Risk management is all about predicting the future, and we're really bad at predicting
It's a running joke with the secretary at my dentist's office: "Mr. Donath, can we see you at 8:00 am on Tuesday in 6 months?" "Well, I'll have to check, not sure what I'm doing them." "Oh, I know what you'll be doing, you'll be here!" Usually when she asks this question the season will be the opposite of what it is now. If it's summer, there will be 2 feet of snow on the ground then. That's the trick right? The context then will be totally different. Heck, I could have a different job, could be living in a different, house,... Hey, I could be dead! Crazy? It happens. Predicting the future is tricky. In the book, The Black Swan, Taleb cites an example where some government agency was predicting the price of a barrel of oil for 25 years. If I'm not sure what I'm doing at 8:00 am on Tuesday 6 months from now, how is someone going to predict the price of oil 25 years from now? Stop for a moment and catch the seriousness of this: here's a government agency with a bunch of very smart people who are paid to know oil and the US energy sector is watching these predictions closely (and there probably a whole chain of people watching the energy sector). So what these guys say has a big impact. They said that oil wouldn't go over $27 a barrel over that 25 year time period. Wait for it. The price went over $27 in the first 6 months. We are really bad at predicting.
Which leads me to risk management. I'm speaking of risk management on IT projects. We're told to predict (1) the probability of occurring, (2) probability of impact, and (3) timeline for impact. There are other things to capture, but let's start with that. Let's just pick one, probability of occurrence. In the oil example above, they gave the probability of occurrence of going over $27 / barrel in 25 years as low. It turned out to be very (VERY) high. We are really bad at predicting. If we are, how do we perform risk management? There's a lot to talk about here, but let's start with who should do the predicting. Don't confuse this with who can identify a risk, anyone on a project can identify a risk. We'll talk more about that in another posting, but let's talk about who should do the predicting. Apgar's book, Risk Intelligence, has five criteria for assessing someone's ability to identify risk and the first is "How frequently do your experiences relate to the risk?" Let's say the risk has to do with system performance on a cloud solution. Do you have experience with cloud solutions? Do you have experiences with performance problems? Do you have experience with measuring performance in a cloud environment? If your a project lead, then finding someone who scores higher on this assessment will be important. If you have the experience, go for it. If you have a general feeling about the technology, better find someone who has more experience. Yes, experience can be hit by a black swan too, but it is a step in weeding out possible error and refining the risks.