To succeed with digital acceleration, risk professionals will need to transition from outdated methods, argues Mary Carmichael, managing director, risk advisory, Momentum Technology.
We are in the digital acceleration era!
Enterprises are digitising their operations, implementing emerging technologies such as artificial intelligence (for example, ChatGPT), and delivering products and services with a shortened lead time to market in the post-pandemic environment.
To attain digital acceleration—that is, to shorten lead time to market—many enterprises are adopting agile methodologies for project delivery.
Typically, agile projects involve small, nimble teams working in short, iterative cycles known as sprints to plan, build, and deploy solutions.
As enterprises shift to Agile project delivery, it’s essential to reevaluate and adapt control functions, particularly risk management, to stay in step with digital acceleration.
By doing so, risk managers will be equipped to provide relevant and timely advice to risk owners, thereby facilitating the attainment of business value while addressing potential risks.
Friction between risk management and organisational agility
Organisational agility is vital in today’s rapidly changing business environment, but managing uncertainty remains equally important.
As companies expedite new product and service development, integrating risk management becomes challenging, especially in agile projects.
As explored in ISACA’s new whitepaper, Incorporating Risk Management in Agile Projects, Agile methodologies focus on speed and action, whereas risk management emphasises upfront planning and controls, potentially decelerating projects and impeding organisational success.
This misalignment can create friction in various aspects:
Risk management professionals might be involved too late in agile projects, lacking adequate time and understanding to assess risks effectively. Additionally, they may face uncertainty regarding their responsibilities and engagement with the agile project team.
On the other hand, agile project teams might struggle with an intricate web of risk management practices, such as complying with extensive documentation requirements, learning new terminology (e.g., risk appetite, heat maps, risk register), and attending numerous risk workshops. The hierarchical reporting lines associated with risk management could exacerbate these challenges, causing businesses to feel burdened rather than guided towards effective solutions.
For example, a traditional risk management approach may demand comprehensive documentation and sign-offs before proceeding to the next stage of a project.
In contrast, agile projects prioritise continuous delivery of value and rapid iteration, which can be impeded by extensive documentation requirements.
Evolving to agile risk management
The Institute of Internal Audit (IIA) Australia has stated, “While risk management should be a dynamic activity that can quickly pivot to changing circumstances, in practice it seldom is.”
In its white paper, the IIA Australia introduces the concept of “Agile Risk Management,” a mindset and set of practices designed to foster stakeholder engagement and collaboration, transforming risk management into a dynamic and responsive function.
This whitepaper highlights two essential ideas:
Developing a flexible risk management service that adapts to the evolving risk landscape, ensuring prompt and informed advice for the board, audit committee, and senior management.
Utilising Agile techniques, fostering collaboration between risk management practitioners and stakeholders for timely updates and a focused approach. For instance, by using a Kanban board to track risk-related tasks, teams can easily identify bottlenecks, allocate resources efficiently, and ensure timely responses to emerging risks.
Per IIA’s guidance, agile risk management practices emphasise proactive engagement, collaboration, continuous risk assessment, swift adaptation, timely reporting, early detection of emerging risks, and the adoption of innovative techniques and formats.
Adapting to a competitive landscape with agile risk management
To evolve risk management in response to the competitive landscape and support agile projects, several approaches can be employed:
Integration: Engage risk management professionals in Agile teams from the project’s inception, ensuring their involvement in assessing the impact of new products and markets on the organisation’s risk profile.
Agile Mindset: Equip risk groups working with Agile teams with both the necessary skills and an agile-compatible mindset, characterised by adaptability, collaboration, and a commitment to delivering value quickly through incremental improvements.
Three Lines of Defense: Clarify risk management responsibilities across the three lines of defense when collaborating with Agile teams, eliminating overlapping roles and strengthening the first line to empower business units to assume risk ownership within their areas.
Technology: Leverage emerging technologies, such as machine learning and big data, to enhance risk management by integrating controls into processes, scanning for emerging risks, and enabling real-time monitoring of risk events for proactive action.
Demonstrating the value of risk management: what’s in it for me?
To succeed with digital acceleration, risk professionals will need to transition from outdated methods and adopt agile risk management practices.
By highlighting the benefits that stakeholders stand to gain, risk management will be seen as a valuable tool.
Agile risk management helps identify potential risks early, enables faster decision-making, and promotes adaptability, all of which translates into increased organisational success.
When stakeholders can clearly perceive these advantages and confidently answer “What’s in it for me?”, risk management will become an integral part of the organisation’s culture and processes.
Mary Carmichael, CISA, CFE, CPA, is the assistant director of technology risk and assurance at the University of British Columbia (Vancouver, British Columbia, Canada). She leads assurance and advisory initiatives for a technology portfolio spanning a wide spectrum of operations including research, learning and administration.