Risk, What is it good for?

Firstly, let’s clear up any ambiguity: this blog is about the concept of risk in software systems, not about the excellent board game [half the readership has now left].

I’ve spent large parts of my career working in large corporate organisations. In these companies I frequently hear the phrase “We won’t try that as [insert major financial institution or Government dept here] are too risk averse”.

I just want to examine that statement for a moment.

In some cases this response has come from the suggestion of introducing a new technology that has been trialled by ‘bleeding edge’ companies for more than two years. In three organisations I’ve heard this response to the suggestion that the code base be refactored as it has become too unwieldy to change and is not well tested.

The risk that is being referred to here is the risk of spending money on something that may break when shipped to production. It’s fair to highlight this risk but this glib response doesn’t consider the risk of doing nothing.

What is the risk to the organisation if the competition delivers on to that new technology or platform ahead of it?

What is the risk to the organisation if the code base becomes so large and difficult to reason about that even superficial changes to it become a mammoth, expensive project (with its own risks of miscommunication and error due to the number of people and resources involved)?

Or that changes are so difficult to test that code is changed in ‘edit and pray’ mode and deployment involves more finger crossing and sleepless nights than celebration of success?

I would argue that it’s better to have small, focussed and measured initiatives to trial new technology fast and, if necessary, fail early before too much money is burnt.

Wouldn’t investment in refactoring or even rewriting parts of the code base pay off in future with cheaper and safer changes?

Seems like common sense to try these incremental approaches to change?

However, the cynical part of me sees the real drive for this ‘risk aversion’ reaction as being the next bonus or the next promotion for the manager quoting it. They are rewarded for delivering over the next 2-3 month horizon and penalised for missed deadlines. No one loses their job over following the established technologies and patterns rubber stamped by the ‘architecture department’.

You can’t blame the manager for reacting in a way determined by the way they are incentivised.

You can blame the organisational leadership for measuring them this way!