Mention risk analysis and you're not likely to get an enthusiastic reaction unless you've come up with a new technique for minimizing it. Unfortunately, not many software projects include risk management at all. Even the most rabid risk pundits don't claim that risk analysis will result in projects that are on time and on budget. But they do suggest that if ever there were a time to do risk analysis, it's now. Why? The impending Year 2000 crisis. According to Capers Jones, author, consultant and chairman of Software Productivity Research (SPR), there are probably over two million Y2K problems that won't be fixed in the U.S. alone. Lloyd's of London predicts Y2K costs will ultimately top $1 trillion. And that may be conservative.

In a 1997 paper, "Fifty Questions a Chief Executive Should Ask About Software," Jones reminds management that "software and corporate executives may be held personally liable for some of the consequences of the Year 2000 problem unless prompt and energetic actions are taken to correct the problem. The Year 2000 problem may lead to lawsuits against corporate executives for violation of fiduciary duty and against software executives for professional malpractice."

Scared Voiceless

Another risk guru, Tom DeMarco, the godfather of structured analysis and design who's now associated with the Atlantic Systems Guild consultancy and teaches two-day seminars on risk, observes wryly that the people who are doing risk management tend not to talk about it, while the people who aren't are probably too scared to even think about it. "They're in denial," according to DeMarco, who, like Jones, is a prolific author. (By the way, Dorset House Publishing, 212-620-4053, has a great list of software engineering and quality titles.)

The reason for this crazy state of affairs is twofold: the litigious nature of our society and a reflection of ingrained "can do" corporate cultures. If you admit there's risk associated with one of your projects, your project may be canceled or you may simply be tagged a defeatist on the fast track for the next round of pink slips ("de-allocated" has replaced downsized as the euphemism for getting laid off).

The liability issues and potential negligence lawsuits associated with Y2K, however, promise to reverse the situation. Now, if you don't talk about risk, you're opening your organization, perhaps even yourself, to tremendous liability.

There are lots of reasons not to do risk analysis and management, but the main reason is probably because it's viewed as time-consuming overhead. (Dust off your old quantitative methods book and you'll probably find a discussion of Monte Carlo simulation--one of the standard techniques associated with risk analysis. But even if you use homegrown methods on the back of a napkin or in an Excel spreadsheet, merely taking the time to think about all the things that can go wrong may save your bacon in the long run.) Another more subtle reason may be that to really get a handle on risk associated with software projects, you probably need a team that includes upper management, marketing and HR as well as development. After all, there are all kinds of categories of risk.

But, back to the Y2K problem. Refer to Jones' or DeMarco's sites to get started on quantifying risk associated with Y2K to help you get funding for this no-gain, high-cost task if you don't already have it. And even if you already have a Y2K project underway, sit down and do a risk analysis to find your weak points and prepare mitigation strategies. By now, you've read hundreds of articles about Y2K and probably don't need any more advice, but here's some anyway. Several months ago, I spoke with the principals of the Source Recovery Company and was impressed with their technology for helping companies that aren't exactly sure where all their original MVS, VM or VSE COBOL or assembly source code is. If your back is to the wall, it might be worth contacting them.

Another trend I see emerging is "knowledge management." There are already over a dozen titles on the topic, but for a fast track to the topic, point your browser to the Business Researcher's Interests site. The site's a gold mine.

In my opinion, Progress Software doesn't get the press it deserves; in fact, it reminds me a lot of IBM's AS/400s--a low-maintenance system with lots of vertical applications. This 16-year-old firm, with over 2300 application partners, obtains 70 percent of its revenue through the channel. No, Progress hasn't announced any sexy object/relational or "universal" database strategy (yet), but it offers solid products for NT, Solaris, HP-UX and AIX. In version 8.2, you'll find support for replication, application partitioning and virtual system tables you can use to do performance analysis and monitoring. Progress' recent acquisition of Java development tool vendor Apptivity promises increasing support for I*net applications (Progress already markets WebSpeed).
