This presentation looks into how to implement Agile risk management in a highly regulated industry. The presentation focuses not only on project risk, but also on compliance, legal and reputational risks.
2. Agile Risk Management in Largest Nordic bank
Executive Summary
- Complete digital transformation program
- More than 680 employees working on project
- 100 M EUR + project
Challenge
How do you implement Agile Management and still manage risk in a highly regulated industry?
Solution
- Implementation of risk log
- Implementation of Agile risk management process
- Implementation of pre release check points
Result
- Clear overview and prioritization of risks
- All releases are compliance tested before release
3. What is Agile Risk Management?
• How does Agile Risk Management reduce risk?
• How do you incorporate Agile Risk management into a highly regulated industry?
• What tools can you use on a day to day basis to manage your risk?
4. Content
Background
How does Agile development reduce risk?
Key points from Agile Risk management transformation
Key learning points
11. Align Organisation & People
Diagram labels: Risk train, Teams, 2nd LoD
Framework: Strategy, Process, Organisation & People, Tools & applications
Create a Risk Train to align methodology
Define who is risk owner
Align metric & reporting
12. Align Tools & applications
Framework: Strategy, Process, Organisation & People, Tools & applications
Diagram labels: EA, Agile, Risk mgt
Have a (integrated) risk tool
17. Key learning points
Agile Risk Mgt team should have a mandate and be proactive
Follow the “Agile beat”
Make an “Agile Risk mgt Train”
Find the Agile trigger for risk process
Have a backlog
Use a public KANBAN board
Work in the same Agile tool
Define clear ownership of risks and mitigation actions
18. What is Agile Risk Management?
• How does Agile Risk Management reduce risk?
• How do you incorporate Agile Risk management into a highly regulated industry?
• What tools can you use on a day to day basis to manage your risk?
20. How to set risk appetite in Agile
Risk appetite is set by the organization and should be SMART
Chart labels: Risk Open, Risk Closed
21. How to identify risks in Agile?
Bottom up Risk identification
• Daily Scrum
• PI event
• Risk assessment before release
• Product Owner meetings
22. How to identify risks in Agile?
Top Down Risk identification
• Scenario risk assessment
• Business risk assessment
• Compliance risk assessment
23. How to identify risks in Agile? - Daily Scrum
Agile name of meeting: “Daily stand up meeting”
Duration: 0,5 - 1 hour
Participants:
Scrum master
Developers
Sometimes architect, business and PO
Scope is to identify:
Impediments (something that is slowing you down)
Dependencies (something that you are dependent on to move forward)
Blockers (roadblocks that make it impossible for you to move on)
Risks (things that you believe will impact the project negatively in the future)
Risk management process
Identify
• Make MOM
• Confirm with RTE and SM
Analyse & Report
• Introduce in Risklog and Jira
• Evaluate risk picture
Mitigate
• Close follow up with risk owner
• Follow up in Jira
24. How to identify risks in Agile? - Product Owner meeting
Agile name of meeting: “PO meeting”
Duration: 1 hour
Participants:
Product owners
Sometimes architect and business
Scope is to identify:
Understand specifications
Align features with business
Risk management process
Identify
• Make MOM
• Confirm with Product mgt and PO
Analyse & Report
• Check if feature is in conflict with compliance
• Evaluate risk picture
Mitigate
• Escalate to compliance (2nd LoD) if needed
25. How to identify risks in Agile? - Pre-release risk assessment
Agile name of meeting: NA
Duration: 1 - 2 hours (at least 3 weeks before release)
Participants:
2nd LoD (Business, compliance, legal, risk)
1st LoD
RTE (Should be able to invite)
Product manager
Product owners
Sometimes architect
Scope is to identify:
Get a risk overview where all aspects are evaluated.
All potential risks related to the release
Risk management process
Identify
• Introduce main new features
• Structure session according to technical, legal and business risk to identify risk
Analyse & Report
• Look for critical risks and evaluate the impact.
• Share with all who attended and mgt.
Mitigate
• Ensure mitigation or risk acceptance of critical risks before release
26. How to identify risks in Agile? - Planning event
Agile name of meeting: “PI”
Duration: 1-3 days
Participants:
All teams at all levels
Scope:
Align planning between teams
Identify Dependencies
Identify Risks
Vote of confidence
Risk management process
Identify
• Risk boards
• Walk the boards with mgt.
• Be proactive and have questions ready
Analyse & Report
• Collect ALL risks
• Use categorization to get an overview
Mitigate
• Issues and risks should mainly be solved in the PI
• Make conclusions if possible.
27. How to analyse risks in Agile?
Two risk logs
General risk log (see example)
Risk that can kill you (see example)
Use 4 categories to evaluate risks
Financial impact
Reputational impact
Process impact
Legal impact
Use algorithm to see what the SUM of less critical risks
28. How to share analysis in Agile?
Weekly report (see example)
Monthly report (see example)
29. How to set mitigation actions in Agile?
Set mitigation strategy during the risk identification
Set a deadline
Set an owner (only one)
Make integrated alerts
Consider risk mitigation tool
31. Roadmap
Highlighting the current PI commits, PI forecast and subsequent prioritised backlog
Roadmap template (figure): columns PI n, PI n+1, PI n+2; bands Committed, Forecast, Prioritised backlog; one-liner entries with a "Stretch objectives" divider
Legend: Release, Milestone, Stopper
32. Logs
Main actions, risks and dependencies in release train
Action Action and impact description Status Raised date Due date Owner
Impacting Supplier Supplier delivery Required date Status Owner
Risk/Issue Risk/Issue description and mitigating action Criticality Update date Owner