Risk-First Diagrams Explained
What’s going on in a Risk-First diagram? Let’s look at a quick example:
This is taken from the Technical Debt discussion in Complexity Risk.
What’s going on here? Let’s work left-to right.
On The Left
On the left, we can see Codebase Risk, which is The risk to a project of having a large, complex codebase to manage.
Codebase Risk is an example - it could be any risk you’ve identified in your project / work / life / whatever. It’s something you want to fix.
There are all kinds of risks we face in life, and we attach different value or criticality to them. Most people will want to take action against the worst risks they face in their lives, and maybe put up with some of the lesser ones.
In The Middle
In the middle, we see the actions you could take against the risk. So for the problem of an unwieldy codebase we could try and reduce the size of our codebase with some refactoring, or alternatively, replace the whole codebase with a commercial or open-source library.
On The Right
Nothing comes for free. On the right, you can see the downside of the action you’ve taken: Attendant Risks are the new risks you now have as a result of trying to deal with the first one.
In the first diagram, the refactoring and simplification actions lead to Schedule Risk (because they’ll take time to do), Feature-Fit Risk (because a simpler product might not meet the user’s needs so well).
It’s worth pointing out that sometimes the cure is worse than the disease.
By Taking Action you might end up in a worse predicament than you started. For example, cutting your legs off would definitely cure your in-growing toenail. We have to use our judgement to decide on the right course of action!
So Risk-First diagrams represent a balance of risk: whether or not you choose to take the action will depend on your evaluation of this balance.
Containers For Internal Models
The risks on the left and right are contained in rounded-boxes. That’s because risks live in our Internal Models - they’re not real-world things you can reach out and touch. They’re contained in things like brains and spreadsheets.
In the above diagram, you can see how Jim is worried about his job security, probably because he’s made a mistake at work. Therefore, in his Internal Model he has Funding Risks, i.e. he’s worried about money.
What does he do? His Action is to blame Bob. If all goes according to plan, Jim has dealt with his risk and now Bob has the problems instead.
There are two other marks we use quite commonly.
We put the strike through the risk to show that it’s been dealt with, or mitigated, and the cloud icon denotes Hidden Risks- those unknown unknowns that we couldn’t have predicted in advance.
Add Your Star On GitHub to receive an invite to the GitHub Risk-First team.