Risk Management and the Lean/Agile Frameworks

When we think of project risks, we think of events that, if they occur, will cause a project to miss deadlines, exceed its budget, or fail to meet customer expectations. One of the attractions of lean/agile methods is that they reduce these risks through short delivery and feedback cycles, extensive business owner involvement, and improved systems engineering practices, including automated testing.

So, are project risks merely relics of the past, and is risk management obsolete? No. As the table below shows, the agile frameworks and processes surveyed here provide at least a limited amount of guidance for managing risks; XP is the exception, in that it relies on its practices to manage risk implicitly rather than offering separate risk management activities.

Framework / Process | Reference | Approach

XP
Reference: Kent Beck, Extreme Programming Explained: Embrace Change (2nd Edition), Pearson Education, 2005.
Approach: Risk management benefits are implicit in the principles and practices of XP; XP does not offer separate risk management activities.

Scrum
Reference: Mike Cohn's blog.
Approach: As with XP, there are risk management benefits implicit in the principles and practices of Scrum. However, Mike Cohn's blog offers some guidance specific to risk management. He proposes developing a risk census at the first sprint planning meeting and updating it at each subsequent planning meeting. For ongoing management, he proposes maintaining and publishing a risk burndown chart during the project.

SAFe
Reference: Scaled Agile Framework.
Approach: At the end of Agile Release Train planning, the team identifies each risk and Resolves, Owns, Accepts or Mitigates it (SAFe's ROAM categories). If a risk is to be mitigated, the team owns the mitigation plan. Technical or functional spikes may be used (sparingly) to identify and mitigate risk.

Agile Project Management (APM)
Reference: Jim Highsmith, Agile Project Management: Creating Innovative Products, Pearson Education, 2004.
Approach: Highsmith proposes that risks be managed "at each stage of planning and development" (page 43) and notes that during iteration planning, "sometimes the highest value will be to reduce the technical risk first" (page 44).

Disciplined Agile Delivery (DAD)
Reference: Scott Ambler, Disciplined Agile Delivery.
Approach: DAD proposes that risk identification begin during the Inception phase and continue at governance milestones and "go forward" decision points. During the project, risks can be managed via appropriate metrics and by accelerating high-risk / high-value work items.

As organizations begin to undertake agile development at an enterprise level, managing risks tactically at the project or release level will not be sufficient. For example, how do the mitigation actions taken within a given project change that project's overall risk profile? In turn, how does that project's evolving risk profile align with the organization's appetite for risk and with its enterprise risk management efforts? And how can we apply effective risk management practices while remaining consistent with agile principles and avoiding unnecessary bureaucratic work?

These are questions that we agilists need to begin discussing. Alan Moran of Zurich, Switzerland recently published a brief book on the subject (Agile Risk Management, Springer, 2014) that provides a starting point for further discussion. Are we ready to begin the conversation?

Author: Ron Montgomery

Ron Montgomery is a management consultant and owner of OnPoint, LLC, a firm that partners with clients to drive business value from IT projects. Ron has 36 years of hands-on IT experience, including 8 years using agile frameworks. Ron launched his independent consulting career in 1994, and his clients include major insurance carriers, banks, technical solution firms, and non-profit organizations. He has assisted these clients with business planning, IT strategy, project and program management, vendor selection, and team training and mentoring. Over the past eight years, Ron has led multiple initiatives that employ agile frameworks.
