Waltzing with Bears: Managing Risk on Software Projects

Read this unsystematic and occasionally glib book (I concede this point to other reviewers) and you will suddenly realize that you, your colleagues in development, your technical leads, and your CEO have probably all been lying to yourselves and to each other about every single "milestone". Risk analysis is not merely done badly most of the time. It's usually not done at all. I learned enough from this book on a Sunday to return to work the next day and successfully persuade my colleagues that our project plan was worthless, and we needed to come up with a new one *now* that properly took account of the risks. No, I'm not a risk analyst, but merely the effort of thinking about risk in a different way had a payoff. Before this, we were just driving blind.

There are some very sensible, eminently implementable ideas in this book, even if you have nothing to do with risk management. It is not just about risk, and neither is it just about software projects. Yes, there are strong elements of both, but the discussion is not exclusive. Some of the practical matters discussed include being able to recognise a 'dead' project before it finally rolls over and is declared dead. If there is no life in the beast, then it is no use preserving the carcass. Risk has been become a vogue word in software development. Everybody talks about it, and says that it is being considered. However, a large part of the discussion is lip service. What is apparent is that 'risk' is not a small subject, and any discussion on this subject will invariably involve weighty matters. How can benefits be calculated? How are costs determined? So is risk inherently wrong? Risk involves uncertainty. Halfway down the first page of Chapter 1 is a wonderful statement, summing up the gains to be claimed by embarking on a risky venture. "If a project has no risks, don't do it". The authors slay a few myths along the way. It is not wrong to be uncertain. Risk is about trying to minimise the uncertainties, or rather to minimise the damage caused by events that you hope will not happen. Therefore, if you don't know, ask questions about what you do not know. That is very different to some work places, where it is considered bad form to raise items on the risk register. There are instances when blindingly obvious risks have not been considered. "Oh, you mean THAT train" - as it speeds towards you. Projects that negotiate dark railroad tunnels will find trains hurtling towards them. FACT. It is the nightmares that need to be addressed, not the petty worries. The book is very good about imposed deadlines. By all means perform estimates based upon everything happening correctly, and on time (in other words, 'downhill with a following wind'). However, this is not sufficient for implementing REAL projects, in real timescales. In order to achieve this, it is necessary to add in the uncertainties. Add these in before publishing the figures. There is a tool available on the associated web-site that enables some of the classic uncertainties to be factored in. This uses some industry standard figures to indicate the effect of, say, key staff leaving. The big no-no of software development is also discussed - what if the project fails? Figures indicate that a significant number of software projects fail (the authors quote 15%, but others may use different figures). Therefore failure has to be a risk on any project. The authors discuss 'Earned Value Running' [EVR] as a way of measuring progress. Using such a measure moves away from the "90% complete" problem, and also enables the 'bells and whistles' of a project to be seen for what they are; items that are nice to have, but not item that are part of the core functionality. Such concepts as EVR can make a

Risk is everywhere, so we cannot avoid it, only manage to deal with it in the best possible manner. In software development, the most valuable projects are always the most risky. Therefore, the decision to go forward with any project must include an honest assessment of the locations of the virtual land mines. There are two general areas in which risk can be categorized. Some of the risks are known, either precisely or within a range of parameters. For example, the cost per day for each category of worker involved in the project is well-known. This type of risk is not difficult to manage, and most managers have a great deal of experience handling them, so very little of the book deals with them. The second category are those risks that are largely unknown. These are items like the risk of mission critical software suffering a catastrophic failure to large, unexpected cost overruns. It is this category that is examined in detail in this book. Of course, the boundaries between these categories are extremely subjective and situation dependent. A small company with limited financial resources would consider a smaller cost overrun to be critical than a company more capable of taking a large financial risk. After the initial explanation that risk management is necessary, the next step is trying to quantify the risks. This involves charts of likelihood of delivery time that resemble normal distribution curves. Using such charts allows any prediction to include some natural ?wiggle room?, which eliminates one of the most recurring and frustrating problems. Development managers are commonly asked to give a date for product delivery, and that date becomes fixed in stone. Upper echelons are notorious for hearing only the ?we can deliver on August first? part of the message and ignoring the remaining, ?provided all the planets are in alignment, there is no snow in January and no one takes a day off? part of the message. Expressing the date in a diagram of this form means that it is impossible to see the date without also seeing the estimated range. The authors have also developed a risk assessment tool called RISKOLOGY, which can be freely downloaded from the companion web site. While the tool is not described in complete detail, there is enough background for you to be able to use it quickly. Chapter 13 deals with the core risks of software projects. The five risks listed are:* Schedule flaw.* Requirements inflation.* Personnel turnover.* Specification breakdown.* Under-performance. None of these risks is any surprise to experienced managers, although including them was necessary and the authors do a good job in explaining them. Chapter 14 puts forward a process for discovering risks, which is excellent and in the realm of ?how to learn what it is that you don?t know.? It is this approach that will separate those who succeed from those who must resort to faking success. The greatest and most dangerous risks are those never considered as possible events.

Reading Tom Demarco and Tim Lister is a pleasure. It is so clear that these two authors set out to teach something they believe to be valuable, and all of their effort is directed toward making that valuable thesis accesible to the reader. There is no showing off, no saying, "Look how smart I am." Their books clearly say, "Our many years of experience have taught us some useful stuff and provided us with lots of valuable data. We have put a lot of effort into analyzing that data and we will try as hard as we can to help you understand our analysis. Our objective is make it as clear and as entertaining as we can," and they do. Their explanations are always clear. Their examples are invariably both helpful and entertaining.What they have to say is always important. "Walzing with Bears" is no exception, and even if you should disagree with parts of the book, their arguments will force you to think about critical aspects of management that you may not have previously considered.Reading the first few chapters, my only criticism was that they seemed to be oversimplifying some issues. Reading on, I realized that it was a deliberate and brilliant part of their teaching technique. In later chapters, the book carefully added the complexities that covered more and more of my early reservations in ways that made them easily understandable.It's a terrific book.