All across the world, banks and other large organizations increasingly are moving to Agile risk management. Adoption of the methodology — an iterative process that enables development teams to quickly release product features that their customers want — signals a sea change away from traditional, more linear Waterfall systems. For businesses that make the shift successfully, the benefits are clear: a 10% increase in customer satisfaction, 30% improvement in speed to market, and 45% boost in staff engagement, based on our experiences working with clients in the Financial Services sector.

But financial services companies, as well as others in heavily regulated industries such as manufacturing and energy, face several challenges in the transition to Agile when it comes to their risk management processes. Entrenched governance structures, a lack of appropriate processes and tools, and a naturally conservative approach to regulatory compliance can all hinder uptake. 

These companies cannot simply assume additional risk to support faster releases without implementing proper governance and control measures. They need to upgrade their methodology to ensure that risks stemming from Agile processes are continuously identified, assessed, and mitigated. To do so, four key components must be in place.

1. People

A primary characteristic distinguishing how Agile teams manage risk is who makes the majority of decisions for projects and programs. Unlike in Waterfall, members of the Agile governance and delivery teams should be chiefly responsible. Empowering these groups enables faster resolution and, ultimately, faster time to market. For example, in an Agile setup the delivery team can have the autonomy to prioritize one feature over another based on business value, effort, and available dependent resources.

2. Process

Agile entails addressing risk on a continuous basis. This requires both the governance and delivery teams to proactively identify and report risks, and to understand their implications on the company. Only risks that cannot be resolved by those teams or that could be material to the project, product, or organization should be escalated to senior stakeholders such as the CTO or business unit head. While the Agile delivery team typically escalates risks as part of regular meetings with the steering committee, the team is expected to be proactive about keeping senior people apprised at all times.

3. Communications

Clear and continuous communication is vital for more than just risk escalation. The business unit and IT staff of the governance and delivery teams should communicate regularly throughout the lifecycle to evaluate progress, identify impediments, and make relevant decisions concerning the project. Again, this is accomplished through regular meetings, but also through more informal daily interactions whenever an issue comes up — a legal or compliance question, for example — that requires the opinion of a subject matter expert. Moreover, given that the key benefit of Agile is to improve customer satisfaction, collection of feedback from users is critical. Information, typically gathered through reviews and surveys, must be shared openly and regularly between the business side and the IT members to more effectively refine the product.

4. Tools

Tools for identifying and remediating risks in each release cycle should be integrated with existing software that Agile delivery teams are already using to manage their work. A centralized log is necessary for continuous documentation of risks and issues and associated action plans, as well as to flag risks that need to be escalated in meetings with the steering committee. The log is intended to support frequent release cycles and rapid decision-making, so maintaining it must be efficient and not require significant investment of time nor extensive documentation.

Krishna Kajaria has also been an additional contributor to this article.