Health and Risk
People in industries like banking and insurance think mainly about risk measured in money. But risk isn't just money. Life is filled with non-monetary risks.
"If someone says, 'You can make it!' down a vertical mountain when you don't ski very well, think about it before launching. This can be a turning point in your life. It sure was in mine when I slammed into the mountain. I wish I'd said, 'F'getabout it, sucka,' and gone to the Kiddie Corral. Would have saved a lot of pain and surgery. Think about this. What are you really up for? Is the thrill worth the cost?" - Sandy Nathan
I am going to argue here that risks are things that affect the health of a thing, where the thing could be:
A Living Organism, such as the human body, which is exposed to health risks, such as Cardiovascular Disease.
A Software Product is a thing we interact with, built out of code. The health of that software is damaged by the existence of bugs and missing features.
A Project, like making a film or organising a dinner party.
A Commercial Entity, such as a business, which is exposed to various Operational Risks in order to continue to function. Businesses face different health risks than organisms, like key staff leaving, reputation damage or running out of money.
On a larger scale, a State is a system, the health of which is threatened by various existential risks such as revolution, climate change or nuclear attack.
What Is Health?
Health is a really universal property. I've deliberately chosen these examples to be at different scales, to demonstrate that health is not just something that applies to living things. It seems like you can talk about the health of nearly everything. I can talk about the health of soil (how likely things are to grow in it), of a table (whether it might collapse or not), a tree (whether it looks nice and is growing) or a political party (whether it's membership is strong and growing).
However, in all these cases, health refers to something slightly different, perhaps subjective. It's an overloaded term, so let's look at some specific meanings for health.
Health as Survival
The most obvious indicator of health in living things is whether they're alive or dead. But since there is no clear definition of exactly what a living thing is, scientists fall back to describing the behaviours of living things. For example, metabolism (taking in energy or other inputs, and using it to self-organise), homeostasis (having some kind of feedback loops to maintain an internal state) or adaptation (responding to changes in the environment).
When a living thing is no longer exhibiting these behaviours, it is dead. But, the same is true of our other examples too: businesses go bust, projects get cancelled, dinner parties end. At the larger end of this scale, we can say that a country or a project is alive so long as there are people participating in it: to be alive, the constituent components must be alive too.
The problem with "Alive vs. Dead" is that it is binary - there is no scope for "improving" or "worsening" health. I could be involved in an accident that severely limits my capability, but leaves me alive - my health is definitely worse though.
A different approach to judging the health of a thing might be to take measurements of it and compare it to other things. For example, we could say the health of a battery is related to the amount of charge it contains compared to a new battery, or the health of soil by the quantity and quality of crops it produces.
For people, you can measure health by looking at things like resting heart rate, blood pressure or lung capacity. Also, there are tools like the SF-36 which aim to capture (via survey) the general health of people, by asking them about their physical and mental functioning, emotional well-being, stress etc.
For a business (say, a car factory) you could create metrics for the number of cars completed, the defect rate, or the number of workplace accidents per year.
For a software product you could look at things like number of users, licenses, downloads or some other metric.
If you're in a development team which is working on new software, you could look at something like Burn Rate.
Metrics are difficult though. Choosing the right metrics, knowing their weaknesses and being aware of what knowledge is missing is a whole other discussion which we look at in Map And Territory Risk. Taking the car plant example again, what does it mean to produce a hundred cars a day? Is it good or bad? Is this directly tied into how healthy our business is? Does it matter if the cars aren't selling?
Measuring fitness as you go along is not always possible. For a lot of projects, like dinner parties, films or construction projects, the success or failure has to be judged subjectively on completion, and not before. Essentially, the project is a bet on a future outcome.
Building a new feature on a software project fits into this category: although you can build tests, do demos and run beta-test programmes the full picture of the health of what you've built won't emerge until later.
Power and Safety
Although you might not have visibility of the end result, sometimes it's enough to care about the health of the process itself. So a fourth perspective on health is: does the project/person/business control the resources it needs?
When talking about businesses, economists call these resources Factors of Production, dividing them into categories like land, labour and capital.
The resources of a state are employed to create some kind of organisation (feed armies, build roads, create currency, run governments), whether it is a democracy or a dictatorship. When the resources dry up or are stolen, the state can fall apart resulting in civil wars and anarchy. Leaders of states need to understand which resources are the sources of their power. CGP Grey's excellent Rules for Rulers video explains how this works in great detail, and covers why government doesn't always do the best things for it's subjects.
We've looked at health from four alternative angles: "Survival", "Fitness", "Acclaim" and "Resources".
But this still isn't the whole story of health: Personally, I might be perfectly happy and (apparently) healthy one moment, but then fall down dead from heart failure the next due to some inherited heart condition. Or, I could live happily on an island with plenty of food but have it all washed away overnight in a storm.
Health isn't just about considering where you are now, but also how precarious the position might be.
So, we have to go further and consider - what are the health risks I am exposed to? What are the risks due to my environment, my diet, my behaviour? If I live in a high-crime area, in a high-fire-risk house, engaging in lots of dangerous activities then this should be taken into account when judging my health.
... For A Commercial Entity
Just as human health-risks are relatively well-known and documented, an understanding of the risks to commercial entities has been built up over time. Accounting requires a certain set of measurements (all measured in monetary units), which are the same for all companies:
- A Balance Sheet, showing what the company owns and owes. This is used for reporting Funding Risk - that is, does the company have too much debt, given its assets?
- A Profit and Loss Statement, showing whether the company is making or losing money from the deals it does. This kind of transparency helps reduce Agency Risk for investors.
- A Cash Flow Statement, shows the company's cash position and how much cash is entering and leaving the company. This is important for managing Liquidity Risk - the short-term requirement of cash on-hand to keep the business running.
All of these are measured in monetary amounts, but each addresses a different risk.
A healthy commercial entity will be managing all of these kinds of monetary and non-monetary risks. Just looking at metrics doesn't tell you whether your business is about to be obsoleted by a new invention, or whether your factory is about to turn into a human tragedy (such as in the Bhopal Disaster).
...For A State
How healthy is the United Kingdom? As well as producing metrics such as GDP, employment, education level, etc., the UK government also produces a National Risk Register. This considers various risks (flooding, fires, pandemics, nuclear attack) and produces a matrix comparing:
- Impact This is an
Ameans a risk costing less than £10m and killing fewer than 8 people. An
Eimpact (the largest), meanwhile has a greater than £10b cost and more than 1000 deaths. According to this reckoning, pandemics and CBRN (chemical, biological, radiological and nuclear) attacks have the greatest impact.
- Likelihood: This is based on a probability out of 500, again banded into sections.
Why would they produce such a report? From their introduction:
"The 2020 National Risk Register sets out the range of risks and challenges we face which have the potential to cause significant disruption to the UK, and explains what the government and partners are doing to mitigate these risks and how we all can prepare for and respond to them" - National Risk Register 2020, UK Government
This is about the health of a nation: tracking the risks you face and then managing them are an important way to stay healthy.
...For Software Projects
Over time, as a species, we have built up a detailed body of knowledge on the risks that afflict human health, commercial entities and countries like the UK have started modelling risk at state level.
If all of these disparate domains are tracking health risks, it not clear that this is a good practice to perform at the level of a software project?
The purpose of Risk First is to try to build that body of knowledge for software development. Risks are in general not unique on software projects - they are the same ones over and over again, such as Communication Risk or Dependency Risk.
Every project faces these.
The examples we've looked at so far are all at different scales, and could be nested within each other.
At other times, the health of the elements are going to be related: you might be working on a software product for a team inside an organisation operating in a certain country. You are probably going to have to consider the health of more than one of those things. Can a team be "healthy" if the organisation it is contained within is dying? Probably not.
The next two sections focus on how to do this: in the next section, Cadence we will look at the importance of feedback loops on monitoring the risks you face. Then in De-Risking we will look at general strategies for managing risks on software projects.
On to Cadence...