Tuesday, September 14, 2010

Why risk management is an oxymoron

Yesterday, I tweeted the following.

#aosocal Change control and risk management are oxymorons. @ainzo @agilistapm

And this sparked a series of exchanges (my first Twitter debate!).

iesavage @ainzo @agilistapm @benevolentprof @dianaofportland Curious… How is "risk management" oxymoronic?

benevolentprof @iesavage: @ainzo @agilistapm @benevolentprof @dianaofportland Real risk, unknown unknowns, can't be managed.

iesavage @benevolentprof @ainzo @agilistapm @dianaofportland Ah - those risks. One must manage other risks (eg illness, attrition), tho.

iesavage @benevolentprof @ainzo @agilistapm @dianaofportland ...and one can make allowances for the unk/unks. Or just plan for % failures.

benevolentprof @iesavage @ainzo @agilistapm @dianaofportland Illness and attrition aren't risks. They are a predictable part of life- and can be managed.

iesavage @ainzo @agilistapm @dianaofportland @benevolentprof JFYI: My company treats attrition as a risk & mitigates.

At the heart of the debate is what is properly constituted as risk. iesavage is using the standard definition of anything that is a source of danger or a hazard. According to conventional "risk management," one must try to identify what these are and identify ways to mitigate their negative effects. It's standard practice to consider illness and attrition, so it's good and appropriate for iesavage to be dealing with them in risk management. However, my comment has more to do with what risk really is, rather than what is good risk management.

In my mind, events that can be expected to happen should not properly be constituted as risk. Illness and accidents happen. You'd be a Pollyanna if you thought they didn't. Real risks are the ones you cannot possibly plan for.

Philip Armour wrote a book "The Laws of Software Process." (Thanks to @cdknutson for introducing it to me.) In the book, Armour introduces his Levels of Ignorance. I have found this to be an invaluable tool to explain solving information problems (such as software development and doing research).

Zeroth Order Ignorance (0OI): Lack of ignorance.
I have Zeroth Order Ignorance (0OI) when I know something and can demonstrate my lack of ignorance in some tangible form. Examples of 0OI are the answer to a trivia question and the ability to sail, which can be demonstrated when provided with a sailboat and a body of water.

First Order Ignorance (1OI): Lack of knowledge.
I have First Order Ignorance (1OI) when I do not know something and I can readily identify that fact. 1OI is basic ignorance or lack of knowledge. For example, I don't know how to speak Russian, but I know how I could learn. Expressed in another way, if you can Google for the answer, you have 1OI.

Second Order Ignorance (2OI): Lack of awareness
I have Second Order Ignorance (2OI) when I do not know that I do not know something. That is to say, not only am I ignorant of something (I have 1OI), I am unaware of what it is I am ignorant about. I do not know enough to know what it is that I do not know. I can't provide a good example of 2OI for me, because if I could name it, I would have awareness. I could provide an example of 2OI for me in the past or possibly for you right now.

Third Order Ignorance (3OI): Lack of Process.
I have Third Order Ignorance (3OI) when I do not know of a suitably efficient way to find out that I do not know that I do not know something, which is lack of a suitable knowledge-gathering process. This presents me with a major problem: If I have 3OI, I do not know of a way to find out that there are things that I do not know that I do not know. Therefore, I cannot change those things that I do not know that I do not know into either things that I know, or at least things that I know that I do not know, as a step toward converting the things that I know that I do not know into things that I know. Examples of 3OI are many design or research problems. Methods for doing software design or research are really just activities to fill the time while you overcome 2OI.

Fourth Order Ignorance (4OI): Meta ignorance.
I have Fourth Order Ignorance (4OI) when I do not know about the Five Orders of Ignorance. I do not have this kind of ignorance, and now neither do you. Knowledge is highly and intrinsically recursive-- to know about anything, you must first know about other things which define what you know.

Applying the levels of ignorance to risk, I would assert that risk can only be properly applied to 2OI and 3OI. 0OI and 1OI are not risks: they are known and can even be predictable. Consequently, risk management is an oxymoron, because it's not possible to manage what you don't know.


Anonymous said...

iesavage here...

While I grok the risk associated with higher-order ignorance, I contend that claiming "risk management" to be oxymoronic *introduces* a large risk for the general sw industry.

IME some companies ignore their duties to manage the lower-order risks because they (errantly) believe that all risk is unpredictable - totally dependent on chance - so they fail to allocate any resources for contingencies. Big failures result from this arrogance.

Being a QA lifer, I've seen innumerable test schedule compressions* that could have easily been prevented by simple risk management.

1. "Waltzing With Bears..." - Lister & DeMarco
2. "Slack..." - DeMarco

* Not to be confused with tester chest compressions as we contend with the unsustainable pace thusly created.

Best regards, Ian

Anonymous said...

Ah...this blog has me stirred up a bit. Real risks may not be what you can plan for...but you can have contingencies...even in an agile world.

If no one saved for their retirement, took their umbrella along when rain is forecast, or replaced their tires before they were entirely bald, it would be a sad state of affairs.

There is real "risk" in cutting corners, given what we know.

Scott said...

I saw this debate go by on twitter and thought I would jump in.

I would argue that risk, even with the definition provided here, can be managed. There are definitely elements that you don't know you don't know, but thats why you have ways of discovering your ignorance. It is the process of discovering your ignorance which is true risk management.

An example: entrepreneurs are forced to do this all the time, especially when entering domains they aren't intimately familiar with. They realize they are ignorant, they just don't know what they are ignorant of (2OI). This is why they surround themselves with an extensive support network. They learn from others' mistakes, and are made aware of the areas they did not consider. That act, the act of establishing the network, of establishing a process of discovering your ignorance, is an example of risk management. True, the network wouldn't know everything, but they will know something that you did not know, and by learning of any of your own ignorance, you've mitigated your risks.

Armour hinted at this with "Third Order Ignorance (3OI): Lack of Process". For this group risk management would be impossible.

As an aside, this argument changes with a more lax definition of the word "risk". For example, if we accept anything that does not have a 100% probability of a single outcome as a risk, there are very tangible ways of mitigating it. Saving money for a rainy day. Buying car insurance in case you get into an accident.


catenary said...

I think Scott is exactly right. And let's not forget that another risk management strategy is prevention: avoid those paths for which more things could go wrong (that you know of). You could still get bitten, of course.

However, I think Susan's point is that there's a level of hubris in claiming that we are managing risks, as if we'd cajoled them to do as we wished.

Mausburger said...

Thanks for the great comments!

I think we have more agreement than disagreement. I completely agree that companies should be thinking ahead and making plans for what might happen in the future.

But... It doesn't make sense to me to consider the future to be a risk. The same goes for illness, attrition, car tires, rain, and retirement. You're not really managing illness or rain. You can only manage your responses to them, i.e. the contingencies in your plans.

Mausburger said...

Yes! What Catenary said.

Pascal Pinck said...

There has been a lot of smart thinking in the CAS (complex adaptive systems) community about risk.

Among the concepts that I have found useful is the notion of differentiating between robustness and resilience.

Dave Snowden has good stuff on this including