The risk technology presents within organisations is considerable, and the consequences potentially catastrophic. The new ways people are now working within organisations also present risks, and a balance is required between new practices and the discipline of ensuring risks are managed accordingly. When implemented appropriately, methods like "Agile" can assist with the management of risks.
There is and will continue to be a higher expectation and involvement of technology professionals understanding and applying mature Risk practices.
How do you analyse Risk?
Inherent Risk: how “likely” and “bad’ could this be?
Residual Risk: what are you comfortable in tolerating? Accepting the risk needs to be within an organisation’s appetite for risk.
How to strategically manage Risk?
Controls are how you can minimise the likelihood and impact of the “bad” thing occurring. There are several types of controls:
Preventative controls are best; however, they are not always available or possible
Detective controls can help minimise the event by identifying and action the event early in its occurrence.
Who can implement controls?
Primary controls can be applied directly by the service provider (i.e. large technology vendor – this is ideal) or by the team managing the service (i.e. the application team)
Leveraged controls are provided by another party (i.e. Security with an organisation) and assist the team that is delivering the service (i.e. the application team)
Compensating controls are implemented by a team to manage a risk before a Primary or Leveraged control is available. The situation is not ideal; however, it is likely to assist in reducing Inherent Risk or possibly achieving a Residual Risk position.
How to manage issues?
Teams who analyse risks and implement controls will improve their awareness and practice of Risk. During the exercise, it is likely there will be an identification of “issues”. These are to encouraged! An issue is an event – a “bad” thing that has occurred.
Teams should be encouraged to self-identify issues at all times
Issues are to be documented with a forecasted closure date; if possible, expedite closure before the forecasted date
Teams are to be measured on both the frequency and length of issue extension rates. An issue not closing on the forecasted date may indicate an area of under investment or poor vendor performance.
How to encourage a risk culture beyond training, incentives and consequences
Encourage everyday awareness at every gathering: introduce a risk moment at the beginning of team gatherings. For example, somebody can share a risk story or perspective; civil construction organisations do this with safety, increasing awareness and creating a safety mindset.
Use "Agile" practices to assist Risk Management: Scrums and Visual Management Boards (VMBs) are a very effective way to create focus and demonstrate progress. Ensure the meetings are minuted.
Place Risk VMBs on the wall in a working area, which are an everyday reminder for people.
Encourage teams to create Risk one-pagers that describe the mindset and specific responsibilities for a area.
Introduce Risk role model awards and ask people to identify and nominate a colleague.
Promote Risk knowledge exchange by encouraging teams to visit another’s Scrum, VMB and Risk document portal.
To those in technology functions: Risk management should be within everyone’s job and not an addition to their job. This reflection is intended to be a simple explanation about the practice of Risk with some practical suggestions to encourage a culture of Risk.