.png)
What can you do to make your risk practices both proactive and adaptive?
The pace of change and emerging uncertainty is very high these days. Everything is interconnected, just in time and digitalised. Value chains are disaggregated, creating layers upon layers of complexity. Sometimes organisations have grown organically without many thoughts about overall organisational design and efficiency, leading to increased risks.
In response to these challenges, what I would call “Agile Risk Management” could be seen at the next level of capabilities, or perhaps yesterdays renewed. I feel there is a lot to learn about the agile methodology as applied to project management and some of the principles are already used in credit and market risk management.
This article explores the principles, benefits, and best practices of Agile Risk Management and provides insights into how organisations can embrace agility, adaptability, and responsiveness to effectively manage risks in a rapidly fast-paced environment.
Table of contents
What does Agile Risk Management mean?
I would define Agile Risk Management as an approach to managing risks within an organisation that emphasises flexibility, adaptability, and responsiveness to changing circumstances. It involves continuously identifying, assessing, mitigating, and monitoring risks in an iterative manner, and potentially real-time, rather than relying on periodic or ad-hoc assessments and static mitigation strategies.
At its core, agile risk management builds upon the principles of agile methodology commonly used in project management and software development (see at the end of this article for more details). It prioritises collaboration, empirical learning, and iterative improvement to enable organisations to face uncertainty effectively.
At high level, risk management frameworks could be designed based on the following characteristics:
Iterative Approach: Agile risk management is characterised by iterative cycles of risk identification, assessment, mitigation, and monitoring. Instead of treating risk management as a one-time or a periodic cycle activity, organisations continuously revisit and refine their risk management practices in response to changing circumstances based on (real-time if possible) new information.
Adaptability: Agile risk management prioritises adaptability and responsiveness to emerging risks and uncertainties. Organisations are encouraged to anticipate and prepare for potential disruptions by building resilience and flexibility into their operations and decision-making processes. Moltke the Elder is at the origin of the saying – “No plan survives contact with the enemy” – Though he used this axiom to explain why he had not one but multiple plans at play during wartime, I have always read this it is necessary to be able to pivot and adapt.
Collaboration: Agile risk management fosters collaboration and information sharing among stakeholders across different business functions. By engaging a diverse range of perspectives and expertise, organisations can gain a more comprehensive understanding of risks and develop more effective risk mitigation strategies.
Empirical Learning: Agile risk management emphasises empirical learning and experimentation. Organisations are encouraged to take calculated risks, learn from both successes and failures, and continuously improve their risk management practices based on feedback and insights gained. Stated differently, risk managers are invited to take risk with their risk frameworks.
What type of risks to consider?
As a former trader, I benefited from real-time information to manage my trading positions. This was possible because I operated in a data-rich environment where data and information were readily available in real-time. Stated differently, credit and market risks are already being managed in a quasi-agile way as they meet at least some of the characteristics described below. In my experience, the situation with non-financial risk is more nuanced.
That said, I thought it would be useful to share some thoughts on the characteristics of the type of risks making the best candidates for an agile risk management approach:
High Velocity: Risks with a high velocity, meaning they evolve rapidly or have a quick onset. These risks can emerge suddenly, escalate quickly, and have a significant impact on the organisation if not addressed promptly.
Uncertainty and Complexity: Risks characterised by uncertainty and complexity. These risks may involve multiple interconnected factors, ambiguous probabilities, and unpredictable outcomes.
Emerging Risks: Risks that are novel or emerging in nature. Emerging risks are often characterised by a lack of historical data, uncertain probabilities, and evolving dynamics.
Technological Disruption (and other types of disruption): Technological innovations can introduce new opportunities as well as new risks, including cybersecurity threats, data privacy concerns, and disruptive technologies.
Market Volatility: Risks associated with market volatility, such as economic downturns, geopolitical tensions, and fluctuations in supply and demand. Market conditions can change rapidly, impacting businesses' revenue streams, profitability, and competitiveness.
Regulatory Changes: Risks related to regulatory changes and compliance requirements. Regulatory landscapes can evolve rapidly due to changes in legislation, industry standards, and geopolitical factors.
All these items have in common to be dynamic in nature and to be subject to rapid evolution, often driven by external factors. Considering this list, the types of risks that should be considered for agile risk management could include (in addition to credit and market risks I mentioned earlier):
1. Cybersecurity Risks: Risks related to cybersecurity threats, such as data breaches, malware attacks, and ransomware incidents, exhibit high velocity and uncertainty. Cyber threats evolve rapidly, and organisations must continuously adapt their security measures to mitigate risks effectively.
2. Emerging Technology Risks: Risks associated with emerging technologies, such as artificial intelligence, blockchain, and Internet of Things (IoT), are characterised by uncertainty and complexity. These technologies introduce new opportunities as well as potential risks, including cybersecurity vulnerabilities, data privacy concerns, and regulatory implications.
3. Market Volatility Risks: Risks related to market volatility, such as economic downturns, geopolitical tensions, and supply chain disruptions, require agile risk management. Market conditions can change rapidly, impacting businesses' revenue streams, profitability, and competitiveness. Organisations must be able to adapt quickly to mitigate risks and capitalise on emerging opportunities in volatile markets.
4. Regulatory Compliance Risks: Risks associated with regulatory changes and compliance requirements necessitate agile risk management. Regulatory landscapes can evolve rapidly due to changes in legislation, industry standards, and geopolitical factors. Organisations must adapt their compliance strategies in real-time to remain compliant with changing regulations and mitigate associated risks effectively.
5. Strategic Risks: Risks related to strategic decisions, market trends, and competitive dynamics require agile risk management. Strategic risks involve uncertainty and complexity, as organisations must navigate evolving market landscapes and anticipate potential disruptions. Agile methodologies enable organisations to adapt their strategies quickly in response to changing circumstances and mitigate strategic risks effectively.
6. Operational Risks: Risks associated with operational processes, supply chain management, and business continuity require agile risk management. Operational risks can arise from internal factors, external events, or unforeseen disruptions, impacting organisations' ability to deliver products and services effectively. Agile risk management allows organisations to respond swiftly to operational challenges and mitigate risks proactively.
What are the benefits of Agile Risk Management?
There are many benefits, but four stand out when I look back at my career. I will cover some of these aspects in more details in my upcoming book on risk management and psychological safety.
Enhanced Resilience: Rather than waiting for risks to manifest into full-blown crises, agile risk management allows organisations to anticipate potential threats, implement timely mitigation measures, and prepare contingency plans, thereby reducing the likelihood and severity of adverse impacts on operations, reputation, and financial performance.
Improved Decision-Making: With access to real-time data and insights, decision-makers can assess risks, weigh alternative courses of action, and allocate resources effectively to mitigate risks or capitalise on opportunities.
Greater Agility: Rather than being constrained by rigid risk management protocols or bureaucratic procedures, agile organisations empower employees to take initiative, make timely decisions, and implement agile responses to mitigate risks or exploit opportunities.
Enhanced Stakeholder Trust: Transparent communication builds trust with stakeholders, including investors, customers, employees, regulators, and the broader community, by providing assurance that risks are being managed effectively and that the organisation is well-prepared to address potential challenges.
A step-by-step plan to implement Agile Risk Management
You will find below a proposed step-by-step approach to implement such framework. Regardless of the implementation approach used, developing such new approach to manage risk will only yield positive results if it comes with a supporting risk aware and accountability culture across the organisation.
Step 1: Assess Current State:
Evaluate your organisation's current risk management practices, processes, and capabilities.
Identify strengths, weaknesses, and areas for improvement in existing risk management frameworks.
Step 2: Define Objectives and Goals:
Define clear objectives and goals for implementing agile risk management aligned with organisational priorities.
Determine desired outcomes, such as enhanced resilience, improved decision-making, and greater agility.
Step 3: Establish Leadership Commitment:
Obtain strong leadership commitment to agile risk management from top executives and key stakeholders.
Communicate the importance of agile risk management in achieving strategic objectives and sustaining long-term success.
Step 4: Develop Agile Risk Management Framework:
Develop a tailored agile risk management framework that aligns with organisational goals, industry best practices, and regulatory requirements.
Define clear roles, responsibilities, and processes for managing risks throughout the organisation.
Step 5: Integrate with Agile Methodologies:
Integrate agile risk management practices seamlessly into existing agile project management methodologies.
Align risk management activities with project timelines, objectives, and sprint cycles to ensure effective coordination.
Step 6: Leverage Technology Solutions:
Leverage technology solutions and data analytics tools to support agile risk management processes.
Implement risk management software, dashboards, and reporting systems to capture, analyse, and visualise risk data in real-time.
Step 7: Conduct Training and Awareness Programs:
Conduct training sessions and awareness programs to educate employees on agile risk management principles, practices, and tools.
Provide guidance and resources to build employees' skills in identifying, assessing, and mitigating risks effectively.
Step 8: Pilot Test and Refine:
Pilot test agile risk management practices in select projects or business units to assess effectiveness and identify areas for improvement.
Solicit feedback from stakeholders and participants and refine agile risk management processes based on lessons learned.
Step 9: Scale and Institutionalise:
Scale agile risk management practices across the organisation, integrating them into standard operating procedures and practices.
Establish mechanisms for continuous monitoring, evaluation, and refinement of agile risk management initiatives.
Step 10: Measure Performance and Results:
Define key performance indicators (KPIs) and metrics to measure the effectiveness of agile risk management initiatives.
Monitor and track progress against established KPIs, and regularly review and report on risk management performance to key stakeholders.
Best practices
To effectively implement agile risk management, organisations can follow these best practices:
Establish a Risk-Aware Culture: Foster a culture of risk awareness and accountability throughout the organisation. Encourage employees to actively identify and report risks and provide training and support to enhance risk literacy across all levels of the organisation.
Integrate Risk Management into Decision-Making Processes: Embed risk considerations into strategic planning, project management, and operational processes. Ensure that risk management practices are integrated seamlessly into decision-making frameworks to support informed and proactive decision-making.
Use Data and Analytics: Leverage data analytics and technology to gather, analyse, and visualise risk data in real-time. Use predictive analytics and scenario planning to anticipate potential risks and their potential impacts, allowing organisations to develop proactive mitigation strategies.
Promote Collaboration and Communication: Facilitate collaboration and communication among stakeholders across different business functions. Encourage open dialogue and information sharing to ensure that all relevant perspectives are considered when assessing and mitigating risks.
Monitor and Review: Continuously monitor the risk landscape and evaluate the effectiveness of risk mitigation strategies. Conduct regular reviews and assessments to identify emerging risks, evaluate the performance of existing controls, and identify opportunities for improvement.
At a time of high uncertainty and volatility, Agile Risk Management could become essential for organisations seeking to thrive in a rapidly changing competitive and strategic landscape. By embracing the principles of agility, adaptability, and collaboration, organisations can proactively identify and mitigate risks, enhance resilience, and capitalise on opportunities for growth and innovation. And by integrating agile risk management practices into their operations and decision-making processes, organisations can navigate uncertainty with confidence and emerge stronger and more resilient in the face of future challenges.
Some additional resources on the agile methodology
Agile methodologies are a set of principles and practices used in project management and software development to promote flexibility, collaboration, and responsiveness to change. They emphasize iterative development, continuous feedback, and customer collaboration to deliver value efficiently and adaptively. Agile methodologies, such as Scrum, Kanban, and Extreme Programming (XP), have gained popularity in various industries due to their ability to enhance productivity, quality, and innovation.
Resources for Further Reading on Agile Methodologies:
Agile Manifesto: The Agile Manifesto is a foundational document that outlines the core principles and values of agile methodologies. It provides insights into the mindset and philosophy underlying agile practices. Read the Agile Manifesto
Scrum Guide: Scrum is one of the most widely used agile frameworks for project management. The Scrum Guide provides a comprehensive overview of Scrum principles, roles, events, and artifacts. Read the Scrum Guide
Kanban Method: Kanban is a visual management method used to optimize workflow efficiency and transparency. The Kanban Method emphasizes visualizing work, limiting work in progress, and continuous improvement. Learn more about the Kanban Method
Extreme Programming (XP): Extreme Programming is an agile software development methodology that focuses on delivering high-quality software through practices such as test-driven development, pair programming, continuous integration, and frequent releases. Explore Extreme Programming (XP)