SOCIETY | Sep 13, 2018

Agility and systemic risk management

The extent to which and how an agile mindset can help prevent problems and accidents

“If you don’t actively attack the risks, they will actively attack you”
Tom Gilb

In their recent articles in Ingenium, Chiara Ruffino and André Chaussod addressed a topic of crucial interest: how innovation and digital transformation can contribute to the management of environmental risk. Intelligent sensors placed throughout a territory generate continuous streams of heterogeneous data, with which to activate event correlation, calculation of metrics and statistics and predictive calculations.

If we can do it for hydrogeological phenomena, for fires and for intense weather events, we could (and should) also do so in relation to human, material and immaterial works and more generally all production and service processes.

For example, let us consider the management by a company or a public administration of its software application range. This can no longer be limited – as still happens in most cases – to a set of “silos” of activities that are unrelated to each other. Development activities distinct from maintenance activities. Those of evolution distinct from those of adaptation.

The goal is not to gain efficiency on every single service according to a “divide and rule” logic, but the more general one of constantly improving the quality of the entire application ecosystem, increasing the business value that this generates for the organization.

To be more straightforward, rather than the half-yearly report produced by IT that shows how quickly and efficiently problems and bugs have been solved by technical support, what should matter to the CEO is how many fewer corrective actions were needed compared with the previous semester thanks to “preventive” developments and evolutions which, by improving the quality of the software, have reduced defects and, at the same time, the probability and impact of the negative risks associated with possible malfunctions.

It is only the manifestation of a ubiquitous and general law of common sense, according to which the cost of prevention of a problem will always be much less than the cost of resolution. This applies to both intangible objects (software) and material infrastructures (highways and bridges). The tragic events of this summer in Bologna and Genoa have reminded us of this in an abrupt and dramatic way.

Prevention and risk: Cassandra and Mister Wolf

Prevention therefore, but any form of prevention comes from an analysis of risk which, in turn, is a conceptualization of the degree of uncertainty inherent in any activity or initiative. A risk is simply an “uncertain” event, with a certain probability of occurring and capable of determining impacts. If these are negative, we talk about “threat”; if they are positive we talk about “opportunities”.

Most confirmed problems represent the evolution of threats (negative risks) that are not considered or mismanaged. As long as they are risks, they are things that “could” happen. However, when they occur, they cease to be hypothetical and become a reality to be addressed.

Today, with our ability to manage Big Data and our amazing predictive algorithms, we are technically able to build dashboards for comparing data and trends, hypothesize scenarios and build risk maps about practically anything. But, as always happens, the solution is not (only) technological. No new injection of technology can improve processes that were designed when this did not exist and for this reason must be redesigned. Risk Management is not a set of more or less sophisticated instruments. Risk Management is a set of management processes and, first of all, an attitude.

Usually, anyone who tries to worry deliberately about what might happen is considered a jinx. Like Cassandra, when she warned everyone about the risks they faced by bringing that strange wooden horse inside the walls of Troy. Nobody paid her any attention and we know how it ended.

In Greek mythology like in modern business, prevention, anticipation and planning were never considered sufficiently sexy activities, while “solving problems” is.  The proof? For any professional position, companies and recruiters continue to ask candidates for “strong problem-solving ability“. I have never seen a job posting in which they were looking for someone with a “strong attitude for preventing and avoiding problems“.

Confiding in our ability to save the situation with a brainwave makes us feel like Mister Wolf in Pulp Fiction (“I’m Winston Wolfe. I solve problems” cit.). A problem fixer, a cleaner, who solves critical situations under pressure of the result with class and efficiency.

In reality, acting like this panders to a basic managerial laziness, because it puts off any question to a later date, according to the precept dear to many managers of “why worry about it now? If the problem then arises, we’ll handle it …“.

This “reactive” approach, based on the ability to mitigate the effect of the problem, even with temporary workarounds while waiting for a definitive solution, not only results in higher costs but does not guarantee success. When the problem occurs with an anomaly or an accident, we will have no certainty of having the capacity and resources to cope with it “in that moment”.

It is therefore of fundamental importance to try to change the culture and mentality of organizations, promoting a proactive approach, ideally even predictive, where the aim is to anticipate the problem or intercept it as soon as possible to be able to defuse it as well as possible. The tool for doing this is Risk Management.

Managing risk with agility

Any managerial discipline – from Project to Program to Portfolio Management – defines specific risk management processes, identifying canonical deliverables, roles and responsibilities that it would be opportune to integrate into all the operational and business processes of public and private organizations.

Analyzing risks forces us to think of a problem before it occurs, overcoming the laziness of “if anything we manage it” which, after all, is only a manifestation of resistance to change.

Change and innovation frighten, because they force people and organizations to leave their comfort zone. It’s only human. It takes so much to understand a context, give ourselves rules, write procedures and identify best practices that the thought of calling something into question pushes us to inaction. The problem, however, is that even if we decide not to change “because we have always done so and look where we have arrived …”, it will be the context in which we move that changes. Continuously. And faster and faster.

Change is the only constant“, said Heraclitus of Ephesus twenty-five centuries ago. Continuing to do always in the same way, crystallizing frameworks and practices, will no longer have the same effect on scenarios that have changed in the meantime.

It is necessary to govern change by managing uncertainty and associated risks

There are two ways to do this. The first, which responds to a traditional management approach, is the “predictive/deterministic” way that has been proposed for years in various variants by analysts and consultants. A sequence of phases consisting of a detailed evaluation of AS-IS, detailed definition of TO-BE, analysis of the gap to be crossed, careful and punctual planning of interventions, implementation. The modality with which change is dealt with is of the “big bang” type, with the release of results at the end of the entire process.

Wanting to make a comparison, it’s like planning a trip by plane. The route is defined at the beginning, based on precise directions, and control is centralized.

The second approach is the “adaptive/agile“ approach, where you try to reduce the risk associated with taking the wrong direction on the basis of initially still incomplete information, organizing the process of change in iterative work cycles. Each cycle brings home a partial result that increases the previous one, with the advantage of being able to more easily make adjustments between one iteration and the next.

Continuing with the previous comparison, it’s like planning a trip by car. The route initially established can easily be changed according to need, depending on contingencies (traffic conditions, road closures, etc.), and control is distributed. It is the occupants of the car (the team) who decide, not the control tower.

Speaking of “agile” usually refers to specific methodologies developed in the context of software projects since the second half of the ’90s (Scrum, XP, DSDM, etc), whose values ​​and principles were established in 2001 by the Agile Manifesto. The reason for their success is that they proved to be more effective in managing intangible production projects, characterized by a greater degree of risk and uncertainty. In other words, in certain production and service scenarios, agile methods defuse certain recurrent threats, such as the difficulty of consolidating a set of detailed requirements in the initial work phases.

However, the agility that is needed is not just the methodological one, circumscribed to a framework and a specific sector. The agility needed is first of all etymological, the ability to easily change one’s operating parameters to adapt to volatile, uncertain, complex and ambiguous environments and contexts (VUCA: Volatility, Uncertainty, Complexity, Ambiguity). Before expressing yourself with techniques, the agility that is needed is a mindset, a personal and organizational attitude that overcomes laziness and moves towards change and continuous improvement, one step at a time, slowly but unceasingly.

It is not enough to “do things” in an agile way by applying a method. It is necessary to be agile. For a company or an administration this means (re)organizing through the downscaling of activities, with small cross-functional teams working on tasks within iterative work cycles, with the obsession of releasing the “greatest value possible as soon as possible”, coordinating the work through interactive networks.

With this different modus operandi, contrary to what a superficial reading might suggest, planning continues to play a fundamental role. Being agile and adaptive does not mean improvising or navigating on sight. This misunderstanding can generate a cure worse than the disease. Planning means trying to anticipate, forecast, prevent problems by analyzing and assessing risks. It is only a question of spending the right planning commitment at the right time.

The predictive/deterministic approach largely concentrates it at the beginning of an initiative, trying to get a picture of maximum detail at the outset, and then try to respect it by deviating from it as little as possible. The agile/adaptive approach does not involve less planning, it simply spends it differently, operating at a high level in the initial phases and at a level of detail distributed evenly along the entire timeline of the initiative.

The adaptive planning that characterizes the agile mindset thus becomes an intrinsic factor in risk reduction. The iterative work cycle and the less formal and more frequent communications multiply the moments of comparison and control, postponing the choices until when more information is available, according to a principle of late decision.


In terms of the environment as in other areas, many managerial and administrative choices are subject to an emergency logic, of reactive problem solving. Technological innovation alone is not enough. We are able to collect huge amounts of data, process them analytically and bring them to dashboards to make more informed decisions, anticipating problems and assessing scenarios, but all this does not lead to appreciable results without a real aptitude for prevention.

Preventing a problem costs much less than solving it and prevention crosses the path of Risk Management in a natural way. Identifying and analyzing risks allows us to face the uncertainty inherent in any business or initiative. It is not enough to hope that things work out for the best: it is necessary to overcome laziness by setting in motion a change to adapt ourselves in an agile way to ever more dynamic and changing scenarios.

However, agility does not end with the learning and practice of one of the many methods, like Scrum, circumscribed to well-defined areas. It is necessary to construct an attitude to agility, a mindset which, by operating in an adaptive way and with a view to continuous improvement, becomes a factor in reducing risk by design.

Agile transition is a particularly challenging and demanding goal for any organization, be it a company or a PA, but there is good news. There is no need to start bloody revolutions, to necessarily imagine three-year or five-year plans. Values ​​and principles of the agile mindset can be introduced progressively, also in an incremental and iterative way, starting from projects and initiatives in the most critical areas, taking the bull by the horns and obtaining quick wins in a short time, then spreading and extending to the whole organizational and operational dimension.

As Lao-Tzu would say: “A journey of a thousand miles begins with a single step“.

Marco Caressa