Making Agile Secure with Risk Management
A misconception exists that agile organisations only focus on responding quickly to changing customer needs by being highly adaptive and have become more vulnerable to malicious intents. On the contrary, genuinely agile organisations have even become more robust in managing risk. They have not only quality but also risk mitigation built-in.
In order to realise robust built-in risk mitigation and remain at low risk levels, risk management experts should shift from their traditional role of risk control towards actors who create awareness and help build and share expertise in the organisation.
Authors: Günther Lemmens, Jens Desmet & Sonja Noben
Classic Versus Agile Risk Management
In traditional project management, the different phases of the project life cycle are clear, well-described and delimited. Projects go through an initiation phase where organisations involve risk management experts. They must deliver key project documents that describe possible risks and issues, explicitly stating what can go wrong during the delivery of the project and the implementation of the change. Project delivery only moves into the execution phase once the risk management experts have performed this risk assessment.
When adopting agile delivery, risk management experts need to evolve. An agile DNA has quality and risk built-in, helping to reduce risks and to remain secure during iterative delivery cycles. Let us illustrate this with two examples:
- First, agile teams deliver small increments of value compared to the larger deliveries in classic projects. As increments are small, they represent a lower level of risk. If a quality risk does occur, an agile team will typically focus on quality first before continuing with the rest of their delivery scope.
- Second, agile teams can build in automated risk tests and generate outcome reports from their continuous delivery pipelines. These are useful for monitoring, risk management and external audit purposes.
Both examples clarify that in an agile context, risk management experts need to perform their assessments differently and at another rhythm compared to traditional projects.
Creating Risk Collaboration
Risk management experts are often vital to the organisation. They secure the “license or image to operate”. We can compare the interaction between the delivery organisation and risk management experts to that of an adolescent-parent interaction.
When a parent forbids or controls, the adolescent often experiments with creative solutions to escape that control. If the parent instead acts as a coach who explains the dangers and impacts of mistakes, the adolescent will likely react differently. Now the adolescent is aware of his or her responsibility and knows that well-intended advice is available. He or she will be more open to learning from mistakes and more receptive to warning signals.
Moreover, today's parents need to adapt as well. Adolescents do not live and act in the same context as their parents did at that age. The current context is dominated by an overflow of information, directly at their fingertips, that both allows and demands an immediate response.
Let us transfer this metaphor to the agile delivery organisation. When risk management experts shift towards collaboration, they make agile teams relentlessly aware of their responsibility to identify, resolve or mitigate risks. This solidly strengthens the critical first line of defence.
In collaboration mode, we prefer interactions over extensive documentation. Agile organisations need to involve risk management in their quarterly planning sessions, refinement sessions and sprint or quarterly reviews. These ceremonies are a unique opportunity for risk management experts to hear, understand and assess in the most transparent way. They are perfect moments for them to advise, explain and ask questions. In these critical moments, the agile teams and risk management experts work together on potential threats and co-design quality solutions.
At the same time, risk management experts should learn from their intense interactions with the agile teams and adapt their risk policies and guidelines so that these stay in sync with the new risk built-in practices of the agile teams.
When both conditions are achieved, the risk management experts have realised the Shift Left, positively increasing their contribution to the organisation.
Relentlessly Improve Risk Expertise
With the Shift Left of risk management, risk awareness and mitigation are now built into the agile delivery process. At the same time, new threats keep emerging continuously: hacking, cyber-fraud and ransomware methods keep getting better.
Risk management experts should therefore organise mandatory knowledge sharing and training for the agile teams and initiate the right risk mitigation enablers.
Include risk objectives within performance management
Organisations that positively recognise the progress agile delivery teams make on their risk key results ensure continued risk awareness and responsibility. Therefore, agile organisations need to set appropriate risk objectives within their performance management. These risk objectives should then be translated into key results that are shared by all members of the agile delivery teams.
With precise risk-driven key results, the agile delivery teams will be incentivised to act. They will plan necessary initiatives to improve their risk levels, such as strengthening the depth and width of risk test automation in their continuous delivery pipelines.
We at DigitalScaler strongly advise activating risk management in an agile transformation. The risk management experts should actively help to realise a shift left of risk skills and competences in the agile delivery organisation through participation and knowledge sharing. At the same time, these experts should relentlessly focus on gaining new skills and methods to mitigate newly emerging threats.
The agile way of working, with short-cycled increment delivery and feedback, lowers risk. This is strengthened even more when risk mitigation is built into the continuous delivery pipeline through automated risk testing and validation. In this way, the agile delivery model dramatically decreases risk levels compared to traditional project-driven delivery practices.