I’ve been thinking a lot about how an organisation with such a strong tendency towards risk-aversion could become more Agile in how it deals with risks associated with projects and programmes.
For a charity, risks come in all shapes and sizes, from risks associated with spending supporters money to risks of fines from the ICO. Risks to reputation that affect public opinion and supporter’s trust are important, so the objective here isn’t to ignore the risks and be reckless, the objective is to find better ways of reducing risks where possible and handling where necessary.
In a risk-averse culture, risks are mitigated in two ways; 1) attempt to make the risk as known as possible by getting as much information up front as possible, and 2) involve as many people as possible to use their knowledge and experience, and to spread the blame if something goes wrong.
Making risks known
The first step to making decision in a risk-averse culture is about getting as much information about the risks up front in an attempt to make decisions about which direction a project should go. It seems to make sense that the more information we have the better decisions we’d make, but research suggests that experienced decision makers don’t make significantly better decisions with significantly more information provided they already have good domain knowledge.
So perhaps the lessons here is that you don’t need all the information in order to make a decision, and that the experts should be the ones making the decisions.
Involving lots of people
In a risk-averse organisation the number of people involved in making a decision is often in double figures. But if everyone knows and everyone agrees, then no one gets the blame if something goes wrong.
But this way of spreading the risk only really fits if the risk is considered as one big risk. If the risks were considered as lots of small risks, then they could be tackled in a different way, with the right people taking responsibility for the right risks rather than everybody taking responsibility for the whole risk.
So maybe the lesson here is that risks can be dealt with better by breaking up into many smaller risks.
Agile controls risk by accepting uncertainty
Managing risk in an Agile way means accepting that all the information isn’t known up front, and that more information can be brought to light throughout the project by performing small tests along the way to find out what happens when the idea meets reality. This is instead of the more traditional risk management approach of identify all the risks up front, make decisions about the future direction of the project, and only find out if the idea survives contact with reality when the project goes live.
Modern Agile says to ‘Experiment and learn rapidly’. This fits. We can de-risk projects by testing small and testing early, and using the learning to make any course corrections.