Risk Manglement

When COVID hit last year, it popularised the Black Swan theory which describes surprise events that have a major impact, but in retrospect could have been foreseen and mitigated. Fast forward eighteen months and we have a few events that are having a major impact (shortage of HGV/fuel/gas) that obviously could have been foreseen and mitigated, however much the powerless-that-be protest.

Although we may tut at the incompetents in charge, we should reflect on our own records on managing risk. Who’s brave enough to state that they have never been caught out by a gotcha that they knew about but didn’t think would happen?

Nothing To See Here

Like all responsible managers, especially in IT, you all studiously update and manage your departmental risk registers (you know, that dusty spreadsheet the audit committee insist on seeing once a quarter/year/blue moon). Obviously, the only risks you list are ones you are happy to admit to because:

  • They’re not too serious (definitely no High Impact/High Probability red flags here!)
  • You have already mitigated them
  • They’re someone else’s problem – you just want to point that out to embarrass them
  • You need some risks on the list or it looks like you’re not taking risk seriously. Which you’re not

Wearing my RACI CARDI

If you’re running a project, you will have a full-blown CARDI (Concerns, Assumptions, Risks, Dependencies, Issues) to populate and explain. Unless you have no Concerns in which case you can get away with a simple RAID. And don’t confuse this with the RACI (Responsible, Accountable, Consulted, and Informed), or the HARI KARI you’ll be asked to perform when it all goes tits-up.

Risky Strategy

Most people’s risk strategy consists of:

  • Nothing to see here – everything’s under control
  • I need more budget, so I’ll panic management with a technical risk they don’t understand but sounds scary (e.g., AI drone-bot Qubit attack prevention)
  • If sh-IT happens, blame your suppliers/users/subordinates/whoever’s currently on holiday
  • Swear blind it couldn’t have been anticipated and you were just ‘unlucky’ (to be caught napping)

Don’t Panic

Of course, it would also be foolish to list every possible risk to your operation, detail all possible mitigation options, and get approval for sufficient staff & budget for the worst case. So, my guileful guide to gaming Risk Management consists of the following:

  1. Understand that lots of small risks will crystalize into issues, but that’s your day job – otherwise they wouldn’t need someone in your role
  2. Expect something big and nasty to happen sometime during the year, so have some emergency cash and/or capability squirrelled away in your budget to deal with it
  3. Put all the medium risks on the risk register with hooks for extra cash to fix them when they occur, or in next year’s budget
  4. Pray regularly to whichever higher being you believe in, although it’s unlikely Taylor Swift or Elon Musk will respond in time

John “Take A Chance on” Moe
