Australia Post’s head of risk - technology, cyber, fraud and head of risk - international (acting) group risk security & compliance, Australia Post, Tristan Bui tells us why agility in risk management is a must - not just a ‘nice to have’.
The Agile Manifesto has been around since 2001 and my first true introduction to living and breathing in an agile program of work was at ANZ nearly 8 years ago. Fast forward to today and ANZ is truly moving into a scaled-agile philosophy.
There are not many organisations I can recall that have gone ‘all-in’ on the scaled-agile way of doing things. Often the new ways of working are adopted only by the IT developers or the product development teams within an organisation, and rarely by the enterprise governance, risk and compliance teams, internal audit, or even the PMOs that govern projects. The disconnect and lack of understanding create an environment of distrust and increase the friction between teams.
I’ve always been a believer in ‘don’t knock it till you try it’, so I set out to become a SAFe® 4 Agilist. When I received my certification on Christmas Eve in 2017, I felt the Scaled Agile way of working was missing some guidance on the effective management of risks. That night, as I was having a neat scotch, the Risk Manifesto was born:
De-risking risks over managing risks
The intent here is like the age-old comment from Desiderius Erasmus: ‘Prevention is better than cure’. If you can embed good risk management early so it becomes part of ‘the ways of working’, and design the risks out of your agile programs, then there will be no need to manage the risk. Risk management should not be an afterthought. It should be baked into the definition of done!
Managing risks from the customers’ lens
This is simply the ‘creepy test’. How will the average customer or consumer view the risk, product or outcome you are introducing? How will YOU feel about this risk as an individual? Far too often I see the business care more about financial risks and consequences than about the perceived impact on the customer. As risk professionals, we need to be aware that even when something is legal and compliant, it may not be the right thing to do. The ‘creepy test’ will help you avoid findings from APRA.
The Economics of risk treatments must make sense
Excuse the pun here. Treatments or mitigating activities to reduce risk must make economic sense. Would you pay $2K for car insurance when your old bomb will not fetch more than $1,500 on the market? So why would you put in any controls, treatments or mitigating activities that cost more than the impact of the risk itself? A rational person wouldn’t.
Risk management over risk administration
The generally accepted guidance on risk management is the ISO 31000 standard. There are zero items in this standard that talk about how to administrate risks, so why do I see so many risk professionals doing nothing more than risk administration? If your agile programs are documenting risks as a tick-the-box exercise, or calling out the obvious cover-your-butt risks, then it’s time for a new risk manager.
What are your thoughts? Was the first thing that came to mind ‘this guy had one too many scotches’, or does it really resonate with your experience? I hope the Risk Manifesto can help you on your agile programs. Please share your experiences so we can improve the Risk Manifesto. I have also started to jot down the ‘Principles of Risk Management’ that support the Risk Manifesto.
For more insights from Tristan, be sure to follow him on LinkedIn.