We had a discussion with some it-agile colleagues about risk management in complex domains and if there is a relevant difference to complicated domains. Here is my current understanding.
Classical risk management in software development comes from waterfall-like approaches tailored for simple and complicated domains. In a nutshell, you create a list of all risks at the beginning of the project. Every risk has a probability and a potential damage. Multiplying probability by damage yields a kind of “risk cost” which is then used to prioritize the risks. After that we define countermeasures or mitigations for the risks. Here is a short introduction to classical risk management.
In my experience the focus of classical risk management is on creating a plan that can be executed without big surprises. And the second focus is on avoiding the risk to ensure project success.
For this traditional approach it is crucial to anticipate cause-effect relations. That is possible in simple and complicated domains but not in complex domains. Therefore traditional risk management is of limited value in complex domains (yes, I tried it for some years).
Feedback-driven approaches like Scrum have built-in risk management for a lot of typical risks:
- Does the software match customer needs?
- Will we deliver in time?
- Does the software scale?
- etc.
But we believe there is more to it. Let’s have a look at a story told by Don Reinertsen at the LSSC 2012 conference about fire fighting. Fire in forests behaves in a complex way. It is impossible to forecast what the fire will do in the near future. There is the influence of wind and rain and even the fire itself may create relevant wind.
The fire fighters do risk management in a when-then pattern. “When the fire crosses this boundary, then we will evacuate this town.” It is not possible to guarantee that the fire will cross this boundary. Therefore we make a plan to minimize damage, not to avoid the damage completely.
We think that this pattern of risk management is also applicable to software/product development. We identify the risks that may cause critical damage and where we need to react really fast. For these risks we create a plan for what to do when the risk becomes reality.
This is exactly what one of my clients did when the global financial crisis started. “When sales drop below this point we will reduce costs here and use money from another business area to avoid layoffs.”
With such a plan the appropriate preparations can be done in advance (e.g. not signing long-term contracts that bind a lot of money, and putting new investments on hold). And it creates a safe atmosphere for employees. They see that there is a plan and that this plan does not include layoffs.
Conclusion
In complex domains risk management is more “when X will occur we will do Y” than “to avoid X we will do Y”. (That doesn’t imply that the traditional approach has no place in complex domains. It is just less important.) But one thing stays the same: More important than risk lists are the collaborative discussions about risks with and within the team.
P.S.: I used the term “risk management” throughout this blogpost although I think it is misleading. Risks in complex domains can’t be managed. We can only prepare to be able to react accordingly. But so far I don’t have a better term. I’d love to see proposals in the blogpost comments.
P.P.S.: I’d like to thank my colleagues for the discussions about the topic, namely Arne Roock, Norbert Hölsken, Christian Dähn, Jens Coldewey, Sebastian Sanitz (and I hope that I didn’t forget anyone).