What is Agile Risk Management? How Is It Different?

Some people might think that Agile Risk Management is an oxymoron:

  • There is a common stereotype that an Agile project is totally unplanned
  • So, why would you take a planned approach to Agile Risk Management if the whole project is unplanned?   

There is always some level of planning in an Agile project even though the level of planning may be limited.  Here’s an article with more detail on that:

Why Is Planning So Difficult? Is It a Waste of Time?

The gist of this is that you have to adapt the planning approach to the level of uncertainty in the project.  A similar thing is true regarding risk management:

  • There is no single approach to doing risk management and
  • It’s not a binary choice between zero risk management and a totally rigid and controlled approach to risk management. 

You need to fit the risk management approach to the nature of the project:

  • For high risk projects where the customer is very sensitive to risk, it makes sense to take a planned approach to risk management
  • For lower risk projects, a more informal approach to risk management may be appropriate.

Agile Risk Management Process

The overall process for doing risk analysis in an Agile environment is generally the same as in a traditional, plan-driven project; however, it may not be as formal and it may not be as disciplined.  The general approach follows these stages:

  • Risk Identification: This might consist of a brainstorming session to identify potential risks in the project
  • Risk Analysis: This involves further study to determine the probability and impact of each risk
  • Risk Response: This phase involves determining what, if anything, should be done to mitigate the risk
  • Monitoring and Control: Finally, during the course of the project, the risks are monitored and controlled

Advantages of an Agile Risk Management Approach

An Agile approach is inherently well-designed for dealing with risks:

  • Risks are generally directly related to uncertainty in a project and an Agile approach is intended to be flexible and adaptive in order to deal with uncertainty
  • For that reason, it is easier to adapt to risks in an Agile environment as the project is in progress

Risk Management in a Plan-driven Environment

In a traditional, plan-driven project:

  • A considerable amount of re-planning may be necessary to adapt to risks as the project is in progress and
  • For that reason, it may be more important to plan for risks upfront in a plan-driven environment.

Structuring an Agile Project for Risk Management

Another factor is the iterative and incremental nature of development in an Agile project:

  • It’s not too difficult to structure the Product Backlog to address high risk items early in the project and,
  • If there is a lot of uncertainty associated with those risks, a “spike” can be performed to evaluate the risk without having a major impact on the project.

Responsibility for Agile Risk Management

It’s easy to lose focus on risk management in an Agile environment because there is no well-defined focal point of responsibility for risk management. Risk management is normally a project management responsibility and there is typically no project manager at the team level in an Agile project:

  • In an Agile environment, the entire team owns responsibility for risk management. In a similar way, the entire team owns responsibility for project management
  • Another factor is that because an Agile approach is more adaptive to risks, there tends to be a “cavalier” attitude of not worrying about risks, but it doesn’t have to be that way
  • You can do as much (or as little) risk management as necessary depending on the nature of the project and the sensitivity to risk

Overall Summary

Risk management is not inconsistent with an Agile approach. In fact, an Agile approach offers many advantages for doing risk management more effectively. Developing a risk management strategy for an Agile environment is primarily a matter of:

  • Deciding how much (and what kind of) risk management is needed based on the nature of the project
  • Training the team in the basics of risk management
  • Building in some focus on thinking about risks in all of the Agile/Scrum ceremonies
  • Determining how the risk management effort will be managed:
    • How will risk management be done and
    • How will responsibilities for risk management be distributed among the team?

Additional Resources

You will find much more detail on this in my Online Agile Project Management Training.

A Broader View of Risk Management for Agile – How Is It Different?

How is Risk Management for Agile different? Most people think of a conventional approach to risk management built around a plan-driven approach to project management.

  • I want to share my thoughts on a broader view of risk management for Agile project environments.
  • This approach will also work in a traditional plan-driven project management environment.

First, if you’ve read any of my other blog posts or books, you will understand that:

  • We need to broaden our view of project management to see “Agile” and what is commonly called “Waterfall” as complementary to each other rather than competitive and
  • Recognize that traditional plan-driven project management is not the only approach to project management

I prefer to think of a continuous range of alternatives from heavily plan-driven at one extreme to heavily adaptive at the other extreme that looks something like this:

[Figure: Increasing Agility and Adaptivity]

And, the right thing to do is to fit the approach to the project rather than force-fitting a project to some arbitrary model (whatever it might be – Agile or plan-driven).

  • One of the biggest characteristics that would influence the choice of an approach is the level of uncertainty in the project and
  • Uncertainty is directly related to risk

That kind of broader approach to project management has a big impact on how you might do risk management.

Why is Risk Management Different in an Agile or More Adaptive Environment?

There are some key differences in an Agile risk management approach in a very uncertain environment:

1. Definition of Failure

Risk is associated with the failure of a project, so how you define “failure” has a big impact on how you do risk management.

Traditional Plan-driven Projects

In a traditional plan-driven project,

  • The requirements of the project are typically well-defined.
  • A “failure” would normally be associated with failing to deliver those requirements within the required cost and schedule budgets allocated for the project

A conventional approach to risk management is typically used that is generally based on avoiding and eliminating risks and uncertainty as much as possible.

Agile Projects

In an Agile environment,

  • There is a much larger risk that the project won’t produce the required business value even if it does meet the defined requirements within budgeted cost and schedule goals
  • That’s a very important difference between an Agile (or adaptive) approach and a more traditional plan-driven approach.

2. Relationship to Upfront Planning

Since an Agile approach normally has a lot less upfront planning,

  • It typically requires a more dynamic approach for identifying and managing some of the risks while the project is in progress rather than
  • A comprehensive approach to identify and anticipate risks before the project starts.

Note that this is not an all-or-nothing choice between zero upfront planning and highly detailed and rigid upfront planning – the approach to planning could be anywhere between those extremes and the approach to risk management should be consistent with the level of planning.

The important point is that it just isn’t practical to take a comprehensive approach to identify and anticipate all risks in a project with a very limited amount of upfront planning.

3. Relationship to Business Value

The risk of not producing the appropriate business value in a very uncertain environment is a very different kind of risk. You could produce a relatively mediocre product that met the letter of the requirements but really didn’t provide much business value. That requires a different kind of risk management approach:

  • To reduce the risk in a project, you might tend to favor a low risk approach of using tried-and-true technology rather than
  • “Pushing the envelope” a bit to use riskier technology that might provide a higher level of value to the user

From a risk management perspective, that may be the right thing to do, but it could easily result in a very mediocre product that doesn’t provide much business value.

Advantages of an Agile or Adaptive Risk Management Approach

An Agile or adaptive approach can have a lot of advantages for developing a very effective risk management approach.

  • Agile or adaptive thinking provides the ability to structure a project to fail early and inexpensively. That minimizes the impact of a risk on the overall project
  • When a risk does occur in an Agile environment, it is generally easier to adapt to the risk without extensive re-planning of the entire project

There are also several more specific risk management advantages that an Agile or adaptive approach can provide:

  • Technical risks are addressed through early prototypes (“spike stories”) and side-by-side comparison of alternatives (“A/B testing”)
  • Integration risk is mitigated through early and continuous integration. User acceptance risk is mitigated through early product review
  • Cost and schedule risk is mitigated through incremental releases. We always have something to show for the money spent; it is no longer an all or nothing trade-off

Overall Summary

Some people might think that risk management isn’t appropriate in an Agile environment. I don’t believe that to be the case.

  • You can do as much or as little risk management as needed depending on the nature of the project and
  • An Agile project actually provides an environment that can be well-suited to risk management

It just requires a different approach to risk management:

1. Definition of Failure

The risk management approach needs to recognize a broader definition of “failure”. A project can fail by failing to deliver business value even if it meets defined requirements and meets its cost and schedule goals.

2. Level of Upfront Planning

The approach to risk management needs to be consistent with the overall level of upfront planning in the project:

  • Risk is directly related to uncertainty and
  • The level of uncertainty also determines the planning approach

An abbreviated level of upfront planning might mean

  • A less comprehensive identification and analysis of risks prior to the start of the project and
  • A more dynamic approach to risk management as the project is in progress.

3. Risks Are Related to Opportunities

Instead of seeing all risks as a bad thing that should be avoided and eliminated, we need to recognize that some risks are related to opportunities. For that reason, a decision to avoid or eliminate risks needs to consider the impact of potential missed opportunities as well as the impact of the risk.

Additional Resources

You will find much more detail on this in my Online Agile Project Management Training.