Most software methodologies tell you what to do.
Risk-First explains why those practices exist.
Once you understand the risks, you can choose the right practices for your context.
Start here — a four-step path through the material.
Risk-First gives teams and leaders a shared vocabulary for making better software decisions.
Frame decisions in terms of the risks being managed and accepted.
Align teams around shared understanding of what matters most.
Choose practices deliberately rather than by habit or fashion.
Connect engineering choices to business outcomes executives care about.
Compare Agile, Waterfall, DevOps and more through a risk lens.
Second Edition · 265 pages
265 pages that reframe software development around the force that shapes every decision: risk. Risk-First peels back the onion — not a methodology telling you what to do, but a toolbox and pattern language to help you figure out what you should do, and communicate your case to others.
Gain the vocabulary, tools, and confidence to identify, evaluate, and mitigate risks before they derail your project — whether you are managing a startup product, steering an enterprise system, or incorporating AI.
Stars of Software — conversations with leaders and builders about the risks they navigate every day.
Interviews, keynotes, and conversations about Risk-First in the wild.

Rob Moffat is a software developer with deep experience in the finance industry leading regulatory, risk, and transformation IT projects at top-tier investment banks in London. A strong advocate for open source, he currently serves as the chief architect for FINOS, the Financial Open Source initiative of the Linux Foundation.
Risk-First takes the view that a project's goals are obstructed by risks. These risks can be managed by software development practices, which are often packaged up as different methodologies (think Scrum, XP, Lean, DevOps), or risk frameworks as we call them here.
Every software development practice exists to manage a specific kind of risk. Risk-First makes that connection explicit — so you can choose the right practices for the risks you actually face.
| Adopting This Practice... | ...Can Help Manage This Risk |
|---|---|
| Writing and running tests for individual units or components of the software. | Risk that the functionality you are providing doesn't correctly implement the perceived solution you are trying to build for your clients. |
| Using machines to perform repetitive tasks. | The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. |
| Two developers working together on the same code. | Risks due to the differences between reality and an internal model of reality, and the assumption that they are equivalent. |
| Continuous observation and tracking of a system, team or person, perhaps with respect to performance, security or availability. | Risks of not getting benefit from a dependency due to its reliability. |
| Managing and maintaining configuration settings of the software. | Risks caused by the weight of complexity in the systems we create, and their resistance to change and comprehension. |
| Conducting systematic reviews of work done. | Risks caused by the weight of complexity in the systems we create, and their resistance to change and comprehension. |
What changes when software is increasingly designed, generated and operated by AI?
Explore the Risk-First track on artificial intelligence risk
Risks when AI autonomously writes, modifies, and deploys code
Civilisation-scale risks as AI grows in capability and autonomy
FINOS open-source framework for generative AI in financial services
Colin Eberhardt on AI governance, agentic coding, and open source
Readers are advised to start on the left and work right, but feel free to jump around.