When we consider the sheer scale of disruption caused by the COVID-19 pandemic across all continents and industries, very few would argue that the management of business, financial and technical risk hasn’t now spiked in criticality.

With that in mind, we should also not forget that even at times of highly disruptive change we have the opportunity to innovate our ways-of-working, so: can we embrace Risk Management practices by following an Agile and Lean approach to the underlying framework and its associated workflows?

On past occasions when I asked others the same question, I would summarise the remarks I got back as: “Risk Management isn’t a discipline you’d even remotely associate with Agile ways-of-working… is it?”

Risk Management, especially once we have gone down the path of dissecting regulatory standards such as ISO-27001/2, can be perceived as a bit of a beast with no fertile ground for Agile and Lean methodologies; but that is true only if we exclude the possibility of Agile Risk Management on the sole basis of our first impressions.

The Thought Process

Any operational framework for Risk Management relies on the following components:

  • Identification
  • Assessment
  • Mitigation
  • Monitoring
  • Governance

Effective Risk Management also implies continuous tracking and updating of items typically stored in the following:

  • Risk Register
  • Corrective Actions Register
  • Preventive Actions Register

Reminding ourselves that Agile execution implies slicing work backlogs into smaller, independently manageable work items, we can define the first act, the mission:

Optimise strategic and tactical risk exposure through iterative risk identification and monitoring, risk-aware decision-making by means of continuously supported governance, and an Agile drive of the risk agenda.

Scrum, with its iterative approach to the development and delivery of solutions, is my recommended Agile methodology because it enables time-boxed focus with regard to ownership and resolution.

It also supports a leaner engagement model for stakeholders. If, for example, we consider the owners of risk and action items, these can form a virtual team purposely set up at Sprint Planning whenever the relevant Sprint Backlog has items for which this group of owners must ensure measurable progress on assessment, mitigation and resolution; once “done”, we move on to the next sprint, with a different team potentially assigned each time.

  • Risk Items + Preventive & Corrective Actions registers = Backlog/s
  • Tasks and resolutions planned over a predefined sprint cadence
  • Execution by virtual teams instead of a single and dedicated team

A visual on how the Scrum workflow fits into all this (diagram not reproduced here).
Considering all of the above, we then see the following taking shape.

Value Proposition:

  • Defining a risk management framework based on lean and iteratively run workflows
  • Creating a core ISO-27001 ISMS subject to continuous development/improvement
  • Monitoring and resolution of risk and action items logged in backlog/s
  • Setting iterative check-points with use of metrics and new reporting capabilities
  • Establishing risk rating as a variable in the prioritisation of new business and tech initiatives
  • Iterative coaching of stakeholders to ensure pervasive risk governance across the business

The simple flowchart that follows illustrates key areas for a transition to an Agile way of managing Risk (flowchart not reproduced here).
This concludes my introduction to the mission and value proposition of an Agile Operational Risk Management model; if you wish to follow up on the topic, feel free to reach out over LinkedIn or email (see top header).

Andrew Celi