Tuesday, February 10, 2009

Risk Management, are you getting your money's worth?

For the first time in the better part of a decade, I'm tech lead on a new project for my current employer. For the intervening years I've been working for other employers, other projects.... I wasn't slacking, honest!

Anyways, it gives me a perfect opportunity to compare and contrast the organization of 10 years ago with today.

Holy Cow! It takes them way to long to start up a project. They spend too long deciding what to do, and not enough time actually doing it. Of course, this is all in the name of "risk mitigation".

I'm finding it both extremely frustrating and hilarious. It makes me want to throw things. The company is going to spend well over 30k to make sure that the 150k they spend on the project is a success. Even before writing the SRS. They are going to spend 30k writing a Product Concept Document, Project Definition Workshops, Project Initiation Gate Meeting, and a Product Scoping Document with estimates. I'm even willing to bet that I am underestimating how much they've spent on this.

The funny thing? All that work will be thrown out as soon as the SRS is written.

The next shock was the testing cost. For every day of development, there is a day of testing, more risk mitigation. Then there's another day added for "overhead". So, that small 100 day project? It's actually 300 days.

So, I looked at it from a math point of view. First the project budget:

  1. Pre-SRS work - 45k
  2. SRS - 45k
  3. Development effort - 100k
  4. Testing effort - 100k
  5. Management overhead - 100k
Total Project cost: 390k
Risk of complete failure: 10%

Even worse, the calendar time and effort are unrelated. The calendar time for steps 1+2, 3, 4 are all the same.

Now, let's have a look at a riskier way of doing it:

  1. Pre-SRS work - 15k
  2. SRS - 7k
  3. Development effort - 75k
  4. Testing effort - 50k
  5. Management overhead - 50k
Total Project cost: 197k
Risk of complete failure: 50%

We've gotten rid of all of the risk mitigation. Not only that, we've shrunk the time in steps 1+2 by 75%! That's a huge time to market win.

Let's see if the risk reward makes sense.

The cost of a failure is 50% (odds of failure) * the cost of the project:
  Risky Way: 197k * 0.5 = 95k
  Safe Way: 390k * 0.1 = 39k

Therefore, the amortized cost of a project using the:

  Risky Way: 197k + 95k = 292k
  Safe Way:  390k + 39k = 429k

What failure rate would be needed to justify the extra cost? 70%? 80%? 90%? To justify the extra money spent (assuming 0% the safe way), the failure rate would have to be:

390k - 197k
----------- = 97%
   197k

Failure is the cost of total failure, as in the project has to be thrown away and started over.

Add in the time to market benefits (on the order of 30% for these assumptions), and it starts to look pretty convincing.

Everyone wonders why so many businesses are CMM level 0/1. Have you considered that they might actually be right?

1 comment:

Determinist said...

Ultimately, products and businesses (and projects) are in a Darwinian evolution.

You've said it - why are so many businesses CMM 1/0? Are they winning out or not?

CMM 4/5 is a compelling meme I guess.

Maybe there is actually a way to find a balance.