Making Risk Management for Agile Projects Effective

Author: Mary Carmichael, CRISC, CISA, CPA, Member of ISACA Emerging Trends Working Group
Date Published: 20 February 2023

Enterprises are digitizing their operations, implementing emerging technologies (such as artificial intelligence) and developing new ways of delivering products and services with a shortened lead time to market to help them succeed in the post-pandemic environment. To attain the strategic objective of digital acceleration—that is, to shorten lead time to market—many enterprises are adopting Agile methodologies for business, technology and process-related projects. Generally, Agile projects have a small, nimble team working to roll out technology and business changes in frequent cycles known as “sprints” (e.g., two-week cycles to plan, build and deploy a solution).

As enterprises transition to Agile delivery, they will need to rethink their control functions, including risk management, to keep pace with frequent release cycles and develop capabilities to advise risk owners in near real time. To respond to this need, an Agile risk management process “integrates” project and enterprise risk management practices with Agile methodologies to establish an adaptive, risk-driven approach for project delivery. This process supports enterprises in determining what risk can be accepted in the pursuit of digital acceleration, while considering enterprise risk appetite and tolerance thresholds.

To learn more about this “integrated” risk management approach, ISACA’s “Incorporating Risk Management into Agile Projects” white paper provides guidance for conducting risk assessment in an agile project context using scrum roles, artifacts and events.

What is Agile Project Delivery?

Agile project delivery uses an iterative, team-based approach to project management, emphasizing the rapid delivery of a solution in an incremental and iterative fashion and focusing on business value and progress visibility. Rather than creating tasks and schedules, Agile boxes time into segments called “sprints.” Each sprint has a defined duration (usually from one to four weeks) with a running list of deliverables planned one sprint in advance.

Before the sprint cycle begins, the product owner gathers information from stakeholders to determine a goal for the solution and prioritizes the product backlog (Figure 1). During sprint planning, the developers choose prioritized features from the product backlog, decide how they will complete the sprint, establish a timeframe for completion and create a sprint backlog. Once the sprint cycle begins, the team holds daily scrum meetings to track progress toward the sprint goal, discusses challenges and plans for the next day. The sprint ends with a potentially shippable solution ready to be reviewed and used by the customer. The team conducts a sprint review of the finished solution and a retrospective of the completed sprint cycle, applying lessons learned to the next sprint cycle. The cycle repeats itself again with a sprint planning meeting to develop the next solution increment.

Figure 1 - Agile Risk Management Process

Agile project delivery involves frequent planning, goal-setting and feedback loops to help the scrum team focus on the sprint’s goals, thereby increasing productivity, quality and customer satisfaction.

What Is the Role of Risk Management for Agile Projects?

The findings of the 2020 Standish Group Chaos Study suggest that Agile software projects are three times more likely to succeed than Waterfall, and Waterfall software projects are twice as likely to fail. However, it is important to note that “Agile is not a panacea.” The need for organizational agility has not eliminated the requirement to manage uncertainty, otherwise known as risk.

ISACA defines risk as “the combination of the likelihood of an event and its impact,” a definition that affords opportunities for benefit (upside) as well as barriers to success (downside). Risk and opportunity go together. To provide business value to stakeholders, enterprises must engage in many activities and initiatives (opportunities) that carry degrees of uncertainty and, therefore, risk. For Agile project delivery, exploring this risk calculation is required to determine what risk to pursue and what value to expect in return.

How Is Risk Managed in Agile Projects?

Agile does not offer a universal definition of risk or provide a standardized approach to risk management. In fact, as project management specialist Roland Wanner notes, “the Scrum Guide does not explicitly address risk management, except for these brief references:

  • The incremental approach with sprints reduces risk.
  • Sprints increase predictability and limit cost risk to a maximum of one month.
  • Constant “Artifact Transparency” helps optimize (business) value and reduce risk.”

However, Agile claims to be risk-driven, and its implicit practices lend themselves to an adaptive risk management style. For instance, the adaptability of sprint planning is a response to uncertainty, “biting off a small chunk at a time” to eventually deliver the finished solution.

Risk Management Limitations with Agile Project Delivery

Due to its inherent nature, Agile can mitigate some risk that occurs during the sprint cycle, but this is not the only risk that may occur during a project’s lifespan. For example, in larger enterprises, there is more risk related to the external, organizational and project environments, including corporate reputation, project financing, user adoption of business changes and regulatory compliance. Management of this type of “project” risk is not addressed in most Agile literature, which focuses on risk that may occur at the sprint level.

One recent proposal to address this limitation is to adopt an Agile risk management process that tailors Agile methodologies to incorporate project and enterprise risk management approaches in line with the risk context for the project (e.g., size, complexity and strategic importance).

What is Agile Risk Management?

As shown in Figure 2, the Agile risk management process is an adaptive and iterative cycle that is repeated per sprint, enabling tailoring at the “setting context” phase to identify project and enterprise risk management techniques for managing the risk context at a project (e.g., project financing) and sprint level (e.g., meeting timelines).

Figure 2 - Agile Risk Management Process

The two levels, project and sprint, may seem to be separate; however, they work in tandem during project execution. The scrum framework uses its practices (e.g., roles, events and artifacts) to identify and mitigate risk throughout the project and sprint cycles, with the Agile risk management process supporting these practices through tailoring for the risk context.

1. Setting Context Step
For “setting context,” risk is discussed at the project kickoff and for each sprint start. When the project begins, uncertainty is explored with stakeholders (e.g., project team, customers and subject matter experts) by identifying risk for the overall project and the already-known requirements in a workshop setting. The stakeholders assess these risks and determine what actions to take. For example, requirements with the highest risk are often the first to be tackled in the sprint cycle, according to the motto: Fail early; fail fast; fail cheap. A risk register is created for project and sprint risks, which is updated throughout the project at various points in the sprint cycles.

2. Risk Assessment Steps – Identify, Analyze and Determine
At the start of the cycle, during the sprint planning meeting, the project team assesses the product backlog to discuss the risk of each individual requirement, identify and evaluate any new risk, and determine response plans. Through this approach, the team becomes aware of potential risk and can implement planned actions, such as flagging features from the sprint planning session that have a technical problem with no known solution. The team may then decide to perform an architectural spike (a proof-of-concept) during the sprint to explore workable solutions.

3. Implementing Risk Response
The team considers risk when determining the sprint backlog items, ensuring that it can successfully deliver the sprint while incorporating the risk response tasks. A key output is updating the product backlog with the risk activities associated with the product feature requirements, ensuring that future sprint cycles include these risk tasks in their effort estimation and sprint backlog items.

4. Monitoring Risk
There are several scrum events and artifacts that help with risk monitoring. For example:

  • For the stand-up scrum meeting, the team manages risk by discussing the status of deliverables on a daily basis.
  • The sprint review functions as a forum to ensure that the solution meets stakeholder expectations. Stakeholders discuss solution changes required to accommodate new business needs, which reduces the risk of presenting the customer with an inadequate solution at the end of a project.
  • Sprint retrospectives explore issues with the completed past sprint and assess whether those issues will be a risk at project and sprint levels.
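The four steps above reduced to a small risk register, as an added example (not code from ISACA or the white paper): it scores each risk as likelihood × impact per ISACA's definition, tracks the project and sprint levels in one register, orders the product backlog riskiest-first, and carries the response tasks of risks above a tolerance threshold into the sprint's effort estimate. The 1-to-5 scales, the tolerance of 8, the one-point cost per response task and the sample risks are assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class Risk:
    title: str
    level: str           # "project" or "sprint": the two levels the process tracks
    likelihood: int      # 1 (rare) to 5 (almost certain); the scale is an assumption
    impact: int          # 1 (negligible) to 5 (severe); the scale is an assumption
    response_tasks: list = field(default_factory=list)
    @property
    def score(self) -> int:   # ISACA: risk is the combination of likelihood and impact
        return self.likelihood * self.impact

class RiskRegister:
    """One register for project and sprint risks, updated at each step of the cycle."""
    def __init__(self, tolerance: int, risks: list):
        self.tolerance = tolerance   # enterprise tolerance threshold (assumed, 1-25 scale)
        self.risks = {r.title: r for r in risks}
    def above_tolerance(self, level=None) -> list:
        # Titles of risks that need a response plan, optionally filtered to one level
        return [r.title for r in self.risks.values()
                if r.score > self.tolerance and level in (None, r.level)]
    def worst_score(self, titles: list) -> int:
        return max((self.risks[t].score for t in titles if t in self.risks), default=0)
    def response_tasks(self, titles: list) -> list:
        # Tasks a backlog item carries into the sprint (only for risks above tolerance)
        return [task for t in titles if t in self.risks and self.risks[t].score > self.tolerance
                for task in self.risks[t].response_tasks]
# A backlog item is (name, effort points for the feature itself, linked risk titles)
def prioritize_backlog(backlog: list, reg: RiskRegister) -> list:
    """Riskiest items first: 'Fail early; fail fast; fail cheap'."""
    return sorted(backlog, key=lambda item: reg.worst_score(item[2]), reverse=True)

def plan_sprint(backlog: list, reg: RiskRegister, capacity: int) -> list:
    """Fill the sprint in risk order; each response task is assumed to cost one point."""
    sprint, used = [], 0
    for name, points, titles in prioritize_backlog(backlog, reg):
        tasks = reg.response_tasks(titles)
        if used + points + len(tasks) <= capacity:
            sprint.append((name, tasks))
            used += points + len(tasks)
    return sprint
# Constructed sample register and backlog (not taken from the white paper)
REGISTER = RiskRegister(8, [
    Risk("Payment API has undocumented rate limits", "sprint", 4, 3, ["spike: load-test payment API"]),
    Risk("Regulator may change the reporting format", "project", 2, 5, ["confirm schema with compliance"]),
    Risk("Landing page copy not final", "sprint", 3, 1)])
BACKLOG = [("Landing page", 2, ["Landing page copy not final"]),
           ("Checkout", 5, ["Payment API has undocumented rate limits"]),
           ("Compliance report", 3, ["Regulator may change the reporting format"])]
```

With a capacity of 10 points the sprint takes "Checkout" and "Compliance report" together with their response tasks; with 8 points the compliance item no longer fits and the low-risk landing page is pulled in instead.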

For effective Agile risk management, there needs to be agreement on its importance and a commitment to the approach among the project team members. Agile has a shared decision-making framework that requires all team members to be engaged and to communicate the relationships between solution requirements and the threats and opportunities they carry, with strong risk ownership as its foundation.

Rethinking Control Functions

As enterprises adopt Agile methodologies to achieve strategic objectives with digital acceleration, they will need to rethink their control functions, including risk management, to keep pace with frequent release cycles and to develop capabilities to advise risk owners in near real time. To respond to this business need, an Agile risk management process can be used, integrating leading practices from project management and enterprise risk management with Agile methodologies to meet demands for organizational agility.