Does It Make Sense to Excise Risk Management from Software Development Methods?

This is a second annotation of an article, Send in the Tech Reinforcements authored by Arthur Herman and John Scott. We’re focusing here on the authors’ point that “the Pentagon relies on a bureaucratic review process that demands contractors anticipate and resolve problems in advance. Every software engineer, however, knows that’s not possible or even desirabled.” (quoted from Messrs Herman and Scott’s article, a link to which has been provided in this paragraph). We are also interested in a comment made further on in the article that “[l]earning by trial and error doesn’t work so well for aircraft carriers or Abrams tanks, but it is crucial for the development of effective software.” (ibid).

We think that the Pentagon process that’s got our authors’ attention, which they find hard to accomodate, is actually operational risk management for software development. In our opinion, the interest on the part of the Pentagon in implementing and exercising operational risk management in order to ” . . . anticipate and resolve problems in advance” is far more than merely a “bureaucratic review process”. (quotes are excerpted from the Messrs. Herman and Scott’s article). In fact, we think it is critically important for the welfare of our military personnel that this type of scrutiny be exercised over custom requirements for software. Regardless of whether specific software is intended for office computing use, or for use on the battlefield, any software application accessed by today’s desktop computers is potentially a trojan horse that could be maliciously exploited by enemies of our country or other individuals with nefarious intent.

To give the authors credit, perhaps their point is that the operational risk management methodology implemented by the Pentagon is ineffectual. If, in fact, the authors are attempting to make just such a point, then, perhaps we can be more agreeable to their point of view. However, by no means do we see how the Pentagon could safely adopt a policy that welcomes a “learning by trial and error” method of software development and still safeguard our military personnel.

Rather, we agree with the authors that attempts at managing the risk represented by custom software have been, evidently, somewhat clumsy on the part of the Pentagon, and, further, ineffectual as regards safeguarding our systems from malicious attack, despite substantial cost overruns. But we think all of this work and little progress points to a real need to rethink operational risk management policies and procedures for the actual task of developing software for military use in 2013. By no means, in our opinion, does it make sense to abandon the attempt altogether.

In the next post to this blog we will look at one last set of points made in this article.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.