




Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The lack of formal risk management techniques in Agile software development methods, specifically Scrum. The authors conducted a survey to understand current practices in agile project management and propose the integration of PRINCE2 risk management framework with Scrum. The document also highlights the importance of risk management in software projects and the benefits of aligning these two frameworks.
Typology: Study notes
1 / 8
This page cannot be seen from the preview
Don't miss anything!





DOI : 10.5121/ijsea.2015.6107 81
There is a lack of formal risk management techniques in agile software development methods Scrum. The need to manage risks in agile project management is also identified by various authors. Authors conducted a survey to find out the current practices in agile project management. Furthermore authors discus the new integration framework of Scrum and PRINCE2 with focus on risk management. Enrichment of Scrum with selected practices from the heavy-weight project management methodology PRINCE promises better results in delivering software products especially in global development projects.
Project Management, Risk Management, PRINCE2, Scrum, Agile
Agile methods grew out of the real-life project experiences of leading software professionals who had experienced the challenges and limitations of traditional waterfall development methodologies on projects after projects. The agile development frameworks are widely used and they don’t contain any risk management techniques because it is believed that short iterative development cycles will minimize any unpredictable impact related to product development [1], [2]. However in larger projects or during development of complex products, especially in the global environment, the need of proper risk management is required. From the audit perspective, there is the clear control requirement “BAI01.10 Manage programme and project risk“ defined by COBIT 5 that requires that project risks should be systematically identified, analysed, responded to, monitored and controlled. Additionally the risks should be centrally recorded [3, p. 125]. Additionally, controlling risk in software projects is considered to be a major contributor to project success [4].
The need to manage risks in agile project management is also identified by various authors. The SOA principles from the agile project management perspective were used to create a framework for understanding agile risk management strategies for global IT projects [5]. Main risk models and frameworks used by software engineers are discussed with conclusion that the risk management steps are required for delivery of quality software [6], [7]. Agile methodologies don’t cover the risk management knowledge area that can be taken from project management frameworks like PMBOK [8]. Risks related to global software development projects using Scrum have been researched and a conceptual framework to mitigate them designed [9]. Also the increasing variety of security threats should be managed as risks in the agile development projects [10], [11].
The authors of this paper prove that this lack of risk management techniques in agile development can be fixed by aligning risk management techniques between project management framework PRINCE2 and agile product development framework Scrum. However the traditional risk management is heavily centred on documentation and agile development principles tries to avoid any unnecessary documentation and focus more on people iteration [12].
2. PRINCE2 RISK MANAGEMENT PROCESS
Prince2 provides a disciplined environment for implementation of risk responses based on identifying and assessing project risks. Lack of the proper risk management is the one of the leading factor, why the projects failed [13]. Risk management within PRINCE2 methodology contains three dimensions: risk management strategy (how risk management will be embedded in the project management activities, what is the risk tolerance and when is the exception triggered); Risk register as a tool for capturing and maintaining information of identified threads and opportunities (Project Support will typically maintain the Risk Register on behalf of the Project Manager); and a risk management procedure [14].
The project risk management process recommends 5 steps: identify, assess (estimation and evaluation), plan, implement and communicate. The first four steps are sequential, with the ’Communicate’ step running in parallel; As well as techniques for identification, risk estimation and evaluation techniques and thread responses (avoid, reduce, fallback, transfer, share, accept). In the implement step, the risk owner and the risk actionee roles are defined. The risk owner is a named individual who is responsible for the management, monitoring and control of a risk, while the risk actionee is an individual assigned to carry out a risk response action or actions to respond to a particular risk or a set of risks. They support and take direction from the risk owner.
3. RISK MANAGEMENT IN SCRUM
Scrum doesn’t define the formal risk management process or even the risk owner. However every Scrum artefact or meeting potentially help to identify or mitigate risks. The list of artefacts and meetings with related risks is described for example in [15]. If the Scrum master, the product owner or the development team want to manage risks in a more formal or in a more proactive way then they can use for example a simple risk register [1] or a risk burn-down chart [16]. If they do so then it will be recommended to prioritize the highest-value and highest-risk requirements first in the upcoming sprint [15].
In the Scrum guide [17] there is a concept of impediments. The impediment can be anything that keeps a team from being productive. From risk management perspective the impediment is equal to an issue (a materialized risk). The Scrum master is responsible to solve these impediments and let the development team work in effective environment.
The other risk management model, mentioned in [18], combines the PMBOK approach with Scrum. The author suggests using a risk board with two kinds of notes. The red notes are used to describe the risks and the yellow ones to describe the risk responses. Another good example how risks can be potentially mitigated in Scrum (such an intrinsic schedule flaw, specification breakdown, scope creep, and personnel loss and productivity variance) is mentioned by [19].
Some techniques have been developed to support the story prioritization based on inherit risks, for example the story-risk prioritization matrix [20] or the risk burn-down technique [21].
Figure 2. Risk Meetings. Source: The survey conducted by authors.
The last question was formulated as “Do you think that agile development frameworks should be enriched by the risk management techniques from the project management framework?” The majority of respondents (60%) think that the enrichment would be helpful and 40% think that there is no value in this enrichment.
5. TAILORING OF PRINCE2 PROJECT AND RISK MANAGEMENT TO MEET
THE SCRUM APPROACH
At first, integrated process model should be created for tailoring the PRINCE2 project management process model to meet the Scrum approach. This conceptual model has been developed and it is described in [22]. In this paper this model was further reviewed, slightly modified and key meetings (ceremonies) and documents highlighted in red, see the Figure 3.
Corporate orProgramme
Project Board
Project Manager
Scrum master
Project Mandate
Starting Up a Project
Initiating a Project
Directing a Project
Controling a Stage
Managing a Stage Boundary Closing a Project
Closure Notification
Project Brief & Business Case
Project Plan
Authorization
Development Team
Product Owner
Facilitating Scrum
Creating Initial Requirements
Delivering an Increment
Sprint Planning
Daily Sprint
Sprint Review
Product Backlog
Spring Backlog
Defining, Prioritizing and Communicating Requirements
Burndown report
Sprint Retrospective
Product Increment
HighlightReport End Stage Report End Project Report
Weekly Status Meeting
Figure 3. Process model integrating PRINCE2 and Scrum frameworks with highlighted risk meetings. Source: Authors.
The sprint planning meeting is the key meeting where the risks are identified. These risks are mostly related to the stories/software features that will be developed in the coming sprint. Based on the risk-story prioritization technique [20], the high-risk stories should be selected first and developed first. All the risks related to the developing features should be adequately assessed and evaluated by the development team. The risk attributes that are mostly used are: risk exposure, mitigation actions, likelihood, responsible person and financial impact (based on authors’ survey).
The weekly status meeting should contain the review of the current sprint risks. This meeting should be led by the project manager. The Scrum master should also participate in this meeting because he/she has the overview of the risks and other impediments the development team is facing to. It is a good practise to invite also risk actionees who can comment on progress for the critical risks or risks with the lowest risk proximity. As a suitable technique for reviewing the total sprint risk exposure can be the risk burndown chart [21].
conceptual framework is extended by mandatory or optional risk related tasks that are done during the Scrum meetings. The major Scrum meetings and their relations to risk management activities have been discussed. The benefits of agile – scrum risk management include improving capacity to manage project uncertainties on the product delivery level and enhance communication of risks within the entire project organization.
REFERENCES
[1] D. G. Edzreena Odzaly, “Lightweight Risk Management in Agile Projects,” Proc. Int. Conf. Softw. Eng. Knowl. Eng., vol. 26, pp. 576–581, Jul. 2014. [2] R. L. Rick Dove, “Fundamentals of Agile Systems Engineering – Part 1 and Part 2,” Int. Counc. Syst. Eng. Int. Symp. 2014, 2014. [3] ISACA, COBIT 5 - Enabling Processes. Rolling Meadows, IL 60008 USA: ISACA, 2012. [4] P. L. Bannerman, “Risk and risk management in software projects: A reassessment,” J. Syst. Softw., vol. 81, no. 12, pp. 2118–2133, Dec. 2008. [5] O.-K. D. Lee and D. V. Baby, “Managing Dynamic Risks in Global It Projects: Agile Risk- Management Using the Principles of Service-Oriented Architecture,” Int. J. Inf. Technol. Decis. Mak., vol. 12, no. 6, pp. 1121–1150, Nov. 2013. [6] S. S. Limkar and V. P. Bhosale, “Software Project Risk Management,” in Proceedings of the 5th National Conference; INDIACom-2011, New Delhi, 2011. [7] S. C. Misra, U. Kumar, V. Kumar, and M. A. Shareef, “Risk management models in software engineering,” Int. J. Process Manag. Benchmarking, vol. 2, no. 1, pp. 59–70, Jan. 2007. [8] M. N. Brohi, “Embedding project management into XP, SCRUM and RUP,” Eur. Sci. J., vol. 10, no. 15, pp. 293–307, 2014. [9] M. A. B. Emam Hossain, “Risk Identification and Mitigation Processes for Using Scrum in Global Software Development: A Conceptual Framework.,” Softw. Eng. Conf. 2009 APSEC 09 Asia-Pac., pp. 457–464, 2009. [10] R. B. M. Siponen, “Integrating Security into Agile Development Methods,” Syst. Sci. 2005 HICSS 05 Proc. 38th Annu. Hawaii Int. Conf. On, p. 185a – 185a, 2005. [11] I. G. Zulkarnain Azham, “Security backlog in Scrum security practices,” Softw. Eng. MySEC 2011 5th Malays. Conf., pp. 414 – 417, 2011. [12] K. Beck, M. Beedle, A. van Bennekum, A. Cockburn, W. Cunningham, M. Fowler, J. Grenning, J. Highsmith, A. Hunt, R. Jeffries, J. Kern, B. Marick, R. C. Martin, S. Mellor, K. Schwaber, J. Sutherland, and D. Thomas, “Manifesto for Agile Software Development,” 2001. [Online]. Available: http://agilemanifesto.org/. [Accessed: 16-Dec-2012]. [13] N. Cerpa and J. M. Verner, “Why did your project fail?,” Commun. ACM, vol. 52, no. 12, p. 130, Dec. 2009. [14] OGC, Managing Successful Projects with PRINCE2: 2009 Edition, 2009th ed. Stationery Office Books, 2009. [15] M. C. Layton, “How to Manage Risk within Agile Management - For Dummies,” Agile Project Management For Dummies, May-2012. [Online]. Available: http://www.dummies.com/how- to/content/how-to-manage-risk-within-agile-management.html. [Accessed: 18-Mar-2014]. [16] S. T. Veethil, “Risk Management in Agile,” Scrum Alliance, 03-May-2013. [Online]. Available: http://www.scrumalliance.org/community/articles/2013/2013-may/risk-management-in-agile. [Accessed: 18-Mar-2014]. [17] K. Schwaber and J. Sutherland, “The Scrum Guide: The definitive guide to Scrum: The rules of the game.” SCRUM.org, Jul-2013. [18] V. Ylimannela, “A model for risk management in agile software development,” 16-Mar-2012. [Online]. Available: http://www.cloudsw.org/under-review/a6f468c9-4857-4206-96ee- f67df0583d41/file_initial_version. [Accessed: 18-Mar-2014]. [19] V. Morris, “Managing Risk in Scrum, Part 1,” SolutionsIQ, 28-Oct-2011. [Online]. Available: http://www.solutionsiq.com/resources/agileiq-blog/bid/70560/Managing-Risk-in-Scrum-Part-1. [Accessed: 18-Mar-2014]. [20] A. Arora and C. Naresh, “A Risk Based Story Prioritization Technique In An Agile Environment,” Int. J. Adv. Found. Rese Arch Comput. IJAFRC, vol. 1, no. 7, pp. 16–25, 2014.
[21] M. Singh and R. Saxena, “Risk Management in Agile Model,” IOSR J. Comput. Eng., vol. 16, no. 5, pp. 43–46, 2014. [22] M. Tomanek, R. Cermak, and Z. Smutny, “A Conceptual Framework for Web Development Projects Based on Project Management and Agile Development Principles,” 10th Eur. Conf. Manag. Leadersh. Gov. ECMLG 2014, vol. 10, pp. 550–558, Nov. 2014.
AUTHORS
Martin Tomanek graduated from applied informatics at the Faculty of Informatics and Statistics, University of Economics, Prague. Currently, he is PhD student at the Department of Systems Analysis, Faculty of Informatics and Statistics, University of Economics, Prague, where he develops the integrated framework based on PRINCE2, Scrum and other best practices used in SW development area.
Jan Juricek graduated from applied informatics at the Faculty of Informatics and Statistics, University of Economics, Prague. Currently, he is PhD student at the Department of Systems Analysis, Faculty of Informatics and Statistics, University of Economics, Prague, where he deals with agile principles, objectives and benefits in project management.