A number of organisations who have an increasing maturity in both Risk Management and the use of Agile have recognised some common tensions which arise, outlined below. The manifestation of these tensions is by no means universal but it is useful to recognise that they can exist. Even if organisations are not experiencing these issues at present they may be likely to arise in the future.

Agile thinks risk management is ‘out-of-date’

Some Agile practitioners see explicit risk management as unnecessary, instead delaying the management of risks until they manifest into issues and subsequently managing those through the natural ‘sprint’ progression. Wider than this an Agile culture also encourages trust and empowerment to teams, allowing the regular prioritisation of activity and constant consideration of flow. Some Agile practitioners see this approach as at odds with traditional risk management which can be focussed on preventing potential problems rather than concentrating on the task at hand.

Risk management can also appear as being layered with levels of reporting and assurance which are counter to Agile working. For example, risk management models sit alongside a risk repository, taxonomy and scoring matrix (usually managed through an electronic risk database). Experience across organisations has seen Agile projects seeking to limit using such an experience base and instead using an informative workspace and appropriate conversation forums. This limits the ability of the organisation to consider the entire risk horizon, the impact of cumulative risk, and the corporate memory contained within the organisation’s risk repository.

However, Agile does take account of the balance between costs and benefits of risk treatment. This can avoid overlapping cycles in decision making processes and reporting if decisions around the treatment of risk are taken as and when they arise.

Risk management thinks Agile is weak on assurance

There are concerns, challenges and observations in achieving assurance in Agile projects. An Agile way of working focussed on sprints, shorter term planning and the devolution of trust can increase nervousness of senior leaders in terms of strategic alignment and delivery. Agile teams will highlight the advantages of being empowered to deliver, to change focus, to shift resource and to deliver the here and now to ensure incremental progress.

However, scale this up to an organisational level. As NSIs we face many risks in a modern world, be it maintaining the security of the data entrusted to us, the ability to keep pace with rapid changes in technology and society or the impact of the continuing global pressures of public finances. At a macro level we cannot afford to ignore or fail to mitigate these risks.  Additionally, at a micro level we face risks around the capability of our people, the quality of our statistical outputs and the vulnerability of our systems and processes all of which should be identified, understood and mitigated in order to ensure success.

Agile is sometimes not considered to be an effective approach to the management of strategic level risks due to its short term horizon and connection to the operational level. However, in an agile environment there are lessons to learn for the effective management of the most strategic risks facing statistical organisations.

 

Short Term Planning vs Long Term Planning

Public sector organisations need to plan for the longer term. A public organisation must consider the use of public money, the strategic direction for the organisation and how it will impact on society. Agile delivery environments have been seen to struggle with this longer term focus, with many of their processes and techniques engaged with the here and now.

On the other hand traditional risk management has been perceived as having too strict a focus on hard deadlines. Whilst this can help mitigate risks to delivery in order to enable time, quality and cost targets to be met it can also lack the flexibility needed in a rapidly changing situation. The nature of an Agile environment means a focus on incremental progress towards an overall goal, which can help deal with a complex environment, but can also be at odds with the need to sometimes focus on hard deadline delivery. NSIs have developed ways to work through this tension, for example by setting longer term deadlines (e.g. a census day) and using Agile in smaller sprints to get there.

It must also be recognised that often risk management is heavily weighted towards the consideration of risk as a negative, rather than the wider consideration of opportunity risks, particularly in organisations with a more embryonic risk management approach. An Agile environment, by contrast, is more focussed on the recognition of risks as opportunities and being adaptive to take advantage of these. If risk management is to be recognised as a helpful decision making tool, it should be regarded as an enabler to deliver rather than a barrier to success.

  • No labels