Who Owns the Risk?

WRITTEN BY Mike Cottmeyer

Back in my late 20’s I was a project manager in a pretty good sized IT shop. I worked under a great VP that put me in situations that were really beyond my abilities.  He fundamentally believed that I’d do a good job for him. He trusted that I’d learn what I needed to learn and use good judgement about when to ask for help. There was a point in my career where everything interesting on my resume was a direct result of some project this guy had me lead.

One of those projects was a pretty significant identity and access management initiative where we were building out a corporate LDAP infrastructure. The goal was to establish an integrated authentication engine so clients could basically sign-on to any of our web properties with a single login ID and password. Our company didn’t have any expertise in this area, so I ended up with about a quarter of a million dollars to spend to bring in some consulting expertise.

We ended up bringing in a large, well known consulting firm to help… they were really, really good but as you might expect, very expensive. I decided to negotiate a fixed scope, fixed price contract under the assumption that it would mitigate my risk. My goal was to shift all the delivery risk to the consulting firm so that I would be assured of delivering my project on time and and on budget. Had we had perfect knowledge of what was required, that might have been a good strategy.

As you might have guessed, these guys knew way more about contracts, and way more about delivering LDAP solutions than I did. I imagine they anticipated we would need services not specified in the contract, but they also knew I had a not-to-exceed budget, and I’m sure they wanted the business. When the inevitable happened, and we realized that we needed services not specified in the original agreement, they created a change request document… actually several of them… and I had to go round up additional funding if I wanted the additional work.

While I was unsuccessfully trying to mitigate my risk with a fixed price, fixed scope, fixed time contract; they were successfully mitigating their risk by aggressive contract management and holding me accountable for everything that wasn’t explicitly called out in our original agreement. At the end of the day, who really absorbed the risk? It was me and my company, I just didn’t know it at the time because I was certain that I had asked for everything I needed up front. It wasn’t until we started building the solution that I realized I was wrong.

Now… let’s tie this back to my previous post on estimating.

When customers ask you for an estimate, they are most likely, either directly or indirectly, trying to shift the delivery risk onto the development team. They want to tell you everything they want, or at least what they think they want now, have the development team tell them what it will take to deliver it… and provided they can meet your time and cost demands… make development 100% responsible for delivery. Since we know that the customer doesn’t know everything they need up front, we aggressively manage scope to protect ourselves from the risk.

Based on the feedback on my estimating post… we all seem to agree that estimates are generally poor indicators of what it will take to actually deliver the product.  We all agree there is a pretty good chance any estimate we provide will be misused by management. We know that making commitments based on bad estimates leads to an unacceptable level of risk for the development team. In response, we suggest that we shouldn’t even attempt to estimate. If we go this route, we are basically asking our customers to assume all the risk associated with the delivery.  We are asking for unlimited time and money and maybe the customer will get what they need.

We assume that as long as the developers ‘do the best they can do, and deliver as much value as possible’ the customer should just take a chance they’ll get what they need, but if they don’t… and quite often thats their reality, they are left with no options because all the time and money ran out. Just because the development team delivered the highest-value-potentially-shippable-product-as-possible… doesn’t mean that your customer has something they can sell to get a reasonable return on their investment. Aside from the fact this conversation is a non-starter with most business leaders I work with… it doesn’t feel like a very good way to run a business.

To me the answers lies not in the either-or proposition of fixed scope, time, and cost… or alternatively establishing no estimates and making no commitments. Both put all the risk on the other party, shifting risk fully to one side or the other. To me, the answer lies in creating a culture of shared risk between the customer and the team. Both sides have to have skin in the game. Both sides have to realize the constraints the other is operating under. Both sides have to realized that estimates are just that… estimates.  Both sides need to be partners in the delivery process.

The estimating process establishes the shared understanding we just talked about and the numbers we come up with give us a planning baseline to measure the progress we are making (or aren’t making).  The development team estimates, but customers realize that estimates have to be managed, assumptions have to be validated, issues have to be dealt with, risks have to be mitigated, and yes… sometimes requirements have to be descoped, or dates have to change, or costs have to go up.  In an environment of shared understanding, shared accountability, and shared risk; everyone is on the hook for managing the delivery process.

Sharing risk means that we trust in the other’s abilities and intentions, we deal with reality when it doesn’t meet with our preconceived notions about what should be… or should be possible. This is not currently the default place in most organizations… our default place seems to be to shift as much risk as possible to our counterparts in the other parts of the business. Creating a culture of shared risk, and having the tools in place to manage that risk, is really the key to make all this stuff work. Insisting someone else assume all the risk doesn’t encourage the behavior we want or need between people that need to operate as partners.

If we don’t estimate, we don’t have any way to know how far we’ve come and how far we’ve got left to go.  It’s that simple to me… I suspect some of you guys out there might disagree.  Looking forward to the conversation.

leave a comment

Leave a comment

Your email address will not be published. Required fields are marked *

7 comments on “Who Owns the Risk?”

  1. Gary Reynolds

    Really great post! The sharing of risk between customer and development is something I’ve rarely experienced in practice. You talk about creating a culture of shared risk – do you have any specific suggestions on how to do this? It it as simple as having both parties involved in the estimation process from the outset?

    Reply
    • Mike Cottmeyer

      You know, it depends. Sometimes it comes down to just having an open conversation about it. Sometimes its a matter of helping the customer understand that they aren’t *really* reducing risk for themselves, just shifting blame. Other times, you leverage their shared experience with late delivery and build a case that agile allows them more *control* over what gets delivered when. Most reasonable people see what I am talking about. It gets unreasonable when the external pressure to deliver is so great and people’s careers are on the line. In a case like that, the cultural challenges are much deeper, and to be candid, I am not sure I can really help.

      Reply
  2. andrew fuqua

    Ah, nicely put. mike. Nice to see you blogging again. Like you, most projects I see need an estimated cost to gauge net value of the project. And if a budget is involved, someone is going to want to shift blame and responsibility.

    Reply
  3. Mike Cottmeyer

    Thanks Andrew… not making any sweeping promises… to myself or anyone else about how long I’ll be able to maintain energy around writing, but I’m optimistic. I just don’t see any other way to baseline an effort so we know where we are or what we’ve got left to do. The only problem with estimates is that sometimes management and/or customers, don’t treat them as estimates.

    Reply
  4. Paul Jackson

    I worked on a large project in partnership with an external company. We recognised that we’d wear all the risk unless we did something about it. So we organised a “partnership” day, with an external facilitator. We invited representatives from both sides, at all levels of the organisation and we worked together to come up with a shared Charter which expressed the shared goals and risks. We included how we would deal with issues and celebrate success. The resulting Charter was signed by both CEOs and the most junior employees from each organisation to emphasise the shared ownership and then worked to try and live up to the Charter. Sometimes it got a bit sticky and stressful but in most cases this early recognition of a shared goal helped us to avoid the blame culture.

    Reply
  5. Luna Abualhaj

    Thanks Mike for a great article! Although it was posted long time ago, it yet covers a major issue most companies and contractors deal with. I do believe in the shared risk and how both sides should learn how to trust each other, and to create this shared culture, leading to a unified goal to attain.
    Would you think an organization would go for a shared risk when they can come up with good estimates of what the customer expects? Answering my question, I think in order for an organization to achieve that, we should think of partnerships and future collaborations and how to build up good relationships and reputation, we have to make sure people embrace such concepts and principles! If this is achieved at a certain point, I (may) agree with you on the last sentence of having no estimates is pretty not having not idea of how far we are going. The problem with your last sentence though, is that most companies cannot go for projects with unknown costs or lack of at least rough estimates, and this goes for both sides! As much fun as it sounds, as more risky and scary it is!

    Reply