Rethinking Risk and Issue Management in a Hybrid Delivery Context

As organizations adopt agile, it is typical (and often necessary) to go through an extended "hybrid" phase, where agile coexists with traditional waterfall or project-based delivery. This period of transition presents a great opportunity for organizations to reexamine their approach to risk and issue management.

The shift to agile, particularly in a regulatory context, demands a more dynamic, responsive approach to managing risks and issues. Traditional methods, while structured, may not fully align with the agility and flexibility required in a fast-paced agile environment. In addition, foundational challenges start to emerge. Where in the traditional world we would simply manage risk against a project, in the new world we must adjust our framework to encapsulate risk that should be managed at the Value Stream, ART and Epic level.

This blog serves as a guide to some of the best practice and key points to consider when designing a risk management framework that is fit for purpose in these circumstances, whether you're fully agile, still in the waterfall world, or navigating the hybrid in-between.

Balance data quality and quantity

In the pursuit of comprehensive risk management, there is a common misconception that more data equals more insight. However, there is an inverse correlation between the volume of data a organization seeks to collect, and its quality, especially where that data collection requires manual human effort.

Seeking the "goldilocks" balance is key. The balance between not enough information to effectively manage the organization's risk profile, and seeking so much data that the quality of your data is too poor to use.

The chart below illustrates this relationship.

"there is a common misconception that more data equals more insight"

Ongoing monitoring and alerting of stale risks

Risk management can quickly become a "wood for the trees" problem. One easy tactic to avoid this is to track stale risks. These are risks that have not been reviewed or updated within a specific timeframe (e.g. 30 days). Automated alerts that identify risks that are going stale provides a quick easy method for teams to keep risk logs contemporary.

Contextual Risk Tracking

Ensuring that the framework (and tooling) you use to manage risks and issues captures the context in which the risk or issue exists will help to streamline your risk oversight controls.

In the traditional world, this is straightforward. Risks and issues are raised and managed against projects.

However, in an agile environment, teams should be able to raise risks against a Value Stream, an ART or an Epic. Where the risk has been raised against the ART, it should be visible at the Value Stream level, as well as on the ART. Where a risk has been raised against an Epic, it should be visible at the Epic level, against the ART that owns the Epic, and against the Value Stream to which it is aligned as well.

Learn more about
risk management with Kiplot

Core "Manual" Fields

Manual fields describe the data that teams must manually maintain on an ongoing basis. These are the fields that are most affected by the law of inverse data quality to quantity described further above.

Therefore its important to focus on the data you must capture, rather than the data you would like to capture.

Field Description
Title A title for the risk for easy reference. For example, a risk related to the system being unable to deal with the additional traffic that the product might expect on its first few day of launch might be called, "Insufficient launch day load capacity".
Description A clear description of the risk. It is good practice to have a clear format that teams are required to follow. For example "There is a risk that... [insert] as a result of [cause/trigger]. This may lead to [consequences]."
Category/Type The classification of the risk (e.g. operational, financial, resource, technical). It's good practice to have a pre-defined list of categories that teams are able to pick from. This helps to manage trends across the organization (e.g. increasing resource risk).
Probability This records the probability of the risk happening. It can be helpful to provide a guide for teams to help them assign a % probability.

Category Description Liklihood
Rare/Unlikely This category applies to risks that are highly unlikely to occur, happening only in exceptional circumstances. 1-19%
Occasional Risks in this category have a small chance of occurring, expected to happen infrequently. 20-39%
Possible This level is for risks that have a reasonable chance of occurring, neither highly likely nor highly unlikely. 40-59%
Likely Risks in this bucket are more likely to occur than not, with a strong chance of happening. 60-79%
Almost Certain This category is for risks that are almost certain to happen, highly predictable and expected under normal conditions. 80%+
Impact This records the scale of the impact if the risk were to materialize

Impact Level Description Impact Value (1-5)
Minimal Impact Impact is negligible or very minor, with little to no disruption to normal operations or project outcomes. 1
Low Impact Impact causes a small degree of disruption but can be managed or mitigated with minimal effort. 2
Moderate Impact Impact has a noticeable effect, causing disruptions that require management attention and additional resources to address. 3
High Impact Impact is significant, leading to major disruptions or setbacks, potentially affecting the project's or business's strategic objectives. 4
Critical Impact Impact is severe and could lead to catastrophic consequences, jeopardizing the entire project or the core operations of the business. 5
Owner The owner of the risk. This is the person who is accountable for mitigating the likelihood of the risk materializing.
Mitigation/Resolution Plan This describes the mitigation plan for the risk. The mitigation plan is the actions that will be executed to reduce the probability of the risk materializing.

"To mitigate this risk, [proposed actions or strategies] will be implemented."
Status Current status of the risk or issue (e.g., Open, Closed).
Due Date The point at which the next action must be undertaken in order to mitigate the likelihood of the risk materializing.

Additional "Meta Data"

Meta data should be captured passively by your tooling. This means that teams should not be wasting time maintaining this data. It should be automatically maintained in the background.

Field Description
Creation Date The date when the risk or issue was initially logged.
Last Updated The most recent date the risk or issue log was modified.
History/Change Log A record of all changes made to the risk or issue log over time.
Previous Probability/Impact Historical values of probability and impact before the current update.
Alerts/Notifications Automated alerts generated for overdue updates or impending due dates.
Trend Analysis Analysis of the risk/issue trends over time based on updates.

Effective risk and issue management requires balancing detail with agility, embracing the right technological tools, and adapting practices to fit the project context. By focusing on essential data, automating routine tasks, and maintaining an up-to-date risk landscape, organizations can navigate the complexities of project and agile initiative delivery with confidence.

Want to see Kiplot Risk Management in action?

Book demo!

Fill out the form below and we will be in touch today to arrange a time that suits you:

Get the intro deck

Fill out the form to receive the Intro Deck to your inbox instantly: