Waltzing with Bears: Managing Risk on Software Projects [Paperback]

It may be surprising where DeMarco & Lister start from, explaining what risk is, why we need to accept it and why we must manage it, but they explain how common attitudes in the IT industry, which they correctly term "pathologies", can make it almost impossible to properly acknowledge and manage risks.

Maybe it's my background as a physicist, but I assumed that most project managers understand the concept of uncertainty in estimates of cost, timescale and benefits. The authors clearly start from the opposite position. This may be a little off-putting for some readers, but will definitely help those to whom this is a new concept, while the use of "uncertainty diagrams" (probability profiles) will be a useful addition to the toolkit even for those more familiar with the underlying ideas.

The book is very strong on how risk impacts budget and schedule, and how to more scientifically make goals and committed targets more realistic. There's a very good discussion of how to assess deadlines using probability theory, which shows the folly of trying to manage large efforts by single deadlines. The book also includes a very good section on brainstorming and analysing different stakeholders' "win" conditions to identify potential risks.

One weakness is the almost total lack of discussion of risk prevention - actively working to prevent a risk materialising, or at least to reduce its probability as well as mitigating its impact. For example they quote the example of an operating system upgrade which is incompatible with a "make or break" product development. Any sensible manager would work with the OS vendor and its developer information programmes to actively prevent this, rather than just worrying about its possible impact.

When it comes to combining the effects of multiple risks, the authors rely entirely on Monte-Carlo simulation and the "black box" outputs from a spreadsheet (which is downloadable from a web site for the book). This will be a useful tool, but a simple worked example showing the mathematical principles at work would be much better (see www.andrewj.com/thoughts/combining risks.htm for my attempt at this).

The book is dismissive of time-constrained scheduling as "schedule flaw", and there is only limited consideration of methods such as Agile Modeling and eXtreme Programming which aim to mitigate or even prevent the effects of requirements change. However there is a good section on the use of incremental delivery to mitigate risk, but possibly somewhat unrealistic in relying on very complete requirements and design before the incremental delivery plan can be completed.

The approach to benefits, and the importance of properly assessing and measuring benefit is excellent. As DeMarco and Lister state, you can't do any meaningful risk management or prioritisation unless costs and benefits are estimated, measured and controlled to almost exactly the same degree. Conversely, if you can build realistic models of both cost and benefit in risk terms, you have a very powerful but relatively simple model for project prioritisation.

Overall this is a good book which I can recommend, but not the definitive answer I expected from the authors of "Peopleware".

Risk has been become a vogue word in software development. Everybody talks about it, and says that it is being considered. However, a large part of the discussion is lip service. What is apparent is that 'risk' is not a small subject, and any discussion on this subject will invariably involve weighty matters. How can benefits be calculated? How are costs determined?

So is risk inherently wrong? Risk involves uncertainty. Halfway down the first page of Chapter 1 is a wonderful statement, summing up the gains to be claimed by embarking on a risky venture. "If a project has no risks, don't do it". The authors slay a few myths along the way. It is not wrong to be uncertain. Risk is about trying to minimise the uncertainties, or rather to minimise the damage caused by events that you hope will not happen. Therefore, if you don't know, ask questions about what you do not know. That is very different to some work places, where it is considered bad form to raise items on the risk register. There are instances when blindingly obvious risks have not been considered. "Oh, you mean THAT train" - as it speeds towards you. Projects that negotiate dark railroad tunnels will find trains hurtling towards them. FACT. It is the nightmares that need to be addressed, not the petty worries.

The book is very good about imposed deadlines. By all means perform estimates based upon everything happening correctly, and on time (in other words, 'downhill with a following wind'). However, this is not sufficient for implementing REAL projects, in real timescales. In order to achieve this, it is necessary to add in the uncertainties. Add these in before publishing the figures. There is a tool available on the associated web-site that enables some of the classic uncertainties to be factored in. This uses some industry standard figures to indicate the effect of, say, key staff leaving. The big no-no of software development is also discussed - what if the project fails? Figures indicate that a significant number of software projects fail (the authors quote 15%, but others may use different figures). Therefore failure has to be a risk on any project.

The authors discuss 'Earned Value Running' [EVR] as a way of measuring progress. Using such a measure moves away from the "90% complete" problem, and also enables the 'bells and whistles' of a project to be seen for what they are; items that are nice to have, but not item that are part of the core functionality. Such concepts as EVR can make a difference, and examples are provided from real life projects about many of the items discussed.

Much concerning 'risk' is involved with sharing knowledge, be this what is known or what is unknown. It is only when there is a culture of openness that there is a freedom to share risks (it is after all a risky business to discuss the items that would cause your department to fail to deliver to schedule). There a large variety of items that can follow on from an effective risk management strategy. One of these is what the authors call 'proactive incremental delivery'. This is equated with playing the loosing hands from your bridge hand first. However, what is written is not a prescriptive approach. After all, that would be risky!

There is one final point I wish to mention with this volume. There is a discussion of when NOT to share your risks with others. It takes a good deal of confidence to argue in part against the central thesis of a practical book. This is a VERY good, practical book, whose authors are not afraid to advise when not to use the ideas within.