What you need to know about risk management in agile methodologies
There’s no such thing as a risk-free project. According to the statistics quoted by the Project Management Magazine, more than half of all projects, especially large ones, fail. Many ambitious projects are not completed on time or budget.
Doubtlessly, one of the reasons for this is insufficient or indeed no attention paid to the identification, assessment and management of risks, despite many potential threats in the implementation of complex projects.
For this reason, in today’s post, I’d like to focus on risk management in various project methodologies, with a particular emphasis on agile methodologies, which are among the most popular approaches to software development today.
However, to have a point of reference, let’s start by looking at the classical approaches to risk management in projects.
Risk management in traditional project management methodologies
Regardless of the adopted project methodology, risk management can be understood as identifying, estimating and responding to potential and existing threats over the life cycle of a project. This process must be kept going at all times, whether you use the waterfall or agile method.
In traditional methodologies, such as PMBok or Prince2, risk management is understood as a precisely defined cycle divided into several stages.
In both cases, we usually deal with such elements as a regularly updated risk register, and risk response, avoidance and reduction plans. At the planning stage, financial and time reserves are created for the identification of risks.
Each of those phases uses various techniques and tools to support or facilitate implementation of its underlying function in the entire risk management process. On the other hand, there are as many ways to adapt these processes in PMBoK and Prince2 as there are projects and managers managing them 😉
It should be reiterated here that risk management in classical project methods should be a continuous process, repeated at all project stages, even if the waterfall method is used.
Agile risk management
When a project is carried out using an agile methodology, the approach to risk management is quite different. Risk management is embedded in the Agile philosophy, and is often treated as a natural element of project implementation.
This belief may certainly result from the fact that the iterative approach in project management allows progress to be tracked with high accuracy, ensuring fast response to and the reduction of the potential costs Associated with risk materialization.
Agile methodologies are characterized by a greater responsibility of the entire team for the success of the project, a focus on actions and the constant identification of risks at the interface of technology and business.
Depending on the type of agile methodology used, we may talk about different approaches to risk management, such as an active approach (AgilePM, DSDM) or lightweight approach (SCRUM, XP, Lean).
Now let’s look at the main differences between these two views on risk.
Agile risk management: the active approach
At first glance, the active approach may resemble the methods we know from traditional methodologies.
First off, potential risks in the project should be properly identified and assessed. Then, you should plan, carry out and then monitor actions in response to the identified risks. All those stages are briefly described below:
Identify & Assess
Risk identification is a phase that requires the involvement of all the project stakeholders: from the Product Owner, to Sponsors and the Development Team, to the Users.
You’ll be well advised to use all instruments well-known from traditional methodologies, including: lessons learned, risk registers, and facilitated workshops for that matter. As in the case of waterfall methodologies, if you go for the Active Agile approach, you should arrange a kick-off meeting to put together a list of risks.
This will help you prioritize and determine severity of the identified risks. One of the most common practices is also to use a heat map with risk likelihood and impact.
Unlike in traditional methodologies, in the active agile approach the recommendation is to ditch time-consuming and costly quantitative risk assessment. At this point, however, you can apply the Planning Poker, an estimation method often used in agile methodologies. This working method is described e.g. on the ProCognita blog.
Plan & Act
Planning helps you prepare appropriate and timely responses to specific, identified risks. The process may take place during regular, dedicated team meetings. Here, the options are similar to those available in traditional methods: acceptance, avoidance, mitigation and transfer.
At the execution stage in Agile, we can distinguish two basic ways of activating this process. One is to allocate enough time to identify, assess and respond to risks in iteration. The other is to create additional user stories and treat them in the same way as other standard requirements – this may mean that we duly prioritize and estimate them.
Don’t be mislead by how the monitoring stage is depicted on the chart. Risk control should be carried out continuously, or at least cyclically at the times determined by the team.
Key risks, e.g. presented in the form of a risk register, should be visible to the team during the whole life of the project, and updated after each sprint. This will ensure a continuous and relatively cost-effective monitoring mechanism.
Changes in risks can also be presented in the form of the Risk Burndown Chart, which shows the status of risks over the course of individual iterations.
Risk management: the lightweight approach
While risk management in Active Agile may be confusingly similar to traditional methodologies, the “lightweight approach” focuses on eliminating risks by providing frequent deliverables, such as new portions of codes or functionalities, as well as regular contact with the client.
In the constantly changing project environment, this helps in eliminating risk factors on an ongoing basis. This approach is largely based on the assumption that the benefits flowing from risk management outweigh the cost of the exercise.
Instead, in the lightweight approach, risks are mitigated based on agile processes, including:
- Team dailies, meetings whereby typical risks associated with sprint can be identified and eliminated.
- Sprint retrospectives, which help streamline processes and eliminate threats.
- Working with the Backlog, especially Backlog refinement, as a method for avoiding risks associated with misinterpretation of requirements.
- The incremental delivery of products and regular presentations to end users, which ensures the quick verification of whether functionalities meet the expectations of the target audience.
- Code review, eliminating errors and keeping the code “clean” at the development level.
Risk management is still present in the lightweight approach, although it may not look like a conscious process to the untrained eye.
This approach has one major advantage. While changes in the scope or related risks in the traditional or Active Agile methodology may, in extreme cases, increase costs and and cause delays, the lightweight approach is free from such limitations. This is because risks and their related requirements are not specified at the beginning of the process. The client may refine them during one sprint or another in the implementation process, submitting additional comments at the end of each iteration.
Instead of a summary – keeping risk at bay an agile way
Despite the undoubted advantages of agile risk management, it should be noted that these approaches may not always fully take into account the threats which result from, e.g. changes in the financing of the project or the market situation. These aspects cannot be managed by short iterations or by delivering value to the client.
However, no matter which of the above approaches you choose for your project, one thing’s for certain. Conscious risk management will help your reduce or even eliminate risks to implementation, especially those related to technology or the scope of work.
As specialists in complex technological projects, we always help our clients select the right methodology so they can keep their risks down as they work towards their goals.
At the same time, we rely on certificates and experience in working in the most popular project methodologies – both traditional, waterfall ones, such as Prince2, ITIL, IPMA or PMP, and agile ones – from AgilePM to Professional Scrum Master. Admittedly, the Active Agile approach is closest to our hearts, but we are always happy to provide advice on and apply other methodologies if we see that this is what will do the job in the project at hand. But that’s a topic for another post 😉
Please get in touch with us – we’ll not only choose the right technologies for your project, but we’ll also pick a methodology for its implementation.