Agile Network India Pune Chapter conducted an interesting Session Talk on ‘Risk Management in VUCA World‘.
It is scheduled on 29th May 2021 between 10:00 and 10:50 Hours IST.
Abstract: A VUCA world requires new techniques and practices to manage risks, as both the problem and the solution domains tend to be volatile and unpredictable. A paradigm shift is required in terms of empowering teams across the organization to be responsible for effective risk management in a decentralized and collaborative fashion. Further, risk impact has to be looked at from an outcome perspective rather than the traditional output perspective. Applying BizDevOps telemetry for predictive foresight into risks, leveraging an ecosystem of cohesive toolsets, is an emerging trend.
2. INTRODUCTION
Ashwinee is an Enterprise Agile Transformation Coach and Digital Transformation Leader with over 21 years of total IT experience, including 12+ years of exclusive experience driving enterprise Agile and DevOps driven Digital Transformations across geographies (US, UK, Australia, France, India) while working with various Fortune clients and Tier-1 IT Companies. Ashwinee is currently working as a member of the core central transformation team driving a strategic Agile-DevOps based Transformation, designing and implementing the Target Operating Model for entire Lines of Business of a major global Financial organization.
3. SESSION OBJECTIVES
In this session today, let us try to understand:
What is the VUCA World and what challenges do organizations face operating in it?
What are Traditional Risk Management Practices and why do they seem inadequate for the VUCA World?
What New Risk Management Techniques better equip organizations to handle challenges in the VUCA World?
What would make organizations risk overcomers and not just risk survivors?
What are the key takeaways on Risk Management techniques adopted in a Complex Regulatory and Compliance landscape?
7. WHAT IS VUCA WORLD AND HOW IT IS AFFECTING ORGANIZATIONS?
https://www.youtube.com/watch?v=9jd4tq_mwlM
8. Failures in Risk Management:
Nokia, BlackBerry, Kodak, Xerox
Courtesy: http://www.rmmagazine.com/
• Delayed response to major competitor threats
• Failure to identify risks under uncertainty
• Reactive rather than proactive
• Assumption - “This has worked well in past, hence will work in future”
• Inability to gauge fast changing customer preferences
• Complacency
10. VUCA Characteristics Template
V - Volatility
Characteristics: Dealing with unexpected, unstable events / issues probably for unknown duration
Example: World economy and national economy impact due to Covid19 pandemic
U - Uncertainty
Characteristics: Dealing with lack of other info even when basic cause and effect are known
Example: Uncertainty of market reaction due to disruptive technological changes like IoT, Blockchain, etc.
C - Complexity
Characteristics: Dealing with situations flooded with interconnected variables & parts even though some info is available
Example: 3rd party logistics with operations in multiple countries each having unique regulatory environment and culture
A - Ambiguity
Characteristics: Dealing with vague issues with unclear relationships and (unknown) unknowns
Example: Launching new products in emerging markets never explored before
11. LET’S ANALYZE VUCA WORLD CLOSELY
From Dave Snowden’s Cynefin Framework
From Stacey’s Complexity Matrix
12. CHALLENGES MANAGING RISKS IN COMPLEX OPERATING ENVIRONMENTS
• Simple ‘cause-&-effect’ can’t be established
• Elaborative upfront Risk Management for Long-term cycles doesn’t work
• Increasing Risk of missing Business Value generation and meeting customer needs
• ‘Tried-&-Tested’ technology approaches can’t be leveraged due to fast changing Technologies (Eg – Newer types of Cyber security risks due to wider internet adoption)
14. NEW AGE RISK MANAGEMENT PRACTICES - 1/2
Traditional Risk Management vs. New Age Risk Management
• Traditional: Big up front Risk Planning and relying on historical risk database
  New Age: Ongoing risk planning as part of various Agile events / ceremonies and leveraging sophisticated AI Analytics to generate Risk Foresights
• Traditional: Aligned to waterfall based Project Plans
  New Age: Aligned to short timed events, cadence and objective milestones
• Traditional: Centralized Risk Management Function (typically under PMO Group)
  New Age: Distributed & decentralized Risk Management done by everyone involved in Product Lifecycle
• Traditional: Few Risk Management specialist owns and manages Risks (PM / PgM)
  New Age: Collaborative Risk identification and mitigation is practiced using Big Room Planning and managed collaboratively by teams
• Traditional: Output and activity focus rather than quality or need
  New Age: Outcome driven Risk Management focussed on Business Value (linking Business & Customer Outcomes and OKRs)
• Traditional: Traditional RAID Management Tools are used with restricted access and control
  New Age: Risks are transparently managed across ALM Tools
15. NEW AGE RISK MANAGEMENT PRACTICES - 2/2
Traditional Risk Management vs. New Age Risk Management
• Traditional: Big-Bulk Requirement Risks managed through Requirements Traceability Matrix and RAID Log
  New Age: Requirements are Agile and faster feedback loops to validate requirements while MVP and product hypothesis and Design Thinking practices are adopted to align with customer needs to reduce Risks
• Traditional: Regulatory and Compliance domain Risks are managed by means of implementing various Controls and Audits
  New Age: Regulatory and Compliance needs are added as Product Backlog items and managed throughout Product development cycle
• Traditional: Formal RAID reviews only points of actions
  New Age: Addressed daily in Stand ups with immediate action when needed
• Traditional: Whole RAID reviewed every time – high maintenance overhead
  New Age: Reviewed individually at point of impact, or at due date, until resolved
• Traditional: Extensive up front mitigation planning
  New Age: Mitigation planning as needed and at appropriate level throughout product lifecycle
• Traditional: PM / PgM manages Risk in RAID log and publishes periodic reports to Senior Management
  New Age: Team manages Risk Burndown across iterations and gives transparency and visibility to all stakeholders
16. KEY BENEFITS OF NEW AGE RISK MANAGEMENT PRACTICES
• The ability of project to fail early and inexpensively significantly reduces overall project risk as not only the risks are identified early in cycle but the impact on realization of risk is also limited
• The ‘Lean Startup-approach’ of validating ideas and investments before fully committing the spend helps reduce the risk of building expensive and unsuccessful products
• Proactive and ongoing Risk Management helps identifying Opportunities also as potential Risks which could lead to increased Business with timely consideration. Risk identification across different Investment Horizons helps identify newer opportunities
• The culture shift from being reactive to proactive as organization practices New Age Risk Management practices
17. NEW AGE RISK MANAGEMENT CASE STUDY
Organization Context
Global Financial Organization, with one of its main Lines of Business having 3500+ global IT staff
Risk Management Context
• Central Risk Management Function
• Various Control Frameworks
• Separate Risk Audit and Compliance Team
• Risk Planning tied to Project Planning
• Risk being managed and reported across Project Plan’s output milestones
• Lack of visibility and transparency to central risk management function
Changes Introduced
• Adopted de-centralized and distributed Risk Management approach
• Aligned teams to Value Streams and established integrated Risk Management across Value Streams
• Outcome measurements defined and OKRs established for teams
• Risks associated to Value Stream and Program Team’s Outcome and impact measured on OKRs
• Control and compliance requirements added to Product Backlog
• ALM Tools leveraged to track and manage all Risks
Benefits Realized
• Improved Risk Transparency and visibility across stakeholders
• Risk impact calculation became automated and consistent across Value Stream with associated OKRs
• Integrated Risk Dashboards available through ALM Tools with real-time updates for consumption
• Lightweight Compliance and Controls stage-gate checkpoints
New Age Risk Management
Traditional Risk Management
Current state
18. SUMMARY AND TAKE-AWAYS
Collaborative & Distributed Risk Management
• No central team but distributed Risk Management by everyone together
• Teams collaborate in Agile ways of working to identify and manage risks
• Various Agile events and ceremonies leveraged across Organization levels to manage Risks
New Risk Management Mindset and Culture
• Risk Management is everyone’s responsibility
• Threat-related Risks could also enable growth if handled well, hence a mindset change is required
• Risk overcomer rather than just risk survivor
Outcome Focus Risk Management
• Outcome focus helps relate the clear impact of Risk materialization
• Risk Management practices which apply a Systems Thinking approach to Risk Management and do not treat risk handling in silos, since the impact of risks in a VUCA world could fast transform into undesirable outcomes for the organization
Effectively Leveraging ALM Tools & DevOps Telemetry
• Integrated eco-system of well-connected Tools is integral to create a holistic view of all Risks with their Outcome linkage
• Sophisticated DevOps Tools based Telemetry could also be leveraged to provide potentially useful Risk Insights
22. Key organizational outcome metrics of KPI’s
Goal
• Deliver Faster
• Deliver Better
• Deliver Cheaper
Metric and Definition
• Velocity Trends: The pace of delivering value (in story points) every sprint by a Pod.
• Delivery Predictability: What is the ratio of completed vs committed stories / story points for a pod?
• Release Frequency: How often do Pod teams release code (new or modified features) into the Production?
• Mean time to Recover: How quickly do Pod teams recover from a service failure (for both complete and partial disruptions)?
• Lead time to Deploy: How long does it take for Pod teams from building or modifying a feature to deploying it into the Production?
• Volume of Incidents: How many failures (both complete and partial disruptions) do the services in a Pod experience?
• Service Availability: How available are the services with respect to the committed availability targets agreed with the Business?
• Volume of Defects: How many defects are detected during the engineering of applications delivered by the Pod?
• Cost of a Pod: How much does it cost to run the services delivered by the Pod (people, property, licenses, and administration)?
• Cost of Quality: How much preventive and corrective effort is being spent for each release to maintain quality?
Measure
• 15-25% increase over a year
• 25-30% increase from initial baseline
• ~ 20% improvement for shared platform
• ~ 25% improvement
• ~ 90% commitment achievement ratio
• ~ 20% decrease in production incidents
• 100% meeting the agreed targets
• 20-30% decrease in defect leakage
• Active prioritization to create more value per pod cost
• ~ 25% decrease in cost of quality
24. VUCA World: Problem as well as solution landscape is fast changing
Axes: “How well can you predict the outcome of your actions?” and “How much do you know about the situation?”
• COMPLEXITY: Multiple Key decision factors
• VOLATILITY: Rate of change
• AMBIGUITY: Lack of clarity about meaning of an event
• UNCERTAINTY: Unclear about the present
25. VUCA WORLD
Shore: Past Experiences and Current Conditions
Horizon: The Future State
Vision, Understanding, Clarity, Agility
VUCA Quadrangle: Volatility, Uncertainty, Complexity, Ambiguity
27. NEW AGE RISK MANAGEMENT PRACTICES - 1/2
Operating in VUCA World requires following key changes in Risk Management approach over traditional Risk Management practices:
• Traditional: Big up front Risk Planning and relying on historical risk database
  New Age: Ongoing risk planning as part of various Agile events / ceremonies and leveraging sophisticated AI Analytics to Risk Foresights
  Scope Level: Program
• Traditional: Aligned to waterfall based Project Plans
  New Age: Aligned to short timed events, cadence and milestones
  Scope Level: Team /
• Traditional: Centralized Risk Management Function (typically PMO Group)
  New Age: Distributed & decentralized Risk Management done by all involved in Product Lifecycle
  Scope Level: Enterprise
• Traditional: Few Risk Management specialist owns and manages Risks (PM / PgM)
  New Age: Collaborative Risk identification and mitigation is practiced using Big Room Planning and managed collaboratively by teams
  Scope Level: Enterprise
• Traditional: Output and activity focus rather than quality or need
  New Age: Outcome driven Risk Management focussed on Business Value (linking Business & Customer Outcomes and OKRs)
  Scope Level: Enterprise
• Traditional: Traditional RAID Management Tools are used with restricted access and control
  New Age: Risks are transparently managed across ALM Tools
  Scope Level: All
28. NEW AGE RISK MANAGEMENT PRACTICES - 2/2
• Traditional: Big bulk Requirement Risks managed through Requirements Traceability Matrix and RAID Log
  New Age: Requirements are Agile and faster feedback loops to validate requirements while MVP and product hypothesis and Design Thinking practices are adopted to align with customer needs to reduce Risks
  Scope Level: Enterprise
• Traditional: Regulatory and Compliance domain Risks are managed by means of implementing various Controls and Audits
  New Age: Regulatory and Compliance needs are added as Product Backlog items and managed throughout Product development cycle
  Scope Level: Enterprise
• Traditional: Formal RAID reviews only points of actions
  New Age: Addressed daily in Stand ups with immediate action when needed
  Scope Level: Team
• Traditional: Whole RAID reviewed every time – high maintenance overhead
  New Age: Reviewed individually at point of impact, or at due date, until resolved
  Scope Level: Program
• Traditional: Extensive up front mitigation planning
  New Age: Mitigation planning as needed and at appropriate level throughout product lifecycle
  Scope Level: Program
• Traditional: PM / PgM manages Risk in RAID log and publishes periodic reports to Senior Management
  New Age: Team manages Risk Burndown across iterations and gives transparency and visibility to all stakeholders
  Scope Level: Program
Editor's Notes
Simple cause-&-effect based approaches don’t apply in Complex domain
Long-term planning can’t be applied, as it’s changing rapidly, making plans outdated
The Traditional Risk Management practices won’t work ‘as-is’ since detailed upfront planning can’t be done; more adaptive, incremental Risk Management is needed instead
The Risk of not generating required Business Value has increased manyfold in VUCA world and isn’t adequately addressed by Outcome focused Traditional Risk Management approaches
‘Tried-&-Tested’ technology approaches and patterns are less and less applicable due to the fast changing technology landscape, resulting in the rise of newer types of risks (Eg – Newer types of Cyber security risks due to wider internet adoption)
The illustration above outlines the key metrics that are to be measured at each level of the organisation, the enabling toolset and the reason why stakeholders are interested. There is a bidirectional flow of data for key data items from POD level through to enterprise, which makes data upkeep critical to making informed decisions.