4. The Case for Risk Management

“No plan survives contact with the enemy.”

—Field Marshal Helmut von Moltke

What our industry can learn from the DIA example is the potential cost of not managing risk. If the previous chapter succeeded, it has left you feeling that you definitely don’t want to not do this thing called risk management. But still, that may leave you a bit short of actively wanting to do it.

What may be required now is a carefully reasoned review of the case for risk management. Presented below is our definitive list of the reasons risk management deserves to be an integral part of your management toolkit.

Risk Management Makes Aggressive Risk-Taking Possible

The reason risk management is hard to do in a typical corporate culture is that it encourages you to deal explicitly with uncertainty. With risk management, you may find yourself telling your client how a risk analysis shows that the window of uncertainty around the delivery date goes all the way from an early, entirely satisfactory date to a range of dates that lie well beyond what he or she may be willing to consider. (In the past, you would probably have just cited the acceptable date and crossed your fingers.)

Of course, there is a chance that the client will walk away when you reveal the extent of the unknown. He or she may be so used to hearing impossible promises—delivery dates guaranteed with great precision at project inception—that your failure to provide one just seems weird.

In the past, you may have resorted to some little white lies to deal with this situation. But people who have been lied to before tend to become cynical. They come to understand that even the most confidently stated outcome is just a shot in the dark. That’s the bad rep we software project managers have earned.

To understand how this affects a project’s chance of getting started, reverse the situation for a moment. Put yourself in that client’s place. Now you’re the one seeking someone else to build software for you, software that you urgently need. The project manager who’s proposing to do this for you is a likable chap, but he often promises to deliver on a given date and then fails to make it. When he says, “Fine,” you hear, “Unlikely.” Well, maybe you can live with that. Maybe the uncertainty that you automatically attach to whatever he says is acceptable to you for this project. But suppose not. Suppose the downside of lateness is just too great. What recourse do you have but to choose not to do the risky project? Another opportunity lost.

Project managers often tell us that their clients would never do any projects if they understood the downside. Such managers see themselves as doing a positive service to their clients by shielding them from the ugliness that lies ahead. Concealing the potential for delay and failure, as they see it, is a kindness that helps clients marshal sufficient gumption to give the go-ahead. Then, the project can very gently introduce them to bad news, a little bit at a time, as it happens.

The problem is that such clients have memories. They remember other projects that started off with rosy scenarios and soon went sour. The result is that they expect the worst and become risk-averse.

Instead, imagine that a software project manager approaches you and makes a clean breast of his uncertainty about your proposed project: “Look, there are unknowns here, and we have catalogued the following eleven of them.” (Here, he shows you his risk list.) “Taken together, these unknowns give us a fairly wide window of uncertainty around the delivery date. Some of the dates within this window will probably be unacceptable to you. But here is our plan—already decided—for how we will act to contain and minimize the various downside risks, and here is how you will know at any point in the project how we’re faring.” If, in addition, he could show you past project records that showed how actual results conformed to the uncertainty assessments for those projects, you could begin to believe what you were hearing.

Now at least you know where you stand. You’re taking a risk, but you know how much risk. You can say yes. Your willingness to commit to a risky project is a direct function of how well you can logically conclude that the risks have been assessed, quantified, and confronted.

Risk Management Decriminalizes Risk

Can-do thinking pervades our industry. The direct result of can-do is to put a damper on any kind of analysis that suggests can’t-do. Without the explicit infrastructure of risk management, announcing a risk (particularly one that questions the fondest wishes expressed from on high) can put the announcer in an uncomfortable situation. He or she may be written off as a whiner, as someone with insufficient buy-in, or as a defeatist.

Risk management makes a limited amount of can’t-do thinking okay. When you put a structure of risk management in place, you authorize people to think negatively, at least part of the time. Companies that do this understand that negative thinking is the only way to avoid being blindsided by risk as the project proceeds.[1]

[1] We are indebted to our late colleague Paul Rook for his elegant observation that “risk management decriminalizes risk.”

Risk Management Sets Up Projects for Success

In the absence of explicitly declared uncertainty, achieving anything but the most optimistic imaginable result is a failure. Without risk management, projects have no way to distinguish between stretch goals and reasonable expectations. The result is that they adopt their stretch goals as schedule and then—since such goals are typically at the hairy edge of possibility—fail to meet them.

Sufficiently jaded stakeholders take steps ahead of time to assure that these failures don’t particularly inconvenience them. In fact, what the project perceives as a failure may be a success to the stakeholders (more later about this unfortunate dynamic). To project personnel, though, it still looks like a botch. People have little heart for work that leads them from one failure to another. The cost in morale, burnout, and poor employee retention is substantial.

So often, we see “failed” projects where there is good reason to believe that the managers are able and their people are competent to do the work they’ve been asked to do. If they weren’t, they all would have been shown the door long ago. When one project after another is declared a failure, that just proves that setup conditions for those projects were flawed. Risk management is a way to break this grim cycle by providing a set of meetable goals and schedules and engendering successful projects that look and feel successful from beginning to end.

Risk Management Bounds Uncertainty

If you find yourself marching along a battlefield strewn with corpses, you have a legitimate reason to fear for your own safety. You wonder, What did these poor dead guys learn at the end, that I may be just about to learn myself? Your fear may make you unwilling or even unable to carry on.

If, on the other hand, you have credible evidence that a hundred thousand of your fellow soldiers crossed this field without injury, and the score of bodies you see around you were the only casualties, that changes things substantially. There are still risks, but with such evidence, you can make a thoughtful and informed decision about how to proceed.

Bounded uncertainty may be daunting—it’s frightening to come to grips with how little we can be sure of!—but in its absence, we have something worse: boundless uncertainty. Boundless uncertainty makes people either risk-averse or foolhardy. Both are disasters.

Risk Management Provides Minimum-Cost Downside Protection

When you know the uncertainty, you know how much reserve you’ll need in order to give yourself sensible protection. The reserve is what you spend on mitigation plus what you hold back to fight fires when they occur.

A risk reserve is, by definition, time and money that you may not need. It takes guts to put a risk reserve into your schedule and budget. But not having one to deploy—as in the case of DIA—means that you will pay far more for the risks that do materialize.

Risk Management Protects Against Invisible Transfers of Responsibility

When there are multiple parties to a development effort (such as client, contractor, and subcontractor), some of the risks will typically accrue to each party. The guiding principle is that responsibility for a risk accrues to whichever party will have to pay for the undesirable outcome caused by that risk. Who pays is a contract matter, but remember that contracting is an imperfect and poorly understood art. Since no party can be confident of having responsibility for zero risks, all need to do some risk management.

In the absence of risk management, subtle transfers of risk responsibility may often go unnoticed. For example, when a client negotiates away a contingency fee that was meant to cover certain risks, responsibility for those risks has likely migrated from the contractor to the client.

Risk Management Can Save Part of a Failed Effort

Projects fail. More importantly, subprojects fail. If you’re managing a program of connected efforts, your first concern ought to be that the failure of one component doesn’t jeopardize the whole. Again, think of DIA. The overall program could have been buffered—at relatively low cost—from the failure of one element.

Risk Management Maximizes Opportunity for Personal Growth

Since companies that don’t manage risk effectively become risk-averse, it follows that they end up taking few risks and no big ones. That means they move into new territory either fitfully or not at all. This is bad for the company (it’s becoming a takeover candidate, at best), but it’s also bad for employees. No new directions means no personal growth.

Who needs to work for a company that doesn’t afford regular opportunities for growth? You won’t lose everyone because of this factor—only your best people.

Risk Management Protects Management from Getting Blindsided

Risk management doesn’t make problems go away; it merely assures that they won’t come at you from out of the blue.

What problems have beset projects that you were on, where you could honestly report that nobody could have seen them coming? Damn few, we’ll bet. There is almost always some warning before a problem crops up. We have trained ourselves not to look out for these warnings; risk management is trying to undo that training.

Risk Management Focuses Attention Where It Is Needed

Finally, risk management is a focusing mechanism, one that puts your resources where they belong. The opposite of risk management is reckless management. It makes your organization all offense and no defense. Your only winning strategy with that combination is to catch every conceivable lucky break. When luck becomes an integral part of your strategy, you know you’re in trouble.
