People might think that Agile Risk Management is an oxymoron because there is a common stereotype that an Agile project is totally unplanned – so why would you take a planned approach to Agile Risk Management if the whole project is unplanned? That stereotype is closely related to the very common misconception that there is a binary and mutually exclusive choice between “Agile” and “Waterfall”. The truth is that there is a continuous range of approaches, from heavily plan-driven at one extreme to heavily adaptive at the other, with lots of alternatives in between. You should fit the approach to the nature of the project rather than force-fitting a project to one of those extremes.
A similar thing is true regarding risk management. There is no single approach to doing risk management and it’s not a binary choice between zero risk management and a totally rigid and controlled approach to risk management. You need to fit the risk management approach to the nature of the project:
- For high-risk projects where the customer is very sensitive to risk, it probably makes sense to do a fair amount of risk management to identify, analyze, mitigate, and monitor those risks.
- For lower-risk projects where the risk is less of a concern to the customer, a more informal approach to risk management may be appropriate.
The overall process for doing risk analysis in an Agile environment is generally the same as in a traditional, plan-driven project; however, it may not be as formal and it may not be as disciplined. The general approach follows these stages:
- Risk Identification – this might consist of a brainstorming session to identify potential risks in the project
- Risk Analysis – this involves further study to determine the probability and impact of each risk
- Risk Response – this involves determining what, if anything, should be done to mitigate the risk
- Monitoring and Control – finally, during the course of the project, the risks are monitored and controlled
An Agile approach is inherently well-designed for dealing with risks:
- Risks are generally directly related to uncertainty in a project and an Agile approach is intended to be flexible and adaptive in order to deal with uncertainty. For that reason, it is easier to adapt to risks in an Agile environment as the project is in progress.
- In a traditional, plan-driven project, a considerable amount of re-planning may be necessary to adapt to risks as the project is in progress; for that reason, it may be more important to plan for risks upfront in a traditional, plan-driven environment.
Another factor is that, because of the iterative and incremental nature of development in an Agile project, it’s not too difficult to structure the Product Backlog to address high-risk items early in the project; and, if there is a lot of uncertainty associated with those risks, a “spike” can be performed to evaluate the risk without having a major impact on the project.
It’s easy to lose focus on risk management in an Agile environment because there may be no project manager to serve as a well-defined focal point of responsibility for it.
- In an Agile environment, the focus on risk management is typically owned by the entire team just like the focus on project management is typically owned by the entire team.
- Another factor is that because an Agile approach is more adaptive to risks, there tends to be a “cavalier” attitude of not worrying about risks.
However, it doesn’t have to be that way. It’s primarily a matter of:
- Making a conscious decision of how much (and what kind of) risk management is needed based on the nature of the project
- Training the team in the basics of risk management
- Building in some focus on thinking about risks in all of the Agile/Scrum ceremonies (Daily Standup, Sprint Planning, Sprint Review, Sprint Retrospective, etc.)
- Determining how the risk management effort will be managed – how will risk management be done and how will responsibilities for risk management be distributed among the team?
This is only a brief overview. I’ve just finished some detailed training on Agile Risk Management and I will be adding that to my “Mastering Agile Project Management” online training course in the next few weeks. Check that out here: