I had the chance to visit with Essential Scrum author Ken Rubin at Agile 2014. One of Ken’s primary focuses right now is Agile Risk Management. His presentation “Agile is Risk Management” addresses the fact that if it is applied well, agile will inherently help reduce the risk you would normally see on projects. His approach involves a lightweight way of addressing risk that let’s you reduce your exposure without having to cope with a lot of the heavy machinery that traditional risk management typically involves.
Risk management should not be something you do once at the beginning of a project. It should be part of the regular operating rhythm of any project. Whether you take a very structured approach to assessment, with quantitative analysis and a separately managed risk budget, or a qualitative approach with risk management costs baked in to the project budget, risk management is only beneficial if it is part of execution, as well as planning. Ken's comment that we do our risk assessment at the beginning of the project, when we know the least about the risks, reflects poor practice. Our risk assessment, like our requirements gathering, should be an ongoing process that improves the resilience (anti-fragility, if you prefer) of the endeavor over the course of the project.