Closing your eyes is not a risk management technique

When it comes to investing in IT, would you categorise yourself as a rather ignorant and cowardly lion, or an informed and knowledgeable meerkat that is constantly on the look out for new risks.

In finance, there are three categories of investor. These are:

• The risk averse.
• The risk neutral.
• The risk takers.

The irony is that the behaviour of risk averse individuals increases their risk. An example of a risk averse investor is one that invests in a low risk pension fund. They are so afraid of finance that they give their money to someone else to invest. Normally they do not even know the name of the fund manager investing their money, or the instruments that they invest in. It is unlikely they would know the historic performance of the fund manager. In effect, they close their eyes and hope the person selling them their services knows what they are doing. They are happy with an annual update. The risk averse investor’s approach to risk is to bury their head in the sand and hope it goes away.

A risk neutral investor does not take a risk position, they simply buy and sell at the same time making a profit from the difference between the two. Examples of risk neutral investors are shops and warehouses where they buy in bulk from remote locations and sell individual items in a location convenient to the buyer. In effect, the retail buyer pays a fee for the service they provide. Quite often the seller will sell an item (e.g. a television) to a buyer and then buy it from the manufacturer.

A risk taking investor would typically invest in a hedge fund or invest on their own behalf. They would probably know the hedge fund manager personally, know their track record, and would have regular, probably daily, updates on the composition of the investment portfolio. They would study the individual investments and have a solid understanding of the types of investment being used. They would challenge the hedge fund manager if they were unhappy with the investment strategy. The risk taking investor’s approach to risk is to actively manage it and continual seek to better understand it.

The Risk Averse IT executive

The risk averse IT executive lives by the maxim “No one ever got sacked for buying IBM!”. Their goal is to avoid being the slowest antelope. They are looking for someone else to blame if they have made a bad investment. These IT executives will only buy services from a company that their boss, the CEO, has heard of. They will never buy services from a niche specialist consultancy or an individual because their boss will still hold them responsible. That responsibility is transferred to the CEO if they use a household brand such as:

• MacKinsey
• Accenture
• KPMG
• Deloitte
• Microsoft
• IBM

The risk averse IT investor (lets call them lion) would typically make deals on the 19th hole of the golf course when they meet a partner (lets call them Salazar) from one of the above organisations.

• Lion: I’m worried that I will become the slowest antelope.
• Salazar: I always have your back, remember how I sold you that NHS database and the Taurus system. How can I help?
• Lion: I want some Agile just like my competitors.
• Salazar: We can’t do Agile. We have no experience and the people with experience wont work for us.
• Lion: Do you have anything to help me?
• Salazar: We have SAFE or the Scaled Agile (Academic) Framework for the Enterprise.
• Lion: Wonderful. Because it is called SAFE, it must be safe because you only have my best interest at heart.
• Salazar: Yes. We take our waterfall consultants and combine them in the SAFE structure. A few days of training, and out pops a bunch of SAFE consultants.
• Lion: Good, it sounds like that  CDO you advised me to buy where you take junk bonds and turn them into “AAA” rated securities.
• Salazar: Exactly, you can trust me. If it doesn’t work, our firm will take responsibility for the failure… for a fee of course.

The Risk Managing Executive

The risk managing executive lives by the maxim “We want to deliver value, reduce lead time with continuous quality and transparency”. Their goal is to be better, continually improving. Lead time is a risk measure for IT investments. Transparency is one of the most effective risk management strategies where culturally everyone makes sure the best person to manage a risk is actively made aware of it. Continuous quality ensures that development teams do not engage in risky short termism at the expense of long term costs and failures. The maxim can be rewritten as “We want to deliver value, reducing risk, with long term risk management and everyone involved in risk management.” That is because the risk managing executive understand that the most effective way to deliver value is to manage risk. Rather than avoid risk, they actively look for it so that they can manage it.

Rather than trust others, they take responsibility for their own decisions. In order to do that, they study the available approaches and decide which are appropriate for their context. Lets consider some exemplars of risk managing IT executives:

1. When I met Lee Nicholls in his office I was intimidated to see that he had bookshelves containing several hundred books on Agile, Lean and Software Development. In our discussion, it was clear that he had studied them, including obscure books like “Commitment”. He did not want me to tell him a solution, rather he wanted to know about my experiences so that he could understand how to apply it in his context. He understood that experiences were more important than opinions. Lee had a number of well known Agile experts working for him to give him access to the wisdom of the agile community.
2. My first conversation with Mark Gillett was whilst we were waiting for the kettle to boil just outside his office at Skype. Our short conversation on user stories indicated he had done extensive research on the subject, and he had given it considerable thought. Also, it was clear Mark was regularly engaged with a number of leaders in the agile community. Mark successfully implemented Scrum across the whole of Skype, invented the metrics hierarchy, and created a culture of collaboration that allowed capacity planning to emerge to solve the portfolio problem. Capacity planning has now successfully been replicated across several organisations.
3. My current boss was the head of a IT department of 750 people. In order to better understand devOps, he learnt how to develop using extreme programming techniques. Now as the head of devOps, he has coached one of the development teams in extreme programming. Rather than rely on the opinion of others, he has hands-on experience of why various tools and practices are important.

Neither Lee, or the two Marks relies solely on the opinion of others. When making investment decisions, they have done the necessary research, sought expert advice and gained the experience to effectively manage the risk. They would never do what someone else advises simply because they work for a big brand consultancy that their boss has heard of. They manage the risk involved in IT investments rather than avoid it.

This week I was told me that on average a SAFe transformation fails after 14 months. If you are a CEO and your CIO says they want to implement SAFe using a traditional consultancy, you need to consider whether you want a cowardly lion in your team. After all, is “burying your head in the sand” really the risk management technique you want your IT department to adopt?