What if you were asked to put risk into some sort of framework in a scaled agile system? How would that work? Well, in many cases, you might start with an existing framework. Let's take SAFe, for example: the answer might be that we do ROAMing in PI planning. So as far as most folks are concerned, all risk is taken care of there. That's it. That's all we do for risk. The problem is that in many organizations that are audited for risk management, that doesn't even come close to what an auditor is looking for.
Why is that? Well, if we look at the rules that many large companies have to operate under, they were written on stone tablets with a chisel sometime back in the 1980s. Those rules typically specify that an organization should use risk management practices that were originally defined by project management practices at the time, long before agile was commonly accepted.
Now there's nothing wrong with risk management per se. It's really just a fact of life. All projects and products have risk. The question is, are the risk management practices managed in a lightweight and iterative fashion? Those risk management methods from the 1980s are typically heavyweight, if not outright overweight, and require a great deal of overhead and centralized management, which I'm not sure anyone wants to do. So if you're going to provide a system of risk management for a company that has to deal with compliance and that has to deal with auditors, then you're going to have to put together a system that manages risk, tracks risk, and ensures that risk is not idly disposed of, thrown away, or allowed to magically disappear. Risk needs to be taken seriously as a first-class artifact and a first-class citizen in these contexts. If you are a smaller company, if you don't have to deal with audit and compliance, then there's no reason you would ever do these sorts of things. However, if you are in a financially regulated or government-regulated business like healthcare or financial services, then it's very likely that at some point you will find yourself in a situation where you are asked to show a structured set of risk management practices that are in use and have controls, so that they can be validated within your organization. The question is, what do you do then?