I just finished reading Tom DeMarco’s book, Slack: Getting Past the Myth of Burnout, Busywork and the Myth of Total Efficiency. In his chapter on Risk and Risk Management, he outlined a nine-point test that he used to determine whether an organization was practicing risk management. I wanted to share the nine points and then ask a couple of questions.
His nine-point test:
- Is there a published census of risks? Does the list contain the major causal risks, not just the few outcome risks that we all fear? Is the risk list visible to all who are working on the project? Are there enough risks on the list to indicate careful risk analysis?
- Is there a mechanism in place to elicit discovery of new risks? Is it safe for all involved to signal a risk?
- Are any of the risks on the list potentially fatal? Risk management that concentrates only on risks that can be handled makes a mockery of the notion of risk management. It’s the fatal ones that need your most careful attention.
- Is each risk quantified as to probability and cost and schedule impact?
- Does each risk have a transition indicator allocated to it to spot materialization? Is each transition indicator being monitored?
- Is there a single person responsible for risk management? Where the attitude is that everybody is responsible for managing risks, nobody is responsible for it, since all those people have got Real Work on their plates
[Side note: Up to this point, I was feeling pretty good about my previous place of work. We were on point and fairly focused on mitigating risk. We were making progress toward the final three indicators by using Monte Carlo simulation to forecast project completion and mitigate risk, but we weren’t there yet.]
- Are there tasks on the work breakdown structure that might not have to be done at all? The absence of such conditional tasks are a sure sign of no risk management at work.
- Does the overall effort have both a schedule and a goal, where the schedule and the goal are markedly different? If the schedule is the goal, there is no risk management at work. The earliest date by which the work could conceivably be done makes an excellent goal, but an awful schedule.
- Is there a significant probability of finishing well before the estimated date? If there is not – if there is no reasonable probability of finishing 20 or 30 percent ahead of schedule – the schedule is a goal, not an estimate.
I love reading about risk management, so finding his nine-point test was exciting and eye-opening at the same time. Then I wondered how many organizations would actually meet this standard.
- My question to you is whether you know of any organizations that would meet Mr. DeMarco’s test of risk management?
- How did they communicate the schedule to the customer?
- How successful were their projects?