As Agile adoption grows even among developers of safety-critical products, the know-how of adopting risk management practices in an Agile environment is becoming vital. Based on a piece of research titled Practices to Improve Risk Management in Agile Projects, this post provides general guidance on Agile risk management best practices.
In order to avoid human injury, risk management in software engineering has always been a crucial point of concern in safety-critical product delivery. In the days of Waterfall/V-model, the BDUF (Big Design Up Front) way of controlling hazards was to assess and plan for the mitigation of risks before development even started.
With Agile gaining traction in (and fundamentally transforming) safety- and mission-critical software product engineering, risk management practices also have to adapt. Agile doesn’t offer any established best practices for managing risks in software projects. The whole point of applying Agile principles is that it’s a lightweight concept. Each team has to create the best practices that suit their needs – in risk management as well as in other areas.
According to both scientific literature and empirical evidence, in addition to certain undoubted drawbacks, there are many benefits of using Agile in safety-critical engineering. Some of the main benefits of iterative & incremental development relevant for risk management:
- Agile supports the early discovery and mitigation of risks.
- It provokes (and helps adapting to) change early and often, adding flexibility to the way risk management is carried out.
- Using iterative development helps manage both risks and overall product complexity in smaller increments.
- Accurate process tracking & documentation helps build up a risk management know-how and implement continuous improvement.
- Less defects and enhanced product robustness overall.
Intuitively, short increments and regular feedback loops benefit accurate risk management. But how exactly risk control procedures can be implemented into an Agile workflow is a whole different question.
Let’s look at the most important practices to improve risk management in an Agile project based on a 2019 study published in the International Journal of Software Engineering and Knowledge Engineering.
Based on survey results, this paper lists several practices that Agile teams use to enhance risk management in their software projects.
Daily standups with a focus on risks
Among these practices, the daily meeting is listed as the most important factor in Agile risk management.
These standup meetings provide the team with an opportunity to share and discuss tasks and action items for that day, also enabling team members to continuously monitor risks. In fact, identifying and analyzing risks, and defining risk responses should be made a recurring agenda point during these meetings. Pro tip: use a shared risk repository on standups to ensure transparency around risks!
Risk management in increments & iterations
Agile develops products in increments (commonly, work is done in iterations or sprints of one or two weeks, or even a month, each of which delivers a product increment that then receives user feedback). This is a great asset when it comes to risk management, as teams can focus their attention on the clearly outlined deliverables for that specific increment, and the risks pertaining to those deliverables only. When customer feedback is provided, they can build that into their risk activities.
Risk management can occur at all levels of Agile delivery: from daily standups to weekly meetings or biweekly or monthly sprints. As a general practice, the assessment of risks and defining an action plan for their mitigation should be part of the planning process for each iteration.
When building a sprint backlog, make sure all risks as well as the relationships and dependencies between items (requirements, risks, etc) are taken into consideration. When defining the product backlog, you’ll want to prioritize requirements by user value, and optimize scheduling speed and risks (e.g. deliver risky items first, but leave enough time for risk management with even the simplest of tasks). Reassess risks as you refine the product backlog on an ongoing basis.
Hold weekly risk meetings
In a high-risk environment such as the delivery of safety-critical products, you’ll want to have a structured approach to risk management. In addition to integrating risk control in your processes, you may also want to appoint a team member responsible for risks (Product Owners can take on this role), and to implement recurring risk rituals (e.g. a weekly risk meeting with all relevant stakeholders).
Use a risk repository
Establishing and maintaining a shared, electronic risk repository is a general best practice that greatly helps transparency and risk control. Digital risk management tools help a great deal in making the risk repository accessible for all relevant team members. Review the risk repository periodically to make sure it is kept up to date, and help team members interpret the data therein – daily or weekly meetings are a great place for both.
Focus on continuous communication and collaboration
Ensuring effective communication and transparent collaboration is the backbone of working Agile. With regards to risks, such an environment provides visibility over risks and widespread alignment on risk prioritization and mitigation.
Again, digital tools come in handy to establish efficient lines of communication both internally and externally (with customers or auditors). Use wikis to share information internally, and guarantee transparency in monitoring project progress. Ensure visibility around risk-related artifacts and processes to the entire team. Channel feedback from customers into development, and make sure risk management follows all changes.
Overall, we’ve surpassed the long-held belief that Agile is not compatible with the rigorous risk management and safety/quality stipulations that govern safety-critical product delivery. Many teams throughout the world have succeeded in adapting Agile practices to suit the needs of regulated delivery. While the above best practices don’t even come close to a comprehensive guide on managing risks in Agile software engineering projects, they provide good guidance in building out a satisfactory risk management practice.