The Year of Being Agile -- Agile Risk Management, Part One

This is part of a serious of posts on using the agile development method as a PMPM (Practical Magic Project Management) technique... go see the Index page for links to the full series.

OK, first off full disclosure: Agile doesn't have much time for risk management. It's not that the methodology is against it in any way, it just doesn't address it. I think this is because it was developed to mitigate particular risks (the risk that you might put in a ton of work building the wrong thing) rather than addressing risks in general. However, the core features of agile can be used to address risk -- and I think there are very good reasons for doing so.

Still, I'm going way off book here, based not on the official Agile Methodology but on my own experience and interpretation.

But first, let's take a look at how risk management is currently practiced:

Formal Risk Management
TL;DR: Don't do this

  1. Identify the risks
  2. Analyze the risks for likelihood and consequence
  3. Rank the risks based on a combination of likelihood and consequence
  4. Treat the risk by doing something about it
  5. Monitor and review the risk
I've done a lot of risk management in my career and I have to say that bluntly, this process is crap. There's limited use to step one and sure, step four is always going to be useful. But the rest is a waste of time.

First, while here is some use in listing the risks you know about, the real danger are the ones you don't know. So any process that only deals with known risks is inherently flawed. Taleb would argue that the biggest risks, the Black Swans, are unpredictable to begin with. In addition, while capturing the risks you know about can be useful (if only to make sure you have some kind of plan for them) the idea that you are going to capture everything is up front is unrealistic. So any process that's too onerous is never going to be repeated. A list of what was worrying you in January is not that interesting in July.

Second, analyzing and ranking risks doesn't work because people are notoriously bad at predicting the odds of a risk happening, let alone the size of the impact. Again, one of the hallmarks of a Black Swan is that it has completely outsized impact to what anyone would have expected. And while we're underestimating stuff that could be really serious, we often overestimate other risks. We often see this with risks that are emotionally fraught -- like the risk of telling your parents that you don't want to join the family business. Since we suck at this so bad, I say don't bother. You CAN prioritize risk -- at least for the ones you know about, and we will be getting to that, but it's not based on either the odds of it happening or how bad you think it's going to be when it does.

Third, monitoring and reviewing the risks on the regular does make sense, but because the rest of the process is so heavy it frankly introduces the risk that you'll never do it. Not to mention that repeating a flawed process doesn't make the process better.

Why Bother Anyway

So if risk management is such a waste of time, why bother? Well, because bad stuff can happen in your life and you'll do better if you've given this some thought and preparation. That's where agile risk management comes in. 

Agile methodology was specifically designed as a response to these kinds of lumbering and inflexible top-down processes that reduce a team's ability to respond to a rapidly changing environment. Just like the lumbering and inflexible risk management process I just eviscerated. The same features that make agile so good for reaching goals can also be leveraged for risk management. 

Agile Features
Just as a quick recap, here are the core features of agile:
  • Cyclical -- agile works in a repeating short cycle of planning/working/validating. We're talking weeks, not months.
  • Iterative -- agile breaks everything down into small pieces that iterate slowly toward the correct solution.
  • Prioritized -- agile regularly validates that the priority of the upcoming work is correct based on lessons learned in the past short cycle. Priorities can, and in many cases should, change as frequently as that cycle.
  • Validated -- agile incorporates frequent regular check-ins to make sure that a) the results are satisfactory and b) the process is effective. 
  • Agile (obviously) -- agile is designed (and named) for rapid change in direction and plan, allowing you to pivot quickly in response to changing circumstances, failures, and opportunities

Step One -- Adopting the Risk Mindset
Note, the following content is from my earlier risk management series (from two years ago, my thinking has evolved and my process solidified since then).

In my experience, you never really know how sustainable your life is until something comes along and shakes it up. I speak from personal experience here. Something goes wrong and you suddenly realize that your life has overly complex maintenance, too much management overhead, inflexible tools, and not enough redundancy to cope with chaos. Things seemed to be hanging together when everything was fine, but are now rapidly coming apart at the seams. It's not just the big stuff either. Lots of little related problems coming together can throw everything out of balance.

It makes sense to examine the weaknesses in your systems... and one of the best ways to do that is to think about the things that could go wrong. Because if you know what could go wrong, you can not only avoid those things so they don't happen, but change your life now so that if they do happen, things won't go sideways quite as badly. This is risk management and it applies to both project management and operations. Risk in this context, by the way, is any uncertain event. If something bad is already happening, that's an issue and you go straight to trying to fix it. Dealing with stuff before it hits gives you lots more options.

Just as we discussed in the Black Swan divination post, seemingly good things can still have bad results, and bad things can be turned around or avoided. The whole point of risk management is to increase the chances of good stuff happening and decrease the chances of bad stuff happening. Technically, there are both positive and negative risks. But this is specifically about the negative ones.

In order to manage risk in your life, you need to do something that people just aren't very good at doing... you have to think about bad things happening and you have to plan what you might do if they did.

First, let's get past the magical elephant in the room: thinking about bad things happening will not make them happen. And thinking about good things won't make them happen either. I know this is completely contradictory to a lot of current pagan and newage thinking, but it's true. Research shows that:
  • Positive visualization can actually make you less likely to reach your goals. This is because it tends to sap the energy for actually doing anything to actually reach them. Read the article... the bit about mental contrasting at the end is particularly relevant.
  • Negative visualization can be highly beneficial (just ask the stoics). Defensive pessimism, acceptance of death, and not getting too tied to outcomes can increase gratitude, reduce anxiety, and improve actual outcomes. Our willingness to acknowledge bad things can help us make changes to avoid them. And our flexibility with regard to goals is helpful in dealing with whatever comes, bad or good. Note, negative visualization is not the same as pessimism (see below). 
  • Self-fulfilling prophecies do exist, but they are based on action, not thought. It's an untrue belief that's made true by acting as if it's true. Not an actual risk that you somehow trigger just by thinking about it.
  • Optimists are healthier, but because of what they do, not what they think:
    "We also know why optimists do better than pessimists. The answer lies in the differences between the coping strategies they use. Optimists are not simply being Pollyannas; they're problem solvers who try to improve the situation. And if it can't be altered, they're also more likely than pessimists to accept that reality and move on. Physically, they're more likely to engage in behaviors that help protect against disease and promote recovery from illness. They're less likely to smoke, drink, and have poor diets, and more likely to exercise, sleep well, and adhere to rehab programs. Pessimists, on the other hand, tend to deny, avoid, and distort the problems they confront, and dwell on their negative feelings."
OK, to sum up: actions are more important than thoughts, negative visualization can be good for you, and don't be a pessimist, but don't be a Pollyanna either.

Next post, how to identify risks when humans are terrible at identifying risks.


Popular posts from this blog

Sustain-ability: The Dishes of Life

Robin Hood 2018: Thank Your Local IT Geek

EBER Project -- Crossroads