Managing Real Risks

Tom DeMarco says knowing how to manage project risks enables companies to take bigger ones

To get big payoffs, you need to take big risks, says Cutter Consortium analyst Tom DeMarco. In his most recent book, Waltzing With Bears, he and co-author Timothy Lister explain how project managers can help their businesses embrace risk and reap the rewards. He told Kathleen Melymuka why risk management is an idea whose time has finally come.

CIO: You and Tim Lister have written about many topics over the years. Why risk management now?

DeMarco: We have moved from a focus on risk control to a focus on risk-taking. When you're trying to enable people to take risks, then you really need to use a much more disciplined approach that allows you to assess and track the risk. It sounds paradoxical, but it's the change in mind-set from, "Make this go away" to "Make it possible for me to take some really big risks without betting the farm on them". All the systems that are changing the world are very risky systems, but the payback is enormous. So we need much more methodical ways to take risks.

CIO: You call risk management "adult project management". Why?

DeMarco: Children are allowed to maintain a blase presumption that there is nothing bad in the world. Adults worry about the bad things that can happen. In pushing aside any consideration of failure, the can-do management philosophy is intrinsically childlike. We need to move past that. Can-do is a recipe for being able to take only small risks.

CIO; What are some of the benefits of good risk management?

DeMarco: It makes risk-taking possible. It doesn't oblige you to abandon your stretch goal; it only causes you to consider your fallback plans for if that goal is not reached. It builds a much more healthy relationship between builder and buyer, in which people are able to talk maturely about uncertainty instead of pretending they're certain when they haven't got a clue. It's a way to scrub out the little white lies that are so much a part of the builder/buyer relationship.

CIO: What's the hardest thing about managing risk in an IT project?

DeMarco: Risk is an abstraction: something that may or may not happen. We are not used to dealing with abstractions on project plans. Every activity on a project plan has to be done. Any that might have to be done are not on the plan. The whole notion of uncertainty is hard to wrap your mind around. It's anti-intuitive and also countercultural in some places. There are some places where you can be wrong but you're not allowed to be uncertain.

CIO: Risk management seems so obvious. Why are IT groups so averse to it?

DeMarco: There's a presumption built into the heart of IT project planning that starting a project off toward unrealistic goals does no harm. But if you've been through a project that was done that way, you know it does terrible harm. It causes you to do things in the wrong order and leave out things that need to be done. But still, we figure out the most optimistic possible scenario and plan according to that.

CIO: Are IT people ready to do real risk management?

DeMarco: There is a class of person who is reluctant to open this book. They know it will tell them about managing uncertainty in a reasonable way, and a lot of people don't want to hear that. It's like going for a colonoscopy. You know it's good for you, but you keep putting it off because you don't want to face the possibility of bad news.