In this series of posts the Institute of Agile Risk Management (IARM) will be offering you concrete suggestions on how to tackle risk in your projects. We want you not only to be able to manage risk, but to do so in an agile manner. The agile risk management process (see Agile Risk Management for the details) describes risk management principles and practices that are applicable to a wide range of agile methodologies. Beginning with an understanding of your project objectives, context and risk environment, the process goes on to describe how to risk scope and tailor your chosen methodology. This lays the foundations for optimal operational risk management at the daily and iteration levels.
So what does agile have to say about risk? An extensive review of the agile literature reveals that, for the most part, risk is framed as something bad about to happen and that it chiefly affects requirements and their implementation. Moreover, it is claimed that merely “being agile” suffices to tackle risks in a project or that iteration timescales are simply too short to warrant explicit attention to risk management. Sadly, whilst most agile methodologies cite risk, few offer concrete advice or guidance on how to tackle it in a manner consistent with the agile manifesto. This leads to the following deficiencies:
- Inability to make informed risk and reward decisions. A central function of risk management is to recognize threats and opportunities within a project and to balance the desire for reward against the risks incurred in its pursuit. Accordingly, an understanding of the risk appetite of a project, together with the nature of the risks encountered in a project, is central to such decision making.
- Failure to identify appropriate risk response strategies based on risk exposure. Risk exposure (i.e., likelihood and impact) is a key determinant in the classification (and where appropriate prioritization) of risks. The inability to recognize risk exposure may therefore impede the selection of an appropriate response (e.g., accept, reduce, exploit, avoid).
- Lack of oversight in risk monitoring. Failure to engage in the monitoring of risk results in an inability to judge whether or not risk is being adequately managed. Team members ought to know how their activities are affecting project risk and how effectively and efficiently they are addressing it.
- Poor understanding of when to engage in risk activities. Lack of understanding or inconsistencies in the perception of risk mean that the responses to risk events will vary amongst team members who fail to explicitly agree on appropriate controls and triggers.
Agile risk management acknowledges that there are opportunities as well as threats to be found in projects and understands the role that people and culture have to play in risk management. It offers benefits in terms of an improved capacity to manage project uncertainties, enhanced communication and awareness of risk, better alignment of project and enterprise risk management, empowerment of project teams to tackle risk and the ability to extend and enhance existing investments in agile infrastructure.
Before engaging in operational risk management, it is worth clarifying the project objectives, context and risk environment. This requires establishing neutral scales with which to express enterprise risk tolerance and to determine where the project risk profile lies in relation to these. Thereafter, the underlying agile process needs to be risk-tailored in order to determine when and how often risk-related activities should occur. One tool that is useful in this respect is agile charting.
These initial elements lay the foundations for operational risk management which is concerned with the identification, assessment, treatment and monitoring of risks. In the next post of the series, we take a look at these practices as they would apply to a Scrum project that uses a Kanban board and describe which approaches we have found to be the most successful in agile projects.