Health
People in industries like banking and insurance think mainly about risk measured in money. But risk isn't just money. Life is filled with non-monetary risks.
"If someone says, 'You can make it!' down a vertical mountain when you don't ski very well, think about it before launching. This can be a turning point in your life. It sure was in mine when I slammed into the mountain. I wish I'd said, 'F'getabout it, sucka,' and gone to the Kiddie Corral. Would have saved a lot of pain and surgery. Think about this. What are you really up for? Is the thrill worth the cost?" - Sandy Nathan, Numenon
I am going to argue here that risks affect the health of a thing, where the thing could be:
-
A Living Organism, such as the human body, which is exposed to health risks, such as Cardiovascular Disease.
-
A Software Product is a thing we interact with, built out of code. The health of that software is damaged by the existence of bugs and missing features.
-
A Project, like making a film or organising a dinner party.
-
A Commercial Entity, such as a business, which is exposed to various Operational Risks in order to continue to function. Businesses face different health risks than organisms, like key staff leaving, reputation damage or running out of money.
-
On a larger scale, a State is a system, the health of which is threatened by various existential risks such as revolution, climate change or nuclear attack.
What Is Health?
Health is a really universal property. I've deliberately chosen these examples to be at different scales, to demonstrate that health is not just something that applies to living things. It seems like you can talk about the health of nearly everything. I can talk about the health of soil (how likely things are to grow in it), of a table (whether it might collapse or not), a tree (whether it looks nice and is growing) or a political party (whether it's membership is strong and growing).
However, in all these cases, health refers to something slightly different, perhaps subjective. It's an overloaded term, so let's look at some specific meanings for health.
Health as Survival
The most obvious indicator of health in living things is whether they're alive or dead. But since there is no clear definition of exactly what a living thing is, scientists fall back to describing the behaviours of living things. For example, metabolism (taking in energy or other inputs, and using it to self-organise), homeostasis (having some kind of feedback loops to maintain an internal state) or adaptation (responding to changes in the environment).
When a living thing is no longer exhibiting these behaviours, it is dead. But, the same is true of our other examples too: businesses go bust, projects get cancelled, dinner parties end. At the larger end of this scale, we can say that a country or a project is alive so long as there are people participating in it: to be alive, the constituent components must be alive too.
The problem with "Alive vs. Dead" is that it is binary - there is no scope for "improving" or "worsening" health. I could be involved in an accident that severely limits my capability, but leaves me alive - my health is definitely worse though.
Health as Fitness
A different approach to judging the health of a thing might be to take measurements of it and compare it to other things. For example, we could say the health of a battery is related to the amount of charge it contains compared to a new battery, or the health of soil by the quantity and quality of crops it produces.
-
For people, you can measure health by looking at things like resting heart rate, blood pressure or lung capacity. Also, there are tools like the SF-36 which aim to capture (via survey) the general health of people, by asking them about their physical and mental functioning, emotional well-being, stress etc.
-
For a car factory (say) you could create metrics for the number of cars completed, the defect rate, or the number of workplace accidents per year.
-
For businesses in general the financial health of the firm is measured by cash flow, the balance sheet, sales, liquidity ratios and so on.
-
For a software product you could look at things like number of users, licenses, downloads or some other metric.
-
If you're in a startup, you could look at something like Burn Rate, which is how fast you are spending money.
Metrics are difficult though. Choosing the right metrics, knowing their weaknesses and being aware of what knowledge is missing is a whole other discussion which we look at in Map And Territory Risk. Taking the car plant example again, what does it mean to produce a hundred cars a day? Is it good or bad? Is this directly tied into how healthy our business is? Does it matter if the cars aren't selling?
Health as Critical Acclaim
Measuring fitness as you go along is not always possible. For a lot of projects, like dinner parties, films or construction projects, the success or failure has to be judged subjectively on completion, and not before. Essentially, the project is a bet on a future outcome.
Building a new feature on a software project fits into this category: although you can build tests, do demos and run beta-test programmes the full picture of the health of what you've built won't emerge until later.
Health as Power and Safety
Although you might not have visibility of the end result, sometimes it's enough to care about the health of the process itself. So a fourth perspective on health is: does the project/person/business control the resources it needs?
When talking about businesses, economists call these resources Factors of Production, dividing them into categories like land, labour and capital.
The resources of a state are employed to create some kind of organisation (feed armies, build roads, create currency, run governments), whether it is a democracy or a dictatorship. When the resources dry up or are stolen, the state can fall apart resulting in civil wars and anarchy. Leaders of states need to understand which resources are the sources of their power. CGP Grey's excellent Rules for Rulers video explains how this works in great detail, and covers why government doesn't always do the best things for it's subjects.
Health as Risk Exposure
We've looked at health from four alternative angles: "Survival", "Fitness", "Acclaim" and "Resources".
But this still isn't the whole story of health: Personally, I might be perfectly happy and (apparently) healthy one moment, but then fall down dead from heart failure the next due to some inherited heart condition. Or, I could live happily on an island with plenty of food but have it all washed away overnight in a storm.
Health isn't just about considering where you are now, but also how precarious the position might be.
So, we have to go further and consider - what are the health risks I am exposed to? What are the risks due to my environment, my diet, my behaviour? If I live in a high-crime area, in a high-fire-risk house, engaging in lots of dangerous activities then this should be taken into account when judging my health.
Health At Different Scales
This kind of analysis gets done at every scale. Just as we can look at personal risks to ourselves and commercial risks for a business it's possible to look at state level risks in a serious way. How healthy is the United Kingdom? As well as producing metrics such as GDP, employment, education level, etc., the UK government also produces a National Risk Register. This considers various risks (flooding, fires, pandemics, nuclear attack) and produces a matrix comparing:
- Impact This is an
A-E
scale.A
means a risk costing less than £10m and killing fewer than 8 people. AnE
impact (the largest), meanwhile has a greater than £10b cost and more than 1000 deaths. According to this reckoning, pandemics and CBRN (chemical, biological, radiological and nuclear) attacks have the greatest impact. - Likelihood: This is based on a probability out of 500, again banded into sections.
Why would they produce such a report? From their introduction:
"The 2020 National Risk Register sets out the range of risks and challenges we face which have the potential to cause significant disruption to the UK, and explains what the government and partners are doing to mitigate these risks and how we all can prepare for and respond to them" - National Risk Register 2020, UK Government
This is about the health of a nation: tracking the risks you face and then managing them are an important way to stay healthy.
Health Conflicts
The examples we've looked at so far are all at different scales, and could be nested within each other - people can work for an organisation, a state has lots of organisations operating within it.
When an organisation or a project hires an employee they are doing so in order to improve their health: make sales, fix bugs, clean the office and so on. This is a symbiotic relationship - the health of the organisation is related to the health of the employee. The health of staff, projects, departments, firms are all related. You might be working on a software product for a team inside an organisation operating in a certain country. You are probably going to have to consider the health of more than one of those things. Can a team be "healthy" if the organisation it is contained within is dying? Probably not.
Sometimes, as discussed in Agency Risk these can be in conflict with one another:
-
Putting in a heroic effort might save a project but at the expense of your personal health.
-
Lobbying is trying to push the political agenda of an organisation at the state level, which might help the health of the organisation at the expense of the state or its citizens.
-
Whistleblowers are trying to correct an organisation's illegal activity, putting the health of those affected above that of the organisation. But whistleblowers often face retaliation for their actions since they are therefore negatively impacting the health of that organisation, and therefore the staff within it.
Next
If all of these disparate domains at all of these different scales are tracking health risks, it is clear that we should be doing this for software projects too.
The health risks affecting people are well known (by doctors, at least) and we have the list of state-level risks above too. Risk-First is therefore about building a similar catalog for risks affecting the health of software development projects. Risks are in general not unique on software projects - they are the same ones over and over again, such as Communication Risk or Dependency Risk. Every project faces these.
Having shown that risk management is scale invariant, we're next going to look at general strategies we can use to manage all of these various health risks.
On to Derisking...