Risk management is like sorting out the cords.

As we have noted, the difference between the classic and Agile approaches to risk management boils down to a few serious dichotomies. The first is that classic methods tend to be project-manager driven, while Agile processes involve and hold the entire team responsible. Second, Agile risk identification and management is built on the continuous re-planning process that is intrinsic to Agile rather than being event/review driven (e.g. phase gates or defined review cycles), which is more the norm in classic project management. All projects need to expend time and effort on dealing with risk regardless of the processes used to identify, monitor and manage risks. That time and effort means there will be less time to address the functionality requested by the product owner and product management. This leads project personnel to try to balance the effort they spend on the risk management process AND to only focus on the risks that really matter.

Lean risk management processes, such as the one we have described, focus on minimizing the effort needed to identify and manage risks by integrating risk management into other processes. Examples include using the definition of done to mitigate risk and the product backlog to document risks as user stories. Risk management does require specialized meetings and deliverables that increase the perceived overhead. Building risk management into day-to-day activities has the secondary benefit of creating team-level involvement, which is useful for reinforcing the risk management process.

One of the common features of mature risk management processes (whether they reflect waterfall or Agile methods) is risk prioritization. We have explored several mechanisms to evaluate the probability that a risk will become an issue and the potential impact of the issue (Agile and Risk Management: Prioritization Techniques, Part 1 and Agile and Risk Management: Prioritization and Measurement Techniques, Part 2). In all cases the goal of the processes is to consistently prioritize risks so that teams and managers spend their time on the risks that really matter. I recently chatted with a project “risk manager” while waiting for a table at a restaurant. He suggested that he often sees projects without formal prioritization techniques spending precious time and effort on worrying about risks that they can’t influence or have a nearly zero chance of happening, but sound scary. Every erg of energy and every minute spent on risks that are not relevant is waste and provides fodder for those that see risk management as a waste of space.

One common complaint about risk management is that we can never anticipate everything; there are unknown unknowns. The conclusion some practitioners make is to abandon planning and to just stay vigilant. The argument is that the effort for risk management is not worth the return. This approach might work; however, I have not seen it work on any sizable project. Coupling a lean risk management process with Agile risk management maximizes the value from risk management. This morning while listening to the Gist podcast, Mike Pesca (the host) stated that worrying about the future is an important survival mechanism. True, but that survival mechanism doesn’t require a 100-page risk register that no one will ever look at to be effective.