With increasing project complexity and the COVID-19 pandemic, many companies have been driven to re-examine and improve their risk management techniques, technologies, and processes. This short article should help you better understand how to apply risk management in agile projects and take steps to reduce risks in the future.
Risk is any uncertain event that can occur and be either positive or negative. Positive risks are called opportunities, and materialized risks are known as issues. Risk management is the process of identifying and responding to any risks in the project lifecycle. Managing risks should be part of the planning process and not a method of proaction.
The ISO 31000 standard divides the risk management process into several steps:
Be an integral part of the overall organizational process
Factor into the company’s overall decision-making process
Explicitly address any uncertainty
Be systematic and structured
Be based on the best available information
Be tailored to the project
Take into account human factors
Be transparent and all-inclusive
Be adaptable to change
Be continuously monitored and improved upon
Besides the ISO 31000 framework, there are a few others worth mentioning:
COSO ERM Framework
British Standard (BS) 31100
The Risk and Insurance Management Society’s Risk Maturity Model (RMM)
Traditional vs. Agile Risk Management
Projects using traditional techniques require the plan to be developed in the project planning and preparation phase. Traditional techniques usually aim to reduce or eliminate as many risks as possible in order to produce the “perfect” plan. All risks that cannot be mitigated are tracked. Work on the project can start after the plan has been approved by the project sponsor. The rigidity of this approach creates additional issues when a risk materializes.
In contrast to long periods of work that can’t be reviewed in time and offer low project flexibility, Scrum has built-in points for plan adjustment and risk identification. These points provide the perfect time for the risk management process. During every agile planning ceremony there are opportunities for identifying risk, and time can be allocated to mitigate or eliminate the risk.
There are plenty of tools, techniques, and approaches for agile risk management. They include, but are not limited to:
Monte Carlo Analysis
Risk Burndown Chart
Risk Register or Log
Risk Modified Kanban Board
Risk Probability and Impact Matrix
Prioritizing Backlogs based on Value and Risk
Identifying / Discussing Risks in Regular Meetings (e.g. Daily Scrum)
In practice, every project follows a somewhat unique approach for dealing with risks and the tools and techniques should be used when needed. This follows the agile doctrine.
The ROAM board is a widely used tool for scaling risk management under SAFe®. It is used during PI planning to Resolve, Own, Accept or Mitigate all risks. It enables teams to highlight risks so they can take action. Resolved risks are disregarded, risks that cannot be mitigated but are completely understood can be Accepted, and Mitigated risks require a plan for impact or probability reduction.
Owned is the only category that contains risks that have no work done upon them. They are assigned to a team member. It is very important that their mitigation is planned and executed.
It works in three steps:
Brainwriting – where team members write all possible risks onto sticky notes or cards
Readouts – where the facilitator reads the notes/cards and asks for clarification if needed
Categorization – where the risks are mapped to ROAM attributes
Monte Carlo Simulations
A Monte Carlo simulation is a computerized technique that allows risks to be accounted for in decision making and quantitative analysis. It builds possible results by substituting values for any uncertain factor. The results show not only what could happen but also how likely each outcome is, which makes the technique a useful aid in decision making. One practical use is determining the possible minimum or maximum time needed to complete a defined amount of work, as shown in FIGURE 3 below.
The y-axis shows the probability that the work will be completed at a given date and the x-axis shows the time planned for the work to be done.
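The kind of forecast described above, as an added example that is not part of the original article: each trial draws a past sprint velocity at random until the backlog is finished, and the share of trials finished by each sprint gives the cumulative completion probability. The velocity history, the 200-point backlog, and all function names are constructed for illustration.

```python
import random

# Constructed sample data: story points completed in each of the last 8 sprints.
HISTORICAL_VELOCITY = [21, 18, 25, 14, 22, 19, 27, 16]


def simulate_sprints_needed(backlog_points, velocities, rng):
    """One trial: draw a past velocity per sprint until the backlog is done."""
    remaining, sprints = backlog_points, 0
    while remaining > 0:
        remaining -= rng.choice(velocities)
        sprints += 1
    return sprints


def completion_forecast(backlog_points, velocities, trials=10_000, seed=1):
    """Return {sprint_number: probability the work is finished by that sprint}."""
    if backlog_points <= 0:
        raise ValueError("backlog must be positive")
    if not velocities or min(velocities) <= 0:
        # A zero or negative velocity could keep a trial from ever finishing.
        raise ValueError("velocities must be positive")
    rng = random.Random(seed)  # fixed seed so the forecast is reproducible
    counts = {}
    for _ in range(trials):
        n = simulate_sprints_needed(backlog_points, velocities, rng)
        counts[n] = counts.get(n, 0) + 1
    forecast, finished = {}, 0
    for n in range(min(counts), max(counts) + 1):
        finished += counts.get(n, 0)   # trials done in n sprints or fewer
        forecast[n] = finished / trials
    return forecast


def sprints_for_confidence(forecast, confidence):
    """Smallest sprint count whose cumulative probability meets the target."""
    for n in sorted(forecast):
        if forecast[n] >= confidence:
            return n
    raise ValueError("confidence level not reached")


if __name__ == "__main__":
    forecast = completion_forecast(200, HISTORICAL_VELOCITY)
    for sprint, prob in forecast.items():
        print(f"done by sprint {sprint:2d}: {prob:6.1%}")
    print("85% confidence:", sprints_for_confidence(forecast, 0.85), "sprints")
```

The first and last keys of the forecast are the shortest and longest durations seen in the trials, and the values in between trace the curve the figure plots.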
Applying Risk Management in Practice
The agile framework with a well-functioning single product team inherently reduces the need to monitor, control and track risks; it does not eliminate them.
In order to successfully apply risk management to the agile framework, it’s important to understand where to include it. Risk management needs to be incorporated from the beginning and throughout the entire project lifecycle.
There are “pause” points that can be used for identifying risks on the Project level:
And once risk management practices are in place at the project level, it’s important to incorporate the same behaviors and the same mindset on the Iterative level:
The project was co-financed by the European Union from the European Regional Development Fund. The content of the site is the sole responsibility of Serengeti ltd.