The book tells how things really are: people like tales more than reality, and nobody likes bad news. People are 10 times more prone to believe things they like. The odds are against risk management. It is surprising if anybody can do it properly:
"We are like a primitive tribe that tries to hold the devil at bay by refusing to say his name." [p.113]
"The Ethics of Belief" by William Kingdon Clifford, which is mentioned in the book, is well worth reading on its own.
[p.23-24] "Suppose you had an utterly perfect process for delivering software. Would that remove all uncertainty from your projects? In fact, is the software building process even one of the sources of uncertainty? We suggest not. Among the more important sources of uncertainty are these:
1. Requirement: What exactly is it that the system has to do?
2. Match: How will the system interact with its human operators and other peer systems?
3. Changing environment: How will needs and goals change during the period of development?
4. Resources: What key human skills will be available (when needed) as the project proceeds?
5. Management: Will management have sufficient talent to set up productive teams, maintain morale, keep turnover low, and coordinate complex sets of interrelated tasks?
6. Supply chain: Will other parties to the development perform as hoped?
7. Politics: What is the effect of using political power to trump reality and impose constraints that are inconsistent with end-project success?
8. Conflict: How do members of a diverse stakeholder community resolve their mutually incompatible goals?"
[p.31] "Without the explicit infrastructure of risk management, announcing a risk (particularly one that questions the fondest wishes expressed from high) can put the announcer in an uncomfortable situation. He may be written off as a whiner, as someone with insufficient buy-in, or as a defeatist."
[p.33] "Boundless uncertainty makes people either risk-averse or foolhardy. Both are disasters... When you know the uncertainty, you know how much reserve you'll need in order to give yourself sensible protection. The reserve is what you spend on mitigation plus what you hold back to fight fires when they occur."
[p.37] "People who don't have the requisite talent fall back on a host of mechanical approaches, such as Management By Objectives, Parkinsonian scheduling, and a "culture of fear" to scare their subordinates into performing. Though these things are not easily defensible some managers and some entire organizations are addicted to them. These practices are incompatible with any risk management scheme."
[p.39] "A careful assessment of potential causes of delay should oblige you to admit something like this: "Delivery can be expected sometime between Month 18 and Month 29, with an 85-percent confidence factor date of Month 24"... Some organizations are so desperate to believe they're in complete control that if they realize they aren't, they settle for the illusion of control instead. The most common symptom of this is a ridiculous precision (a very narrow window of uncertainty) attached to estimates that subsequently turn out to be very inaccurate."
[p.40] "Telling the truth where optimism (lying) is the norm puts the truth teller at a terrible disadvantage."
[p.41] "People understand that promising big is more important than delivering, and everybody learns to act accordingly. If you work at this kind of organization, you might as well go with the flow and keep your risk assessments to yourself."
[p.48] "What usually happens is that everyone works very hard; and then, when people see that they won't make it, they are shocked, disappointed, and deeply dismayed."
[p.57] "The intersection of the curve with the horizontal defines the first date that has a nonzero probability. But it's not very nonzero. This intersection is N, the "nano-percent date", since delivery by that date is about nano-percent likely. [You can obtain the nano-percent date by assuming you know everything at the start, that nothing will go wrong and estimate the date under these assumptions]"
[p.59] "For the software industry as a whole, window size is in range of 150 to 200 percent of N... Pretending otherwise won't help."
[p.61] "Run a few postmortems of projects good and bad and look for ways in which they deviated from their initial expectations. Trace each deviation back to its cause and call that cause a risk."
[p.63] "...sufficiently exasperated upper managers have a reduced need to understand why the risk has gone away, as long as it's gone [Reminds me of the Challenger disaster]"
[p.64] "Risk management is not the same thing as worrying about your project."
[p.109] "While it is possible to specify a product ambiguously, it is not possible to build a product ambiguously."
[p.113] "We are like a primitive tribe that tries to hold the devil at bay by refusing to say his name."
[p.114] "Don't articulate a problem unless you want its immediate solution to become your responsibility."
[p.131] "Those parts of the system that depend on pulling off technical wonders should be pushed into the early versions. That way, if the wonders don't get pulled off, you maximize your options for fallback. If you do this early enough, you may be able to suffer the loss in relative privacy, whereas the same defeat late in the project would be immediately apparent to everyone."
[p.149] "...the company's biggest risks are value-related: wasted effort on low-value projects, and the opportunity cost of missing high-value projects... In the 1990's, many of my clients got fixated on improving the wrong process. They were all hung up on the how-projects-are-built process. The one that really matters is the process that determines which projects are worth doing. Ironically, in some of the most process-aware companies I know, there is no defined process for project initiation - it's all done by fiat."
[p.160] "When the stakes are high, it's worth running even serious risks. When the stakes are low, almost no risk should be tolerable."
[p.176] "The question of right or wrong has to do with the origin of his belief, not the matter of it; not what it was, but how he got it; not whether it turned out to be true or false, but whether he had a right to believe on such evidence as was before him."
[p.177] "No real belief, however trifling and fragmentary it may seem, is ever truly insignificant; it prepares us to receive more of its like, confirms those which resembled it before, and weakens others; and so gradually it lays a stealthy train in our innermost thoughts, which may someday explode into overt action and leave its stamp upon our character forever."
[p.180] "If a man, holding a belief which he was taught in childhood or persuaded of afterwards, keeps down and pushes away any doubts which arise about it in his mind, purposely avoids the reading of books and the company of men that call into question or discuss it, and regards as impious those questions which cannot easily be asked without disturbing it - the life of that man is one long sin against mankind."