The art of risk management, Cthulhu and aeon long death

The secret thoughts of every SharePoint architect

"The nethermost caverns are not for the fathoming of eyes that see; for their marvels are strange and terrific.”– The Festival – H.P. Lovecraft

It’s reported today in the Washington Post and the ever fascinating IO9.com that the latest attempt to explore Lake Vostok is a mere 40ft or so from breaching the ice cap which has sealed the lake off from the rest of the world for the last twenty million years, you can read about it here exploration of lake Vostok and here Russian scientists prepare to enter sub glacial lake. Lake Vostok is the largest Antarctic sub glacial lake, it’s the size of Kuwait and it’s been buried under four kilometres of ice for between fifteen and twenty mega-years. This is a pristine and potentially utterly alien environment. The ice cover keeps it dark yet heavily oxygenated and the pressure and insulating qualities of the sheer volume of ice above it keep it liquid even though the average temperature of the water is below freezing point.

The Russian teams have been attempting to drill down to the lake and explore it with ROV’s for the last few years, last year they abandoned the attempt a mere 100ft from the bottom of the ice cap when the weather closed in. Lake Vostok isn’t in a particularly hospitable part of the world and the precautions being taken to prevent contamination of the lake by modern environmental actors take time and precision to complete. This year they will attempt to drill/melt through the remaining fifteen metres of ice and explore the lake/take samples.

Apart from the scientific wonder of literally being able to explore a lost world from over eight hundred thousand generations ago, does anyone else detect a shiver of real dread? We’ve all read stories which start like this one and this just screams to be the plot of a SyFy B movie, in fact it’s damn near the plot of the thing and its prequel currently in cinemas.

This brings me in my usual round about manner to my point (you’d never guess I learned my rhetorical style from late night religious TV broadcasts by earnest Scottish pastors, you know, the ones which start “as I was playing dance dance baby on the playstation I suddenly thought, what would Christ say about my high score?)

The risk management  measures the Russian teams are undertaking are focused on mitigating the risks they perceive to their exploration and experiments, the risks of contamination etc and the usual health and safety of their teams. I will happily wager a pint or three that “there is a risk of triggering the extinction of the human race by awakening an elder abomination from its aeon long frozen death sleep by poking it in the arse with a hot drill” isn’t in their risk log anywhere.

We tend to focus on specific risks when we plan. We tend not to think about systemic or large scale rare risks as they “are out of our scope” or “someone else’s problem”. Now most of the time this slightly blinkered if pragmatic approach doesn’t cause much in the way of problems. There usually aren’t many hidden “accidentally invoke Cthulhu” moments when you are deploying SharePoint and we all know it. But it is possible to screw up and damage our clients in our work. Most large scale IT projects come with a real risk of “breaking the client” if they don’t work. But you’ll be surprised how infrequently that risk appears on project or programme risk logs. It’s as if we forget they the stuff we’re doing can be utterly critical for our clients and failure can often terminate their businesses.

It’s to do with the four methods of mitigating risk. Tolerate, terminate, treat or transfer. Most project managers will either tolerate or transfer risks. Treatment and termination are almost never discussed. Treatment costs more than transfer and termination usually means game over for part of the project or even the whole project. So we build in risks which we mitigate against by throwing money or resources at them. Often we don’t link up with our clients risk view, they’re risks are more focused and should care about systemic issues but usually don’t. I’ve never seen a risk register where “if we fail we go bust” is spelled out. this blindness to large scale risks is complimented by our ignorance of rare/unlikely but devastating risks. Horrible events can and do happen and we rarely factor in “can’t move due to snow storm” into our plans, at best we’ll argue for 12.5% contingency rather than 10% and most of the time our sales leads will can than to hit their perceived win price. Don’t even get me started on risk chains or catastrophe curves. No risk manager out there ever thinks in terms of risk multiplication or random event clustering. Primarily because most risk managers out there deal with things like SharePoint projects where the penalty is mostly described in terms of time cost and quality not “and then the reactor core went critical and now Kent glows at night”.

This short-sightedness can bite us all in the arse, the risk managers behind collateralised debt objects didn’t foresee their risk transfer would cause a financial meltdown. The engineers who designee Fukushima didn’t factor in earthquake, tsunami and running out of diesel for the backup-back-up cooling pumps (though to be fair they did bloody well). The one time we do think properly and large scale for Y2K, we did the job far too well and managed to get ripped off so all executives think we’re crying wolf. Being a later day Cassandra is just as much fun as it was for her the first time around but remember risk managers of the world. Every time you transfer a risk you increase systemic risk. Every time you tolerate a risk, you increase the risk of failure. Treat or terminate. No other approaches should be allowed for projects over a certain scale or for risks where the full impact = game over. Bio weaponry, asteriod mining, Bose-Einstein condensate factorisation, nuclear policy, environmental assay, geo-engineering, anti matter research, ultra high density energy based research and perhaps poking an aeon dead lake with a hot needle too.

I know it’s silly, non pragmatic and way over the top, but if I were high in the Russian command sphere, I’d have something large and MIRV-ey targeted on the site right now, a few kinetic harpoons in the orbital neighbourhood, a squad of Spetsnaz troopers in the locale and constant radio contact maintained with the team and the first time it went quiet I’d ……..

“take off and nuke the site from orbit. It's the only way to be sure” – Ripley – Aliens 1986