Tuesday, May 22, 2007

Is there a difference between Risks and Risk Sources?

Hello Jeff,
Thank you for your blog which is very instructive and useful for all of us.
I’m part of a quality team as a trainee in an IT company in France, and working on a risk management tool.
After having studied risk sources and risks categories in both CMMI - RSKM and SEI risk taxonomy, I found that most of the time, a given risk may also be a source of risk.
Lack of Human resources may be a risk, but also a source for the risk “Product not delivered on time”;
The element “Uncertain requirements” is present in both RSKM risks sources and risk taxonomy categories.
My question is: "is there a distinction between risks and sources possible, and is it useful to build a risk management tool or plan?"

First of all, let me congratulate you on your obvious level of knowledge about Risks, as well as your knowledge of the CMMI model. Excellent for a trainee! I'll be looking forward to YOUR Blog in the future!

Second, let's step back for a second and try to view the CMMI as a set of guidelines, and the examples in the model as a set of suggestions. In doing that, we see that identifying risk sources is a neat way to ensure that we capture most of the important risks, by providing us with "memory joggers" to help us identify the important ones. You have done so with great clarity.

As to a distinction between risks and sources, you're right! Some risks and sources are related, and some risks can become sources themselves. Should you treat these things differently? I would say "no" and here's why. It's very difficult to get people to adopt a process of any kind, primarily due to the culture change. Add to that the complexity of tailoring guidelines (which force the Project Manager to interpret the process and make decisions about what is appropriate) and it becomes, in some cases, nearly impossible.

As I always am conscious to keep my "Agile" hat on (I believe "Agile" is a philosophy as well as a family of methods) I am always looking for simplicity and an opportunity to streamline as much as possible. In the spirit of this philosophy, I would argue that it would be better for the organization as a whole to deploy a simple set of "risk sources" and not muddy the waters with the maddening and circular discussion that would inevitably take place once you introduce the "source or risk?" conversation. Believe me, I've been tortured through many a similar discussion.
That's what I think anyway. Others may (and probably will!) disagree.

1 comment:

Anonymous said...

Hello Jeff,

The risk management process in my organisation still requires some improvement. I am proposing to have a risk taxonomy for our project managers to identify the risks for their projects. I am going to prepare a drafted document with a proper guidelines and checklists in using taxonomy-based risks. I request for your expertise in guiding me to prepare a simple and easy to use document for this matter. Thank you.