What is Agile Risk Management?

In the Agile blogosphere, we sometimes hear practitioners debate whether traditional risk management techniques are relevant to Agile projects. Some people claim that traditional controls, such as risk matrices, are more or less orthogonal to agile techniques and, when applied, provide complementary value. Others vehemently exclaim that risk controls are inherent in standard agile practices and that applying traditional risk controls is, at best, unnecessarily redundant.

Frank Knight, the economist, made a distinction between risk and uncertainty that helps us understand when the Agile approach to risk management is fundamentally different from more traditional approaches. Understanding this distinction is key to understanding why Agile methods often work so much better, especially when it comes to software development projects.

Knightian Risk

With risk, although you may be unsure whether or not a specific event will occur, you do know the probability that it will occur. For example, when you roll a pair of dice, you don’t know if you will roll a seven, but you know that the probability that you will roll a seven is one in six. You also know that there is a five in six chance that you will not roll a seven. This allows us to calculate (as we may remember from school) the expected value: the potential payout or loss of a specific event multiplied by the probability that it will occur. So the expected value of a single roll of the dice would be calculated at $1.00, if the payout when a 7 is rolled is $6.00. If it costs less than a dollar for each throw of the dice, we would call throwing the dice a good bet. As we can see, with risk, you can make rational decisions about whether or not to take a risk because you can measure the magnitude and probability of the risk (and reward).

The opportunity to make rational choices by no means implies that we will do so. Human decision-making is predictably biased and, to an illogical degree, risk averse. For example, we value the possibility of losing a dollar more than the possibility of winning one (T&K). It takes discipline and rigor to act rationally when provided an opportunity to do so.

Although in the real world we generally don’t know with 100% certainty the likelihood of events, as we do in a (fair) game of dice, we often know enough to take calculated risks. For example, we leave the umbrella at home even though we can’t prove the probability that it won’t rain, because the facts that the sun is shining and that it rarely rains in August give us the confidence to assume that we don’t need our umbrella.

Knightian risk is the domain of traditional risk management. We assume we have sufficient knowledge to take calculated risks.

We presume that the risks we need to concern ourselves with are discoverable, countable, and calculable. Although we don’t know everything, we believe we have sufficient knowledge to take calculated risks. We also believe we know what we don’t know. In other words, the magnitude and the potential cost of our ignorance are bounded.

However, what about when things are so uncertain that we don’t have sufficient knowledge to effectively calculate risk? Is our only recourse to hunker down and avoid any engagement? This will be the topic of my next post: Knightian Uncertainty.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License.