IT's Risky Business

It has been awhile since I last touch the PMBOK (A Guide to the Project Management Body of Knowledge) after passing my PMP (Project Management Professional) exam but risk is one of the terms that i can remember quite clearly. PMBOK define risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives. This fits well with the Chinese character of risk (危机) - when there is risk, there will be opportunity.

Murphy's Law - "Whatever can go wrong, will go wrong!" Well said! Positive risks need to be exploited and negative risks need to be properly managed. We can just close one eye, ignore it and it will surely come back and haunt us one day. You might not believe in gravity, but when you jump off 13th floor, gravity doesn't care.

I came across an article on Star InTech (15 July 2008) by columnist Simon Seow under Corporate IT which i think is very well written. You can't eliminate the risk factor from any equation but you can manage it. The trick is learning how. Below are some of the extraction with some of my comments for sharing:

1. Manage risk, as we can never eliminate all risks.
We want to "manage" risk because we can never eliminate all risks. The aim is not to reduce risk or to eliminate risk altogether. No risk, no gain. In an interesting scenario where a group of agricultural scientists gathered for training, the trainer asked a seemingly innocent question, "Do you guys have a way to kill all the insects that destroy crops?" "No, no, no! we don't kill insects. We manage them! No insects means no crops! No crops no food!" was the reply. Eliminating the risk of insects destroying the crops will also eliminate the crops. A more refined way was needed than simply to get rid of the cause of a risk. Hence risk management and not risk elimination.

2. Managing risk is not about handling the unpredictable
Another thing about the risk issue is that for a normal organization, we are not trying to handle the unpredictable, but the reasonable possibilities. Meteors hitting our computer centre and Martians landing are entertaining distractions but not in risk management. Until there is a reason for us to believe it could actually happen.

3. Risk analysis
We are assured by statistics that the probability of death from travelling in a motor vehicle is much higher than that from flying in an airplane. Yet, there are a lot more people who fear flying than there are who fear car travel. We make choices from perceived benefits versus costs and risks. We seldom, if ever, really consider all risks, or try to eliminate risk. In example, testing had been carried out for a complete system failure scenario but not for a single-point-of-failure scenario. It was felt then that single point failures were manageable if and when it were to happen. Perhaps it was thought that although the probability was higher, the impact based on cost and time to recover was small enough to warrant accepting the risk. Unfortunately, when it did happen, the single point of failure succeeded in making the entire system inoperable because recovery was much more complex than anticipated.

4. When risk strikes...
When risk strikes, the worst thing you can do is to put on a stern face and say that it is all too technical to explain and that the system will be ready when it is ready. The second worst thing you can do is to keep telling your users that it is only a minor issue and that things will be okay within the hour, when you yourself have no basis for making such an estimate. If it may take a whole day, say so. You will still be lashed. But at least the user will be able to make the best of the situation, and you will soon be forgiven.

That's some of the important points that i think worth sharing. Oh ya, if you are in a management position, i would think that the third don't when risk strikes will be to start pointing fingers and put the blame on your team members. That is the time they need your support the most. Keep cool, roll up your sleeves, access the situation and let's solve it together as a team. Most importantly, learn from the mistake so that you will not be bitten twice!