Waltzing With Bears: Managing Risk on Software Projects

This is the latest incredible book by Tom De Marco and Tim Lister that was on my Amazon wishlist for almost 5 months now until Chris reminded me with a recommendation about it. Now being at aprox. 75% I can just agree with Edward Yourdon (Creator of the incredible Death March: The Complete Software Developer's Guide to Surviving 'Mission Impossible' Projects (Yourdon Computing Series) ) that this will become the bible for IT Project Managers.

It not only adresses the "Reason why" to cope with risk management in your projects, but for instance the anti-thesis, the "Reason why not" (if you live in a culture of fear for instance...).

Tom DeMarco and Timothy Lister provide an enjoyable to read, with great examples and their typical, somewhat sarcastic, view on the general issue of project management and the fact that a project - whatever risks it might impose - typically extends the first and most optimistic schedule by 150 to 200 % (that is 3-4 times more!).

Managing risks does not mean to manage the resulting problems or catastrophes alone, but simply the probabilities of these with adequate safety buffers and alternative strategies.

The visualization of a risk - a "we could maybe not make it"-issue is the first and probably most important step they motivate you to. Many organziations simply obey the "can do"-super-hero approach (I would call it CMM level zero) where not the infantile project plans and the resulting schedule and effort slips and therefore money and people loss are sanctioned, but the "questionable" behaviour to ask for possible bad outcomes and problems during the project path to take care of. (the organizations where there is always another dude with a "Hey Boss, I will deliver in your {impossible} schedule 100 pro, let me do it!")

From the practical viewpoint they even provide an easy to understand arithmetic approach to probabilty calculations aswell as some tools (Excel based) you can download from their web-page. Not the most important issue in my opinion but nice for the more detailled analysis.

If you only plan to read one PM book this year, get this one!

Rating:
Summary: Analyzing the Risk for Projects Just Got Real!
Review: For anyone who's work life consists of leading and managing projects - technical or non-technical, it doesn't matter - Waltzing with Bears is best read slowly and thoughtfully at home over a weekend, then brought to work and kept within easy reach - you'll want it right there come Monday morning! Laser-accurate insight, philosophically and experientially grounded, hard truths encapsulated in good humor - this book has it all! (Why would we expect less from these guys!) What I adore about DeMarco and Lister's latest effort is that it is rock-solid methodology delivered, as always, in some of the deftest, most readable prose around. Great management best practice and a good read to boot. Holy Smokes!

Rating:
Summary: This is the book!
Review: It is a rare pleasure to find a book that exactly articulates something you have always known but never recognized. This is such a book. It first of all points out that you never will go anywhere without assuming risk. Projects without risk are usually worthless. Given that, you have to then manage risk. Many of us as project leaders would rather simply pretend that risk doesn't exist--and then are upset and annoyed when things go wrong.

Messrs. DeMarko and Lister then proceed to explain exactly how to recognize and deal with risk productively. Their ideas are (and have always been) essential for any project to succeed.

Rating:
Summary: Getting Back to Basics
Review: It never ceases to amaze me how easily impressed the masses are by well-expressed views expounded by eminent personalities with a proven track record for impressing. So strong is this effect that even when the views expressed are fundamentally flawed one rarely sees the offenders brought to account. Here, with 'Waltzing With Bears' we have a prime example: a book crammed with seemingly good advice on how to evaluate risk but which commits the cardinal sin of applying frequentist probability theory to model epistemic uncertainty. As a result we have yet another pair of consultants jumping on the bandwagon and promoting an aleatory method (Monte Carlo Simulation) without any regard for the second order uncertainties that bedevil software development projects. Why is this important? Because all the results you get will be wrong; very impressive but useless. I don't know about you, but I think that this is a serious drawback.

I believe it behoves renowned experts to do their homework and get the basics right before they pollute the education system with their half-baked 'wisdom'. Do yourself a favour, ignore what the book says about risk analysis and go and by a good book on Bayesian Methods and Decision Theory. You don't have to take my word for this, just type in 'epistemic uncertainty and Monte Carlo' into your Internet search engine and take it from there. In the meantime, here are some background notes to help explain my remarks:

•There are two types of uncertainty: epistemic and aleatory.
•As the name suggests, epistemic uncertainty results from gaps in knowledge. For example, one may be uncertain of an outcome because one has never used a particular technology before. Such uncertainty is essentially a state of mind and hence subjective.
•Aleatory uncertainty results from variability that is intrinsic to the behaviour of some systems (alea is the Latin for die). For example, I can be confident regarding the long term frequency of throwing sixes but I remain uncertain of the outcome of any given throw of a dice. This uncertainty can be objectively determined.
•There are two branches of probability theory: Frequentist and Bayesian.
•Frequentist probability theory is used to analyse systems that are subject to aleatory uncertainty.
•Bayesian probability theory is used to analyse epistemic uncertainty.
•For most risk assessments a Project Manager has to undertake, there is both epistemic and aleatory uncertainty but epistemic uncertainty is always significant due to the novelty of the situation under assessment.
•Standard Monte Carlo Simulation uses frequentist probability theory to analyse risk.
•When Monte Carlo is used to model schedule risk, the schedule uncertainties are being treated as if they are aleatory, even though they are predominantly epistemic. This is now considered to be unrealistic and is known to give incorrect results. The main problem is that the second order uncertainties are often too large to be ignored, i.e. the required shape for the chosen probability distribution curves is more important than the tool vendors would have you believe and yet they are usually imprecisely known.
•Using standard Monte Carlo to analyse schedule risk also requires unrealistic assumptions to be made regarding the correlations between the probabilities for the individual outcomes, e.g. that there are no correlations or that they are all of the same nature. In practice, there are correlations to be considered when analysising schedule risk and they are of both a positive and negative nature.
•As a result of the above drawbacks many expert authorities are warning against the use of Monte Carlo Simulation where the historical data upon which the analysis is premised is incomplete. For example, its use in ecological and economic models is now controversial (see the World Congress on Risk website).
•In software development there is a growing appreciation of the importance of Bayesian Methods in analysing problems in software quality assurance.
•Bayesian methods are appropriate in situations where there are gaps in information (i.e. where there is epistemic uncertainty). They involve the creation of Bayesian Belief Networks (BBNs) to model causal relationships. Data is fed into the model to enable the probability of specified outcomes to be calculated given the current body of knowledge.
•Even more interesting, Bayes Theorem can be used to assess the likelihood that pre-conditions exist in the light of outcomes becoming known.
•BBNs can be used in any situation where one is trying to calculate the likelihood of an outcome, or an unknown situation, when there is only limited information. It is useful in Decision Theory when a risk-based decision is required in the face of epistemic uncertainty.

Rating:
Summary: Enjoyable and Valuable
Review: Reading Tom Demarco and Tim Lister is a pleasure. It is so clear that these two authors set out to teach something they believe to be valuable, and all of their effort is directed toward making that valuable thesis accesible to the reader. There is no showing off, no saying, "Look how smart I am." Their books clearly say, "Our many years of experience have taught us some useful stuff and provided us with lots of valuable data. We have put a lot of effort into analyzing that data and we will try as hard as we can to help you understand our analysis. Our objective is make it as clear and as entertaining as we can," and they do. Their explanations are always clear. Their examples are invariably both helpful and entertaining.

What they have to say is always important. "Walzing with Bears" is no exception, and even if you should disagree with parts of the book, their arguments will force you to think about critical aspects of management that you may not have previously considered.

Reading the first few chapters, my only criticism was that they seemed to be oversimplifying some issues. Reading on, I realized that it was a deliberate and brilliant part of their teaching technique. In later chapters, the book carefully added the complexities that covered more and more of my early reservations in ways that made them easily understandable.

It's a terrific book.

Rating:
Summary: A must for software development managers
Review: Risk is everywhere, so we cannot avoid it, only manage to deal with it in the best possible manner. In software development, the most valuable projects are always the most risky. Therefore, the decision to go forward with any project must include an honest assessment of the locations of the virtual land mines.
There are two general areas in which risk can be categorized. Some of the risks are known, either precisely or within a range of parameters. For example, the cost per day for each category of worker involved in the project is well-known. This type of risk is not difficult to manage, and most managers have a great deal of experience handling them, so very little of the book deals with them.
The second category are those risks that are largely unknown. These are items like the risk of mission critical software suffering a catastrophic failure to large, unexpected cost overruns. It is this category that is examined in detail in this book. Of course, the boundaries between these categories are extremely subjective and situation dependent. A small company with limited financial resources would consider a smaller cost overrun to be critical than a company more capable of taking a large financial risk.
After the initial explanation that risk management is necessary, the next step is trying to quantify the risks. This involves charts of likelihood of delivery time that resemble normal distribution curves. Using such charts allows any prediction to include some natural 'wiggle room', which eliminates one of the most recurring and frustrating problems. Development managers are commonly asked to give a date for product delivery, and that date becomes fixed in stone. Upper echelons are notorious for hearing only the 'we can deliver on August first' part of the message and ignoring the remaining, 'provided all the planets are in alignment, there is no snow in January and no one takes a day off' part of the message. Expressing the date in a diagram of this form means that it is impossible to see the date without also seeing the estimated range.
The authors have also developed a risk assessment tool called RISKOLOGY, which can be freely downloaded from the companion web site. While the tool is not described in complete detail, there is enough background for you to be able to use it quickly. Chapter 13 deals with the core risks of software projects. The five risks listed are:

* Schedule flaw.
* Requirements inflation.
* Personnel turnover.
* Specification breakdown.
* Under-performance.

None of these risks is any surprise to experienced managers, although including them was necessary and the authors do a good job in explaining them.
Chapter 14 puts forward a process for discovering risks, which is excellent and in the realm of 'how to learn what it is that you don't know.' It is this approach that will separate those who succeed from those who must resort to faking success. The greatest and most dangerous risks are those never considered as possible events. Catastrophe brainstorming followed by scenario analysis is the strategy that the authors put forward.
As a mathematician, I was pleased to see that the concept of probability is used to perform the risk analysis. Probability charts are used throughout the book to demonstrate the concepts and of course this more accurately describes our knowledge of the future. Nothing in life is certain, so the probability limits need to be placed around every event.
The software project without risk is so dull and uninteresting that no one with any talent would go near it. So, if you have talent, gear up by buying this book and plunge forward to take on the enormous challenges of making software that matters to the world.

Rating:
Summary: Especially recommended for experienced entrepreneurs
Review: The collaborative effort of Tom DeMarco and Timothy Lister, Waltzing With Bears: Managing Risk On Software Projects is a hard-hitting guide to braving greater risks for greater rewards in the exciting, challenging, competitive, and rapidly advancing field of software development. From advice on the pros and cons of risk management techniques; to successful value quantification; to tests for risk management and knowing when to go back to basics, Waltzing With Bears is a very savvy guide especially recommended for experienced entrepreneurs who know their specialized markets and want a better feel for when and what would be an acceptable risk in pursuit of marketplace success.

Rating:
Summary: World-Class Advice on Managing Projects
Review: The traditional methods for dealing with risk are typically:

(1) Ignore it.
(2) Pretend it does not exist.
(3) Look upon the messanger as "Not a Team Player" and finally ...
(4) Pressure

DeMarco and Lister blow the lid off this approach by making a compelling argument that 1-4 are irresponsible and unethical, then pointing to a better way.

The "toolset" that DeMarco and Lister provide is very specific and will help, but I think they are getting to something deeper. Ever since "PeopleWare", the impression I have of these authors is that they are trying to get IS folks to think for themselves - to have a very large toolbox and to pick the right tool for that particular job, instead of "Standardized Procedure where you do everything by the book."

The fact is, IS people can add value and clarity by knowing that we can't do everything and picking the highest ROI items to work on. (Or helping Sr. Management to decide what to work on ... however you want to word it.)

The book can help your organization deal with reality, instead of hoping for fantasyland. If you struggle with projects with unrealistic deadlines and artificially compressed schedules (because if the project was scheduled in a sane way, the ROI wouldn't make it worth doing) - this book can help.

Rating:
Summary: World-Class Advice on Managing Projects
Review: The traditional methods for dealing with risk are typically:

(1) Ignore it.
(2) Pretend it does not exist.
(3) Look upon the messanger as "Not a Team Player" and finally ...
(4) Pressure

DeMarco and Lister blow the lid off this approach by making a compelling argument that 1-4 are irresponsible and unethical, then pointing to a better way.

The "toolset" that DeMarco and Lister provide is very specific and will help, but I think they are getting to something deeper. Ever since "PeopleWare", the impression I have of these authors is that they are trying to get IS folks to think for themselves - to have a very large toolbox and to pick the right tool for that particular job, instead of "Standardized Procedure where you do everything by the book."

The fact is, IS people can add value and clarity by knowing that we can't do everything and picking the highest ROI items to work on. (Or helping Sr. Management to decide what to work on ... however you want to word it.)

The book can help your organization deal with reality, instead of hoping for fantasyland. If you struggle with projects with unrealistic deadlines and artificially compressed schedules (because if the project was scheduled in a sane way, the ROI wouldn't make it worth doing) - this book can help.

Rating:
Summary: Useful for managers of medium to large groups of people
Review: There are a ton of wonderful anecdotes and motivational examples for doing risk management. Also, he takes a very pragmatic approach towards what's actually possible in different corporate climates. Rather than only telling you what right thing to do is, he helps you decide what the appropriate thing is.

The explanation of the relationship between risk and benefit analysis was both insightful and seemed like it would be useful. It provides a pragmatic framework for a lot of what are considered 'good engineering practices', such as incremental deliverables that can be measured and verified in meaningful ways.

The only downside is that it's very difficult to understand how to take advantage of some of the frameworks he provides without being in a management position already. Individual contributors won't get a lot out of this.