Risk Management in Complex Domains

We had a discussion with some it-agile colleagues about risk management in complex domains and if there is a relevant difference to complicated domains. Here is my current understanding.

Classical risk management in software development comes from waterfall-like approaches tailored for simple and complicated domains. In a nutshell, you create a list of all risks at the beginning of the project. Every risk has a probability and a potential damage. Multiplying probability by damage yields a kind of “risk cost”, which is then used to prioritize the risks. After that we define countermeasures or mitigations for the risks. Here is a short introduction to classical risk management.

In my experience the first focus of classical risk management is on creating a plan that can be executed without big surprises. The second focus is on avoiding the risk to ensure project success.

For this traditional approach it is crucial to anticipate cause-effect relations. That is possible in simple and complicated domains but not in complex domains. Therefore traditional risk management is of limited value in complex domains (yes, I tried it for some years).

Feedback driven approaches like Scrum have built in risk management for a lot of typical risks:

  • Does the software match customer needs?
  • Will we deliver in time?
  • Does the software scale?
  • etc.

But we believe there is more to it. Let’s have a look at a story told by Don Reinertsen at the LSSC 2012 conference about firefighting. Fire in forests behaves in a complex way. It is impossible to forecast what the fire will do in the near future. There is the influence of wind and rain, and even the fire itself may create relevant wind.

The firefighters do risk management in a when-then pattern. “When the fire crosses this boundary, then we will evacuate this town.” It is not possible to guarantee that the fire will stay within this boundary. Therefore we make a plan to minimize the damage, not to avoid the damage completely.

We think that this pattern of risk management is also applicable to software/product development. We identify the risks that may cause critical damage and where we need to react really fast. For these risks we create a plan for what to do when the risk becomes reality.

This is exactly what one of my clients did when the global financial crisis started. “When sales drop below this point, we will reduce costs here and use money from another business area to avoid layoffs.”

With such a plan the appropriate preparations can be done in advance (e.g. not signing long-term contracts that bind a lot of money, and putting new investments on hold). And it creates a safe atmosphere for employees. They see that there is a plan and that this plan does not include layoffs.

In complex domains risk management is more “when X occurs we will do Y” than “to avoid X we will do Y”. (That doesn’t imply that the traditional approach has no place in complex domains. It is just less important.) But one thing stays the same: more important than risk lists are the collaborative discussions about risks with and within the team.

P.S.: I used the term “risk management” throughout this blogpost although I think it is misleading. Risks in complex domains can’t be managed. We can only prepare to be able to react accordingly. But for now I don’t have a better term. I would love to see proposals in the blogpost comments.

P.P.S.: I would like to thank my colleagues for the discussions about the topic, namely Arne Roock, Norbert Hölsken, Christian Dähn, Jens Coldewey, Sebastian Sanitz (and I hope that I didn’t forget anyone).


  1. Hi Stefan,

    I do not yet have a clear understanding of the difference between traditional risk management and ‘the new way’. In the old world, even in the most traditional environment like Pharma, the risk planning always involved – besides what you said (a risk description, potential damage and probability) – the so-called risk mitigation strategy: ‘If that risk happens to set in we will do XXX’

    Isn’t that what you said for the new approach? Also, I understood Don’s talk in a completely different way. In fact, to me the key sentence in the fire scenario was ‘You don’t just say this is a complex adaptive problem so we can’t create a plan’. So, this is where he built the bridge to a classical problem, enabling the people involved to work rationally on the problem – by ‘reducing’ the complexity.

    I kind of get a grasp of what you want to say, but I don’t yet get it from the description?

    All the best


  2. @Markus: These are just ideas/thoughts and I still try to get things more clear for me. So I don’t know exactly what I want to say 🙂
    I struggle with the mismatch between the theory and my personal experiences over the last 10 years, where classical risk management didn’t provide much value. (And of course it may be the case that I and the persons I worked with just did it wrong.)
    Perhaps risk management is just like classical risk management with a slightly different focus.

  3. As an add-on, here is a nice, short summary of Don’s talk, which in parts shares your conclusion on ‘risk management’ (he calls risk ‘uncertainty’):

    “Don Reinertsen rocked the main stage with his talk on decentralizing control. Taking examples from the US military and the forest fire service, there are too many takeaways to list, but here are my top three:

    The important communication is lateral, and not from the top.
    You have a duty to disagree if you believe otherwise.
    If you think you can eliminate uncertainty, you’re delusional.”

    Taken from David Anderson’s website:

  4. As with many things, I think ‘reasonable’ old school guys did many things right, even in risk management. Idiots did the right things blatantly wrong. Today we see good guys doing agile things right and idiots doing great agile things wrong. Your best example, I guess is the symptom of the ‘Scrum Schauspieler’ 😉

    Shameless PR: I guess Arne and me will have to do the ‘Project vs. Product’ talk somewhere where you can share it; we talk a lot on how we could come from doing the wrong things better to doing the right things right 😉



  6. Stefan, I like your article, especially the conclusion “risk can’t be managed”. The blogpost makes me think about:

    * It is likely that activities such as “risk management” disproportionately affect complex systems more than they prevent risks.

    * “risk management” reminds me of the “Culture of fear”:

    Click to access fearessay-20070404.pdf

    * bicycle helmets seem to be an interesting example – this still puzzles me: http://www.youtube.com/watch?v=07o-TASvIxY
