Agile risk management is not about managing risk in agile projects but rather using the art of agile for what risk management performs.
For the later there are quite a number of resources online to learn about risk management in agile projects, such as “Risk Management in Agile” by ScrumAlliance or the paper by Ville Ylimannela from Tampere University of Technology titled “A Model for Risk Management in Agile Software Development”.
Having undertaken a lean startup course a number of years ago, I have always had in the front of my mind the need for risk management to embrace agile approaches. However, the challenge has been in how best to utilise them in an appropriate fashion for this type of process.
Risk management, across all of the different risk classes, traditionally undertakes an approach of outlining/developing a framework and then robustly “rolling it out” across the business. We can all picture the powerpoint packs, the word documents, the policies, the workshops, the templates and the submission process. And I am sure there are many risk professionals who have almost fallen asleep themselves whilst presenting this way!
However, under an agile approach the ability to take 6 months to develop a framework document, develop a tool to populate and then provide a long enough period of time to implement is not acceptable.
Utilising the agile approach, the risk management function needs to outline what are the potentially shippable products in their core components or parts. Consider this for one moment. You are not trying to develop the perfect end customer solution, but the first iteration of an ever evolving product. Ironically, most risk management leaders would say that “they are on a journey” or “continually embedding risk management”. Both of these comments are perfectly outlining an iterative, agile approach. Yet, we still fall into the trap of taking massive amounts of time to develop a project and framework, which we know is going to evolve!
Once we have these separable and achievable parts, the focus must shift to developing the backlog of key tasks and activities to complete and then undertaking “sprints” to achieve clear, achievable goals which can be implemented. This process must include a customer experience component where the focus is on how the customer will utilise the shippable product in their daily lives.
As we stand today, I am the first to say that this is an approach I am tying to embrace more in my daily life in risk management. I feel this approach is the future of risk management, and the key way we can achieve a more robust, clear, concise, and embedded approach to risk management within the business.
Embracing agile risk management is worth taking the time to consider, particularly the next time you are writing that 20 page framework or policy, and know full well the challenge that lays in front of you to have the business embrace the change.