Contrary to traditional project management where risk management is an integral and crucial part of the project management process, there is no explicit mention of risk management in popular agile methodologies. This makes us wonder whether we manage risk on agile projects at all. It should make sense that since agile project management differs from traditional project management, agile risk management should differ from traditional risk management.
There is an understanding that agile does not explicitly define risk management simply because agile manages risk implicitly. How does that make sense? There is a good explanation in the book “Becoming Agile: …in an imperfect world” by Greg Smith and Ahmed Sidky where the authors state that “a secondary definition of agile could be continuous risk management”. In fact, agile processes are intended to stay on top of risk management by making the team alert and responsive to new information and changes as the project progresses.
Implicit agile risk management
There are several aspects of risk management that agile addresses implicitly:
- Daily standup meetings. When an agile project team conducts daily standup meetings this is in itself an opportunity to review potential risks. The developers report what is preventing them from getting their work done or what is blocking their progress. By voicing their concerns they allow the team to work towards eliminating such problems immediately. Since each team member is given the opportunity to speak every day, there are plentiful opportunities to bring risks to the attention of the team instead of being forgotten or ignored.
- Early and continuous delivery of working software. Through each iteration of an agile project the customer interacts with a working version of the envisioned product. This helps them to get a feel for how the requirements are translated into the developers’ understanding of the product. Prompt and constant feedback aids the developers in refining the final product and increases the chances that they deliver what the customer really wanted.
- Iteration planning. During each iteration planning the entire team joins in selecting which features from the user story list will make it into an iteration and how many story points or any other estimation measure that is used by the team the story or feature is worth. The estimation process itself is a type of risk management in that it decreases uncertainty. When a feature is considered for implementation in the next iteration, more details about it become known and potential risks are better understood.
- Team inspection and adaptation. Agile teams constantly try to improve the effectiveness of how they work and search for ways to optimize and streamline their process. This is another aspect of agile risk management as the team is always on the lookout for bottlenecks and impediments that must be overcome.
Explicit agile risk management
In addition to implicit risk management, agile project management does address risk management explicitly in some situations.
A risk burndown chart may be introduced to track remaining risk on an agile project. Obviously, in order to track remaining risk, initial risks must have been identified at the beginning of the project. This is done in a similar fashion to iteration planning and story estimating, by involving all stakeholders to identify potential risks. Actually, the process is quite similar to how potential risks are identified in traditional project risk management.
Risk management is not limited to software development. Since agile projects, for example those that use the Scrum approach, mostly focus on the software development aspect of the project, only risks that relate to the technical issues and within the scope of development are managed implicitly using above mentioned techniques. As we know, projects are made up of more than just software development and therefore the realm of risk management is much broader. Additional risks, for example those associated with stakeholders, project interfaces, the organizational environment and more must be identified and managed.
All project managers, traditional and agile alike, should be aware of and understand all aspects of their project environment. Too often project managers focus on the details of their project so much that they miss the forest for the trees. Taking a step back and identifying risk is a good way to manage a project from a broader perspective.