In many ways modern civilization is defined by its ability to understand and control risk. Prior to established methods of addressing project risks, chance often dictated success, and history overflows with the results of that type of planning. It is actually quite surprising how long it took for the mathematical basis for systematic treatment of risk to emerge. Less shocking is the initial impetus for the development, which was to win more often at gambling. From its inception the concept of risk management has centered on preventing the loss of resources.
The leap from games of chance to financial instruments took the concept of risk mitigation with it. Options and futures were two of the earliest mechanisms for reducing risk for commodity buyers. Insurance was another financial tool designed to shield people from monetary loss. These foundations have evolved into many focused risk management strategies, but the underlying motives have always been increasing profit and reducing or eliminating loss. Unfortunately risk management is frequently underestimated, especially in the software development industry.
As technology and organizations became increasingly complex, risk management strategies adapted to meet new challenges with varying levels of success. Methodologies went from simply indentifying risk factors to performing detailed risk analysis. As these analyses became more refined, tools such as probability matrices were developed to gauge the impact of various risks. Modeling techniques like decision trees further expanded the discipline, allowing greater accuracy in planned risk responses. The goal of risk management progressively became monitoring and controlling risk factors to the extent that they could be rendered incapable of preventing the success of a project. Although this ultimate end cannot truly be achieved in our uncertain world, the success rate of project risk management is astonishing when implemented properly.
This progression from simple methods of increasing the odds of winning a bet and safeguarding investments to full-blown analysis for the sake of controlling risk demonstrates a steady shift in the attitude taken toward the phenomenon of uncertainty in systems. Before risk management methodologies emerged, incertitude was considered a certainty. As systems grew, opinions about the inevitability of adverse risk were questioned. The concept that risk could be anticipated to a certain degree took hold and became prevalent. The contemporary stance regarding risk management is that risk can be assessed, publicized, and effectively eliminated by revealing its root cause.
This gradual transformation of assumptions concerning risk has produced approaches to risk management that allow project managers to prevent much of the chaos that formerly threatened projects. Methodologies currently available can reduce risk management to what essentially amounts to a checklist. Exceptional software solutions such as Monte Carlo simulation programs remove the guesswork by developing models and testing scenarios for risk analysis. Development of these advancements has been motivated by the belief that risk can be conquered. The benefits are difficult to refute, but there is a potential danger.
Rich Pethia, director of Carnegie Mellon University's Computer Emergency Response Team, warns against what he calls "check-the-box compliance" when it comes to implementing information security technologies. Information security, especially online security, is one of several increasingly unpredictable systems that does not respond well to cookie-cutter approaches to handling risk. Pethia goes on to say that even measuring risk management progress in terms of benchmarks is difficult when it comes to security. The attitudes that led to current risk management strategies may very well need to be reversed to avoid serious failures in systems that are changing too quickly to assess all the potential risk factors.
Information security systems are only one case of emerging technologies that have the potential to disrupt the established models of risk management. Another prime example is social media. At present, Facebook is the king of the hill, but the brief history of online social media has demonstrated a fickleness that must occasionally terrify the project risk managers of that company. Some aspects of risk management are certainly fundamental and thus will always apply, but in systems that are being defined on a daily basis certain traditional elements of planning for risk will surely fall short.
The key to navigating the uncertainty inherent in systems that are constantly metamorphosing will be cultivating a realistic understanding of what risk management is capable of. The determination that brought about the successful methodologies utilized today must be channeled into flexible mindsets prepared to react to changes as they occur. Stubborn adherence to prevailing approaches could prove to be just as detrimental to success as the now obsolete view that risk cannot be managed at all. Over the centuries, the beliefs held about risk have shaped our responses to it. This principle will continue to govern the degree of success those responses will deliver.