4 Factors That Make Agile Risk Management Work

All across the world, banks and other large organizations are increasingly moving to agile software, product, and project delivery. Adoption of the methodology, an iterative process that lets development teams release the product features their customers value in short cycles, marks a sharp break from traditional, linear waterfall delivery, in which each stage of the workflow must be completed before the next begins. For businesses that make the shift successfully, the benefits are clear: higher customer satisfaction, faster time to market, and greater staff engagement, as our experience with clients in the financial services sector has shown.

But financial services companies, like others in heavily regulated industries such as healthcare and energy, face several challenges in managing the risk that comes with agility, rapid deployment, and the "test-and-learn" attitude at the heart of agile delivery. On one hand, the entrenched governance structures, processes, and tools built for waterfall delivery are not suited to agile environments, and if left unchallenged can cancel out the benefits agile is meant to bring. On the other hand, abandoning governance and risk management practices altogether is a step too far for a heavily regulated and naturally conservative industry.

These companies cannot afford simply to accept additional risk in exchange for faster releases without putting proper governance and controls in place. They need to upgrade their methodology so that the risks introduced by agile ways of working, such as developing and testing features in parallel within short iterations, are continuously identified, assessed, and mitigated.

Four ways to successfully manage risk with agile processes

Empower people to make decisions and manage risks in agile teams

A primary characteristic distinguishing how agile teams manage risk is who makes most of the decisions for projects and programs. Unlike in waterfall, where decisions are centralized and made chiefly by the project manager or sponsor, members of the agile governance and delivery teams are expected to make key decisions as work progresses. Empowering these groups enables faster resolution and, ultimately, faster time to market.

This empowerment needs to extend to risk management as well, and both the governance functions and the agile teams themselves need to accept it. Where applicable, they should also put in place mechanisms that make the arrangement transparent and improve communication around it.

The organization of agile teams varies with the size, complexity, and risk level of the project or product. At a minimum, however, certain roles must be filled on the steering committee, the governance team, and the delivery team to ensure clear delegation of authority, efficient decision-making, and proper governance of agile projects and programs.

Exhibit 1: Organization of a typical agile team

In regulated industries such as financial services, involvement of functions from the other lines of defense may also be required, in particular the second line (the risk and compliance functions that oversee the first-line teams doing the work). The roles of these role-holders, and how they are integrated into the agile teams, should also be clearly defined and institutionalized.

Implement a systematic process for risk identification

Agile entails addressing risk continuously. This requires both the governance and delivery teams to proactively identify and report risks, and to understand their implications for the project, the product, end-users, supporting infrastructure, and more. Whereas waterfall tries to reduce risk through upfront analysis and planning before delivery starts, agile is more responsive to risks that arise as the product evolves, and it has greater flexibility to resolve delivery risks by reprioritizing backlog items based on user feedback.

During agile delivery, delivery teams are constantly identifying problems that may jeopardize the successful build of the product. Once a problem is identified, the delivery team is empowered to discuss how to prevent it from turning into a risk. If it is unavoidable, they add it to the list of risks, assess its materiality, decide on an action plan, and assign an action owner.

Exhibit 2: RAID and ROAM risk identification and assessment technique

The governance and delivery teams commonly use the RAID (risks, assumptions, issues, dependencies) and ROAM (resolved, owned, accepted, mitigated) techniques to identify and manage risk. In regular meetings, the agile delivery team lists all relevant risks, assumptions, issues, and dependencies, and then discusses mitigation or resolution actions. Each RAID item is subsequently categorized as resolved, owned, accepted, or mitigated.

The combination of RAID and ROAM provides a systematic process for the delivery and governance teams to ensure that every RAID item has been assigned a ROAM status, and that the relevant ROAM items are added to the risk log or product backlog at the end of each risk assessment exercise or meeting. Only risks that cannot be resolved by those teams, or that could be material to the project, product, or organization, should be escalated to senior stakeholders. The agile delivery team is also expected to keep senior leadership proactively informed at all times.

Ensure clear communication of mitigation actions

Clear and continuous communication is vital for more than risk escalation. The business unit and IT staff on the governance and delivery teams need to communicate regularly throughout the lifecycle to evaluate progress, identify impediments, and make the relevant decisions about the project and product. This happens through the collaboration tooling agile teams typically adopt, through regular meetings, and through informal daily interactions whenever an issue comes up that needs the opinion of a subject matter expert.

Given that the key benefit of agile is improved customer satisfaction and responsiveness to emerging customer expectations, collecting feedback from users is also critical. This information, typically gathered through reviews, surveys, and statistical analysis of usage patterns, must be shared openly and regularly between the business side and the IT members so the product can be refined more effectively. The same applies to communication with governance functions: in a regulated environment, transparency and immediacy of information about risk and compliance must be a cornerstone of agile delivery.

Use tools to monitor risk in agile delivery

Tools for identifying and remediating risks in each release cycle should be integrated with the software that agile delivery teams already use to manage their work. A centralized risk log is vital for continuously documenting risks, issues, and the associated action plans, and for flagging risks that need to be escalated in meetings with the steering committee. Because the log exists to support frequent release cycles and rapid decision-making, maintaining it must be efficient and must not demand significant time or extensive documentation.

Going beyond conventional practices

"Regular" agile practices, such as those initially championed by the tech industry, will continue to appeal to financial services firms and other regulated industries, and for good reason. But these firms need to find ways to promote agility and protect the value it can create for them and their end-users, while insisting on a small set of critical controls that safeguard their interests against the potential downsides. For classic agile practitioners some of these practices may not feel intuitive, but for senior management they should be non-negotiable.

Additional contributors: Krishna Kajaria, engagement manager, and Wan Ting Tan, senior consultant.