PRINCIPLE 1: Define your appetite for risk, and make it real

A fundamental principle of Agile delivery is the focus on meeting customer needs and a fundamental principle of risk management is providing assurance that an organisation understands and mitigates the threats to delivery. In order to allow an organisation to understand the needs of its customers and also provide assurance when needed to manage risk, the definition and agreement to use risk appetite levels is essential.

Traditional approaches to the definition of risk appetite focus on simple descriptions of appetite across different business dimensions, or even for the organisation as a whole. For example an organisation may state it is ‘averse’ to risk around information security, or ‘cautious’ around financial risk. These simple statements of appetite may give a broad indication but are open to interpretation (one person’s ‘cautious’ is another person’s ‘actively seeking’) and can remain static over a period of time.

An alternative approach and one that is more suited to risk management in an Agile environment is to define risk appetite in a way that drives correct and consistent behaviours within the organisation in line with expectations of its senior stakeholders. In order to achieve this, the organisation needs to agree to the behaviours expected at different levels of risk appetite and articulate these specifically as a framework for decision making.

The main benefit of this approach is that it sets clear behaviours that are expected at different levels of risk appetite, rather than a series of bland statements open to interpretation. The articulation of behaviours in this way will give clarity to the organisation of the expectations and allow for the risk appetite to cascade and align through the organisation.  Risk management in an Agile environment, where risk is focussed on decision making  is a key enabler to success.

Figure 6 shows an example of a risk appetite statement for a particular type of risk, in this case ‘Data Security’, and how the expected behaviours can be articulated to ensure consistency in decision making.

 

Figure 6. Example Risk Appetite Statement


Risk Type: Data Security
 
Averse
 		Minimal
 		Cautious
 		Open
 		Actively Seeking
 

We avoid losing the trust of our respondents arising from a loss or disclosure of data but recognise our business depends on

access to and processing data which carries inherent security risk.

We have clear governance and processes for data security. The Board regularly discuss security issues.

We understand the appropriate level of cyber security around all data sets and invest in the highest priority areas.


We review our security policies and accept a level of risk around lower risk systems and
data but recognise data loss has the ability to cause significant reputational damage to the organisation.


We allow for appropriate access to data for staff in order to allow the organisation to deliver its programme of research,

development and analysis.

 

We are willing to consider access for approved researchers to linked admin data.

 

 

PRINCIPLE 2: Identify threats and opportunities

Risk management in an Agile environment remains important to identify both threats and opportunities. However, the approach to this identification should be clearly linked to the organisation’s objectives, the decisions it needs to take, and its defined risk appetite. Risk identification can follow these steps for individuals within the organisation:

  • The business plan or project plan articulates the deliverable
  • Decisions need to be made to ensure successful delivery (to get from A to B as effectively  as possible)
  • Align the decision you make to the risk appetite which relates to the activity
  • Decisions which create threats or opportunities outside appetite require someone to take responsibility, to document on the corporate risk system, and to manage
  • If you make a decision to achieve delivery which creates a threat above or beyond the risk appetite, you must then choose to either treat the risk, or tolerate it
  • If you choose to treat a threat or opportunity, you must provide evidence of what you are doing to decrease the threat to within the appetite level.
  • If you choose to tolerate (accept) the threat, you must document the threat on the risk register.

These steps should help to ensure that risk management is integrated into delivery and is not a separate process from the day to day operations of the organisation. They are also useful in ensuring the 'right' (true and honest) threats or opportunities are identified, so effort can be focussed on the true threats to delivery rather than documenting generic 'non' threats to provide false assurance. The diagram at figure 1 illustrates when and how threats/opportunities can be recorded or escalated (also related to Principle 3).

It should be recognised that this principle can be followed whether an organisation is operating with an Agile approach or not. However, it is the understanding of risks as opportunities as well as threats which demonstrates a more mature approach to risk management and this is particularly relevant in an Agile environment. Agile is focused on delivery and therefore exploiting opportunity risk to allow for quick delivery, to deliver incremental improvements and to meet customer needs is important. A shift of focus from mitigating threats (stopping bad things from happening) to exploiting opportunities (making good things happen) is fundamental to risk management in an Agile environment.

PRINCIPLE 3: Deal with threats and exploit opportunities at the most appropriate level but document and escalate if necessary

 

In order to support an Agile environment it is important for risk management to create an environment where decisions are taken at the right level, where staff are empowered and able to address threats and opportunities quickly and without having to follow an overly prescriptive process.

Figure 6 shows a ‘Pyramid of Uncertainty’ demonstrating the level of oversight for each level of risk. The pyramid shows that a large number of daily decisions will be risk-based, they should not all be logged on a corporate system or wrapped up in layers of governance. Risk management in an Agile environment is where decisions should be taken quickly in line with risk appetite and only formally recorded when wider action needs to be taken to mitigate the risk or exploit the opportunity.

 

Figure 6: The Pyramid of Uncertainty

 

However, in order to provide assurance around the management of risk an organisation should still evidence those decisions being made which create threats or opportunities above or below the risk appetite level.

As demonstrated in Figure 6, there will be a large number of decisions taken on a daily basis within any organisation, these will in themselves be mitigating risks and exploiting opportunities.

It is important that these decisions are taken as close as possible to where the impact will be, both in time and location within the organisation. In an Agile delivery environment these will be identified and addressed through the sprint process. Therefore, risk management in an Agile environment should focus on only logging threats or opportunities as formal corporate ‘risks’ if:

  • Reasonable mitigation to try to manage the threat/opportunity can be evidenced, and
  • The threat/opportunity isn’t already someone’s job, or an established process is in place to manage the threat/opportunity, and
  • The threat or opportunity is outside the organisation’s risk appetite

Figure 7: Agile Risk Management Maturity Model

  • No labels