Portfolio Planning
Rethinking Risk and Issue Management in a Hybrid Delivery Context
As organizations adopt agile, it is typical (and often necessary) to go through an extended "hybrid" phase, where agile coexists with traditional waterfall or project-based delivery. This period of transition presents a great opportunity for organizations to reexamine their approach to risk and issue management.
The shift to agile, particularly in a regulatory context, demands a more dynamic, responsive approach to managing risks and issues. Traditional methods, while structured, may not fully align with the agility and flexibility required in a fast-paced agile environment. In addition, foundational challenges start to emerge. Where in the traditional world we would simply manage risk against a project, in the new world we must adjust our framework to encapsulate risk that should be managed at the Value Stream, ART and Epic level.
This blog serves as a guide to some of the best practice and key points to consider when designing a risk management framework that is fit for purpose in these circumstances, whether you're fully agile, still in the waterfall world, or navigating the hybrid in-between.
Balance data quality and quantity
In the pursuit of comprehensive risk management, there is a common misconception that more data equals more insight. However, there is an inverse correlation between the volume of data a organization seeks to collect, and its quality, especially where that data collection requires manual human effort.
Seeking the "goldilocks" balance is key. The balance between not enough information to effectively manage the organization's risk profile, and seeking so much data that the quality of your data is too poor to use.
The chart below illustrates this relationship.
"there is a common misconception that more data equals more insight"
Ongoing monitoring and alerting of stale risks
Risk management can quickly become a "wood for the trees" problem. One easy tactic to avoid this is to track stale risks. These are risks that have not been reviewed or updated within a specific timeframe (e.g. 30 days). Automated alerts that identify risks that are going stale provides a quick easy method for teams to keep risk logs contemporary.
Contextual Risk Tracking
Ensuring that the framework (and tooling) you use to manage risks and issues captures the context in which the risk or issue exists will help to streamline your risk oversight controls.
In the traditional world, this is straightforward. Risks and issues are raised and managed against projects.
However, in an agile environment, teams should be able to raise risks against a Value Stream, an ART or an Epic. Where the risk has been raised against the ART, it should be visible at the Value Stream level, as well as on the ART. Where a risk has been raised against an Epic, it should be visible at the Epic level, against the ART that owns the Epic, and against the Value Stream to which it is aligned as well.
Core "Manual" Fields
Manual fields describe the data that teams must manually maintain on an ongoing basis. These are the fields that are most affected by the law of inverse data quality to quantity described further above.
Therefore its important to focus on the data you must capture, rather than the data you would like to capture.
| Field | Description | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Title | A title for the risk for easy reference. For example, a risk related to the system being unable to deal with the additional traffic that the product might expect on its first few day of launch might be called, "Insufficient launch day load capacity". | ||||||||||||||||||
| Description | A clear description of the risk. It is good practice to have a clear format that teams are required to follow. For example "There is a risk that... [insert] as a result of [cause/trigger]. This may lead to [consequences]." | ||||||||||||||||||
| Category/Type | The classification of the risk (e.g. operational, financial, resource, technical). It's good practice to have a pre-defined list of categories that teams are able to pick from. This helps to manage trends across the organization (e.g. increasing resource risk). | ||||||||||||||||||
| Probability |
This records the probability of the risk happening. It can be helpful to provide a guide for teams to help them assign a % probability.
|
||||||||||||||||||
| Impact |
This records the scale of the impact if the risk were to materialize
|
||||||||||||||||||
| Owner | The owner of the risk. This is the person who is accountable for mitigating the likelihood of the risk materializing. | ||||||||||||||||||
| Mitigation/Resolution Plan |
This describes the mitigation plan for the risk. The mitigation plan is the actions that will be executed to reduce the probability of the risk materializing. "To mitigate this risk, [proposed actions or strategies] will be implemented." |
||||||||||||||||||
| Status | Current status of the risk or issue (e.g., Open, Closed). | ||||||||||||||||||
| Due Date | The point at which the next action must be undertaken in order to mitigate the likelihood of the risk materializing. |
Additional "Meta Data"
Meta data should be captured passively by your tooling. This means that teams should not be wasting time maintaining this data. It should be automatically maintained in the background.
| Field | Description |
|---|---|
| Creation Date | The date when the risk or issue was initially logged. |
| Last Updated | The most recent date the risk or issue log was modified. |
| History/Change Log | A record of all changes made to the risk or issue log over time. |
| Previous Probability/Impact | Historical values of probability and impact before the current update. |
| Alerts/Notifications | Automated alerts generated for overdue updates or impending due dates. |
| Trend Analysis | Analysis of the risk/issue trends over time based on updates. |
Effective risk and issue management requires balancing detail with agility, embracing the right technological tools, and adapting practices to fit the project context. By focusing on essential data, automating routine tasks, and maintaining an up-to-date risk landscape, organizations can navigate the complexities of project and agile initiative delivery with confidence.
