July 11, 2018

Managing risk

Time to read: 7 minutes (11 if you watch the video's also)

Often I hear people say that Scrum does not take care of risk: there is no risk log, risk is not on the agenda of the Sprint Review or Retrospective as a standard agenda-item. The Development Teams need to be accountable for the quality of the product and how it's made. That's a risk right there! If there is not one person accountable for quality, being on time, within budget, building the right thing... How is risk managed in Scrum?

I'll break it to you right away. Scrum is all about risk management. Ken Schwaber talks a little bit about it in this short video:

Risk is personal

First let's think about what risk actually means. According to the Oxford English Dictionary:

(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.

That's a very broad definition. Reading it like this makes it also subject to personal interpretation. And I think we all look at risk a little bit different. Risk has also a lot to do with our own personal involvement. If someone I don't know will cross two buildings on just a rope without safety net, that's very risky for that person, but not for me.

That also relates to the work that we do. For some the same project or product outcome can hold far more risk for one than for others in the same project that we do.

Different types of risks

Within work related environments, we usually talk about:

  • Financial risk - can we pay for it?
  • Business risk - will it be used? Does it solve the problem?
  • Technical risk - can it be made/build? (often in relation with finance, when a product becomes possible to build, but too expensive).

Controlling risk with Scrum

Scrum is a very good way of controlling risk in a number of ways. I'll elaborate on these different types of risk in the context of using Scrum.

Financial risk

When we are going to build a new product or change an existing one, we would like to know the costs of or change or innovation. Unfortunately, the complexity of the development of these products causes for great uncertainty and thus makes it difficult to estimate what the costs of a project will be upfront.

This often is a difficult subject for many, because the way we run projects (not using Scrum) is often first establishing scope, finances and resources (what we now call people). With Scrum, some say we skip that phase, but actually, we don't. We build it up empirically, because that's the best way to control the future in complex environments.

However, we are not giving anybody a blank cheque. We define clear roles and responsibilities.

We establish the role of the Product Owner. He or she is in control of the budget and planning of the product.

We establish a self-organizing Development Team of cross-functional professionals who can get the job done, from start to finish.

We ask a Scrum Master to facilitate this Scrum Team to encourage empirical process control and coaches this team to be a little bit better every day.

Then we ask the team how long it will take them to validate the first wishes into a concrete result. The shorter the better, because that saves money, that might otherwise be wasted on building the wrong thing.

Often I advise sponsors of teams like this in an organization to fund just a couple of Sprints at first and look at the results after every Sprint. Have a conversation with the Product Owner and Development Team about the results and the return on investment. This means the costs are pretty predictable. It's the costs of the team + out of pocket expenses for these Sprints.

The sooner the first release goes out to the users, the sooner the financial risk decreases!

Business risk

Business risk is the risk of people (users) not actually using your product, thus not solving the problem that the product needed to fix in the first place. This happens all the time. And not because our teams are dumb or stubborn, but mostly because a customer really knows what he needs the moment he can actually use the product. Everything before that is useful (Product Backlog refinement, requirements engineering, talking to users, doing surveys etc.) but does not take away the risk of people not actually using your product. Look at this short clip to illustrate:

Within Scrum, the Product Owner's role is to keep in close contact with stakeholders and the Development Team, so the right thing will be build. Reviewing the releasable increment together with those stakeholders every Sprint and (to speak from Eric Ries perspective) pivot or persevere from there.

The Product Owner is not a business stakeholder, it's not an analyst. It's the business representative in the team to manage and monitor that business risk, to create the best possible outcome.

When I started using Scrum, I remember this was one of the key elements that I liked so much: there is no more "us and them", we work collectively to solve business problems.

Technical risk

Technical risk actually can be sub-divided into two categories:

  • Can it be build with a good ROI?
  • Can we maintain the product during and afterwards?

These are important questions to keep asking yourself along the product development effort. Everyday, decisions need to be made by the Development Team if the effort that is put into a certain feature is worth the value to the Product Owner. So communication is key here.

And in second part: being able to maintain the product. Always keep a scout's view on technical issues. What I mean by that is: whenever you encounter bad technical quality, make it (at least a little bit) better.

Now, again, "done" comes into play here. Within Scrum, defining what is meant by "done" is important to be in control of technical risk. This can enhance the quality and maintainability of the overall product.

Technical skills, tools and improvements can be adopted in a good definition of done. The right testing, validation, documentation etc. can reduce the technical risk.

To conclude: the best way to reduce risk in general is: build potentially releasable increments for users.

I remember someone on LinkedIn mention:

The day we started to deliver, people stopt asking about our velocity.

Scrum values

I started out this article with the definition of risk and how subjective it can be. The Scrum values are extremely important to make sure that overall risk is transparant and dealt with at the right time, by the right person, with proportional effort.

Take a couple of minutes to look at these values in respect to risk. What's the effect of these values on risk?

Complex environments are full of risks. You can fear them, analyze them, calculate them. Or you could build the product, inspect and adapt and deliver a done increment each Sprint.