Full Scale

    Risks in Software Development: How to Match Your Caution to What’s Actually at Stake

    Matt Watson
    By Matt Watson · CEO of Full Scale, 4x Founder, Author of Product Driven
    13 min read
    Risks in software development: match your caution to what's at stake
    In this article

    There’s one question every developer should ask before they change anything, and almost nobody is taught to ask it.

    What’s the worst thing that happens if I’m wrong here?

    Search “risks in software development” and you get the same article over and over. A tidy list of project categories. Budget risk, schedule risk, scope creep, technical risk, security risk. It reads like something a project manager keeps in a binder. None of it tells a developer how to do their actual job differently on a Tuesday afternoon when they’re about to push a change.

    That checklist misses the risk that decides whether you’re any good. Every change you make carries a blast radius, the amount of damage it can do if it goes wrong. A senior engineer reads that blast radius before they start and lets it set how careful to be. A weaker one treats every line of code the same way, and that’s a problem in both directions. They move too slowly where nothing’s at stake, and they walk straight into the changes that look harmless but aren’t.

    This is a guide to reading that blast radius. It’s written as much for our own engineers at Full Scale as it is for anyone else, because this judgment is the thing that separates a developer who moves the business forward from one who just takes tickets.

    The real risk isn’t a checklist, it’s the blast radius of each change

    Risk isn’t something you assess once at a project kickoff and file away. It’s a question you answer every time you open a pull request.

    Think about the range of software a single company ships. Code that launches a rocket has to be perfect, because you can’t patch a spacecraft that’s already gone. Code that runs an internal dashboard three people glance at once a week can be wrong all day and nobody notices. It’s the same craft and the same language, but the stakes are nowhere close. If you build both the same way, you’re doing one of them wrong.

    The skill is matching how carefully you work to how much damage a mistake can actually do.

    Most developers never make that call consciously. They either bring the same heavy process to everything, which is slow, or they bring the same casual attitude to everything, which is dangerous. The good ones triage. They look at what they’re about to touch and ask how bad it gets if this breaks, and they spend their caution where it buys something.

    Matt Watson: match how carefully you work to how much damage a mistake can do

    A blast-radius ladder for the work in front of you

    Here’s the mental model. Before you start, put the change on a ladder by its worst case. Two things set the rung: how much damage it can do, and how hard it is to undo. A bug you can roll back in thirty seconds is a different animal from one you can’t take back. The more damage and the less reversible, the more rigor it earns.

    A simple way to judge reversibility is whether a change is a one-way door or a two-way door. A two-way door you can walk back easily: a small feature behind a flag, a config tweak, a deploy you can roll back in one click. A one-way door you can’t take back without enormous cost: the core architecture everything else gets built on, a database migration that rewrites millions of rows, a massive production cutover that swaps everything at once. Most day-to-day work is a two-way door, so it carries far less risk than it feels like, and you can move fast through it. Save your caution for the one-way doors, where getting it wrong has lasting consequences.

    Catastrophic. Anything that touches money or sends messages to a lot of people. Billing code that charges a customer’s card twice. A job that fires emails or texts to your whole list. Anything that runs automatically at scale, so a single bug repeats itself thousands of times before a human even notices. Code like this can’t be wrong once. The clearest public example is the CrowdStrike outage in July 2024, where one faulty update crashed about 8.5 million Windows machines and grounded airlines, banks, and hospitals for roughly a day. One change, enormous reach, no easy undo. This rung earns the deepest testing, the most careful rollout, and a real review by someone who knows the system.

    Serious but recoverable. This is where most of the real work lives, and it’s the hardest rung to judge. Customer-facing features, a data migration, an API change a few clients depend on. You can come back from a mistake here, but it costs you a bad day and some trust. The move is to find the one or two paths that actually matter and test those hard, not everything. On a checkout change, that’s the path that takes payment, not the one that updates the order-history label. On a data migration, it’s whether you can run it again safely if it dies halfway through. Test the paths that hurt if they break, get a second set of eyes on the tricky logic, and don’t get cavalier with the rest.

    Low or trivial. The internal dashboard, the throwaway script, the new feature sitting behind a flag that only your own team can see. The worst case is you fix it in twenty minutes and nobody outside the building ever knew. Move fast. Heavy process here is pure waste, and waste is its own cost.

    The same logic drives how much testing each piece deserves. We’ve made the whole argument for why testing depth is a leadership decision, not a QA checklist, and it comes down to this exact ladder. You don’t need test coverage on everything. You need it on the things that can hurt the business if they’re wrong, because that’s where tests buy you the confidence to move quickly. Security sits high on the ladder too, which is why we treat secure development as a set of practices baked into the work rather than a step at the end.

    Blast-radius ladder: catastrophic, serious but recoverable, and low-risk changes

    When software breaks, it is almost always about what changed

    Here is something I want every engineer to internalize, because it changes how you should ship.

    When something breaks, the cause is almost always whatever just changed.

    When a system that worked yesterday falls over today, your first instinct shouldn’t be to go spelunking through the entire codebase. It should be to ask what changed since the last time it worked. That instinct only saves you if the answer is small. If you shipped one tight change, you can find the cause in minutes. If you shipped a giant release with forty things bundled together, you’re now hunting through forty suspects while production is down.

    So the single most reliable way to lower risk is boring and unglamorous. Ship lots of small changes instead of a few big ones. A small change is easy to reason about, easy to review, and easy to reverse. A big release buries the cause of any problem in noise.

    The rollout is the other half. You don’t have to turn a risky change on for everyone at the same moment. Feature flags let you decouple shipping the code from releasing the feature, so you can switch it on for a small group, watch what happens, and widen only when it holds.

    Bugs are going to happen no matter how good you are, so the smart move is to find them with a small blast radius. Picture Tesla pushing a software update to every car on the road in a single night. If something’s wrong, the whole fleet has the same problem by morning. Now picture them rolling that update to a few thousand cars first, confirming everything behaves, and then expanding. Same update, wildly different risk. Get the change in front of a small set of real users first, especially when you already know it’s a heavy one.

    Shipping to everyone at once versus rolling out to a small group first

    The hidden risks: when “trivial” isn’t

    The dangerous changes are the ones that look harmless. This is where developers who don’t understand production get hurt.

    Adding a new index to a database table, or modifying an existing one, feels like nothing in your development environment. The table has a few thousand rows. The change runs instantly. You commit it and move on.

    Then it goes to production, where that same table has 500 million rows. Now that “instant” index change can lock the table, run for hours, and bring the application to a crawl during the busiest part of the day. What was a one-line migration in dev needs a planned maintenance window and a careful rollout in production. The risk was never in the code. It was in the gap between what your laptop looks like and what production actually looks like.

    Building a development team?

    See how Full Scale can help you hire senior engineers in days, not months.

    You can’t judge a blast radius you can’t see. A developer who has never watched a system under real load, with real data volumes and real traffic, will keep mistaking high-risk changes for trivial ones. This is why understanding the production environment isn’t optional. The trivial-looking change that quietly breaks the thing next to it is the most common way good engineers cause bad outages.

    8.5 million Windows machines crashed by one faulty update, July 2024

    Most developers get risk exactly backwards

    Now the uncomfortable part. Most developers don’t calibrate at all. They run scared on everything.

    That fear is understandable. It isn’t their company. A mistake feels like it could cost them their reputation or their job, so they over-review, over-test, and ask permission for changes that carry no real risk. The whole team slows down to protect against downsides that were never going to be that bad.

    I notice this because I don’t feel it. As a founder, I’m not afraid to make a change. If I break something, I’ll fix it, and I’m certainly not going to fire myself over it. An employee doesn’t get to feel that way as naturally, and that’s fine. The point of this guide isn’t to tell people to stop caring. It’s to help you see when to be cautious and when to ease off, so the caution lands where it counts.

    There’s a catch to all of this, and it’s the fair objection to everything above. Telling people to move fast on low-risk work assumes they can tell low-risk from high-risk, and the index story just showed that they often can’t. So here’s the rule when you’re new to a system, new to production, or just not sure: treat the change as riskier than it looks and get a second read. Reading blast radius is a skill you earn by watching real systems break, not a license to skip review on day one. You ease off the caution as you learn where the bodies are buried, not before.

    There’s a second way developers get this wrong, and it costs even more. They overengineer.

    We needed a small internal tool recently, a quick and dirty MCP server, the kind of thing that should take a couple of days. Instead the developers wanted to architect it properly. They spent six weeks on it. When they finally delivered, it didn’t even work right, because in six weeks of building they never once let a real user try it. All that effort went into polishing something nobody had validated. The risk they should have been managing wasn’t “is this elegant enough.” It was “are we even building the right thing.”

    The biggest risk is building the wrong thing

    Every risk we’ve covered so far assumes the work is worth doing. The largest risk in software development is that it isn’t.

    You can write perfect, well-tested, beautifully rolled-out code for a feature no customer wanted. All the rigor in the world doesn’t save you from building the wrong thing. At Stackify, we once spent $10,000 sponsoring a developer conference to launch a product, and we got zero new customers from it. The product wasn’t what people needed, and no amount of engineering quality was going to fix that.

    We learned the same lesson a quieter way too. We assumed that more usage of our product meant more value, so we optimized to get people logging in more. Then we actually listened, and customers told us the opposite. “I just need to know why production is broken.” They didn’t want to spend time in our app. They wanted answers and to get back to work. The most valuable thing we could build was the thing that got them out of the product faster.

    This is why getting real feedback early beats almost any other risk control. It’s also the heart of asking why before you build, a theme I come back to constantly in Product Driven. Shipping the wrong thing efficiently is still shipping the wrong thing.

    Why reading risk is now the developer’s job, not the manager’s

    For a long time the industry treated developers as order takers. Requirements came down, you built exactly what the ticket said, and judgment was somebody else’s department. That model is finished.

    Now that AI generates so much of the code we ship, the bottleneck is no longer typing. It’s judgment. Developers have to understand the business problem, weigh the risk of different solutions, and go solve it without waiting for permission at every step. The 2025 DORA report put it well: AI amplifies what’s already there. Strong teams get faster and better with it, and weak teams just ship their problems quicker. The tool doesn’t supply the judgment. You do.

    This is the real difference between a developer who multiplies a team’s output and one who drains it, and it isn’t raw speed or lines of code. It’s the ability to read risk and move accordingly, to go fast where it’s safe and slow down where it isn’t. The developer who treats every change like it might launch a rocket is the same drag on the team as the one who treats a billing change like a throwaway script. The one who reads each change correctly is worth far more than their salary.

    That judgment is also exactly what you’re paying for when you hire a senior engineer, and exactly what you’re not getting when you chase the cheapest possible developer. We call that mistake cheapshoring, and risk judgment is one of the first things it costs you. A cheap body can write code. Reading the blast radius of a change, in your system, against your business, is the part that takes real experience.

    How to actually calibrate: a software development risk management checklist

    Risk management in software development doesn’t have to be heavy. Most of it is a handful of questions you run before you start, and a few habits that keep your blast radius small.

    Before you make a change, ask:

    • What’s the worst case if this is wrong? Money, data, customer trust, or just a quick fix?
    • Is it reversible? Can I turn it off in seconds, or am I committed once it ships?
    • How many people does it touch if it fails?
    • Do I actually understand how this behaves in production, not just on my machine?

    Then let the answers set your rigor:

    • High blast radius: deep testing on the risky paths, a real review, and a staged rollout behind a flag.
    • Medium: test the important paths, review the tricky parts, ship normally.
    • Low: move fast, skip the ceremony, fix forward if it breaks.

    And keep two habits no matter what. Ship small so you always know what changed. Get the work in front of a real user as early as you can, because the worst risk is building something nobody needed.

    Frequently asked questions about risks in software development

    What are the main types of risks in software development?

    The common list covers technical risk, schedule risk, budget risk, scope creep, and security risk. Those are real, but they describe a project from a manager’s seat, and most of them are downstream of the same thing: an uncontrolled blast radius. A “quick” change that locks the production table is what turns into a schedule slip and a blown budget. For a developer, the more useful framing is the blast radius of each change you make: what’s the worst thing that happens if this specific piece of code is wrong, and how hard is it to undo.

    How do you assess software development risk?

    Assess it per change, not just per project. For anything you’re about to ship, ask what the worst case is if it fails, whether it’s reversible, and how many people or how much money it touches. The higher the answer, the more testing, review, and careful rollout it earns. Low-stakes work earns very little.

    How do you mitigate risks in software development?

    The habits that matter most are simple. Ship small changes instead of big releases so you always know what changed when something breaks. Use feature flags to roll risky changes out to a small group first. Concentrate your testing on the code that can actually hurt the business. And get real user feedback early, before you’ve built the wrong thing well.

    Does AI change the risks in software development?

    It raises the stakes on judgment. AI can generate code far faster than a person can carefully review it, so the risk of shipping something nobody truly understood goes up. The 2025 DORA research found AI amplifies whatever a team already is. Disciplined teams ship faster and safer, while teams with weak habits just produce their mistakes more quickly.

    Build a team that reads risk well

    Calibrating risk is a learned skill, and it’s the difference between an engineer who accelerates your company and one who quietly slows it down. It’s exactly what we train for at Full Scale, where our engineers work as part of your team through our staff augmentation model instead of as a vendor taking orders. If you want to scale with developers who own that judgment, book a call and let’s talk.

    See How We've Helped Teams Like Yours

    Real results from companies who scaled their engineering teams with Full Scale.

    Scaling Engineering with a Fully Integrated Global Team
    Media & Entertainment

    AMC Theatres: Scaling Engineering with a Fully Integrated Global Team

    Derrick Leggett, CIO of AMC Theatres, on scaling engineering from 170 to 900+ theatres, going AI-first, and why integrated global teams have replaced traditional outsourcing inside one of the world's largest entertainment platforms.

    Finding Top Engineering Talent in a Competitive Market
    Healthcare Technology

    SOTA Cloud: Finding Top Engineering Talent in a Competitive Market

    Dustin Johnson, co-founder and CTO of SOTA Cloud, on competing globally for engineering talent and why Full Scale's pre-vetted .NET engineers became top performers across his dental imaging software company.

    Turning Challenges Into Triumphs
    Sports & Entertainment

    Facility Ally: Turning Challenges Into Triumphs

    Facility Ally, born out of necessity from the experiences of organizing sports leagues and events, encountered a significant gap in the market: the need for a comprehensive management solution for sports facilities.

    View All Case Studies

    Get Product-Driven Insights

    Weekly insights on building better software teams, scaling products, and the future of offshore development.

    Subscribe on Substack

    Ready to add senior engineers to your team?

    Book a 15-minute call. Tell us your stack and where the gaps are, and we'll show you the engineers we'd put on your team.