presentation from june 2002 dinner meeting

8/9/2019 Presentation from June 2002 Dinner Meeting

1/17


2/17

2

Risk Management is Popular!Risk Management is Popular!

Risk management is the best of the best

practices

Then, why arent you doing it?

Risk management is just project

management for adults

If you arent doing it, you must not be

mature

Whats wrong, are you afraid to behave like

a grown-up and face your risks?


3/17

3

What could possibly be risky

about risk management?

What could possibly be risky

about risk management?

Risk/Reward Law of Economics (1)

Great gains are accompanied by taking

great risks.

If risk management is so powerful, it likelyinvolves significant risks.

Sources of risk for risk management

Human weaknesses

Model weaknesses

Implementation weaknesses


4/17

4

What is a risk?What is a risk?

Definition

A risk is an event or condition which might

occur in the future and which might result in

a negative impact or failure

Risks are:

A natural byproduct of taking on

opportunities, especially unique, creative,

innovative, unexplored opportunities

Not problems - problems are negative

impacts that have already occurred or are

certain to occur


5/17

5

Human FactorsHuman Factors

Risks are negative events (failures or

losses) which might occur in the future

Negative information is very powerful (i.e.

lessons learned, peer reviews, qualitymeasurement, testing, risk assessment) but

also very volatile

People work in competitive environments

Negative information can be useddestructively by the competition


6/17

6

People often do not deal well with negative information(2)

John M. Rusnak hid millions of

dollars of trading loses to avoid

telling his boss he made a

mistake

Irish Bank Hit by Fraud

How to Lose $750m

Human Factors - ExampleHuman Factors - Example


7/17

7

Human Factors - contdHuman Factors - contd

Some will distrust the risk management

process

Some will go overboard Chicken LittleSyndrome(3)

Impacts: failure to identify and manage important risks; reduced

benefit of risk management; potential for termination of project or

personnel


8/17

8

Mitigating Human Factor RisksMitigating Human Factor Risks

Change the culture

Develop a project and organizational culture

that deals constructively with all forms of

negative information especially risks

Include positive information to balance thenegative

Keep two sets of books

Politically correct risks vs. politically sensitive

risks undesirable but sometimes unavoidable

Dont call them risks

This is not easy and will take time and effort


9/17

9

Model WeaknessesModel Weaknesses

Probability and Impact values

are based on subjective

professional opinion

Unfortunately, there are fewother options

Potential for political influence

Impact categories are non-

linear(4)

Impact types are not

independent

Risk Radar is a typical

risk model


10/17

10

Model Weaknesses - contdModel Weaknesses - contd

Ultimate impacts are difficult to predict

Actual impact to the project can occur

through multiple decision paths some with

worse impacts than others Connection to associated opportunity is

missing

Prevents consideration of opportunity

maximization as a strategy instead of onlyrisk mitigation(5)


11/17

11

Model Weaknesses - contdModel Weaknesses - contd

Risk exposure is treated as a metric

In most cases it is not a metric

Thresholds are inappropriate

Comparison of risk exposure between

projects is unreliable

Threat time frame is not considered in

risk prioritizationImpacts: unreliable information is used in decision making;

people do not trust the model; risk management fails to provide

value to the project


12/17

12

Mitigating Model WeaknessesMitigating Model Weaknesses

Include associated opportunity when

evaluating and mitigating risk

Focus on the strengths of the model

Identification and prioritization

Recognize its weaknesses

Risk exposure is not a metric

Focus efforts on the Top N risks(6)

The purpose of the model is to help you make informed decisions

not to make those decisions for you


13/17

13

Implementation WeaknessesImplementation Weaknesses

Risks are poorly defined

Problems are misidentified as risks

Initiating event, the intermediate impacts, and

ultimate impacts are unclear

A Risk Officer or a Risk IPT is made

responsible for risk

A thankless job that deals only with negative

information

No ability to influence associated opportunities


14/17

14

Mitigating Implementation

Weaknesses

Mitigating Implementation

Weaknesses

Use If-Then format for describing risks

Use the Risk IPT to promote risk

management, not to manage risk

Risk management training and consulting

Help risk identification, prioritization and

communication

Infuse risk management throughout the

entire organization

Risk management must be performed by those responsible for

the associated opportunities


15/17

15

Purpose of risk managementPurpose of risk management

Assist proactive, rational decision

making

Temper enthusiasm with skepticism

Programmers and engineers are inherently

optimistic problem solvers

They need a reality check

Identify top threats to the project

The purpose of risk management is not to eliminate risk - if you

eliminate risk you eliminate opportunity


16/17

16

RecommendationsRecommendations

Develop a culture which deals

constructively with negative information

It will take time and will be hard to do

Do not separate risk management fromopportunity management

Risks and opportunities are inherently linked

You cannot manage one without impacting

the other

Recognize model limitations

Managing risk metrics is of little value


17/17

17

ReferencesReferences

1. Gilb, T., Principles of Software Engineering Management, Addison

Wesley, 1988. See p72.

2. Bernstein, P. L.,Against the Gods, The Remarkable Storyof Risk,

John Wiley and Sons, 1998. See Chpt 16, The Failure of Invariance,

on how negative information seriously impacts decision making.

3. Young, R., Effective Requirements Practices, Addison-Wesley, 2001.

See p164-5 for strategies to combat negativism.

4. Jones, C., Assessment and Control of Software Risks, Prentice Hall,

1994. See Chpt 5 for risks associated with artificial categories.

5. Gilb, T., Competitive Engineering, draft to be published in 2002. See

fig 1.2, the risk strategy is to maximize benefits, not minimize risk.6. McConnell, S., Software Project SurvivalGuide, Microsoft Press,

1998. See p93-101 for his very realistic risk management model,

which focuses on the Top 10 risk list. We disagree on the value of a

risk officer.

presentation from june 2002 dinner meeting

Documents