Managing risk in agile organisations

The concept of agility is currently being extended to apply to governance and organisation, business functions such as operations, and corporate support functions such as IT and HR, but what are the implications for risk management?

How should risks be managed in these new and rapidly changing business environments to avoid being seen as an obstacle? Should risk management itself also become agile?

Agility embraced in response to the rapidly changing business environment

Many organisations face a rapidly changing business environment due to a convergence of technological, economic and social-demographic developments. With intense competition in a tough market, organisations are being forced into continuous innovation to remain successful.

In addition, in a rapidly digitising and interconnected world, consumers have near real-time access to all the information they require to compare and buy the products they need. They demand better services and no longer accept standardised products. As customer needs change more quickly, the adoption of innovative new products can be very fast, and this results in shorter product cycles.

New technologies such as blockchain and fintech enable new business models which, together with smart use of data, can deliver a unique customer experience with higher quality service and lower costs. This typically requires considerable change to existing ways of working, systems and organisation, or the launch of a new and separate venture.

Many organisations are looking at or piloting new change methods, pioneered in Silicon Valley and labelled as Agility (which includes Scrum), which help organisations rapidly adopt new technology-oriented ways of working, become more flexible and reduce their costs.

What is “Agility”?

Agility is derived from the “Manifesto for Agile Software Development (2011)” and is based on four main principles which differ significantly from traditional ways of working:

  • Individuals and interaction over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

Agile ways of working have significant organisational implications. This is more than a project management technique – it requires fundamental changes to governance and organisation within business units and the corporate functions supporting them.

  • Agility requires a shift from top down to bottom up; the Frederick Taylor philosophy, focused on efficiency and scale, is dead!
  • Leadership, team supervision, business unit and function management and executive management have to change to enable Agility to succeed. For example, the IT resources supporting a business unit are assigned to dedicated, cross-disciplinary and self-directed teams which work on changes for that business unit. The traditional demand-supply structure between a business unit and the IT department is transformed into an intense, collaborative and dynamic relationship.
  • Agility is not just for start-ups and new companies – it can help large established incumbents to rapidly change and become disruptors themselves.

Implications for risk management and internal control – from saying “no” to saying “how to”

AXVECO’s recent roundtable with CROs and risk management leaders from the major Dutch financial institutions discussed practical experiences and approaches. Risk departments that traditionally focus on risk tools and techniques and a controlling mindset (saying “no”) need to make the transition to helping business teams achieve their objectives whilst respecting risk and compliance requirements (saying “how to”). Some examples are listed below.

From traditional risk and control methods:

  • Static, rigid, top down control frameworks with manual and numerous controls
  • Policies that are rule based and formalised in central structures; procedures and protocols
  • Separate control testing per test goal (SOx, 3402…)
  • Reward and sanctions
  • Risk at end of development process (PARP)
  • Long planning cycles – annual plan for RCSAs
  • Departments and functions
  • Top down management
  • Key focus of risk assessments on systems and processes
  • Risk culture promoted by risk and compliance functions

Towards Agile risk and control methods:

  • Dynamic and changing control framework, based on soft controls and trust; designed into work process; automated and manual controls
  • Policies that are principle based and easy to communicate
  • Reuse of test results for multiple goals
  • Intrinsic motivation and learning
  • Risk integrated into design and development process
  • Multiple short iterations (RCSA backlogs, Sprints etc.)
  • Cross functional teams
  • Self-steering, multidisciplinary teams (bottom up)
  • Key focus of risk assessments on changes and culture/behaviours
  • Strong awareness and sound risk culture in the first line and present in the agile teams

All improvements are great as long as they do not require change…

There are some great examples of risk departments that have completely redesigned their own way of working. Change is hard, however, and many will resist. I think the (shortened) quote below from Machiavelli sums it up quite well.

There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things.

— Niccolo Machiavelli

AXVECO has developed a comprehensive guide for CROs and risk managers that helps them to confidently support the transition to an agile organisation. If you would like to find out more about this then please contact Arjan Udding on or 0611779647