#30 – SOFTWARE DEVELOPMENT RISK – GARY GACK

Hans Christian Andersen was on to something important and relevant to today’s risk environment … “Once upon a time there lived a vain Emperor whose only worry in life was to dress in elegant clothes. He changed clothes almost every hour and loved to show them off to his people.” Probably you know the gist of this story – flim-flam artists convinced the Emperor an imaginary fabric was actually beautiful, at least until “A child, however, who had no important job and could only see things as his eyes showed them to him, went up to the carriage. “The Emperor is naked,” he said.”

THE EMPEROR IS NAKED
“The Emperor realized that the child was right but could not admit to that. He thought it better to continue under the illusion that anyone who couldn’t see his clothes was either stupid or incompetent.” Unfortunately many who should and could recognize software development risk see what they want to see or what they are told to see and are often afraid to speak up.

Sadly, more than a few business leaders, CIOs, and software execs, aided and abetted by various techie wizards, don’t seem to realize there is an elephant in the risk room wearing the Emperor’s new costume. Software development risk, for some reason, just does not get the attention it merits – we hear and see a lot of stuff about “IT risk”, but software development risk seems to be largely invisible at the C-level. A typical outline of IT risk areas (e.g., from KPMG) will include:

  • Strategic & Governance Risk
  • Regulatory Compliance
  • Data Protection
  • Cloud
  • Social Media and Computing

Note software development risk is not explicitly in this list, although it might be thought a lower level aspect of Strategic and Governance Risk. Certainly all of these deserve to be recognized IT risk areas. In this article I will argue software development risk deserves explicit recognition as a critical risk area discrete from those commonly considered.

WHY DOES SOFTWARE DEVELOPMENT RISK MERIT GREATER VISIBILITY?

  1. These risks are VERY common – a Google search on “software project failure examples” produces 10,800,000 hits – surely these include many duplicates, but many more go unreported. They occur in every segment of the economy and in every country. See https://www.google.com/search?q=software+project+failures+examples&rlz=1C1CHFX_enUS548US549&oq=software+project+failures&aqs=chrome.1.69i57j0l5.16066j0j8&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8 for one list of failures – many other lists and examples exist.
  2. These risks are VERY costly – Roger Sessions, an internationally recognized expert, in his 2009 White Paper “The IT Complexity Crisis: Danger and Opportunity” said the following (my emphasis):

“IT failures are rampant in the private sector, the public sector, and the not-for-profit sector. No place is safe. No industry is protected. No sector is immune. This is the danger, and it is real.”

SURELY, THIS IS A BIT OVERDRAMATIC?
“I’ll let you judge the drama of this statement. But the fact is that, worldwide, we are already losing over USD 500 billion per month on IT failure” [6.18 trillion annually], “and the problem is getting worse. If you find that figure unbelievable, I ask you to suspend judgment for a few pages. As IT professionals we have a responsibility to understand how we can prevent the continuing spiral of failures that is burying us.” I would argue not just IT professionals, but everyone concerned with ERM – software project risks are inevitably an element of virtually all significant business initiatives.

Sessions’ paper describes how he arrives at these numbers, and how they compare to other sources. According to Sessions’ estimates, indirect costs, much harder to measure, are 5 – 10x greater than direct costs. As he says, “Of course, these calculations are estimates. I recommend you don’t get overly focused on the exact amounts. I could be off by ten or twenty percent in either direction. The real point is not the exact numbers, but the magnitude of the numbers and the fact that the numbers are getting worse.”

Another estimate, developed by Gene Kim and Mike Orzen, puts the cost at $3 trillion worldwide (see http://www.zdnet.com/blog/projectfailures/worldwide-cost-of-it-failure-revisited-3-trillion/15424). I developed another somewhat more conservative approach that also estimates $3 trillion, or about 2.1% of GDP – which is about $450 billion in the US alone. (My approach is available on request – email ggack@process-fusion.net). Regardless of which number is correct, these estimates should be a wakeup call to EVERYONE concerned with ERM. This is a BIG elephant that is largely invisible among C-level execs.

Sessions suggests complexity is the key culprit and the best explanation for this sad state of affairs, and he suggests ways to measure and manage complexity, with which I largely agree. I suggest, however, that “size” (in most cases measurable in “function points”, described in an earlier article) is often a valid proxy for complexity. With the right tools size can be determined easily and early enough to recognize risk well ahead of commitment to proceed (also discussed in my earlier article).

Let’s put some clothes on this elephant! More on what to do in upcoming articles.

Bio:

Gary Gack is the founder and President of Process-Fusion.net, a provider of Assessments, Strategy advice, Training, and Coaching relating to integration and deployment of software and IT best practices. Mr. Gack holds an MBA from the Wharton School, is a Lean Six Sigma Black Belt and an ASQ Certified Software Quality Engineer. He has more than 40 years of diverse experience, including more than 20 years focused on process improvement. He is the author of many articles and a book entitled Managing the Black Hole: The Executive’s Guide to Software Project Risk. LinkedIn profile: http://www.linkedin.com/in/garygack
