Laurent Bossavit's Incipient(thoughts): essay on defining risk reminds me of some discussion I have read about risk in the context of finance. The risk of a portfolio of investments is often measured in terms of volatility compared to some reference portfolio (the so-called beta). Usually, a portfolio with a higher average return also has a higher variance, which means its return is more likely to be higher or lower than you expect.

In software, the type of risk that comes closest is the risk of using new, unproven technology. In an ideal world, that would be the only risk that mattered. In the real world, projects often fail for reasons that have nothing to do with technology per se. In the worst cases, an IT project seems to amplify whatever dysfunction exists in the host organization.

Portfolio management as a tool for risk mitigation should work for technology risk. However, it can't help with the normal risks that cause a project to fail, namely the risk that the project:

  • doesn't meet the deadline
  • overruns its budget
  • doesn't deliver what was expected
  • delivers software to spec that turns out to be less useful than anticipated