While Agile and Scrum are particularly targeted at Risk Assessment and the Minimizing of Risk. This does not mean that Risk to any Agile Project can be ignored. The Scrum Risk Management Process has much in common with most other Risk Management Frameworks. If your Company has embraced a specific Framework, it is recommended that you align the Scrum Risk Management Framework to that of your Organisation. If you do not have a Formal Risk Management Framework in Place, this is a simple Process. The process has much in common with ISO 31000. There are however some variations in the grouping of the primary activities.

The Risk Management Process

‘ Risk Management’ is an Iterative Process, that makes it simple to Integrate into Scrum. There are 5 Major Risk Management Activities. The Process starts with the Identification of a Risk. This is where the risk is Reported in a suitable forum, like the Daily Stand-up Meeting. The Risk can be Identified and Reported by anyone at any time. The Severity of the Risk then requires to be Assessed. If there are Risks that are Reported in a Standup Meeting, it may be advisable to call a separate Meeting. This separate meeting is for the Assessment and Prioritization of the risk. This separate meeting is for three primary reasons:-.

• The Stand-up Meeting is Timeboxed to about 15 minutes. This is only long enough for the Development Team to Report on their Daily Progress. Assessing a single Risk could easily take the entire 15 minutes.
• The Product Owner is an optional attendee of the Stand-up Meetings. If attending they are expected to serve as an observer. They are not an active participant in the meeting. The Product Owner has the Responsibility for Risk Assessment and Prioritization
• It is quite possible that Assessing the Risk Requires input from one or more Stakeholders. Stakeholders do not attend the standup Meeting.

Running a Risk Meeting for Risk Assessment

The Risks to be Assessed must have been listed. They are listed in no particular order, and can be included to the Risk Register. The Risk Register is a list of all the Risks that have been Identified. The register also details the risk Severity, and the Mitigations to be applied. When the new Risks have been managed, the Risk Register ought to be revisited. This is to see if the Risk Level and the Priority has actually Changed on each Risk.

How to Assess Risk Using Probability and Impact.

When Assessing a Risk, the following factors are evaluated:-.

-‘ Probability (P)’- this is the scale of possibility of a Risk occurring.
-‘ Impact (I)’ – this is the magnitude of the impact the Risk will have on the Agile Project.

The Risk Severity (S) is calculated as:- S = P x I.

There are various Scales applied to Measuring P and I, such as a Scale of 1 to 10. The scales differ from Company to Company. The outcome is a Severity Score that can be used to Prioritize the Risk.

A Third Factor that is not always considered, but can be extremely relevant. This is when the Risk can be anticipated. This is called Risk “Proximity” in Scrum. An excellent example is the “100-year flood”. This is a Severe Flood that occurs every 100 years. This proximity risk is used to decide how far structures need to be built from a river bank to remain safe. If it has been 95 years since the last flood, chances are high that the next one is on its way.
As the majority of Agile Projects are Planned to be of brief duration, Proximity Risk can generally be Avoided. This however ought to be considered for large Projects with a longer Lifespan.

There are a couple of other methods of Assessing Risk that are explained below. The most common Method utilized is the approach taken in ISO 31000.

We found these books great for finding out more information on Agile Scrum:

Risk Assessment Techniques: Decision Trees & Expected Monetary Value.

Decision Trees are a Form of Quantitative Risk Management. This approach can be utilized in combination with the Expected Monetary Value (EMV) to select the very best Risk Option. The expected costs of each outcome are Calculated. This Results in a set of financial options from which the best choice can be chosen.

This is an alternative way of depicting and Evaluating Risk. Here is a common example where a brand-new CRM is Required and the decision is Build vs Buy. The Impact of Failure will be the exact same for both options (₤ 3.5 m). The Risk of Failure is higher for the construct option. This option has the lower preliminary cost that makes this the better expense choice in general.

Risk Assessment Techniques: Pareto Analysis.

Pareto Stipulated the “80:20” rule – 20% of the Cause Produces 80% of the Effects. The Pareto Principle holds true in an amazing number of situations. It is excellent for use in Scrum Risk Analysis. It is a Technique to identify the Highest Risks, which are then Prioritized and dealt with’. The risks are initially dealt with by the Scrum Team (Scrum Master, Product owner and Development Team). The Values utilized for the Pareto Analysis derive from the Severity Values determined as an aspect of Probability x Impact.

While this a helpful technique and the findings can be graphed in a Risk Burndown Chart it must be remembered that all the data is historic and based upon previous events. Risks that have been Identified as possibly taking place in the future are not catered for.

Risk Assessment Techniques: FMEA.

‘ Failure Mode Effects Analysis’ was originally used by the US military and later adopted by Automotive and Aeronautical Engineering. It can be used in Testing a Process, Product or Service, but differs from Industry to Industry. There are other Techniques that are thoroughly used in Engineering, such as the “Physics of Failure”. The use of such Techniques requires Training for the Team. The Traditional Approach of Assessing and Mitigating Risks Works well for all skill levels no matter what Maturity Level your Company’s Risk Management Processes have actually reached.