Risk management is crucial to the success of all software development, enhancement and maintenance projects. Risk management at its most basic level is avoiding problems that can be avoided and recognizing those that can’t be avoided. In order to recognize and avoid problems, every project must consciously take steps to look outward and forward. The act of risk management requires both introspection and extrospection. Extrospection, a rarely used word in everyday conversation, is even rarer in many Agile approaches. One important way to assess risk is to consider whether a risk is internal or external.
Internal risks are from within the organization and arise during normal operation. Internal risks are often forecastable, and therefore can be avoided or mitigated. Internal risks are typically generated by one (or some combination) of human, technical or physical factors. Many Agile practices naturally address internal risk. Practices like short planning cycles, retrospectives, flexible backlogs, and small teams are geared to delivering short-term value by addressing the risks that the team perceives to be controllable.
External risks come from outside the organization or project and outside of the team’s control. External risks tend to only be forecastable in retrospect, and therefore efforts need to be focused on recognition and reaction. Many external risks stem from legislative, environmental and political changes. The impact of a major earthquake on an organization’s supply is an external risk.
Recently, Steven Adams published an article on his blog titled "Seven Risks in Software Development." In his article, Steven lists the following seven risks:
- Risk of delivering little or no value to the customer or organization.
- Risk of missing the delivery schedule because of poor predictions.
- Risk of unplanned work disrupting the work process and schedule.
- Risk of poor quality in the delivery.
- Risk of work item becoming an outlier … way off!
- Risk of the team not working well together.
- Risk of end-users not using or liking the product.
Steven’s list is a powerful tool for facilitating a discussion of risks that are controllable at a team level. Steven’s risks are all internal risks. A lean approach practiced by many teams to identify and manage (mostly) internal risks includes:
- Identify knowable risks.
- Build mitigation for common risks into the definition of done.
- Generate stories for less common risks and add them to the project backlog.
- Review risks when grooming stories.
- Carve out time during planning to identify emerging risks.
Agile techniques at a team level are designed to capture and manage internal risks. No one believes in not managing risk, because not managing risk puts the value a team delivers at risk, or at the very least puts their weekend at risk when a risk becomes an issue and has to be dealt with. Agile techniques tend to give teams a short-term, inside-the-boundary perspective that is very delivery focused. External risks often lurk outside the short-term focus, which means our techniques need to be tailored to address both internal and external risks.
Next: Incorporating External Risks into an Agile Risk Approach