agile risk management

http://institute.agileriskmanagement.org/ Copyright © 2014. All Rights Reserved.

Agile Risk Management Agile Consortium Belgium

12.05.2014

Dr. Alan Moran

(IARM, Managing Director)


About the IARM

• The Institute for Agile Risk Management (IARM) is a Swiss based

institution that exists to promote the principles and practices of agile risk management.

• Focus primarily on research and training activities through a network of third parties in the agile and academic communities as well as in the private sector.

• Publication of books and whitepapers on agile risk management and related topics as well as appearances at public events and conferences.

• Further details can be found at http://institute.agileriskmanagement.org/


My Biopic

http://www.linkedin.com/in/agility

Experience spanning nearly two decades of working in both public and private sectors. Currently employed as an IT Manager in the Swiss public sector and as Managing Director of the IARM.

Dr. Alan Moran MBA CITP

AgilePM, DSDM Adv. Practitioner, Scrum PSM


Understanding Risk: Social Media Example

I was nearly finished my test when all of a sudden I was kicked out of the system and had to enter a code to get back in (which I don't have!) I can't restart and there is no help whatsoever! How can I get back into the test or get my money back!!

Sorry to hear you are having problems, we'll get right on it now!

Wow! That was a lightening response! Thanks so much! I was able to finish the test - and passed!!! Money well spent! Thanks so much!


Risk Defined

Risk is “uncertainty that matters”, i.e., uncertainty that if realised impacts one or more objectives in either a negative (i.e., threat) or a positive (i.e., opportunity) manner.


Nature of Risk

• Risk culture, attitude and tolerance are defining elements of organizational character.

• Like change, there is advantage to be found in embracing risk.

• Risk is inherent, residual and secondary

and all are intertwined in a complex

web of causality!


Agile and Risk

• “A project risk is something that may happen and, if it does, it will have a detrimental effect”

• Risk is “an exposure to a potentially negative outcome”

• Risk in the context of projects with “dynamic requirements” with “customers [who] need a new system by a specific date” that is a “new challenge for your software group”

• The “first iteration will immediately expose the risks, wherever they may lie”


Sources of Project Risk*

Requirements Technical Project

Schedule Supplier People

*Research based on IT project risk excl. enterprise risk which includes systemic financial and L&C risks.


Why Risk (Management) Matters

Not focusing on risk in projects exposes them to the following shortcomings:

• Inability to make informed risk and reward decisions.

• Failure to identify appropriate risk response strategies based on risk exposure.

• Lack of oversight in risk monitoring.

• Poor understanding of when to engage in risk activities.


Agile Risk Management Process


Principles

Transparency Balance Flow


Roles

Risk Manager Team


Objectives, Context and Risk Environment

Environment

Context

Objectives


Risk Scoping


Risk Tailoring (XP)


Identify Analyse

Treat Monitor

Risk Management

Key is how to incorporate agile practices and values!


Risk Management: Identification

Exploit agile team structures to involve appropriate stakeholders and use the

agile approaches to group discussions (e.g., facilitated workshops).


Risk Management: Risk Log Artefact

Timebox Name:

Timebox Objectives:

Timebox Start/End Dates:

ID Description Classification Likelihood Impact Score Strategy Priority Measure

Residual

Likelihood

Residual

Impact

Residual

Score

Notice anything different compared with a traditional risk list ?


Risk Management: Risk Analysis

• Risk Exposure comprises of the following components:

– Likelihood (proxy is frequency with respect to a fixed time period)

– Impact (e.g., financial, reputation, affected customers)

– Proximity (implicit at the iteration level)

• Use T-shirting sizing against agreed scales if possible and endeavour to be

robust (e.g., use ranges)


Risk Management: Risk Scoring

1

2

4

6 6


Risk Management: Response Strategy

This is the MOST critical point in the process from a social and cultural perspective.


Risk Management: Cultural and Social Influences

There are many humanist aspects to risk management that agile project managers need to be aware of:

• Personal attitudes towards risk.

• Risk typologies (e.g., cultural theory).

• Risk compensation effects.

These become particularly important when balancing personal and organisational risk in culturally mixed or geo-dispersed teams.


Risk Management: Risk Typology


Risk Management: Cultural Uncertainty Avoidance*

* Data sourced from The Hofstede Centre

(http://geert-hofstede.com/)


Risk Management: Response Treatment

• The following options are available:

– Tasks for the iteration backlog.

– Risk tagging.

– Contingency planning (conditional tasks on the backlog).

– Avoidance.

• Risk Log records risks but responses are found on the backlog or Kanban.


Risk Management: User Story Map

User story map approach for rendering risk distribution.

• U1: mixture of risk activities and agile practices.

• U2: relies solely on agile practices.

• U3: worth considering if the same amount of value can be achieved with less risk.

Do you see something that might cause you concern ?


Risk Management: Backlog (Scrum)


Risk Management: Timebox Plan (DSDM)

Timebox Name:

Timebox Objectives:


ID Description Acceptance Criteria MoSCoW Comments Assignee Type Status Ris

k Tag

ging

Archite

ctur

al S

pike

Busin

ess

Proce

ss M

appi

ng

Cod

ing

Standa

rds

Con

tinuo

us In

tegr

atio

n

Facilita

ted

Wor

kshop

Mod

elling

Pair P

rogr

amm

ing

Proto

typing

Qua

lity Fun

ction D

eploym

ent

Ref

acto

ring

Simpl

e Des

ign

Static

Cod

e Ana

lysis

Test D

riven

Dev

elop

men

t

Usa

ge S

cena

rios

-

-

-

-

-

-

-

-


Risk Management: Risk modified Kanban


Risk Management: Monitoring

Reduction a consequence of risk management activities but some systemic risk

always present reflecting project context and risk environment.


Risk Walling

Use Risk Walling to solicit and encourage continual feedback!

Timebox Name:

Timebox Objectives:


ID Description Classification Likelihood Impact Score Strategy Priority Measure

Residual

Likelihood

Residual

Impact

Residual

Score


Become Involved!

Find out about forthcoming events (e.g., public talks, conferences, trainings) http://institute.agileriskmanagement.org/ or follow us on LinkedIn

http://www.linkedin.com/company/institute-for-agile-risk-management/

Learn about agile risk management http://institute.agileriskmanagement.org/publications/

Tell us about your experiences and let us know if we can help you!

http://institute.agileriskmanagement.org/










http://institute.agileriskmanagement.org/publications/

agile risk management

Economy & Finance

risk analysis risk exposure

risk activities

informed risk

enterprise risk

nature of risk risk

risk monitoring

embracing risk

risk scoping