Gorilla Risk Impact- The "what" is more important than the "if"

OR: Probability just tells you how likely it is to hurt, not how bad it will hurt.

 “We have to fix it!” Carlos leaned forward in his seat, hands griping the table.
Decaf, man, decaf, I thought. “We’re a week from launch. Making changes to the code now is absolutely impossible.”
As Carlos turned beat red and began to splutter, I wondered if it was a common trait of Customer Service people or something they learned on the job. I’d lost track of the number of frothing support folks I’d dealt with in my time.
Carlos managed to keep his voice calm. “It’s a severity one issue. Complete and irrecoverable data loss. They get taken to bare metal. Support can’t approve this release.”
“Carlos,” I said, putting on my best “teacher” voice. “It would have to be a blue moon, in Australia for this bug to happen. It’s such a fringe case it makes the guy on the street corner with ‘The world will end tomorrow’ sign seem like a sure thing.” I closed the lid of my laptop and began to stand up. “I think we can put a pin in this one and move on, don’t you?”
I left Carlos spluttering at the table. He was saying something about stopping the release. I didn’t really pay attention. After all, he was in support, no one was going to stop the release over something customer support said.
I was opening the door to my office, when I heard a voice from within yell, “Duck!”
The paper airplane smacked me right in the eye, before I could even register what was happening.
“Ow! Hogarth!” I never realized how well those two words went together.
Through tear streaked eyes I saw my gorilla lumber towards me. “Hey, sorry about that. What are the odds of that happening, eh? I mean, here you are, back from your meeting ten minutes early. That never happens. Who would think you’d open the door just as I tried to hit it with a paper airplane.”
I shouldered past Hogarth (okay I bounced off Hogarth, into the door jam and then into the room. He is an 800 pound gorilla after all) and strode to my desk. “Well you should have thought! You could have put my eye out. Anytime you’re dealing with possible life and limb you should be planning for it.”
Hogarth turned to follow me. I could feel his eyes on me and I just knew I’d been set up. It always happened this way. “Here’s a question for you,” he said. “What are the odds a rain storm will cause a mud slide on Devil’s Slidethis winter?”
“Close to 100%, there is always mud coming down off the hills.”
Hogarth nodded, “Okay and what’s the impact to your commute?”
I rubbed my chin, trying to see where he was going. “An hour, maybe and just one time. They have crews on standby just for that contingency.”
Hogarth smiled, “And what’s the probability of an 8.0 or greater earthquake hitting the region?”
I shrugged, “Who knows, once in every fifty years, maybe.”
“I see,” Hogarth picked something from his fur and popped it into his mouth. “And what would the impact be?”
“Ugh!  An 8.0 would be huge. It took years to recover from the Loma Prieta. It was only a six nine and look what it did.” 
Hogarth’s eyes twinkled, “So which one do you want to build a survival kit for? The one hour traffic delay, or the life changing earthquake?”
Damn it! He’d done it again.


Tell me if you’ve heard this before, “It’s a fringe case,” “There’s a low probability of it occurring,” “What are the odds of that happening?”
I was once poor Carlos. When I worked in global support organizations I faced risk all the time. I learned a lot about risk management, how to plan for it, how to communicate it, how to mitigate it and most of all, I learned that most of the time the focus wasn’t on the “What” it was focused on the “If.”
“If that happens, we’ll have issues.”
“If the user pushes that button, sure it will crash.”
“If they are using Windows NT, who uses that anymore?”
Taking this approach is like lumping a $500 payout lottery scratcher ticket with winning the $500 Million Powerball lottery. The odds of both are slim indeed. Only if you win the $500 Million lottery, the impact of the win is going to be MUCH different.
To often we focus on “If” something will happen, when we really need to start with “What will happen.” If the odds of a database crash are only 15%, that might seem like it is fairly minor. If the database crash will cause a cascading network failure that brings the entire eBay auction site to its knees, eBay isn’t going to care if the risk only happens 15% of the time. It happened to them.
In my years I’ve come up with two tools to help with properly addressing Risk Impact.
LIKELIHOOD CHART: The first is more visual and is designed to get agreement and understanding from the team (see the image, below. Click to zoom in). The Likelihood Chart was something I came up with while still working in support. It mapped customer Severity to the Likelihood of the problem occurring. Then cells then had what the action item was for each combination of four severities and four Likelihoods.
This snapshot is an example of one use of the chart. The Likelihood meters can be adjusted up or down depending on the companies risk tolerance, Severity can be replaced by any impact scale the team agrees on and the action plan for each cell can be changed to suit the project and team agreement. What shouldn’t be flexible, is when you set this up. This should be agreed to as part of the project charter/kick off. Get everyone to agree before you have show stopping bugs.
RISK REGISTER WEIGHTING: The second was a simple bit of math I applied to my risk tracking spreadsheet.
 On the surface, this looks like an ordinary risk register. Impact and Probability are both a ten point scale with 0 being the highest impact/probability (unknown being riskier than any known because you don’t know) and 10 being no impact/mitigated. The magic is in the Total Risk Score. Here’s the “math.”
As you can see in this next image, Impact gets a higher weighting score than Probability. This means you can have a 100% risk even with a probability score of 4-Med. (For those doing the math, I have an excel formula that limits the maximum number in the Total Risk Score column to 100).
These are not silver bullets. I keep telling you, there are no silver bullets. Besides the one day you actually find the silver bullet will be the day you end up facing a vampire (you need wooden bullets for vampires). What they are, are two tools I’ve used in helping to make sure Impact (Severity) is the first thing the team focuses on.
Remember,  if their data center is an oozing puddle of goo, eBay doesn’t care if it was only a 15% chance edge case
The patient Gorilla: When Risk Management means you wait

“Listen, Jake, I need something here.” I leaned in over his desk, doing my best convincing look..

The development manager shook his head. “We’re in the middle of a sprint. When the sprint is over I can pull Eric from the team for the next sprint and have him focus on this.”
I sighed. He was right. No matter how important this was, we were in the middle of a development sprint. We couldn’t pull someone from the team like that. I nodded, “Thanks, Jake. I’ll touch base with you next week, after the Sprint Demo.”
I sulked back to my office, chewing my lip. In a week things could change completely. In a week it might not matter or worse it might be a total disaster. I turned around twice, intent on demanding Jake do something right now. Each time I only made it two steps before turning back. There wasn’t anything that could be done right now, not without tossing the entire project into chaos. But… But…But… There was no way I’d be able to concentrate on anything else for the rest of the week.
With an ulcer slowly building I walked into my office. Hogarth was sitting in the corner, a branch from my nearly dead fichus held limply in one hand and a parchment gripped in the other. Making a mental note to buy a new fichus I dropped into my chair. “What’s with the royal decree? ” I waved towards the parchment in Hogarth’s hand.
He looked up. Pointing with the hand holding the branch, he nearly impaled the parchment. “It’s a notice of my reality review. It’s tomorrow.”
“Reality review?”
Hogarth nodded. “Every year. It determines if I continue to exist. Or, if like Descatres when he was asked if he wanted another drink and said “I think not,” I disappear in a puff of unreality.”
I blinked trying to wrap my head around the absolute ludicrous idea that Hogarth could just vanish in a puff of smoke. It was as absolutely incomprehensible as… I looked at my personal gorilla again and shook my head. Right, as unreal as a manifestation of my own conscience as a physical gorilla.  With my brief bout with reality past I returned my attention to Hogarth.
“But, that means you might not be?”
Hogarth nodded. “Ayup.”
“What can you do?”
Hogarth shook his head. “Nothing, the review is based on my past years existence. This is just the findings, they’ve already made their decision.”
Neatly avoiding the whole “who are they?” issue, I said. “Nothing?” Oh, that was brilliant! Way to state the obvious.
Hogarth nodded. “Yep.” And then he calmly rolled up the paper, put it away (don’t ask, I know he doesn’t have pockets and I try not to think about that) and began pealing the bark from the fichus branch. “Oh well, I’ll find out tomorrow.”
I blinked again. ‘Oh well?..’ “How can you not be stressed about this? What are you going to do?”
Hogarth shrugged, “Right now? Nothing.”
“Nothing?” I yelled. “How can you sit there and do nothing? Your very existence is on the line.”
Hogarth nodded. “Yep.”
“And you’re going to do nothing?”
Hogarth rubbed his chin with a leathery hand. “You know, you’re right. There’s this new vegetarian Vietnamese  place down on 5th. Maybe I’ll give that a try.”
My first response was almost over powered by the desire to ask how a gorilla intended to be served in a public restaurant, but the first response won out. “Dinner? How can you be thinking about eating right now? We need a plan, we need to do something!”
Hogarth gazed at me with his deep-brown eyes. “Do what?”
“Well, umm… Ahh.” 
Hogarth said, “Can I do anything about it right now?”
I struggled to find a different answer, but in the end I shook my head. “No. The review is tomorrow and they already made their decision.”
Hogarth nodded, “Yep. So I’m going to go have a nice dinner. Tomorrow will come, when it comes and I’ll find out then.”
Just like the sprint would end at the end of the week…
Managing risk can be a study in Pepto-Bismol. So many factors can impact a project that one can go quite literally risk blind with all the potential impacts to your project. Even if you avoid the “acts of nature” like earth quakes, terrorist attacks, total global meltdown, you can quickly spiral a risk register into the dozens of entries, all of them a major potential impact.
This post isn’t about risk management. While I have a lot to say on the subject, this post deals with risk management gone wrong. Once you’ve done your risk management, you have to have a certain amount of trust in your work. Okay, you’ve identified a major potential risk. If it happens, it will happen in three months. You’ve put in place a mitigation plan, you’ve put in avoidance plans. Now what?
It’s three months away, stop worrying about it. Review it during normal risk reviews, but don’t let it consume you.
This extends beyond just traditional risk management. It goes to every aspect of a project that you have no control over.
If we had four new headcount, that would solve our schedule issue. But you know that there is no way on earth the company will hire four new heads right now. So stop lamenting and move on.
You won’t know if the build works until the compile is done. It’s going to take six hours and finish at 2:00 AM. Go home, have dinner, go to bed and find out if it compiled when you get to the office at 8:00 AM.
You put an offer down on a house. The bank is considering the offer, but it’s Friday and Monday is a holiday so it will be Tuesday before you have an answer. Don’t sit by the phone all weekend and worry. Go out and have a normal weekend.
It’s by no means a new concept. Reinhold Niebuhr came up with the Serenity Prayer in 1937 and it has become an oft quoted and parodied prayer. No matter your religion (or lack of) the core concept remains the same.
Grant me the serenity to accept the things I cannot change,
Courage to change the things I can, And wisdom to know the difference.
If you can’t change it, don’t sweat it. Go have dinner and focus on something you can change.
