What If You Can’t Get the Information You Need?

We Need the Source Code

We’re bidding on a project that requires us to process the output of another system.  To accurately estimate the amount of work, we need to know everything that this output file could ever include, and how it’s formatted. 

We’ve only been given two samples, and they’re noticeably different. There are no written specifications for the output file. The source code of the system that outputs it is owned by the client.

But the client won’t share the source code with us. They won’t accept an NDA. They simply won’t share the source code under any circumstances.

They’ve told us to assume that the two samples we’ve been given completely cover all possibilities. We know that the output is complex, and that it’s based on complex engineering calculations, so we have reason to question this assumption.

What Would You Do?

We could walk away from a client that doesn’t trust us enough to share the source code. We aren’t going to do that. This will be our first engagement with this client, and we understand that trust is earned.

We could list it as an assumption, and have them agree to it – in writing.  However, experience tells us that this won’t help much when the assumption turns out to be wrong.  They won’t accept a system that doesn’t do what they need, and they won’t be happy about it costing more than they had budgeted.

So what’s the answer?

Apply Some Risk Management  

Identify it as a risk.  

Assess the probability and impact of the risk (qualitative risk analysis).  The probability is high, and so is the impact.

Plan Some Risk Responses 

Transferring the risk isn’t very helpful.  It’s not worth trying to buy insurance for this.  Who would insure it anyway? And transferring the risk to the client via an agreed assumption isn’t going to work because the client won’t really take responsibility for it.

Avoidance is what we tried by getting the source code.  A complete specification would help to reduce the probability of this risk occurring, but there isn’t one.  Even more samples would help, but they aren’t willing to provide more.

Mitigation is the answer.  Estimate the impact, and create a contingency fund for it.  Have the client agree to this contingency fund as part of the contract.  This way, they know that we won’t use this money if the risk doesn’t happen, but they have the money in the approved budget if it does.

We mustn’t forget Monitoring.  We’ll want to identify ways to identify as soon as possible if and when this risk occurs.  

Don’t Forget the Budget

We need to budget for this monitoring.  We’ll be doing this monitoring whether the risk happens or not.  These costs need to be included in our main project budget. This money will be spent whether the risk happens or not.

The Budget for this risk response will include two components:

  • A monitoring budget that covers the costs of monitoring this risk
  • A contingency budget to be used if the risk occurs

P.S. You might ask yourself whether this assumption is a risk or an issue. I answer the question of how to distinguish issues from risks in my article Is this an Issue or a Risk?