Applying Agile Risk Management

With increasing project complexity and with the COVID-19 pandemic many companies have been driven to reexamine and improve their risk management techniques, technologies, and processes. This short article should help you better understand how to apply risk management in agile projects and help you take steps to reduce risks in the future.

Risk is any uncertain event that can occur and be either positive or negative. Positive risks are called opportunities and issues are known as materialized risks. Risk management is the process of identifying and responding to any risks in the project lifecycle. Managing risks should be part of the planning process and not a method of proaction.

The ISO 31000 standard divides the risk management process into several steps:

• Identify the risk
• Analyze the risk
• Evaluate or rank the risk
• Treat the risk
• Monitor and review the risk

ISO 31000 set 11 principles as best practices:

• Create value for the organization
• Be an integral part of the overall organizational process
• Factor into the company’s overall decision-making process
• Explicitly address any uncertainty
• Be systematic and structured
• Be based in the best available information
• Be tailored to the project
• Take into account human factors
• Be transparent and all-inclusive
• Be adaptable to change
• Be continuously monitored and improved upon

Besides the ISO 31000 framework, there are a few others worth mentioning:

• COSO ERM Framework
• British Standard (BS) 31100
• The Risk and Insurance Management Society’s Risk Maturity Model (RMM)

Traditional vs. Agile Risk Management

Projects using traditional techniques require the plan to be developed in the project planning and preparation phase. Traditional techniques are usually done to reduce/eliminate as many risks as they can to produce the “perfect” plan. All risks that cannot be mitigated are tracked. Work on the project can start after the plan has been approved by the project sponsor. The rigidity of this approach creates additional issues when a risk materializes.

In comparison to long periods of work that can’t be reviewed in time and have low project flexibility, Scrum has built-in points for plan adjustment and risk identification. These points provide the perfect time for the risk management process. During every agile planning ceremony there are opportunities for identifying risk and time can be allocated to mitigate or eliminate the risk.

There are plenty of tools, techniques, and approaches for agile risk management, they include, but are not limited to:

• ROAM Board
• Monte Carlo Analysis
• Risk Burndown Chart
• Risk Register or Log
• Risk Modified Kanban Board
• Risk Probability and Impact Matrix
• Prioritizing Backlogs based on Value and Risk
• Identifying / Discussing Risks in Regular Meetings (e.g. Daily Scrum)

In practice, every project follows a somewhat unique approach for dealing with risks and the tools and techniques should be used when needed. This follows the agile doctrine.

ROAM under SAFe®

The ROAM board is a widely used tool for scaling risk management under SAFe®. It is used during PI planning to Resolve, Own, Accept or Mitigate all risks. It enables teams to highlight risks so they can take action. Resolved risks are disregarded, risks that cannot be mitigated but are completely understood can be Accepted, and Mitigated risks require a plan for impact or probability reduction.

Owned is the only category that contains risks that have no work done upon them. They are assigned to a team member. It is very important that their mitigation is planned and executed.

It works in three steps:

• Brainwriting – where team members write all possible risks onto sticky notes or cards
• Readouts – where the facilitator reads the notes/cards and asks for clarification if needed
• Categorization – where the risks are mapped to ROAM attributes

Monte Carlo Simulations

A Monte Carlo simulation is a computerized technique that allows for risks to be accounted in decision making and quantitative analysis. It builds possible results by substituting values for any uncertain factor and the results show not only what could happen, but how likely the outcome is, and it is also used as a tool for assistance in decision making. One of the practical uses is determining possible minimum or maximum time needed for completing a defined amount of work as shown on FIGURE 3 below.

The y-axis shows the probability that the work will be completed at a given date and the x-axis shows the time planned for the work to be done.

Applying Risk Management in Practice

The agile framework with a well-functioning single product team inherently reduces the need to monitor, control and track risks; it does not eliminate them.

In order to successfully apply risk management to the agile framework, it’s important to understand where to include it. Risk management needs to be incorporated from the beginning and throughout the entire project lifecycle.

There are “pause” points that can be used for identifying risks on the Project level:

• Risk Identification
• Risk Planning
• Risk Monitoring
• Risk Reviewing

And once risk management practices are in place at the project level, it’s important to incorporate the same behaviors and the same mindset on the Iterative level:

• Sprint planning
• Daily scrum
• Sprint review
• Spring retrospectives

To find out more about how we can help you with Agile Methodology check our Proof of expertise: