REVIEW - Risk-First Software Development, Second Edition (Beta) - Deliver Better Systems in a Post-Agile, AI World


Title: Risk-First Software Development, Second Edition (Beta): Deliver Better Systems in a Post-Agile, AI World

Author: Rob Moffat

Publisher: Pragmatic Bookshelf (2026)

Pages: 265

Reviewer: Andreas Schätti

Reviewed: January 2026

Rating: ★★★★★


Highly recommended.

I’ve worked all my professional life on medical devices. Risk management is a vital ingredient of software development in regulated industries. The author of this book has a background in finance, which is also a heavily regulated industry. While human lives are not at risk in this domain, the stakes are still high. In my line of work, there are mainly two types of risk that are made explicit: risk to patients and operators and risk to the project. In this book, you find a much more detailed taxonomy of the risks in software development.

Often, when we discuss trade-offs of our decisions, we have these risks in mind but do not clearly name them. It does not suffice to say “it depends”. On what does your decision depend? How do the risks for each choice compare? This book provides a common language to talk about risks. It makes it easier to talk to teammates and stakeholders about your decision process.

There are three parts to the book. First, the role of risk in software development is discussed. Then follows a glossary of the most important risks. They are introduced by a worked example, fleshed out with example threats and practices that address the risk, and finished off with fascinating anecdotes. In the third part, risk management is applied to AI and to technological progress in general. What’s missing, in my view, is coverage of risk analysis, that is, how you actually identify harms and risks.

Highlights are the discussion of de-risking strategies, the examination of agile tropes such as YAGNI in terms of risk management, and the explanation of the Lindy effect, of which I had never heard before.

Throughout the book, diagrams are used to visualise the impact of actions on the risk landscape in order to reach a goal. Which risks are mitigated, which new risks emerge? I’m not a visual person, so I don’t see much benefit compared to a simple table, but I appreciate the effort.

As a nitpick, the term ‘risk’ is only formally defined on page 71. Before that, the author relies on the intuitive understanding of the word. Risk is determined by the probability of a threat and the amount of harm caused by the threat. This adds important nuance to conversations about risk.

As a bonus, there is a website packed with most of the material of the first two parts of the book and additional content (https://riskfirst.org/).

As mentioned in the preface of the book, there isn’t much new to learn for experienced engineers. Even so, it highlights the ubiquity of risk management in an engaging way and describes a pattern language of risk management. For junior engineers, this book is a cheap and fast way to learn what it really takes to develop production-grade software, beyond what you are taught at university. I highly recommend that you read this book, especially if you would otherwise read a more technical book, such as one about a new programming language or framework. There are not that many general books about software development, and this one is worthwhile.

Website: https://pragprog.com/titles/rmrfsd/risk-first-software-development-second-edition/
