#aosocal Change control and risk management are oxymorons. @ainzo @agilistapm
And this sparked a series of exchanges (my first Twitter debate!).
iesavage @ainzo @agilistapm @benevolentprof @dianaofportland Curious… How is "risk management" oxymoronic?
benevolentprof @iesavage: @ainzo @agilistapm @benevolentprof @dianaofportland Real risk, unknown unknowns, can't be managed.
iesavage @benevolentprof @ainzo @agilistapm @dianaofportland Ah - those risks. One must manage other risks (eg illness, attrition), tho.
iesavage @benevolentprof @ainzo @agilistapm @dianaofportland ...and one can make allowances for the unk/unks. Or just plan for % failures.
benevolentprof @iesavage @ainzo @agilistapm @dianaofportland Illness and attrition aren't risks. They are a predictable part of life- and can be managed.
iesavage @ainzo @agilistapm @dianaofportland @benevolentprof JFYI: My company treats attrition as a risk & mitigates.
At the heart of the debate is what is properly constituted as risk. iesavage is using the standard definition of anything that is a source of danger or a hazard. According to conventional "risk management," one must try to identify what these are and identify ways to mitigate their negative effects. It's standard practice to consider illness and attrition, so it's good and appropriate for iesavage to be dealing with them in risk management. However, my comment has more to do with what risk really is, rather than what is good risk management.
In my mind, events that can be expected to happen should not be properly be constituted as risk. Illness and accidents happen. You'd be a Pollyanna if you thought they didn't. Real risk are the ones you cannot possibly plan for.
Philip Armour wrote a book "The Laws of Software Process." (Thanks to @cdknutson for introducing it to me.) In the book, Armour introduces his Levels of Ignorance. I have found this to be an invaluable tool to explain solving information problems (such as software development and doing research).
Zeroth Order Ignorance (0OI): Lack of ignorance.
I have Zeroth Order Ignorance (0OI) when I know something and can demonstrate my lack of ignorance in some tangible form. Examples of 0OI is the answer to a trivia question and the ability to sail, which can be demonstrated when provided with a sailboat and a body of water.
First Order Ignorance (1OI): Lack of knowledge.
I have First Order Ignorance (1OI) when I do not know something and I can readily identify that fact. 1OI is basic ignorance or lack of knowledge. For example, I don't know how to speak Russian, but I know how I could learn. Expressed in another way, if you can Google for the answer, you have 1OI.
Second Order Ignorance (2OI): Lack of awareness
I have Second Order Ignorance (2OI) when I do not know that I do not know something. That is to say, not only am I ignorant of something (I have 1OI), I am unaware of what it is I am ignorant about. I do not know enough to know what it is that I do not know. I can't provide a good example of 2OI for me, because if I could name it, I would have awareness. I could provide an example of 2OI for me in the past or possibly for you right now.
Third Order Ignorance (3OI): Lack of Process.
I have Third Order Ignorance (3OI) when I do not know of a suitably efficient way to find out that I do not know that I do not know something, which is lack of a suitable knowledge-gathering process. This presents me with a major problem: If I have 3OI, I do not know of a way to find out that there are things that I do not know that I do not know. Therefore, I cannot change those things that I do not know that I do not know into either things that I know, or at least things that I know that I do not know, as a step toward converting the things that I know that I do not know into things that I know. Examples of 3OI are many design or research problems. Methods for doing software design or research are really just activities to fill the time while you overcome 2OI.
Fourth Order Ignorance (4OI): Meta ignorance.
I have Fourth Order Ignorance (4OI) when I do not know about the Five Orders of Ignorance. I do not have this kind of ignorance, and now neither do you. Knowledge is highly and intrinsically recursive-- to know about anything, you must first know about other things which define what you know.
Applying the levels of ignorance to risk, I would assert that risk can only be properly applied to 2OI and 3OI. 0OI and 1OI are not risks, they are known and can even be predictable. Consequently, risk management is an oxymoron, because it's not possible to manage what you don't know.