Agile Risk Management

Christophe BARDY - GRACES community
21/12/2021

The probability (likelihood) of experiencing the impact.

An organisation will normally assess risks against a predetermined appetite towards risk taking.

Risk management comprises co-ordinated activities to direct and control an organisation with regard to risks – this requires co-ordinated and economical application of resources to determine the level of risk treatment required to:

  • Minimise, monitor, and control the probability or impact of unforeseen events.
  • Maximise the realisation of opportunities.

What are Traditional Risk Management Limitations?

Some risk management characteristics do not have the desired effect of encouraging or embedding risk management practice within organisations and often run counter to this objective, in particular:

  • Voluminous frameworks and documentation – there are often multiple documents that contain similar information such as policy, procedure, framework, risk matrix, risk management plans, risk registers, etc.
  • Risk management jargon, for example risk culture, risk universe, risk appetite, risk tolerance, risk register, inherent risk, residual risk, etc. Facilitate a risk workshop in a hospital and see the reaction you get when mentioning ‘risk treatments’.
  • Tedious risk workshops that seem to take hours or even days of people’s lives.
  • The difficulty people have identifying and assessing inherent risk (risk without controls applied) – they find it almost impossible to assess the risk without considering the controls already in place.
  • Control effectiveness assessments not done well, if done at all.
  • Many people, when identifying mitigating actions to help further reduce residual risk (risk after controls applied), come up with something that is not easily measured and where the link to the risk can be tenuous.
  • Strategic and operational risks mixed together.
  • Periodic risk reporting where risks and ratings never seem to change over time.
  • Lengthy and complex spreadsheet reports that cannot be read unless printed on A3 paper.
  • Above all, getting people interested in the concept of risk management – this manifests itself in a general level of disinterest that makes the job of a risk management practitioner more difficult than it need be – this is an inability for risk management to articulate to stakeholders ‘what’s in it for me?’

What is Agile Risk Management?

When we talk about agile risk management, we are focusing on two things:

  • A nimble risk management response and approach to the changing dynamics in the organisation’s risk management landscape to provide a timely risk management service to the board (or equivalent governing body), audit committee and senior management.
  • Leveraging agile project management techniques such as sprints to split the risk management service into manageable chunks, enabling risk management practitioners and stakeholders to work together to stay timely and quickly update the risk management focus.

The term ‘agile risk management’ suggests risk management should practise:

  • Engagement : Risk management practitioners actively engaging with people to manage their risks.
  • Collaboration : Managing risks through team effort between 1st line business activities and 2nd line risk management.
  • Dynamic : Recognising there is constant change in organisations and risk management needs to be continually re-evaluating the risk environment.
  • Adaptable : Rapid adjustment to new risk environment conditions as they emerge.
  • Timely : Risk reports contain the latest up-to-the-minute risk situation.
  • Horizon Focus : Focusing on the risk horizon to provide early warning of potential and emerging risks.
  • New Ways of Working : Introducing innovative risk management methods, documentation and reporting formats.

Read more in the pdf
