Skip to main content

Just Risk

In this section, I am going to propose the idea that everything productive you do on a software project is Risk Management.

All Work is Managing Risk

Think about your development process at work. Maybe it involves weekly releases, a continuous-integration system, unit-testing and beta-testing. All these activities have a part to play in managing different risks. They work to manage risks before they create bigger problems in production.

Can we go further? Is it just those parts of our development process that manage risk, or is it actually all of them?

Lets look at one of the tools in the Project Manager's tool-box, the RAID Log, and observe how risk-centric it is. Then, we'll generalise from there.


Many project managers will be familiar with the RAID Log. It's simply four columns on a spreadsheet: Risks, Actions, Issues and Decisions.

AssumptionDocumentation prior to approvalHIGH
RiskSupply Delivery TimeProject ScheduleMEDIUM
IssueMaster data inconsistencyMEDIUM
DecisionGo/No Go with ABC Ltd.Internal HiringLOW

The table above shows a sample RAID log. A real one might well be more elaborate. Let's keep things simple for now and put the following item into the RAID Log:

"Debbie needs to visit the client to get them to choose the logo to use on the product, otherwise we can't size the screen areas exactly."

  • So, is this an action? Certainly. There's definitely something for Debbie to do here.
  • Is it an issue? Yes, because it's holding up the screen-areas sizing thing.
  • Is it a decision? Well, clearly, it's a decision for someone.
  • Is it a risk? Probably. Debbie might go to the client and they still don't make a decision. What then?

This example is deliberately chosen to be hard to categorise. Normally, items are more one thing than another. But often, you'll have to make a choice between two categories, if not all four.

This hints at the fact that at some level it's all about risk:

Every Action Attempts to Manage Risk

The reason you are taking an action is to manage a risk. For example:

  • If you're coding up new features in the software, this is managing Feature Risk (which we'll explore in more detail later).
  • If you're getting a business sign-off for something, this is managing the risk of everyone not agreeing on a course of action (a Coordination Risk).
  • If you're writing a test, then that's managing a type of Implementation Risk.

Every Action Has Attendant Risk

  • How do you know if the action will get completed?
  • Will it overrun, or be on time?
  • Will it lead to yet more actions?
  • What Hidden Risk will it uncover?

Consider coding a feature. The whole process of coding is an exercise in learning what we didn't know about the world, uncovering problems and improving our Internal Model. That is, flushing out the Attendant Risk of the Goal.

And, as we saw in the Introduction, even something mundane like the Dinner Party had risks.

An Issue is Just A Type of Risk

  • Because issues need to be fixed...
  • And fixing an issue is an action...
  • Which, as we just saw also carries risk.

One retort to this might be to say: "an issue is a problem I have now, whereas a risk is a problem that might occur. " I am going to try and break that mind-set in the coming pages, but I'll just start with this:

  • Do you know exactly how much damage this will do?
  • Can you be sure that the issue might not somehow go away?

Issues then, just seem more "definite" and "now" than risks, right? This classification is arbitrary: they're all just part of the same spectrum, they all have inherent uncertainty, so there should be no need to agonise over which column to put them in.

In a way, this is a blessing because it means if you are maintaining a backlog (the Scrum term) or tracking work in an issue-tracking tool such as GitHub Issues then you're tracking risks.

A selection of issues from a GitHub project

Let's look at a real-life example. The above image shows a selection of issues logged in GitHub for an open source project called FDC3. The first one, "Adding debugging information to help app developers trace broadcast storms" is written as if it's a piece of work to be done (an action to take). However, there's an implicit risk being addressed by this piece of work: the risk that developers using the project are under-served by the functionality of it, and will be dissatisfied by the project. This issue was likely written by developers facing this problem, unable to move forward due to this lack of functionality around debugging information.

Goals Are Risks Too

In the previous sections, we introduced something of a "diagram language" of risk. Let's review it:

Risk-First Diagram Language

Goals live inside our Internal Model, just like Risks. Functionally, Goals and Risks are equivalent. For example, the Goal of "Implementing Feature X" is equivalent to mitigating "Risk of Feature X not being present".

Let's try and back up that assertion with a few more examples:

Risk of someone breaking inFeeling of safetyInstall a home security system
Risk of looking technically inferior during the cold warFeeling of technical superiorityLand a man on the moon
Risk of the market not requiring your skillsJob securityRetrain

There is a certain "interplay" between the concepts of risks, actions and goals. On the Risk Landscape, goals and risks correspond to starting points and destinations, whilst the action is moving on the risk landscape.

Starting PointMovementEnd Point
Goal, riskActionAttendant risk, achieved goal

From a redundancy perspective, if you know any two of the start, end or movement you can figure out what the third would be. At different times, people like to focus on different parts of this. Sometimes, humans are very goal-driven: they like to know where they're going, and are good at organising around a goal (like "landing a man on the moon"). However, by focusing on goals ("solutionizing") it's easy to ignore alternatives. Sometimes, we focus on the risks. As politicians know, fear is a great motivator for voting.

But risks, goals and actions are deeply connected. By focusing on "Risk-First", we don't ignore the reasons we're doing something.


A Risk-First diagram represents a starting point (a risk, a goal), some movement (an action to take) and a destination (mitigated risk, completed goals, new attendant risks). But frequently our usual tools will only show us one of these parts: the RAID log is focusing on the starting point, and some actions (decisions). Issues (in an issue log) often focus on the action and possibly the risk. In a way, this is fine as you can derive the third by knowing the other two.

However, where this becomes problematic is when trying to decide what work to do: is the expected destination worth the effort of the action?

So next, let's look at how we should Consider Payoff when we choose what to do next.