Risk-First: Stars of Software

Risk-First

Risk-First is about understanding how to manage risks in software development. But there are a million jobs in technology besides coding, testing, and releasing. How does risk inform those jobs? And could it be that being good at any job in tech really means being good at risk management? Is all work… risk management? I’m Rob Moffat, and in each episode I sit down with leaders, builders, and thinkers from across the software industry to understand what they do, the risks they navigate every day, and the lessons they’ve learned along the way. Because behind every successful system, career, and company… there’s someone making smart decisions about risk. And if you want to be great in your chosen field, you need to be great at managing risk. So who better to learn from… than the stars? Welcome to Risk-First: Stars of Software.

Episodes

  1. May 30

    Risk-First: Stars of Software #9 - Dave Thomas

    Dave Thomas: Pragmatism, Feedback Loops, and Why AI Doesn’t Change the Fundamentals

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Dave Thomas, co-author of The Pragmatic Programmer, original signatory of the Agile Manifesto, founder of The Pragmatic Bookshelf, and long-time thinker on software simplicity, agility, and feedback-driven development.

    Dave has spent decades shaping how software developers think about programming — from pragmatism and feedback loops, through Agile, Ruby, and testing, to his more recent work on simplicity and AI-assisted software development.

    Along the way, Rob and Dave dive into:

    - Why nearly every idea in The Pragmatic Programmer still applies in the age of AI
    - The role of feedback loops in software development
    - Why Agile was originally about values and adaptability
    - The origins of the Agile Manifesto and how it unexpectedly “went viral” after Snowbird
    - How military concepts like “commander’s intent” parallel modern agile software teams
    - Why organisations built around top-down command structures struggle to be genuinely adaptive
    - How delighting users requires empathy, not just technical competence
    - Why empathy matters not only for people, but for machines, systems, and software design itself
    - The possibility that future AI-generated software may eventually become unreadable to humans
    - Why AI may ultimately reinforce good software design practices like small modules, meaningful names, and readable structure
    - The ongoing “CVE apocalypse”
    - Why writing books — and software — is fundamentally about synthesising and refining ideas from reality into reusable forms
    - Dave’s belief that the best way to navigate an increasingly complex world is to live “agilely”: taking small reversible steps guided by feedback

    Links

    - The Pragmatic Programmer https://pragprog.com/titles/tpp20/the-pragmatic-programmer-20th-anniversary-edition/ Classic software engineering book introducing concepts like pragmatism, tracer bullets, orthogonality, and feedback-driven development.
    - The Pragmatic Bookshelf https://pragprog.com Technical publishing company focused on practical software development books across programming, AI, testing, and engineering.
    - Agile Manifesto https://agilemanifesto.org The original Agile Manifesto and principles created at Snowbird in 2001.
    - Simplicity https://pragprog.com/titles/dtlang/simplicity/ Dave Thomas’ recent book exploring simplicity, empathy, systems thinking, and software design.
    - FINOS https://www.finos.org Open source foundation discussed in relation to software supply chain security and open source sustainability.
    - Dave Thomas’ Substack https://newsletter.pragmaticengineer.com Dave’s writing and commentary on software, AI, and programming ideas.

    1h 11m
  2. May 16

    Risk-First: Stars of Software #8 - James McLeod

    James McLeod: Open Source Communities, Hackathons, and Why Open Source Opens Doors

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with James McLeod, Open Source Lead at NatWest Group, FINOS board member, and organiser of London JS.

    James has spent years at the intersection of enterprise technology and grassroots developer communities — helping banks engage with open source while also building one of London’s best-known JavaScript meetups. Before NatWest, he worked directly within FINOS helping financial institutions collaborate through open source, standards, and shared engineering practices.

    The conversation explores how open source communities form around uncertainty, why meetups and hackathons matter far more than most organisations realise, and how the current explosion of AI tooling mirrors the chaos and creativity of the early JavaScript ecosystem.

    Along the way, Rob and James dive into:

    - How the rise of React, Node.js, npm, and frontend frameworks created a “primordial soup” developers had to collectively figure out together
    - Why London JS was created to help developers learn collaboratively rather than depend on individual experts
    - The importance of creating communities where people can safely experiment, fail, and learn in public
    - Why meetups act as “distilled serendipity” — compressing useful collisions between people and ideas
    - How open source communities help reduce dependency on proprietary ecosystems and centralized knowledge
    - Why hackathons are valuable not just for innovation, but for exposing firms to external thinking and new technologies
    - The challenge of maintaining momentum after hackathons end and preventing ideas from “rotting in a repo”
    - How open source participation helps organisations avoid becoming technologically entrenched
    - Why enterprises often misunderstand open source as purely an IP issue instead of a collaborative engineering model
    - James’ experiences moving from highly proprietary Microsoft ecosystems into open source development cultures
    - How AI today feels similar to the early React ecosystem: lots of tools, rapid change, and nobody really knowing the “correct” answers yet
    - Why AI communities need openness, shared learning, and emotional intelligence — especially when many developers are anxious about the future of work
    - The idea that “open source opens doors” — creating careers, friendships, startups, and opportunities far beyond code itself

    Links

    - London JS https://www.meetup.com/london-js/ London-based JavaScript and frontend development community bringing together developers, speakers, and technology enthusiasts.
    - FINOS (Fintech Open Source Foundation) https://www.finos.org Foundation enabling collaboration on open source projects and standards across financial services.
    - NatWest Group https://www.natwestgroup.com UK banking group active in open source collaboration and FINOS initiatives.

    1h 20m
  3. Apr 25

    Risk-First: Stars of Software #7 - Viktor Petersson

    Viktor Petersson: SBOMs, Supply Chains, and the Reality of Software Transparency

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Viktor Petersson, founder of SBOMify and co-founder and CEO of Screenly. Viktor has spent years building real-world systems at the intersection of hardware, cloud, and security—from early Raspberry Pi-based digital signage through to globally deployed platforms used by organisations like NASA and Capital One. More recently, he’s focused on one of the most talked-about—and misunderstood—areas in modern software: Software Bills of Materials (SBOMs).

    The conversation explores why SBOMs have suddenly become a regulatory and industry focus, whether they actually solve the problems they claim to, and what it really means to understand what’s inside the software we run.

    Along the way, Rob and Viktor dive into:

    - What an SBOM actually is—and why it’s often misunderstood as just “a file”
    - Why software supply chain transparency is much harder than it sounds
    - The gap between regulatory intent and engineering reality
    - Why generating SBOMs is easy—but making them useful is not
    - The problem of incomplete, inaccurate, or outdated dependency data
    - How transitive dependencies create hidden and compounding risk
    - Why most organisations don’t actually know what’s in their software
    - The difference between compliance-driven SBOMs and operationally useful ones
    - Why “perfect visibility” is probably unattainable—and what to do instead
    - How SBOMs intersect with vulnerability management and incident response
    - The role of tooling, automation, and standards in making SBOMs usable
    - Whether SBOMs reduce risk—or just make it more visible
    - How supply chain security is evolving alongside AI-generated code

    Links

    - sbomify https://sbomify.com Platform focused on generating, managing, and operationalising Software Bills of Materials.
    - Screenly https://www.screenly.io Digital signage platform originally built on Raspberry Pi, now deployed globally across enterprise environments.

    Topics and concepts discussed

    - Software Bill of Materials (SBOM): A structured representation of the components, libraries, and dependencies that make up a piece of software.
    - Software Supply Chain Risk: Risks arising from dependencies on external code, including vulnerabilities, maintainership gaps, and compromised packages.
    - Transitive Dependencies: Dependencies of dependencies, which often introduce hidden complexity and risk.
    - SBOM Accuracy & Freshness Problem: The challenge of keeping SBOMs up to date and reflective of real-world deployed systems.
    - Compliance vs Operational Security: The difference between producing artefacts to satisfy regulators and actually improving security posture.
    - Vulnerability Management Integration: Using SBOMs as input into processes that identify, prioritise, and remediate security vulnerabilities.
    - AI-Generated Code Risk: The increasing difficulty of understanding software composition as AI accelerates code generation and reuse.

    1h 18m
  4. Apr 11

    Risk-First: Stars of Software #6 – Jyoti Wadhwa

    Jyoti Wadhwa: AI Governance at Scale, Decision Risk, and the Future of the SDLC

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Jyoti Wadhwa, global leader in AI governance and enterprise technology risk, and contributor to FINOS AI governance efforts. Jyoti has spent her career helping large organisations—from Fortune 100 companies to US federal agencies—adopt emerging technologies safely, translating regulatory expectations, risk frameworks, and responsible AI principles into governance models that actually work in practice. Which makes her the perfect person to explore what governance really means when you’re operating at scale.

    The conversation explores how organisations move from individual experimentation with AI tools to coordinated, enterprise-wide adoption, why governance isn’t about slowing things down but enabling decisions, and how the shift to agentic, non-deterministic systems is fundamentally changing the software development lifecycle.

    Along the way, Rob and Jyoti dive into:

    - Why governance is really about decision-making at scale—not documentation
    - The concept of decision risk as the most important risk in AI adoption
    - How organisations must bring the right stakeholders together based on use case, not hierarchy
    - Why governance enables innovation rather than slowing it down
    - The three major AI risk buckets: regulatory/compliance, data & privacy, and operational visibility
    - How policies translate from law → organisational agreement → technical controls
    - Why the SDLC is shifting from deterministic pipelines to probabilistic, agent-driven systems
    - The challenge of maintaining control and auditability in AI-driven development
    - Why “human in the loop” systems must account for psychological limits like vigilance decrement
    - The emergence of baseline architectures and reference models for safe AI adoption
    - Why inconsistent LLM usage across business units is already a real-world governance failure
    - How FINOS and industry standards help create shared “baselines of good” across firms
    - Why vendor risk and AI tooling sprawl are becoming major enterprise concerns
    - How regulation will continue to lag innovation—but increase rapidly in response

    Links

    - FINOS AI Governance Framework https://github.com/finos/ai-governance-framework Open-source framework defining risks and controls for adopting AI in financial services.
    - FINOS (Fintech Open Source Foundation) https://www.finos.org Industry foundation enabling collaboration on open standards and governance across financial services.
    - NIST AI Risk Management Framework https://www.nist.gov/itl/ai-risk-management-framework Widely referenced framework for managing AI risk, governance, and trustworthy AI systems.
    - MITRE ATT&CK Framework https://attack.mitre.org Knowledge base of adversary tactics and techniques used for threat modelling and security analysis.

    1h 6m
  5. Mar 28

    Risk-First: Stars of Software #5 – Brittany Istenes

    Brittany Istenes: Open Source Readiness, OSPOs, and Why Contribution Is Risk Management

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Brittany Istenes, open source strategist, InnerSource advocate, and contributor to FINOS’ Open Source Readiness work. Brittany has spent years helping large organisations—especially in regulated industries—figure out how to actually work with open source, not just consume it. Which makes her the perfect person to explore one of the biggest blind spots in enterprise technology today: the gap between relying on open source and understanding how to manage the risks that come with it.

    The conversation explores why so many firms depend on open source but struggle to engage with it properly, what OSPOs are really for (beyond compliance), and how organisations can move from passive consumption to active participation without losing control.

    Along the way, Rob and Brittany dive into:

    - Why open source is effectively critical infrastructure—but isn’t treated or funded like it
    - The reality of “OSPOs of one” and why most firms underestimate their importance
    - How dependency risk, licensing, and supply chain issues create hidden exposure in large organisations
    - Why contributing upstream isn’t altruism—it’s a way to reduce risk and gain influence
    - How InnerSource helps organisations learn open collaboration safely before engaging externally
    - The role of foundations like FINOS in creating trusted environments for collaboration between competitors
    - Why the cost of internal forks is often invisible—but significant
    - How AI and “vibe coding” could massively increase the volume of open source (and the associated risks)

    Links

    - FINOS Open Source Readiness (OSR) https://osr.finos.org
    - InnerSource Commons https://innersourcecommons.org
    - FINOS (Fintech Open Source Foundation) https://www.finos.org

    Music Mentioned Includes:

    - Oranssi Pazuzu (Finnish black metal)
    - Nine Inch Nails – With Teeth
    - MF DOOM – Doomsday
    - Tom Waits
    - The Bobby Lees
    - Blackwater Holylight
    - Wu-Tang Clan
    - Puscifer
    - Tool
    - Tron: Legacy (Daft Punk soundtrack)
    - The Crow (1994 soundtrack)

    1h 2m
  6. Mar 13

    Risk-First: Stars of Software #4 - Colin Eberhardt

    Colin Eberhardt: AI Governance, Agentic Coding, and the Future of Open Source

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Colin Eberhardt, CTO of Scott Logic, long-time FINOS contributor, and one of the principal authors of the AI Governance Framework. Colin has spent years helping financial institutions adopt new technologies safely—without slowing innovation to a crawl. Which makes him exactly the right person to talk to about the biggest technological shift the software industry has seen in decades: AI.

    The conversation explores what AI governance actually looks like in practice, why banks struggled to work out whose problem AI even was, and how large organisations can adopt powerful new tools without accidentally causing chaos.

    Along the way, Rob and Colin dive into:

    - Why AI governance isn’t about bureaucracy, but about helping organisations understand risks they didn’t even know they had
    - How non-deterministic systems break many traditional software engineering techniques
    - Why testing and feedback loops may become the most important tools in AI-driven development
    - The rise of agentic coding loops that can autonomously iterate until tests pass
    - How AI could radically change legacy system migration, software delivery, and developer productivity
    - Whether AI will flood the world with open-source projects… or quietly make open source less necessary

    Links:

    Colin Eberhardt

    - Scott Logic https://www.scottlogic.com UK-based software consultancy focused on complex platforms, trading systems, and large-scale engineering challenges.
    - FINOS AI Governance Framework https://github.com/finos/ai-governance-framework Open-source framework describing risks and mitigations when adopting generative AI in financial services.

    Newsletters & media

    - AI Augmented Coding Weekly — Colin’s newsletter https://newsletter.scottlogic.com Commentary and analysis on how AI is changing software engineering practices.
    - The AI Daily Brief podcast https://podcasts.apple.com/us/podcast/the-ai-daily-brief/id1669813433 Regular updates on AI developments, industry trends, and major model releases.

    Technologies and examples discussed

    - Claude Code / Anthropic tools https://www.anthropic.com AI coding agents and autonomous development workflows.
    - Next.js https://nextjs.org Popular React framework used as an example of modern web infrastructure and AI-assisted cloning.
    - Ladybird browser project https://ladybird.dev Experimental open-source browser engine referenced during discussion of AI-assisted codebase recreation.

    1 hr
  7. Feb 28

    Risk-First: Stars of Software #3 - Kunal Kushwaha

    Episode 3 — Kunal Kushwaha: Cloud Complexity, Community, and the Human Side of DevRel

    In this episode of Risk-First: Stars of Software, Rob Moffat speaks with Kunal Kushwaha—Senior Developer Advocate at CAST AI, founder of the global WeMakeDevs community, CNCF Ambassador, and one of the most recognisable voices in today’s cloud-native ecosystem.

    Kunal’s work sits at the intersection of cloud infrastructure, developer education, and community-driven learning, focused on helping organisations reduce cloud waste, improve reliability and performance, and navigate the growing complexity of Kubernetes and AI-driven platforms. At its core, his perspective highlights that risk in modern technology is not just technical—it’s human, organisational, and economic.

    Together, Rob and Kunal explore:

    - Why cloud complexity and over-provisioning create hidden financial and reliability risks
    - How developer relations connects human relationships to business outcomes
    - Lessons from building data-centre infrastructure and global developer communities early in a career
    - Real-world failures—from data-centre fires to open-source contribution overload—and what they teach about resilience
    - How open source, AI agents, and autonomous cloud platforms are reshaping the future of software
    - Why success in technology still depends on focus, learning-by-doing, and strong human networks

    Kunal Kushwaha

    - CAST AI https://cast.ai Autonomous cloud optimisation platform focused on performance, reliability, and cost efficiency.
    - WeMakeDevs community https://wemakedevs.org Global developer community running hackathons, events, and learning programmes across 20+ countries.
    - Tech With Nana (YouTube) https://www.youtube.com/c/TechWorldwithNana Clear, practical explanations of cloud-native and DevOps concepts.
    - TLDR Newsletter https://tldr.tech Daily curated updates across software engineering, AI, and startups.
    - Hacker News https://news.ycombinator.com Community-driven discussion of technical trends and projects.
    - Product Hunt https://www.producthunt.com Discovery platform for new developer tools and technology products.
    - Kubernetes Blog https://kubernetes.io/blog Official updates and deep dives from the Kubernetes ecosystem.
    - Stuff You Should Know https://www.iheart.com/podcast/105-stuff-you-should-know-26940277/ Broad, curiosity-driven explorations of everyday topics.
    - Science Vs https://gimletmedia.com/shows/science-vs Evidence-based deep dives into popular claims, including AI and technology.

    55 min
  8. Feb 14

    Risk-First: Stars of Software #2 - Steve Tendon

    Episode 2 — Steve Tendon: Constraints, Flow, and the Human Side of Organisational Risk

    In this episode of Risk-First: Stars of Software, Rob Moffat speaks with Steve Tendon—creator of the Tameflow approach and a leading thinker in systems thinking, organisational performance, and flow-based management.

    Steve’s work sits at the intersection of theory and real-world change, helping organisations improve economic, operational, organisational, and human performance by focusing on constraints, decision-making, and the social dynamics of collaboration. At its core, Tameflow is about understanding how people communicate, make trade-offs, and ultimately manage risk—whether explicitly or by intuition.

    Together, Rob and Steve explore:

    - Why organisational success depends on decision-making and trade-offs, not just process
    - How the Theory of Constraints applies to knowledge work and software systems
    - The hidden risks in mergers, acquisitions, and organisational culture clashes
    - Why certifications signal capability—but real expertise requires evidence and outcomes
    - The importance of feedback loops, systems thinking, and human collaboration in avoiding failure
    - What it means to “think more differently” in a rapidly changing, AI-shaped future

    From last-minute product disasters caught minutes before release to breakthrough organisational turnarounds, this conversation reveals a powerful theme: performance improves when we focus on what truly constrains us—and have the courage to change how we think. If risk is about navigating uncertainty and trade-offs, then mastering flow, constraints, and human decision-making may be the most important skill of all.

    - The Goal — Eliyahu M. Goldratt https://www.amazon.co.uk/dp/0884271951 A classic introduction to the Theory of Constraints, presented as a narrative about improving organisational performance. Steve highlights it as a book worth rereading many times because new insights emerge with each pass.
    - Other works by Eliyahu M. Goldratt https://www.goldratt.com/resources/books Further exploration of constraints thinking, flow, and systemic improvement across organisations and industries.
    - Christopher Alexander & pattern thinking https://patternlanguage.com Foundational ideas behind patterns, organisational design, and systems thinking, which strongly influence the Tameflow approach.

    Steve Tendon & Tameflow

    - Tameflow Consulting https://tameflow.com Steve’s organisational performance and systems-thinking consultancy focused on improving economic, operational, organisational, and human flow.
    - The Tameflow Circle (community) https://tameflow.com/circle A discussion community exploring systems thinking, constraints, organisational design, and knowledge-work performance.
    - Career Booster training https://tameflow.com/career-booster Steve’s programme aimed at helping individuals improve professional effectiveness using constraints thinking, conflict resolution, and systemic decision-making.

    45 min
  9. Feb 14

    Risk-First: Stars of Software #1 - Dom Vogel

    Episode 1 — Dom Vogel: Cybersecurity, Leadership, and the Risks We Choose Not to See

    In the very first episode of Risk-First: Stars of Software, Rob Moffat sits down with cybersecurity leader Dom Vogel to explore what risk really means beyond code, tools, and technology.

    With more than two decades in the field, Dom shares how cybersecurity has evolved from a niche IT concern into a core business risk—and why many executives still fail to see it that way. From boards of directors who only pay attention when their yachts are on the line, to companies brought to a halt by ransomware because no one ever tested their backups, this conversation reveals a simple truth: most disasters aren’t sophisticated—they’re preventable.

    Together, Rob and Dom unpack:

    - Why cybersecurity must be owned by business leaders, not just IT
    - How poor governance—not missing technology—causes most breaches
    - The hidden risks of dependency on digital systems and “shadow AI”
    - Why networking and human skills matter more than technical brilliance in security careers
    - How AI could transform security from burnout-driven alert chasing into meaningful risk management

    This episode sets the tone for the series: understanding that success in technology—and perhaps any profession—comes down to making better decisions about risk. If you want to get better at what you do, start by understanding the risks that shape it.

    Cybersecurity news and analysis

    - Dark Reading https://www.darkreading.com Focuses on current security threats, research, and trends with strong links back to business impact.
    - CSO Online https://www.csoonline.com Covers security leadership, governance, and risk from an executive and organisational perspective.

    Influential thinker in security

    - Bruce Schneier’s blog (Schneier on Security) https://www.schneier.com Long-running, highly respected commentary on security, privacy, and real-world risk.

    Dom Vogel

    - LinkedIn – easiest place to connect and follow his daily “stories from the trenches” https://www.linkedin.com
    - Vogel Security Leadership & Training https://vogelleadershipcoaching.com

    58 min
