What is Risk Evaluation and how can it be used for Managing Risk in Scrum? Agile and Scrum are specifically targeted at Minimizing Risk. This does not mean that Risk to any Project can be disregarded. The Scrum Risk Management Process has much in common with many other Risk Management Frameworks. If your Company has embraced a specific Framework, it is recommended that you line up the Scrum Risk Management Framework to that of your Organisation. If you do not have a Formal Risk Management Framework in place, this is a straightforward Process. The process has much in common with ISO 31000. There are however some differences in the grouping of the main activities, however not their content.

Risk Evaluation: The Scrum Risk Management Process

‘Risk Management’ is an Iterative Process, which makes it easy to Integrate into Scrum. The Process starts with the Identification of a Risk. The risk is typically Reported in an appropriate forum, like the Daily Stand-up Meeting. A Risk however can be Identified and Reported by anybody at any time.

• The Stand-up Meeting is Timeboxed to about 15 minutes. This is just enough time for the Team to Report on their Daily Progress. Assessing a single Risk could easily take 15 minutes and should be discussed in a different forum.
• The Scrum Product Owner is an optional attendee of the Stand-up Meetings. They may however attend as an observer, and not an active participant. They have the Responsibility for Risk Assessment and Prioritization.
• It is quite possible that Assessing the Risk Requires input from one or more Stakeholders. Stakeholders would not be at the Standup Meeting.

Risk Evaluation: Running a Risk Meeting.

The Risks to be Assessed ought to have been listed in no particular order. They can be included in the Risk Register toward the end of the Meeting. The Risk Register is a list of all the Risks that have been Identified. The register includes the risk Severity, and the Mitigation’s to be applied. When the new Risks have been managed, the Risk Register should be revisited to see if the Risk Level and the Priority has Changed on each Risk. The Risk Meeting can be held prior to the Sprint Planning Meeting. New risks can be discussed during the Sprint Review, Sprint Retrospective and Daily Stand-up meetings. An updated Risk Register, with the new Risks and revised Prioritization, can be issued to all Stakeholders.

How to Assess Risk Using Probability and Impact.

When Assessing a Risk, the following factors are evaluated:-

• ‘Probability (P)’- this is the likelihood of a Risk occurring.
• ‘Impact (I)’ – this is the magnitude of the effect the Risk will have on the Project.

The Risk Severity (S) is determined hence:- S = P x I.

Risk Evaluation: Risk Scales

There are different Scales used for Measuring P and I. These include the most popular, a Scale of 1 to 10 and differ from Company to Company. However the outcome is still a Severity Score that can be used to Prioritize the Risk.

A Third Factor that is not always thought about. This can be extremely relevant, when the Risk can be expected to turn into an Issue or Event. An example is the “100-year flood”. This is a Severe Flood that happens approximately every 100 years. It can be used to decide how far structures need to be built from a river bank to stay safe. If it has been 95 years since the last flood, chances are the next one is on its way.

As most Agile Projects are Planned to be of brief duration, Proximity Risk can typically be Avoided. However it needs to be considered for large Projects with a longer Lifespan.

We found these books great for finding out more information on Agile Scrum:

Other Techniques: Decision Trees and Expected Monetary Value.

Decision Trees are a Form of Quantitative Risk Management. These can be utilized in combination with the Expected Monetary Value (EMV) to choose on the very best Risk Option. The expected cost of each outcome is Calculated, Resulting in a set of monetary options. The best choice can then be picked based on these values.

This is an alternative way of depicting and Evaluating Risk. Here is a typical example where a new CRM is Required and the decision is Build vs Buy. The Impact of Failure will be the same for both options (£3.5m). The Risk of Failure is higher for the build option, but the lower initial cost makes this the better cost option overall.

Risk Evaluation Techniques: Pareto Analysis.

Pareto Stipulated the “80:20” guideline – 20% of the Cause Produces 80% of the Effects. The Pareto Principle holds real in an amazing number of circumstances. It benefits use in Scrum Risk Analysis as a Technique to identify the Highest Risks. These risks are then Prioritized and dealt with first by the Scrum Development Team. The Values used for the Pareto Analysis stem from the Severity Values calculated as an aspect of Probability x Impact.

This a useful method and the findings can be graphed in a Risk Burndown Chart. It should be kept in mind that all the information is historic and based upon previous events. Risks that have actually been Identified as taking place in the future are not catered for.

We found these books great for finding out more information on Agile Scrum:

Risk Evaluation Techniques: FMEA.

‘Failure Mode Effects Analysis’ was originally used by the US military and later embraced by Automotive and Aeronautical Engineering. It can be utilized in Testing a Process, Product or Service, but varies from Industry to Industry. There are other Techniques that are extensively utilized in Engineering, such as the “Physics of Failure”. Nevertheless, using such Techniques requires Training for the Scrum Team (Agile Scrum Master, Scrum Product Owner and Scrum Development Team). The Traditional Approach of Assessing and Mitigating Risks Works well for all ability levels no matter what Maturity Level your Company’s Risk Management Processes have reached.