I’ve got a question: Where do you keep your risks? If you’re doing a project of any significance you have risks, right? That just comes with the territory. Anything that is significantly challenging or meaningful has very likely got some risk associated with it. And let’s also clarify that we’re asking about agile teams. Because we all know that traditional waterfall teams would have some sort of risk register. Risk is just built-in to the waterfall model, so we don’t need to bother those folks.
But if you are an agile team, where do you keep your risks? I’m not trying to be deep about this. Simply put, if I asked, could you show me your current risks? Yes or no? Most agile teams that I ask this question say “No.” Some tell me that they ROAM their risks once a quarter. That’s nice, but looking at risk for 30 minutes every quarter hardly qualifies as effective risk management. And then guess what I ask? Where do you keep those risks you ROAMed in your last PI planning? Uh…we didn’t.
So where are your risks? Now this is the point where some people might get defensive and say that risk management is build into the agile process (insert your flavor here). To which my answer is, if risk management is built in to your process then it should be trivial to show them to me. To that, they answer that risks are always resolved immediately rather than waiting in large batches. OK, there are certainly some risks that are trivial to resolve, but there are many risks that are long term and require more than a little effort to manage. What about those risks? Can you show me those risks? No? Huh.
So what do you do with your risks? If you own them how do you know it? If I asked you what risks do you have today, could you show me?