June 2002 Dinner Meeting
4/17
4
What is a risk?What is a risk?
Definition
A risk is an event or condition which might
occur in the future and which might result in
a negative impact or failure
Risks are:
A natural byproduct of taking on
opportunities, especially unique, creative,
innovative, unexplored opportunities
Not problems - problems are negative
impacts that have already occurred or are
certain to occur
-
8/9/2019 Presentation from June 2002 Dinner Meeting
5/17
5
Human FactorsHuman Factors
Risks are negative events (failures or
losses) which might occur in the future
Negative information is very powerful (i.e.
lessons learned, peer reviews, qualitymeasurement, testing, risk assessment) but
also very volatile
People work in competitive environments
Negative information can be useddestructively by the competition
-
8/9/2019 Presentation from June 2002 Dinner Meeting
6/17
6
People often do not deal well with negative information(2)
John M. Rusnak hid millions of
dollars of trading loses to avoid
telling his boss he made a
mistake
Irish Bank Hit by Fraud
How to Lose $750m
Human Factors - ExampleHuman Factors - Example
-
8/9/2019 Presentation from June 2002 Dinner Meeting
7/17
7
Human Factors - contdHuman Factors - contd
Some will distrust the risk management
process
Some will go overboard Chicken LittleSyndrome(3)
Impacts: failure to identify and manage important risks; reduced
benefit of risk management; potential for termination of project or
personnel
-
8/9/2019 Presentation from June 2002 Dinner Meeting
8/17
8
Mitigating Human Factor RisksMitigating Human Factor Risks
Change the culture
Develop a project and organizational culture
that deals constructively with all forms of
negative information especially risks
Include positive information to balance thenegative
Keep two sets of books
Politically correct risks vs. politically sensitive
risks undesirable but sometimes unavoidable
Dont call them risks
This is not easy and will take time and effort
-
8/9/2019 Presentation from June 2002 Dinner Meeting
9/17
9
Model WeaknessesModel Weaknesses
Probability and Impact values
are based on subjective
professional opinion
Unfortunately, there are fewother options
Potential for political influence
Impact categories are non-
linear(4)
Impact types are not
independent
Risk Radar is a typical
risk model
-
8/9/2019 Presentation from June 2002 Dinner Meeting
10/17
10
Model Weaknesses - contdModel Weaknesses - contd
Ultimate impacts are difficult to predict
Actual impact to the project can occur
through multiple decision paths some with
worse impacts than others Connection to associated opportunity is
missing
Prevents consideration of opportunity
maximization as a strategy instead of onlyrisk mitigation(5)
-
8/9/2019 Presentation from June 2002 Dinner Meeting
11/17
11
Model Weaknesses - contdModel Weaknesses - contd
Risk exposure is treated as a metric
In most cases it is not a metric
Thresholds are inappropriate
Comparison of risk exposure between
projects is unreliable
Threat time frame is not considered in
risk prioritizationImpacts: unreliable information is used in decision making;
people do not trust the model; risk management fails to provide
value to the project
-
8/9/2019 Presentation from June 2002 Dinner Meeting
12/17
12
Mitigating Model WeaknessesMitigating Model Weaknesses
Include associated opportunity when
evaluating and mitigating risk
Focus on the strengths of the model
Identification and prioritization
Recognize its weaknesses
Risk exposure is not a metric
Focus efforts on the Top N risks(6)
The purpose of the model is to help you make informed decisions
not to make those decisions for you
-
8/9/2019 Presentation from June 2002 Dinner Meeting
13/17
13
Implementation WeaknessesImplementation Weaknesses
Risks are poorly defined
Problems are misidentified as risks
Initiating event, the intermediate impacts, and
ultimate impacts are unclear
A Risk Officer or a Risk IPT is made
responsible for risk
A thankless job that deals only with negative
information
No ability to influence associated opportunities
-
8/9/2019 Presentation from June 2002 Dinner Meeting
14/17
14
Mitigating Implementation
Weaknesses
Mitigating Implementation
Weaknesses
Use If-Then format for describing risks
Use the Risk IPT to promote risk
management, not to manage risk
Risk management training and consulting
Help risk identification, prioritization and
communication
Infuse risk management throughout the
entire organization
Risk management must be performed by those responsible for
the associated opportunities
-
8/9/2019 Presentation from June 2002 Dinner Meeting
15/17
15
Purpose of risk managementPurpose of risk management
Assist proactive, rational decision
making
Temper enthusiasm with skepticism
Programmers and engineers are inherently
optimistic problem solvers
They need a reality check
Identify top threats to the project
The purpose of risk management is not to eliminate risk - if you
eliminate risk you eliminate opportunity
-
8/9/2019 Presentation from June 2002 Dinner Meeting
16/17
16
RecommendationsRecommendations
Develop a culture which deals
constructively with negative information
It will take time and will be hard to do
Do not separate risk management fromopportunity management
Risks and opportunities are inherently linked
You cannot manage one without impacting
the other
Recognize model limitations
Managing risk metrics is of little value
-
8/9/2019 Presentation from June 2002 Dinner Meeting
17/17
17
ReferencesReferences
1. Gilb, T., Principles of Software Engineering Management, Addison
Wesley, 1988. See p72.
2. Bernstein, P. L.,Against the Gods, The Remarkable Storyof Risk,
John Wiley and Sons, 1998. See Chpt 16, The Failure of Invariance,
on how negative information seriously impacts decision making.
3. Young, R., Effective Requirements Practices, Addison-Wesley, 2001.
See p164-5 for strategies to combat negativism.
4. Jones, C., Assessment and Control of Software Risks, Prentice Hall,
1994. See Chpt 5 for risks associated with artificial categories.
5. Gilb, T., Competitive Engineering, draft to be published in 2002. See
fig 1.2, the risk strategy is to maximize benefits, not minimize risk.6. McConnell, S., Software Project SurvivalGuide, Microsoft Press,
1998. See p93-101 for his very realistic risk management model,
which focuses on the Top 10 risk list. We disagree on the value of a
risk officer.