Presentation From June 2002 Dinner Meeting


Managing the Risks of Risk Management

INCOSE Meeting
John E. Moore, Ph.D.
June 2002
Risk Management is Popular!

• “Risk management is the best of the best practices”
– Then, why aren’t you doing it?
• “Risk management is just project management for adults”
– If you aren’t doing it, you must not be “mature”
– What’s wrong, are you afraid to behave like a “grown-up” and face your risks?
What could possibly be risky about risk management?

• Risk/Reward Law of Economics (1)
– Great gains are accompanied by taking great risks.
– If risk management is so powerful, it likely involves significant risks.
• Sources of risk for risk management
– Human weaknesses
– Model weaknesses
– Implementation weaknesses
What is a “risk?”

• Definition
– A risk is an event or condition which might occur in the future and which might result in a negative impact or failure
• Risks are:
– A natural byproduct of taking on opportunities, especially unique, creative, innovative, unexplored opportunities
– Not problems - problems are negative impacts that have already occurred or are certain to occur
Human Factors

• Risks are negative events (failures or losses) which might occur in the future
– Negative information is very powerful (e.g. lessons learned, peer reviews, quality measurement, testing, risk assessment) but also very volatile
• People work in competitive environments
– Negative information can be used destructively by the competition
Human Factors - Example

[Figure: newspaper headlines about the Rusnak rogue-trading case]
Irish Bank Hit by Fraud
How to Lose $750m
John M. Rusnak hid millions of dollars of trading losses to avoid telling his boss he made a mistake
“Mr Middle America”
Stock Market Rocked
Rogue trader meets FBI

People often do not deal well with negative information(2)
Human Factors - cont’d

• Some will distrust the risk management process
• Some will go overboard – “Chicken Little Syndrome”(3)

Impacts: failure to identify and manage important risks; reduced benefit of risk management; potential for termination of project or personnel
Mitigating Human Factor Risks

• Change the culture
– Develop a project and organizational culture that deals constructively with all forms of negative information – especially risks
– Include positive information to balance the negative
• Keep two sets of books
– Politically correct risks vs. politically sensitive risks – undesirable but sometimes unavoidable
• Don’t call them “risks”

This is not easy and will take time and effort
Model Weaknesses

• Probability and Impact values are based on subjective “professional” opinion
– Unfortunately, there are few other options
– Potential for political influence
• Impact categories are non-linear(4)
• Impact types are not independent

[Figure: Risk Radar is a typical risk model]
Model Weaknesses - cont’d

• Ultimate impacts are difficult to predict
– Actual impact to the project can occur through multiple decision paths – some with worse impacts than others
• Connection to associated opportunity is missing
– Prevents consideration of opportunity maximization as a strategy instead of only risk mitigation(5)
Model Weaknesses - cont’d

• Risk exposure is treated as a metric
– In most cases it is not a metric
– Thresholds are inappropriate
• Comparison of risk exposure between projects is unreliable
• Threat time frame is not considered in risk prioritization

Impacts: unreliable information is used in decision making; people do not trust the model; risk management fails to provide value to the project
Mitigating Model Weaknesses

• Include associated opportunity when evaluating and mitigating risk
• Focus on the strengths of the model
– Identification and prioritization
• Recognize its weaknesses
– Risk exposure is not a metric
• Focus efforts on the Top N risks(6)

The purpose of the model is to help you make informed decisions – not to make those decisions for you
Implementation Weaknesses

• Risks are poorly defined
– Problems are misidentified as risks
– Initiating event, the intermediate impacts, and ultimate impacts are unclear
• A Risk Officer or a Risk IPT is made responsible for risk
– A thankless job that deals only with negative information
– No ability to influence associated opportunities
Mitigating Implementation Weaknesses

• Use “If-Then” format for describing risks
• Use the Risk IPT to promote risk management, not to manage risk
– Risk management training and consulting
– Help risk identification, prioritization and communication
– Infuse risk management throughout the entire organization

Risk management must be performed by those responsible for the associated opportunities
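As an added example (not from the presentation), the following Python sketch of a risk register puts the model and implementation slides above into working code: each risk is stored in If-Then form with the initiating event and ultimate impact spelled out, a "risk" that is certain is rejected as a problem, and Top-N prioritization takes the threat time frame into account. The two exposure scores show why exposure is not a metric: the same subjective opinions ordered by probability times category rank give the opposite ranking from probability times an assumed cost scale, because the impact categories are non-linear. The register entries, the IMPACT_COST figures and the 90-day horizon are constructed for this example and are not the author's data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal impact categories. The rank is a label for ordering within one
# register, not a quantity: "catastrophic" is not five times "negligible".
IMPACT_RANK = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed cost behind the same categories (hypothetical figures, arbitrary
# units), chosen to show that the categories are non-linear.
IMPACT_COST = {"negligible": 1, "minor": 5, "moderate": 25, "major": 100, "catastrophic": 1000}


@dataclass
class Risk:
    title: str
    if_event: str       # initiating event ("If ...")
    then_impact: str    # ultimate impact ("then ...")
    probability: float  # subjective professional estimate, 0 < p < 1
    impact: str         # key of IMPACT_RANK
    window_start: date  # earliest date the initiating event can occur
    opportunity: str    # the opportunity this risk is a byproduct of

    def exposure_rank(self) -> float:
        """Probability times category rank: the usual 'risk exposure' number."""
        return self.probability * IMPACT_RANK[self.impact]

    def exposure_cost(self) -> float:
        """Probability times assumed cost: the same opinion on a non-linear scale."""
        return self.probability * IMPACT_COST[self.impact]


def describe(risk: Risk) -> str:
    """Render the risk in If-Then form so event and impact are both explicit."""
    return f"If {risk.if_event}, then {risk.then_impact}."


def is_problem(risk: Risk) -> bool:
    """A 'risk' that is certain to occur is a problem and belongs on the issue list."""
    return risk.probability >= 1.0


def ordering(risks, score):
    """Titles ordered by a score alone, ignoring time frame."""
    live = [r for r in risks if not is_problem(r)]
    return [r.title for r in sorted(live, key=score, reverse=True)]


def top_n(risks, n, today, horizon_days, score=Risk.exposure_cost):
    """Up to n risk titles, most urgent first.

    Time frame is part of the priority: a risk that cannot materialise
    within the planning horizon is deferred behind every risk that can,
    whatever its exposure. The score only orders risks inside one register;
    it is not a measurement to be thresholded or compared across projects.
    """
    live = [r for r in risks if not is_problem(r)]

    def key(r):
        in_horizon = (r.window_start - today).days <= horizon_days
        return (in_horizon, score(r))

    return [r.title for r in sorted(live, key=key, reverse=True)[:n]]


# Constructed sample register (hypothetical project, not from the presentation).
TODAY = date(2002, 6, 1)
REGISTER = [
    Risk("late library", "the vendor telemetry library slips past its delivery date",
         "integration starts late and the test window shrinks by two weeks",
         0.8, "minor", TODAY + timedelta(days=10), "reuse the vendor library instead of writing our own"),
    Risk("qual failure", "the flight software fails qualification testing",
         "the launch slot is missed and the program is re-baselined",
         0.1, "catastrophic", TODAY + timedelta(days=30), "fly new software on the first vehicle"),
    Risk("key departure", "the only engineer who knows the guidance code leaves",
         "guidance changes stall until a replacement is trained",
         0.3, "major", TODAY + timedelta(days=200), "keep a small, expert team"),
    Risk("baseline slip", "the requirements baseline is approved late",
         "design review slips a month",
         1.0, "moderate", TODAY, "incremental baselining"),  # certain: a problem, not a risk
]

if __name__ == "__main__":
    for r in REGISTER:
        print(("PROBLEM " if is_problem(r) else "RISK    ") + describe(r))
    print("by rank:", ordering(REGISTER, Risk.exposure_rank))
    print("by cost:", ordering(REGISTER, Risk.exposure_cost))
    print("top 2 within 90 days:", top_n(REGISTER, 2, TODAY, horizon_days=90))
```

Run on the constructed register, the rank-based score puts the near-certain minor slip first and the rare catastrophic failure last, while the cost-based score reverses that order; the Top-N call then pushes the high-exposure "key departure" behind both, because it cannot occur inside the 90-day horizon. Whichever score a project picks, it is an ordering aid for the people who own the associated opportunities, not a number to be managed.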
Purpose of risk management

• Assist proactive, rational decision making
• Temper enthusiasm with skepticism
– Programmers and engineers are inherently optimistic problem solvers
– They need a “reality check”
• Identify top threats to the project

The purpose of risk management is not to eliminate risk - if you eliminate risk you eliminate opportunity
Recommendations

• Develop a culture which deals constructively with negative information
– It will take time and will be hard to do
• Do not separate risk management from opportunity management
– Risks and opportunities are inherently linked
– You cannot manage one without impacting the other
• Recognize model limitations
– Managing risk “metrics” is of little value
References

1. Gilb, T., Principles of Software Engineering Management, Addison-Wesley, 1988. See p. 72.
2. Bernstein, P. L., Against the Gods: The Remarkable Story of Risk, John Wiley and Sons, 1998. See Chapter 16, “The Failure of Invariance,” on how negative information seriously impacts decision making.
3. Young, R., Effective Requirements Practices, Addison-Wesley, 2001. See pp. 164-5 for strategies to combat “negativism.”
4. Jones, C., Assessment and Control of Software Risks, Prentice Hall, 1994. See Chapter 5 for risks associated with artificial categories.
5. Gilb, T., Competitive Engineering, draft to be published in 2002. See fig. 1.2; the risk strategy is to “maximize benefits, not minimize risk.”
6. McConnell, S., Software Project Survival Guide, Microsoft Press, 1998. See pp. 93-101 for his very realistic risk management model, which focuses on the “Top 10” risk list. We disagree on the value of a “risk officer.”
