For some time a set of ideas on ways to think about risk has been floating around here.
We are sceptical about current risk management models and approaches. Having observed risk management practices across a wide range of software projects during the last twenty years, it has become clear that it is a hit-and-miss and often cosmetic exercise. People do not know how to make it work on software projects, which are too fluid and too uncertain for traditional risk register approaches to work. We have seen risk registers that are little more than to-do lists. The registers and associated activities provide little measure of overall project risk and have even less impact on the outcome of projects. If it were all abandoned it would make little difference.
The ‘big idea’ is that risk management needs a new way of thinking about risk to make it relevant: something that prevents the behaviour of operating a ‘to-do’ list, with entries like “Fred might be late delivering his interface”, whilst ignoring ‘the elephant in the room’, issues such as “no one has ever run this technology stack at this scale for this type of operation anywhere in the world”. The ideas have now been pulled together into a model of risk we call the ‘Safe Harbour’ concept. More details can be found in the paper The ‘Safe Harbour’ Concept of Risk.