Dependency Risk | Risk-First (2024)

Dependency Risk is the risk you take on whenever you have a dependency on something (or someone) else.

One simple example could be that the software service you write might depend on hardware to run on: if the server goes down, the service goes down too. In turn, the server depends on electricity from a supplier, as well as a network connection from a provider. If either of these dependencies aren’t met, the service is out of commission.

Dependencies can be on events, people, teams, work, processes, software, services, money and pretty much any resource, and while every project will need some of these, they also add risk to any project because the reliability of the project itself is now a function involving the reliability of the dependency.

In order to avoid repetition, and also to break down this large topic, we’re going to look at this over 7 sections:

This first section will look at dependencies in general, and some of the variations of Dependency Risk.
Next, we’ll look at Scarcity Risk, because time, money and staff are scarce resources in every project.
We’ll cover Deadline Risk, and discuss the purpose of Events and Deadlines, and how they enable us to coordinate around dependency use.
Then, we’ll move on to look specifically at Software Dependency Risk, covering using libraries, software services and building on top of the work of others.
Then, we’ll take a look at Process Risk, which is still Dependency Risk, but we’ll be considering more organisational factors and how bureaucracy comes into the picture.
After that, we’ll take a closer look at Boundary Risk and Dead-End Risk. These are the risks you face in making choices about what to depend on.
Finally, we’ll wrap up this analysis with a look at some of the specific problems around depending on other people or businesses in Agency Risk.

Why Have Dependencies?

Luckily for us, the things we depend on in life are, for the most part, abundant: water to drink, air to breathe, light, heat and most of the time, food for energy.

This isn’t even lucky though: life has adapted to build dependencies on things that it can rely on.

Although life exists at the bottom of the ocean around hydrothermal vents, it is a very different kind of life to ours and has a different set of dependencies given its circ*mstances.

This tells us a lot about Dependency Risk right here:

On the one hand, depending on something is very often helpful, and quite often essential. (For example, all life seem to depend on water).
Successful organisms adapt to the dependencies available to them (like the thermal vent creatures).
However, as soon as you have dependencies, you need to take into account their reliability. (Living near a river or stream gives you access to fresh water, for example).So, dependencies are a trade-off. They give with one hand and take with the other. Our modern lives are full of dependency (just think of the chains of dependency needed for putting a packet of biscuits on a supermarket shelf, for example), but we accept this risk because it makes life easier.
There is likely to be competition for a dependency when it is scarce (think of droughts and famine).

Let’s look at four types of risk that apply to every dependency: Fit, Reliability, Invisibility and Complexity.

Fit Risk

In order to illustrate some of the different Dependency Risks, let’s introduce a running example: trying to get to work each day. There are probably a few alternative ways to make your journey each day, such as by car, walking or by bus. These are all alternative dependencies but give you the same feature: they’ll get you there.

Normally, we’ll use the same dependency each day. This speaks to the fact that each of these approaches has different Feature Fit Risk. Perhaps you choose going by bus over going by car because of the risk that owning the car is expensive, or that you might not be able to find somewhere to park it.

But there are a couple of problems with buses you don’t have with your own car, as shown in the above diagram. A bus might take you to lots of in-between places you didn’t want to go, which is Conceptual Integrity Risk and we saw this already in the section on Feature Risk. Also, it might not go at the time you want it to, which is Feature-Fit-Risk.

Reliability Risk

This points to the problem that when we use an external dependency, we are at the mercy of its reliability.

“… Reliability describes the ability of a system or component to function under stated conditions for a specified period of time.” - Reliability Engineering, Wikipedia

It’s easy to think about reliability for something like a bus: sometimes, it’s late due to weather, or cancelled due to driver sickness, or the route changes unexpectedly due to road works.

In software, it’s no different: unreliability is the flip-side of Feature Implementation Risk. It’s caused in the gap between the real behaviour of the software and the expectations for it.

There is an upper bound on the reliability of the software you write, and this is based on the dependencies you use and (in turn) the reliability of those dependencies:

If a component A depends on component B, unless there is some extra redundancy around B, then A can’t be more reliable than B.
Is A or B a Single Point Of Failure in a system?
Are there bugs in B that are going to prevent it working correctly in all circ*mstances?

This kind of stuff is encapsulated in the science of Reliability Engineering. For example, Failure Mode and Effects Analysis (FEMA):

“…was one of the first highly structured, systematic techniques for failure analysis. It was developed by reliability engineers in the late 1950s to study problems that might arise from malfunctions of military systems. “ - FEMA, Wikipedia

This was applied on NASA missions, and then in the 1970’s to car design following the Ford Pinto exploding car affair. But establishing the reliability of software dependencies like this would be hard and expensive. We are more likely to mitigate Reliability Risk in software using testing, redundancy and reserves, as shown in the diagram above.

Additionally, we often rely on proxies for reliability. We’ll look at these proxies (and the way in which software projects signal their reliability) in much more detail in the section on Software Dependency Risk.

Invisibility Risk

Dependencies (like the bus) make life simpler for you by taking on complexity for you.

In software, dependencies are a way to manage Complexity Risk. The reason for this is that a dependency gives you an abstraction: you no longer need to know how to do something, (that’s the job of the dependency), you just need to interact with the dependency properly to get the job done. Buses are perfect for people who can’t drive, after all.

Dependencies And Complexity

In Rich Hickey’s talk, Simple Made Easy he discusses the difference between simple software systems and easy (to use) ones, heavily stressing the virtues of simple over easy. It’s an incredible talk and well worth watching.

But: living systems are not simple. Not anymore. They evolved in the direction of increasing complexity because life was easier that way. In the “simpler” direction, life is first harder and then impossible, and then an evolutionary dead-end.

Depending on things makes your job easier. But the Complexity Risk hasn’t gone away: it’s just transferred to the dependency. It’s just division of labour and dependency hierarchies, as we saw in Complexity Risk.

Our economic system and our software systems exhibit the same tendency-towards-complexity. For example, the television in my house now is vastly more complicated than the one in my home when I was a child. But, it contains much more functionality and consumes much less power and space.

Managing Dependency Risk

Arguably, managing Dependency Risk is what Project Managers do. Their job is to meet the project’s Goal by organising the available dependencies into some kind of useful order.

There are some tools for managing dependency risk: Gantt Charts for example, arrange work according to the capacity of the resources (i.e. dependencies) available, but also the dependencies between the tasks. If task B requires the outputs of task A, then clearly task A comes first and task B starts after it finishes. We’ll look at this more in Process Risk.

We’ll look in more detail at project management in Part 3, later. But now, let’s get into specifics with Scarcity Risk.

Add Your Star On GitHub to receive an invite to the GitHub Risk-First GitHub team for new article notifications and discussion.

As a seasoned expert in the field of risk management and software development, I bring a wealth of knowledge and experience to the table. With a background in both theoretical frameworks and practical application, I have successfully navigated the intricacies of dependency risk and its multifaceted nature.

The article you provided delves into the concept of Dependency Risk, highlighting its pervasive nature across various domains such as software development, project management, and organizational processes. It systematically breaks down the topic into seven sections, each addressing different facets of dependency-related risks.

Let's analyze the key concepts introduced in the article:

Dependency Risk Overview:
- Dependency Risk is the risk associated with relying on external factors, whether they be hardware, software, people, or processes.
- The example of a software service depending on server hardware illustrates the interconnected nature of dependencies.
Types of Dependencies:
- Dependencies can involve events, people, teams, work, processes, software, services, money, and other resources.
- The reliability of a project becomes contingent on the reliability of its dependencies.
Scarcity Risk:
- Time, money, and staff are considered scarce resources in every project.
- Scarcity Risk is introduced as a distinct type of risk, emphasizing the limited availability of crucial resources.
Deadline Risk:
- Events and deadlines play a crucial role in coordinating around dependency use.
- Meeting deadlines is essential for ensuring the continuity of dependent processes and workflows.
Software Dependency Risk:
- Focuses on the risks associated with using libraries, software services, and building on the work of others in software development.
- Reliability engineering principles, such as Failure Mode and Effects Analysis (FEMA), are mentioned in the context of software reliability.
Process Risk:
- Explores Dependency Risk in organizational factors and how bureaucracy can impact project dependencies.
- Project managers play a vital role in organizing dependencies to achieve project goals.
Boundary Risk and Dead-End Risk:
- Examines risks related to making choices about what to depend on, including the possibility of reaching a dead end with certain choices.
Agency Risk:
- Focuses on specific problems related to depending on other people or businesses.
Why Have Dependencies:
- Dependencies are presented as a trade-off, providing benefits while also introducing risks.
- Life and systems adapt to dependencies, and the article emphasizes that successful organisms adapt to the dependencies available to them.
Types of Dependency Risks:
- Fit Risk: Concerns the compatibility and suitability of dependencies.
- Reliability Risk: Involves the dependability and performance of external dependencies.
- Invisibility Risk: Arises from the abstraction provided by dependencies, leading to a loss of detail.
- Complexity Risk: Acknowledges that dependencies transfer, but do not eliminate, complexity.
Managing Dependency Risk:
- Project managers play a crucial role in organizing dependencies to achieve project goals.
- Tools such as Gantt Charts are mentioned as aids in managing dependency risk by organizing tasks based on resource capacity and task dependencies.

In conclusion, the article provides a comprehensive exploration of Dependency Risk, covering a wide range of aspects and offering insights into managing and mitigating these risks in various contexts. The inclusion of real-world examples and practical tools enhances its value for both newcomers and seasoned professionals in the field.