Risky Business: A Comprehensive, Agile Approach to Risk Management, March 2025
From the document: "While many Department of Defense (DoD) programs today have an active risk management (RM) framework in place for their cyber-physical weapon systems, most of them are tuned for long-term risks that require significant time and effort to manage. Even if programs are doing a lightweight Agile risk management approach, such as ROAM, which generally has lower costs, it is often siloed from the other traditional RM system [1]. To achieve a comprehensive RM process, organizations need a solution that addresses each type of risk — long- and short-term — because a realized risk can have profound implications for an organization, its clients, and beyond. For example, Equifax, in 2017, provided a cautionary tale when it didn’t update a key security patch — a risk that was known but not properly addressed, and hackers accessed personal data of an estimated 143 million Americans [2].
To protect against this sort of breach and ensure effective RM, we recommend that the traditional approach to managing long-term risks be combined with such Agile RM practices as Risk ROAMing, which organizations like Scaled Agile, Inc. have used to address short-term risks. The DoD references the possibility of combining approaches in its seminal RM guidebook the Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs (the RIO Guidebook) [3].
Aligning with the RIO Guidebook, our recommendation is that a more efficient RM system can be made by using a lightweight approach like Risk ROAMing as the first line of defense against short-term risks and as an iterative and incremental approach to address long-term risks. Additionally, organizations can benefit from the data and insights produced through the Agile process to inform — and adjust — the approach to managing long-term risks. We recommend using Agile best practices as an empirical approach that favors rapid incremental reduction of risk. This approach allows programs to more completely close the smaller risk mitigation steps on a frequent Agile cadence. These risk mitigation steps are decomposed from the larger risk statements. Using this concept, the program can retire technical debt and risk mitigation steps in a timely manner."