Uncertain and highly dependent stories

Last post 06:51 am October 27, 2021
by Simon Mayer
4 replies
06:56 am October 26, 2021

Hello all,

I have a team who work on stories that are highly uncertain to estimate. For example, we should be tracking the story but work is distributed to other teams as well. Like as part of project, we should go though security assessment which is done my security team, however we should be tracking it to know what are the pending items and eventually this cannot be finished in one sprint. how to handle this kind of stories? which board is better to handle majority of stories which are like this. pls provide suggestions.

04:53 pm October 26, 2021

In the situation you describe, how is any one team able to produce a Done and finished increment of work? It doesn't sound like they can -- yours just being a "security" team for example -- and these dependencies make it difficult to estimate the work needed.

05:28 pm October 26, 2021

+1 to @Ian Mitchell's comment.  Instead of working to eliminate dependencies or impediments, it sounds like your organization is introducing them. 

Using your example of the security assessment, in the past companies where I have worked have made that more of a precursor to development than a post effort action.  It is considered part of refinement of the work that the Developers will be doing so that the work is done correctly.  Your organization needs to look at the workflow that is required now and look for opportunities to improve with the focus on eliminating wasted effort and improving the ability of the development teams to deliver increments of value in Sprint time boxes.

06:50 pm October 26, 2021

Generally speaking, I'd tend to agree with Ian and Daniel. I'd want to try to find and eliminate dependencies, such as on a security team. It may not be possible to eliminate all dependencies, but it should be possible to make it so it's extremely likely that work will flow through downstream activities with potential feedback but few instances of a downstream team rejecting the work.

For cases where you do have hand-offs and receive feedback from other teams, I'm not sure why that feedback can't just go onto the Product Backlog like every other piece of work. Perhaps I'm misunderstanding, but you should be able to treat everyone downstream from the Scrum Team as an external stakeholder. Like any external stakeholder, they have feedback regarding the state of the product and their requested changes go onto the Product Backlog, where the Product Owner decides what work the team should do next. Refinement can help break up the work, identify dependencies, and so on.

06:51 am October 27, 2021

Possible way of visualizing the problem

Are you already using an explicit Kanban workflow, which shows such bottlenecks? e.g. when a story is "Ready for security review", "Security review has started", and "Ready for [whatever comes after security review]".

By timing when each story first enters each stage of the workflow, you should have evidence which could be used to help the team improve its own processes where possible, and highlight impediments to management and stakeholders where necessary.


Possible solution

Would it be possible to have at least one security expert on each team? Perhaps this could be achieved by dissolving the security team, and have each member join a cross-functional Scrum Team, or alternatively it could be achieved by hiring or training staff to fill the knowledge gap.