Foreword:
Running Toward Risk

Running away from risk is a no-win strategy. Unless your organization has been sound asleep for the past 30 years, all the relatively risk-free opportunities have long since been exploited. The remaining high-opportunity areas are rife with risk. It is in these areas and these alone where you need to focus your attentions, skills, and resources.

Consider, for example, projects that implemented the first Web-based stock trading systems: E*TRADE, e.Schwab, and Fidelity’s Web Xpress. These endeavors forced their respective teams into previously uncharted waters. They had to come to grips with Java and PERL, secure sockets, 128-bit encryption, CGI scripts and server-side technology, multiplatform support, help desks, and hitherto unimagined kinds of audits and checks. Their competitors glanced uneasily at these horrors and decided to pass: “Um, let’s just convert another one of our back-office systems to client-server mode instead; that is something we’ve finally learned to do pretty well.” In the short run, that decision might have seemed sensible, but in the long run, it is a disaster. It is only by coping with risks today that you have a chance of achieving market distinction tomorrow.

Moving aggressively after opportunity means running toward rather than away from risk. But running successfully toward risk requires more than just competent process and an ability to think on your feet. It requires discipline. The discipline that enables you to prosper in such circumstances is called risk management.

Like other uncertainty-based disciplines, risk management is somewhat anti-intuitive. That means you cannot count on common sense alone to guide you. Common sense, for example, might suggest that positive thinking is the key to achieving anything really ambitious, but risk management schools us to consider certain forms of negative thinking as well. Common sense might suggest that the bigger and more ambitious the effort, the more essential it is to “plan the work and work the plan.” But risk management tells us something entirely different: the plan will never work. It is only by accepting and quantifying the essential fallibility of our plans that we gain effective control over the effort.

Since it is more than just common sense, the newcomer to risk management needs an intelligent guide. It is in this role that Elaine Hall’s Managing Risk: Methods for Software Systems Development excels. This book provides a set of practical and well-delineated processes for implementation of the discipline.

I end with an observation about the linked nature of risk and challenge. When software people tell me about what matters to them in their work, they almost always mention challenge. Work without challenge, they seem to be saying, would be as unsatisfactory as work without pay. But there can be no real challenge without risk. Risk management, in this light, is seen for what it really is: a tool for taking on challenge. Managing Risk: Methods for Software Systems Development will be just that for you; it will enable you to confront greater challenges than you might have without it, and it will give you the confidence and capability to achieve them.

Tom DeMarco
The Atlantic Systems Guild Inc.
Camden, Maine