Agile is Not a Risk Management Approach
Some people believe agile approaches with their short cycles and regular feedback have a risk management approach naturally built into the process. It is easy to see why, the building blocks and attachment points for plugging in an effective risk management process are certainly present, but unfortunately just building something iteratively or incrementally does not ensure risks are managed.
It is all too easy to develop iteratively missing opportunities to actively address threats or exploit opportunities. Many agile teams also fail to actively look for risks, discuss and decide on appropriate actions, undertake those actions and reassess the risks and evaluate if the risk management process is even working.
It is a shame because in many ways agile methods provide an ideal framework for introducing effective risk management practices. They have short timeframes, active reprioritization of work, frequent review points, high team member and business engagement in planning, etc. However, similar to having a group of people to help you find something, “a beach-party is not the same as a search-party”. We need a conscious effort, coordination and cooperation to make it effective.
Consciously Adding Risk Management to Agile Approaches
The good news is, that when organizations and their participating teams decide to layer risk management onto agile approaches there are many self-reinforcing cycles and mechanisms to make use of. For instance, the frequent consideration of change requests and reprioritization of work in the backlog makes the insertion risk avoidance or risk mitigation tasks an easier process to handle.
Likewise, the regular retrospectives that review progress and process are great points to examine the effectiveness of risk management strategies and take corrective actions. Daily standup meetings that surface issues and blockers can also act as early warnings for potential new risks, etc.
For anyone interested in linking agile approaches to risk management steps, here’s a White Paper on Collaborative Games for Risk Management that was presented at the 2012 Agile conference and PMI Global Congress. These ideas and their development more into Opportunity Management were explored at this 2015 Agile Conference Session. However, the mechanics of doing the work and linking it into an agile lifecycle are the easy parts, getting people to take a risk-based view to project work is where the real work is needed.
Thinking about Risk Management
Education and acceptance are the keys to successfully adding risk management to agile practices. We need to get people engaged in the process and instill a common understanding of threats as the possibility of negative value. Once people understand this they can answer the question “Where is the next best dollar spent?” more effectively. It might not be on building the next feature from the backlog, but instead avoiding a risk or exploiting an opportunity.
All three of these actions can deliver business value and when there is a shared framework for decision-making projects are more successful. Some tools that can be used to help make better decisions around risk management on agile projects include:
- Risk Adjusted Backlog
- Risk Profile Graph
- Risk Retrospectives
- Risk Adjusted Backlog – Working with Product Owners or business representatives to add threat avoidance and mitigation work along with opportunity enablement work into the backlog.
We need a way to insert risk avoidance / mitigation and opportunity stories into the backlog. It is done by the product owner, but with consultation and guidance of the development team. By avoiding and reducing risks closer to their identification, the horizon of risk the project is exposed to shortens. By making changes earlier in the lifecycle, the cost of changes are reduced. On the flip side, capitalizing on opportunities is like getting investments done early; they have longer to accumulate. These are the compounding benefits of early and rapid risk & opportunity management.
Getting the risk response actions into the backlog is how these tasks are scheduled and undertaken. We want to make sure that all our risk management work is not supplemental to the project plan, but baked right in. All too often, risk management is an activity done upfront or alongside the project, but never really integrated into the day to day activities of the project. By inserting these new stories into the backlog, we drive risk management actions from the analysis to action.
- Risk Profile Graph – Visualizing and communicating overall project risks, trends and impacts of risk management strategies.
Risk profile graphs (sometimes called risk burn-down graphs) are a great way of showing the project’s cumulative risk position and trends over time. They are stacked area graphs of risk severity that allow trends, along with new and escalating risks to be easily identified.
- Risk Retrospectives – Periodic team reviews of the project risks and risk management process.
Risk Retrospectives are periodic reviews of the risk and opportunity log along with assessments of the risk management processes being used on the project. Just as we review the evolving product and team processes throughout the project, so should we be evaluating the effectiveness of the risk management plan and processes being used by the team.
These are just some example tools, not the recommended set to use on every single project. Your approach should vary based on your project and organizational factors. The risk management approach for a large military project would most likely be inappropriate for a commercial, in-house project and vice versa.
The key to adding effective risk management approach is generating consensus on the importance and approach. Communicating the links between threats, opportunities and features and then getting people engaged in building a shared framework for decision-making that is appropriate for your project type and domain. Empowered teams who meet frequently to review progress and process already have many of the techniques in place for effective risk management. However, they also need to be educated and equipped with the tools, time and permission to execute them to start the journey to better risk management.
Risk management, like estimation, should not be just a project management activity. We can greatly raise a project team’s ability to manage risk--and therefore avoid project failures through socialization, collaboration and practice. If nothing else, these team activities make the basics of risk management more accessible to a larger pool of project stakeholders, and in doing so provide more eyes to find and avoid risks before they can impact the project—which, at the end of the day, is the heart of effective risk management.
(Note: I first wrote this article for ProjectManagement.com, if you are a member you can read it here)