Risk management in agile organizations

The much-mentioned speed and dynamics refer to the frequently changing needs of customers, stakeholders, etc. In order to withstand the competition with regard to new products/services, efficiency and quality increases, business processes must be adapted in addition to new business models.

Classic process orientation
Hierarchical, functional organizations with a high need for coordination and approval are less and less suitable for this. Decision-making processes are no longer fast and effective enough to react appropriately to the dynamic challenges. Therefore, agile approaches are increasingly used for organizational development as well as for departmental and company-wide change processes. The standard for quality management systems also recognized that these challenges can be met more easily with the so-called process orientation. As early as 2000, it recommended that process orientation be applied "wherever possible". About twenty years later, it is an assumed basic principle (1) and at least in chapter 5.1.2 an explicit requirement.

With the classic process orientation, the focus is on the cross-functional/divisional processes. These are defined end-to-end, i.e. from the initiation of the customer order to the paid invoice. Management responsibility by process owners is also assigned to the process. In this way, a process owner is able to react promptly to new requirements and to adapt the assigned process without having to obtain further formal releases from the line.

Nevertheless, process organizations - with the exception of a few industries such as the automotive industry and automation - have not been able to establish themselves equally. Although companies write process maps with horizontal business processes and nominate process owners, developments and decisions are still mostly made vertically according to functional circumstances.

Agile process orientation
Agile companies, analogous to the process orientation from quality management, also align their strategy with customers and strive for the highest possible customer benefit. This means that they view the company from the customer perspective in all areas. In practice, agile organizations develop network-like structures or bring the process organization as well as the process teams in the direction of the customer with the help of interdisciplinary teams. And because the functional organization does not directly create value, it is likely to be inferior to models such as EFQM (and the enabler-results approach).

The advantages are demonstrably obvious. Team members do not have to familiarize themselves with different fields, but experts from the respective directions can process relevant knowledge more holistically. They are challenged to think in new ways, which means that the ideas and thought processes for individual problems are understood more comprehensively and are also culturally transferred into the organization. This ultimately strengthens identification and commitment within a company and is the cornerstone for sustainable change. Process orientation is therefore not a contradiction to agile approaches and methods.

Man and process
The difference why the application of process orientation with interdisciplinary teams will have a better chance in the future is that with the decision to digitize, agile approaches to change will become necessary. The agile approach assumes that quality is not dependent on processes, but on a higher factor: people. Conversely, this also means that people and not processes (alone) are therefore a quality factor, and this takes them to the center. This action inevitably leads to the currently still missing assertiveness of interdisciplinary teams and process orientation.

It should also be noted that this change must be formally anchored in the company independently of quality management or agile methods. A consistent governance can define relevant rules and guidelines (quality policy, agile manifesto, lean principles, etc.). By means of a consistent risk management, the establishment of a lived process orientation can be strengthened and related risks can be monitored and controlled.

Last but not least, it should be noted that every company has processes that are dynamic and need to be redesigned frequently, and processes that should function as stably as possible over a period of time. When choosing a method, it is important to remember that agile methods are particularly suitable for processes that have to meet complex and dynamic requirements - but less so for processes with high demands on correctness and compliance. These changes have hardly any effect on the process map. Assuming that the process map is not documented in too much detail, the depiction of the value creation processes (service provision, customer or innovation process) remains unchanged. It is only the underlying representation of how these activities are to be carried out, or the nature of the actions, that is highly dynamic due to change. And that is why agile and conventional methods can be combined across different processes to varying extents and degrees.

Risk-based thinking and action
The current ISO 9001:2015 standard for quality management systems is only just catching up in terms of business management approaches with the latest revision and now also explicitly addresses the topic of risk-based thinking and action. However, it rightly leaves the relevant fields of action to the companies.

Risk is the effect of uncertainty and insecurity. The decision of a company management to "go digital" in the future already stirs up uncertainty and existential questions in many people. Even the frameworks with unusual names such as Scrum, LeSS, SAfE, etc. from "distant" software development that have recently been applied for this change sound as unusual as their approaches can seem. It is understandable that the question arises as to whether these approaches take into account the important point of considering risks/opportunities or what other effects they have on elements of the management system.

Agile risk management is lived through a continuous risk management process. For this purpose, measures and reviews are integrated during implementation through continuous learning from failures and successes, and these create room for trust and openness.

There are several examples in Agile of dealing effectively with risks. The foundation here is also the agile manifesto. By dealing openly and courageously with obstacles of all kinds (impediments), risks are tackled together in the Scrum method, for example. Changes, both organizational and related to the performance or the product, are desired. Conversely, this also means that a too precisely planned future is a great risk. Instead, work is done in short time spans (sprints) and one can react to changes at an early stage. Customer wishes are taken into account by considering them at the necessary time during the implementation. Thus, the prioritization of requirements according to importance is maintained.

During project implementation, "obstacles" that represent a risk always arise. These are initially collected and made transparent on boards. Here you will find, for example, the interpersonal problems and organizational obstacles that arise during the collaboration and represent a risk to achieving the goals. Through discussion (user stories), the team creates a common understanding for each and everything that is of concern. Because it is only through the pictures of all participants that the multi-layered system becomes realistic. The ScrumMaster, as Primus inter pa-res in the team, also has the task of addressing these obstacles across all areas and to positively demand a culture of change across all levels. The core, however, is and remains that this feedback does not happen once, but continuously until the end.

The question of "why
The agile manifesto presented in the previous issue could give the impression that quality issues such as processes, tools, and documents are becoming less important due to all the soft criteria. Also, the opposite impression could arise that due to unprecedented evaluation possibilities, decisions are made based on numbers, data and facts in such a way that the soft aspects are completely disregarded. Certainly, both risk potentials are not unfounded. But the following approaches in agile projects counteract this: As strong as the fast time focus is, as strong the value-oriented culture is lived in agile projects. For continuous learning from failures and successes, rituals and reviews are integrated even during implementation, and they create space for trust and openness. Another difference to previous reviews is that the focus is not on "what worked/what didn't work", but on the question "why does it work?/why doesn't it work?

With these explanations, it becomes clear that, in addition to the known data protection risks, culture is one of the main risks for agility in the company. Accordingly, it is not enough for management to want to keep pace with change and to apply new approaches for this purpose. For the above-mentioned ways of dealing, a new (risk) culture is also needed, which must be systematically planned and whose change must be measured and controlled in terms of its effectiveness. Planning should create a common understanding of risk appetite at the management level. How many risks does the management want to take on the way to change? Which risk limits (heat map) should be considered? Only after these answers have been given can it be planned which awareness-raising measures for this awareness among employees will be target-oriented. And only after the introduction of these awareness-raising measures can the corresponding attitude of employees be assumed.

If one approaches the topic of risks with this systematic approach, one does justice to the claim of the standard requirements and quality management principles of "appropriateness" and "risk/opportunity-based thinking/action". If one views this opportunity with uncertainty, scepticism or even disbelief and therefore does not consider it for the company, this may, conversely, represent a strategically greater risk as far as the future success of the company is concerned.