Agile methods have created different new challenges in the field of risk management. In modern software application development projects, security has become a significant part of the product. Software development projects are very complex and can quickly go off track if something went wrong thus, risk management is an integral part of the software application development process. Software security and risk management are not just something a business might do if even if time and resources are available. Risk management must be introduced at the planning stage and must be evaluated and assessed throughout the whole development cycle.
Agile software development methods are focused on delivering the possible maximum benefit to the business. Using existing models together with some new ideas, application developers can come up with a solution to manage the risks even before the problem start.
The agile risk management approach is based on frequent feedback and iteration. The development team together with the product owners are working together to help keep the project moving and achieve the goals that will deliver the highest value first. In this approach, the high-level goals of the project and constraints are defined in the planning stage and the progress are tracked against these factors and are adjusted depending on the situation to ensure completion and success.
Agile project plans are revisited and adjusted frequently. This means that a usable software system should also be available at the same time. The combination of frequently iterating the plan and having continuous working software means that completion can happen earlier than the deadline even if the plan changes dramatically. If something goes wrong in an agile project, the developers can still deliver a software system that has the highest priority features that have the highest value possible for the business.
It is also important to note that the team members can’t be part of the agile workforce unless they acknowledge that the project will always face uncertainties during the process. Rather than taking comfort in a plan, they take comfort in the fact that they can adapt to these changes and still be successful. A challenge in adopting agile method is to get everyone in the team and the business side to get involve and agree that agile planning is the more reasonable approach to software development. This means establishing agile practices for the iterative planning is part of the project.
Identifying the risks is the most basic step in agile project management. Risk can have two dimensional influences: The first dimension is a simple assessment of factors that can either be Helpful or Harmful for the project and the second dimension is the identification of the source of the Risk that can either be External or Internal.
Identifying these a two-dimensional assessment together provides the classic SWOT Analysis of the project: Strengths, Weaknesses, Opportunities, and Threats. It is important to understand these factors that even though we may have no control over the threats, we can develop processes to manage or minimize the effects on the software development project.
After identifying the risks, it needs to be categorized according to the likelihood and level of impact it may have on the project. These categories may or may not be prescriptive, but these can be divided into factors like scope, impact, resources, solution, budget, timeline and privacy and security. Although scope and resources are primarily relevant to the software development team, these can have a significant impact on the other categories that may affect the overall outcome of the project.
How do businesses go about measuring the risks? Impact and probability can help measure the risks effects and other factors. The Impact of a risk is a measure of its effect on the project. It can range from minimal, where the consequences would be very small up to extreme where effects will surely affect the success of the project. Risks on minimal range can be solved faster than the higher-level ones. Although these levels of risks cannot hinder the success of the project, these can turn into a more difficult one if left unnoticed.
If there is a very high probability of a certain risk, then it should have the attention of the team. Conversely, if there is a very low probability of the risk being realized, then it is likely that it should receive less attention from the team. We thus need to ensure that the greatest attention is focused on the Risks with the highest occurrence probability. The following chart provides a suggested scale for assessing the probability of Risk manifestation.
There are numerous techniques for risks management. Before the planning start, business must remember that that it is not possible to eliminate all risk. Risk planning is all about contingency planning. After identifying, assessing and quantifying the possible risks for the project, risk analysis lead to deriving a few effective risk responses.
Risk management requires involvement of stakeholders and software developers in interactive ways, as experience is the best means for managing these risks. Risk management should also be integrated with the decision-making processes to manage the projects more effectively, as risk management reveals the different rationales for making appropriate decisions.
Act is simply that. It is the actual implementation of the defined risk management and mitigation strategies. Well it’s not that simple. Human nature is such that we tend to put off the things that aren’t challenging and fun, interesting or that might be just boring or just plain hard work. This is project suicide when it comes to risk management. While it is imperative that high-risk items will be dealt first, deferring performance testing up to the last stage of the project and finding out that some features are not achievable in the remaining time frame can be the death of the project.
“What this teaches us, is that although failure can be painful and although we as people we have developed an aversion to it, it actually can allow us to unlock great potential” – Dr. Anna Powers The “Fail Early” phrase is becoming very popular in the world of venture capital. What do potato chips, Post-It Notes, pacemakers, penicillin and Silly Putty all have in common? They were all created by making mistakes. In fact, in each case, the inventor was attempting to create something completely different and thought that he had failed with the final product. Of course, as decades have gone by and profits have been made, the benefit of hindsight tells us that these so-called failures were actually triumphs. It’s like that old adage about Thomas Edison and the light bulb: When questioned on his many failures, he retorted that he hadn’t failed 10,000 times, but succeeded in finding 10,000 methods that wouldn’t work. – Forbes.
It might sound crazy at first but in the essence of agile risk management, it means figuring out as early as possible during the process if a certain solution will succeed or not. These findings are essentially the go-no go for your project. If success is not possible, either stop what you’re doing and do the next possible step and move on to something else. This could also be a good opportunity to rethink the project and come at it from a different angle. Either way, do the gnarly, risky and difficult stuff up front.
Failure has an added benefit that it helps you define different boundaries of the system and sets team expectations as to what is possible and realistic and what is impossible and unrealistic. It could even bring light unrealistic success criteria KPIs and can even change the definition of project success. When this happens, the project will live under a revised and a more realistic set of approach to manage stakeholder expectations. It may also stimulate commitments like a larger budget or easier access to key people.
As obvious and as simple as this may sound, it is amazing how often such high critical risk items are left until the final stages of the software development project. For over the years, this is one of the biggest reasons for project failure. Do the risky stuff first, fail early and do it again.
This part of the agile risk management process is very lightweight and very quick to perform. As discussed above, identifying the risks is the most basic step and implementing appropriate risk planning and mitigation strategies for each risk identified is essential to the success of projects, may it be related to software development or not. Done properly, it is a continuous virtuous circle of processes to constantly identify, manage and minimize the risks in different projects.
For software application development, an agile plan will only work if the code is adaptable enough. This means technical practices should also be established to make it possible to deploy a system frequently and evolve the code to meet the changing software requirements easily.