Risky Business

One of the items on my list of 2007 To Do's at work is to help make our organization better at handling risks: identifying them, having mitigation plans for some, knowing the cost of each risk if it occurs, and tracking them. As chance would have it, I'm reading a Time magazine article on that topic, albeit more about personal risk than project-related business risk. But some of the sentiments still apply. Here's an excerpt that struck me as being particularly dead-on:

"We agonize over avian flu, which to date has killed precisely no one in the U.S., but have to be cajoled into getting vaccinated for the common flu, which contributes to the death of 36,000 Americans each year. We wring our hands over the mad cow pathogen that might be (but almost certainly isn't) in our hamburger and worry less about the cholesterol that contributes to the heart disease that kills 70,000 Americans annually."
- Jeffrey Kluger, "Why we worry about the things we shouldn't.. and ignore the things we should", Time magazine Dec 4/06

I remember reading something similar in Waltzing with Bears by Lister and DeMarco. In their book, they were talking about how often they see risk management take the following form (paraphrasing from memory, so Caveat Emptor!): The risks that are least likely to occur are the ones that will be written down under "Risks" on the Project Charter, while the handful of almost-certain-to-happen dangers weren't even mentioned, simply because people didn't want to deal with those. For example, "Extended national blackout" or "Data Centre hit by asteroid" might be covered, whereas items like "Vendor fails to deliver on time" and "New equipment incompatible with old" showed up nowhere. This resonated with me, from the twenty plus years I've been doing this sort of thing. Of course, my personality is such that I worry about both categories of doomsdays!

In our endeavours in Going Agile and creating more-empowered, self-organzing teams, this is most definitely an area that's gotten very little consideration so far. Risks, if they were even considered before, were previously the sole domain of the project management folks, most or all of whom were among the management ranks. Now it's up to the men and women on the ground, so to speak, to identify the upcoming risks as they plan out Iterations. Considering that our risk experts didn't traditionally do an outstanding job at this - and I'm counting myself in that group of under-achievers - how reasonable is it to expect great results from everyone else, most of whom have never taken a risk management course or even thought in those terms before?

Quite the challenge, I'd say. As always, kind wishes and prayers can be sent to this location!