Risk Mitigation Costs Too Much

“I have not failed. I’ve just found 10,000 ways that won’t work.”

- Thomas Edison

Many large organizations work exceptionally hard minimize risk. Ironically, by working so diligently to reduce risk they are paying for it anyway, and reducing innovation at the same time.

From Joel Spolsky’s Camels and Rubber Duckies: (with some minor editing)

Software is priced three ways: free, cheap, and dear.

Free: Open source, etc. Many big companies are still apprehensive about open source. They want someone responsible with deep pockets who will take their call when something goes south. Open source feels risky because there is no one else to blame.

Cheap: $10 – $1,000, sold to a very large number of people at a low price without a salesforce. Most shrinkwrapped consumer and small business software falls into this category.

Dear: $75,000 – $1,000,000+, sold to a few big companies using a team of slick salespeople that do six months of PowerPoint meetings just to get one sale. The Oracle model.

All three methods work fine. Notice the gap? There’s no software priced between $1,000 and $75,000.

The minute you charge more than $1,000 you need to get signoffs. You need a line item in the budget. You need purchasing manager involvement and competitive bids and paperwork and approvals. So you need to send a salesperson out to the customer to do PowerPoint, with his airfare and $19.95 movies at the Marriott. The cost of making one successful sale is going to average about $50,000. If you’re sending salespeople out to customers and charging less than $75,000, you’re losing money.

Big companies desperately want to avoid risk when choosing commercial software. In order to sell to them you need competent sales people who can spend weeks just to get a one hour meeting; People who understand how to build consensus and can “tick all the boxes” for security, compliance, internal audit, business continuity, etc.

Enterprises protect themselves so well that they drive up the cost of enterprise software, some of which goes towards the cost of jumping over all the hurdles that they have set up to minimize risk.

Is it worth it?

Controls gone wild

Risk Management 101: “The cost of the control should never exceed the cost of the risk”. Where companies struggle is quantifying the risk adequately so they can estimate if the control is worth it. It's way too easy for people to over-estimate the risk, and under-estimate the cost of the control. Worse, there is no good mechanism to push back -- no senior executive will stick their neck out and say "we have too many controls!". The employees grumble and point out how slow and bureaucratic the process is and executives will say "we have to follow the process". Later, of course, they will also say "we need to be more efficient".

A relevant example is the software development process. It became a became a magnet for controls, a convenient framework for risk and audit folks to attach an ever-increasing burden of business and technology controls. A burden that digital companies had to shed to speed up delivery - so, along came Agile development. They said we need just enough controls in Agile to support going fast.

Embrace risk to lower cost and increase innovation

It seems counter-intuitive - but in many companies one way to lower cost and increase innovation is to embrace a little risk. Lower the hurdles. Lower the “shame” of failure and innovation can thrive. Companies with too many controls, that won’t take risk and punish failure, tend to be the least innovative – and even worse their costs aren’t any lower either.