New Approaches to Risk Management

Level: Practicing

For almost a decade our community has claimed that agile is a risk-driven approach. Yet there is very little published material on agile risk management. Traditional risk management is based on avoidance of external variations, while traditional project scheduling treats tasks homogeneously from a risk perspective. Lean pull systems and Real Options Theory provide new means to manage overall business risk in technology projects. This tutorial describes 3 techniques that evolved in the kanban community that increase sophistication of risk management and provide improved business agility.


This will be a straightforward PowerPoint presentation.

A paper will be submitted for the transactions.

Here is the text of the attached file for convenience…


For almost a decade the agile community has claimed that agile development is a risk-driven approach. Yet there is very little published material on agile risk management. A survey of the transactions of the Agile conference over 4 years reveals no explicit presentation on risk management. An online search reveals a number of blog entries and articles on agile risk management.

Traditional risk management (defined in the PMBoK, Prince II, CMMI and other frameworks) takes an event-driven approach to risk. It seeks to model external variations that affect schedule, budget and scope on projects. Traditional risk management focuses on what Walter Shewhart called “assignable cause” variation (Deming renamed this “special cause”). The model is simple: try to build a list of external events that might occur; assess the impact and likelihood of occurrence; assess the cost of mitigation options; decide whether to mitigate (reduce the chance of occurrence) or create a contingency plan (to recover in the event of occurrence).

Most of the agile risk management articles surveyed look at how to implement traditional risk management in a more agile way. They address how to fit risk management into iterative, incremental development and how to assess and manage risks in a collaborative, transparent manner. There appears to be no literature that discusses how to apply agile and lean ideas that revolutionize risk management.

Meanwhile, traditional (non-agile) project scheduling techniques treat all tasks homogeneously from a risk management perspective. Elementary scheduling techniques do not account for variance in task completions, e.g. the Gantt chart technique. More advanced techniques (PERT, Critical Chain, Last Planner) account for variation and provide some risk mitigation against chance (or common) cause variation through time buffering. However, these techniques still tend to treat all tasks homogeneously from a risk perspective.

Project risk management literature does not appear to have advanced much in the last 30 years.

New Approaches

The application of Lean pull systems (kanban) and Real Options Theory in agile methods is providing new sophisticated means to manage overall business risk in technology projects and software delivery.

This tutorial will describe in detail 3 techniques that have evolved in the kanban community that provide improved project flexibility and business agility together with increased sophistication in risk management.

(1) Using classes of service based on cost of delay/failure functions

Classifying customer-valued deliverables according to the cost of delay (or failure) function allows different prioritization policies to be implemented on the fly by self-organizing teams, significantly reducing the business risks of late delivery. This scheme classifies customer deliverables such as user stories heterogeneously according to the loss incurred due to late delivery. Assigning different colored sticky notes or index cards according to the classification allows team members to quickly assess risk and pull the most important item through the system in a self-organizing manner.

Four example classes of service will be presented, along with their related pull system policies (for prioritization and scheduling). The examples are: expedite; fixed delivery date (unit step cost of delay function); quantitative value delivery; and qualitative value delivery. Other classification schemes are possible and would be domain specific.

(2) Iteration Backlog selection based on market risk

This scheme allows for classification of customer-valued deliverables into 4 categories that are aligned with strategic planning and marketing objectives, namely: commodity (or table stakes); differentiator; spoiler; and cost saver. Features or user stories in each category exhibit different risk of change (deletion from scope, or change in definition) due to market conditions during the lifetime of the project, prior to release. The variance in market risk can be used to quickly prioritize iteration backlogs and target backlog items for iterations within an overall project schedule. The scheme mitigates the risk of rework (or waste) caused by changes in scope associated with changing market and business conditions.

(3) Risk-based Portfolio Management

This scheme allows the balance of resources and funding across a portfolio of projects or business initiatives based on the alignment of a project or development initiative with the strategic positioning of the business and its desired risk exposure.

Projects can be classified into 3 categories: cash cow; mainstream developing market; and emerging market. Portfolio management is conducted similarly to investment portfolio management, by balancing investments and risk according to the risk preference of the investor. Resources and funding are allocated according to the desired risk profile, and kanban systems are established for each line of business (or business initiative). Market releases (or projects) are defined to release value optimally based on the transaction and coordination costs of making such a release.


These three techniques combine elements of Lean Thinking and Edwards Deming’s New Economics (cost of delay/failure functions; waste in the form of transaction and coordination costs, rework or scrap), Real Options Theory and Decision Tree analysis to provide methods that enable simple, fast, and often self-organizing approaches to maximize business value and manage risk throughout a portfolio and the project lifecycle.


Most of this material has been previously presented anecdotally as part of presentations on kanban. Some of it has been documented at as blog posts. However, this tutorial will pull it all together, formalize it as a risk management approach and refine and develop some of the ideas.

The material is therefore new in this format but based on work and presentations given over the last 2 years.

The presentation will likely be trialed at various smaller venues prior to Agile 2009, in the first instance at the kanban conference in Miami in February 2009 to an audience of perhaps 50 people. Other opportunities for rehearsal performances will be available at local events such as the San Diego XP Users Group in May 2009.

Reference Material

Survey of online articles on agile risk management

Appelo, Jurgen, Cottmeyer, Mike, Cottmeyer, Mike, Cottmeyer, Mike, Fitzgerald, Donna, Griffiths, Mike, Rangaswami, JP, Smith, Preston and Roman Pichler, Thomas, Steven,

Learning outcomes
  • The attendee will take away three easy-to-use techniques that improve risk management in agile projects and assist risk management in collaborative and self-organizing teams. Each technique addresses a different problem in agile project delivery.
  • (1) Using classes of service based on cost of delay/failure functions addresses prioritization and iteration backlog (or kanban pull) selection, and helps to minimize waste through reduced estimation effort.
  • (2) Iteration Backlog selection based on market risk addresses how to forward plan a series of iterations based on a simple classification of features.
  • (3) Risk-based Portfolio Management provides a simple method for resource and budget allocation across a portfolio of projects.