《ISACA:2023将风险管理纳入敏捷项目白皮书(英文版)(23页).pdf》由会员分享,可在线阅读,更多相关《ISACA:2023将风险管理纳入敏捷项目白皮书(英文版)(23页).pdf(23页珍藏版)》请在三个皮匠报告上搜索。
1、RiskIncorporating Risk Management in Agile Projects 2023 ISACA.All Rights Reserved.2INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSC O N T E N T S 4 Introduction 4 /Establishing Competitive Advantage Using Agile 5 /What Is the Role of Risk Management for Agile Projects?5 /What Is Risk?5 /Defining th
2、e Risk Management Process 7 /Achieving Organizational Agility Through Agile Risk Management 8 What Is Agile?9 /Agile Methodology in Practice:Scrum Framework 11 /Scrum Framework:Sprint Cycle Explained 11 How Is Risk Managed in Agile Projects?12 /Difference Between Risk Management for Waterfall and Ag
3、ile Projects 13 Introducing the Agile Risk Management Process 14 /Agile Risk Management Process Implementation 15 /1.Setting Context 15 /2.Identifying Risk 16 /3.Analyzing Risk 16 /4.Determining Risk Response 16 /5.Implementing Risk Response 17 /6.Monitoring Risk 17 Agile Risk Assessment in Practice
4、 Using Scrum Framework 18 /1.Setting Context 18 /2.Assessing Risk 19 /3.Implementing Risk Response 20 /4.Monitoring Risk 20 /Scrum Artifacts 21 Critical Success Factors for Agile Risk Management 21 Conclusion 22 AcknowledgmentsA B S T R A C T Enterprises are digitizing their operations,implementing
5、modern technologies(e.g.,transitioning to cloud)and developing new ways of delivering products and services with a shortened lead time to market to help them succeed in the post-pandemic environment.This increased velocity poses a new challenge for the risk management function as it strives to ensur
6、e strong practices are in place for the planning,development and implementation of new services and products to achieve business value while managing risk.To attain the strategic objective of digital accelerationthat is,to shorten lead time to marketmany enterprises are adopting Agile methodologies
7、for business,technology and process-related projects.Generally,Agile projects have a small,nimble team working to roll out technology and business changes in frequent cycles,known as sprints(e.g.,two-week cycles to plan,build and deploy a solution).As enterprises transition to Agile delivery,they wi
8、ll need to rethink their control functions,including risk management,to keep pace with frequent release cycles.They will also need to develop capabilities to conduct risk assessments and advise risk owners in near real time.To respond to this need,an Agile risk management process can integrate leadi
9、ng practices from project management and enterprise risk management with Agile methodologies to meet the demands of organizational agility.This approach supports enterprises in determining what risk can be accepted as they pursue digital acceleration.This white paper provides guidance for conducting
10、 risk assessment in an Agile context to support decision making.2023 ISACA.All Rights Reserved.3INCORPORATING RISK MANAGEMENT IN AGILE PROJECTS Introduction The increasing rate of change in the global business environment has been compelling enterprises to find ways to bring new services and product
11、s to the marketplace quickly and to enhance the overall digital customer experience with cost-effective results.To keep up or to gain a competitive advantage,enterprises need to have expertise in emerging technologies such as big data,artificial intelligence and robotic process automation.This is re
12、shaping how enterprises compete.It is crucial to be agile and flexible in order to rapidly build and deploy new products and services while scanning for innovations that enhance the customer experience more quickly and at a lower cost.The COVID-19 crisis has brought about years of change in the way
13、companies in all sectors and regions do business.According to a McKinsey Global Survey of executives,their companies respondents to the McKinsey survey have accelerated the digitization of their customer and supply chain interactions and of their internal operations by three to four years.And the sh
14、are of digital or digitally enabled products in their portfolios has accelerated by seven years.11 Establishing Competitive Advantage Using Agile There is an ongoing discussion about whether the linear Waterfall project management methodology or the Agile approach is more useful.There is no clear an
15、swer that is applicable in general,because each has its strengths and weaknesses(figure 1).11McKinsey&Company,“How COVID-19 Has Pushed Companies Over the Technology Tipping Pointand Transformed Business Forever,”5 October 2020,https:/ 2023 ISACA.All Rights Reserved.4INCORPORATING RISK MANAGEMENT IN
16、AGILE PROJECTSFIGURE 1:Waterfall and Agile Project Delivery Differences Waterfall project deliveryAgile project deliveryPlanDesignBuildTestDeployDeployDesignTestBuildPlan However,it appears the pandemic may have spurred a shift toward Agile.If that is the case,it would be helpful to understand the u
17、nderlying reasons.22 The 15th Annual State of Agile Report points to“significant growth in Agile adoption within software development teams,increasing from 37%in 2020 to 86%in 2021.”33 Further,the number of non-software teams adopting Agile methodologies doubled from 2020 to 2021,with 17%reporting A
18、gile use in marketing and 10-16%reporting use in finance and human resources.44 For many enterprises,Agile projects have helped to increase customer satisfaction,shorten time to market,enable innovation and reduce costs.55 What Is the Role of Risk Management for Agile Projects?The findings of the 20
19、20 Standish Group Chaos Study suggest that Agile software projects are three times more likely to succeed than Waterfall,and Waterfall software projects are twice as likely to fail.66 However,it is important to note that“Agile is not a panacea.”77 The need for organizational agility and flexibility
20、has not eliminated the requirement to manage uncertainty,otherwise known as risk.What Is Risk?ISO 31000 defines risk“as the effect of uncertainty on objectives,which focuses on the effect of incomplete knowledge of events or circumstances on an organizations decision making.”88 ISACA defines risk as
21、“the combination of the likelihood of an event and its impact,”a definition that affords opportunities for benefit(upside)as well as barriers to success(downside).99 Risk and opportunity go together.To provide business value to stakeholders,enterprises must engage in many activities and initiatives(
22、opportunities)that carry degrees of uncertainty and,therefore,risk.1010 T Th he e n needeed f fo or r o or rgagan nizaizat tio ion nal al agiliagilit ty y a an nd d flflexiexib bili ilit ty y h hasas n no ot t elimielimin na at teded t th he e r requiequir remeemen nt t t to o maman nageage u uncnce
23、 er rt tai ain nt ty y,o ot th he erwrwiseise knkno ownwn asas r ris isk k.Enterprises do not aim to avoid or minimize risk in todays competitive environment,which is a significant departure from predictive risk management,which requires risk planning up front and favors risk aversion.Instead,“these
24、 enterprises seek to manage risk exposures across all parts of their organization so that,at any given time,they incur just enough of the right kinds of riskno more,no less to effectively pursue strategic goals”1111 and maintain a position that enables them to adapt to new outcomes depending on the
25、risk outlook.Figure 2 shows“this is the sweet spot,or optimal risk-taking zone.”1212 Defining the Risk Management Process Risk management requires an enterprise to define the scope for applying risk management steps(e.g.,achievement of strategic objectives)and set criteria for assessing identified r
26、isk or evaluating its alignment with the enterprises risk taking preference(e.g.,adverse,cautious,aggressive).1313 Figure 3 shows how the ISACA Risk IT Framework,2nd Edition can be used to identify the“sweet spot”through its 22IIBA,https:/www.iiba.org/business-analysis-blogs/why-more-companies-are-m
27、oving-to-agile-during-covid-19/33Digital.ai,15th State of Agile Report,https:/info.digital.ai/rs/981-LQX-968/images/RE-SA-15th-Annual-State-Of-Agile-Report.pdf44Ibid.55Rigby,D.;J.Sutherland;T.Hirotaka;“Embracing Agile,”Harvard Business Review,May 2016,https:/hbr.org/2016/05/embracing-agile66Johnson,
28、J.;Chaos Report:Beyond Infinity,The Standish Group,202077Mersino,A.;“Project Managers Fail to Help Software Projects(Standish Group Chaos 2020),”29 October 2021,https:/ New ISO 31000 Keeps Risk Management Simple,”ISO,15 February 2018,https:/www.iso.org/news/ref2263.html#:text=Risk%20is%20now%20defin
29、ed%20as,on%20an%20organizations%20decision%20making99ISACA,Risk IT Framework,2nd Edition,USA,2020,https:/www.isaca.org/bookstore/bookstore-risk-digital/ritf21010Ibid.1111Curtis,P.;M.Carey;“Risk Assessment in Practice,”COSO,October 2012,https:/www.coso.org/Shared%20Documents/COSO-ERM-Risk-Assessment-
30、in-Practice-Thought-Paper-October-2012.pdf1212Ibid.1313Op cit ISACA 2023 ISACA.All Rights Reserved.5INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 2:Balancing Risk with RewardValue/rewardInsufficient risk takingOptimal risk takingExcessive risk taking“Sweet spot”RiskFIGURE 3:ISACA Risk Manage
31、ment Process Steps Setting contextCommunicationRisk identification and assessmentRisk reporting and communicationRisk analysis and business impact evaluationRisk responseExample type and categories of riskStrategicOperationalIT riskCybersecurityInformation security 2023 ISACA.All Rights Reserved.6IN
32、CORPORATING RISK MANAGEMENT IN AGILE PROJECTS Source:Curtis,P.;M.Carey;“Risk Assessment in Practice,”COSO,October 2012,https:/www.coso.org/Shared%20Documents/COSO-ERM-Risk-Assessment-in-Practice-Thought-Paper-October-2012.pdf.Used with permission.Source:ISACA,Getting Started With Risk Management,USA
33、,2018,https:/www.isaca.org/bookstore/bookstore-wht_papers-digital/whpgsr,page 7,fig.2.risk management process steps.As a starting step,setting the context positions risk to the enterprise within its mission,strategy and objectives to ensure that every process and procedure meets the objectives of th
34、e enterprise and aligns with its risk posture.Next,the risk identification and assessment steps help management understand how significant each risk is to the achievement of the enterprises strategic objectives and to determine how much risk to accept on its behalf,thereby defining enterprise risk a
35、ppetite and tolerance thresholds.These thresholds guide the risk analysis and response decision making that determine what risk will be accepted,mitigated,transferred or avoided.1414 Last,risk reporting and communications steps provide risk awareness for decision makers and stakeholders(including bo
36、ards of directors)to receive timely and accurate risk information on which they can act before the risk is realized as an issue,incident or major crisis.1515 T Th he e AgileAgile r ris isk k maman nagemeagemen nt t prpro oc cessess susuppppo or rt ts s e en nt te erprrprisesises i in n dedet te er r
37、mimin ni in ng g whwha at t r ris isk k c ca an n b be e a acccce ep pt teded i in n t th he e p pu ur rsuisuit t o of f digidigit tal al a accccelaelar ra at tio ion n,c co on nsidesider ri in ng g e en nt te erprrpriseise r ris isk k a appppe et ti it te e a an nd d t toleoler ra ancnce e t thrhre
38、sesh holdsolds.The risk management process is used in determining what risk to pursue and what value to expect in return by addressing the following components of risk calculation:Recognize threats and opportunities for a project to balance the potential reward against the risk incurred in its pursu
39、it.This requires that senior management have an understanding of risk appetite and tolerance.Assess risk to determine the appropriate response strategies(e.g.,accept,mitigate,avoid,exploit)based on risk appetite and tolerance thresholds for risk exposure.Evaluate whether the risk is managed effectiv
40、ely through risk monitoring,ensuring that risk exposure does not exceed tolerance thresholds.Achieving Organizational Agility Through Agile Risk Management As enterprises transition to Agile delivery,they will need to adapt their governance model,including risk management,to keep pace with frequent
41、releases cycles and to develop capabilities to advise risk owners in near real time.T Th he e AgileAgile r ris isk k maman nagemeagemen nt t prpro oc cessess i in nt tegegr ra at teses prprojeojec ct t a an nd d e en nt te erprrpriseise r ris isk k maman nagemeagemen nt t prpra ac ct ti ic ceses w w
42、i it th h AgileAgile memet th hodologiesodologies t to o esest ta ab blislish h a an n adaadap pt tiveive,r ris isk k-d-dr riveiven n a apprpproaoachch f fo or r prprojeojec ct t delivedeliver ry y.The Agile risk management process integrates project and enterprise risk management practices with Agi
43、le methodologies to establish an adaptive,risk-driven approach for project delivery.This process supports enterprises in determining what risk can be accepted in the pursuit of digital acceleration,considering enterprise risk appetite and tolerance thresholds.In addition,this white paper provides gu
44、idance for conducting risk assessment in an Agile context with scrum roles,artifacts and events to support decision making.1414For more detail on risk response,see ISACA,Optimizing Risk Response,https:/store.isaca.org/s/store#/store/browse/detail/a2S4w000004KtiREAS1515Ibid.2023 ISACA.All Rights Rese
45、rved.7INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSWhat Is Agile?In 2001,seventeen software developers drafted the Manifesto for Agile Software Development1616 to propose a novel approach that would efficaciously address the challenges of evolving business needs and requirements in the context of
46、software development projects.The manifesto stresses the importance of having close contact with customers throughout the project,from planning to implementation,to mitigating risk with rework,and to addressing unexpected changes,customer dissatisfaction and unmet business value.The manifesto states
47、 that projects should incorporate a mindset that embraces four values(figure 4).1717 The Agile Manifesto addresses a common challenge in Waterfall projects:Requirements may change during the software development life cycle with implications for schedule,budget,scope and quality.A Waterfall project m
48、anagement approach is predictive,documenting the project plan and capturing requirements at the beginning of the project,creating a higher risk for changing customer needs later.Its delivery focuses on long-term planning,ensuring that the plan is in place and approved before the execution of work be
49、gins.Although changes are embraced,a strict change control system and extensive documentation are required throughout the life cycle.To respond to this challenge,Agile mitigates the risk of changing requirements through persistent contact between the customer and the Agile team.In addition to the fo
50、ur values,the Agile Manifesto articulates 12 principles that enable enterprises to be more responsive and to prioritize collaboration,flexibility and customer satisfaction(figure 5).18181616Highsmith,J.;“History:The Agile Manifesto,”Agile Alliance,2001,https:/agilemanifesto.org/history.html1717Scrum
51、Alliance,“The Key Values and Principles of the Agile Manifesto,”https:/resources.scrumalliance.org/Article/key-values-principles-agile-manifesto1818Ibid.2023 ISACA.All Rights Reserved.8INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 4:Agile Manifesto Values Individuals and interactions over pr
52、ocesses and toolsAgile manifesto valuesWorking software over comprehensive documentationCustomer collaboration over contract negotiation Responding to change over following a planThe methodologies collectively known as Agile reflect the values and principles set forth in the Agile Manifesto.Among th
53、e most well-known are extreme programming(XP),Kanban,lean startup and scrum.In this white paper,scrum terminology is used because it is the most popular Agile methodology,adopted by 66%of the user base(figure 6).1919 Agile Methodology in Practice:Scrum Framework The Scrum Frameworkan iterative,team-
54、based approach to project managementemphasizes the rapid delivery of a solution in an incremental and iterative fashion,focusing on business value and progress visibility.2020 Rather than creating tasks and schedules,thescrum approach boxes time into segments called sprints.Each sprint has a defined
55、 duration(usually from one to four weeks)with a running list of deliverables planned one sprint in advance.21 The Scrum Framework has its own terminology to define its roles,events and artifacts (figure 7).1919Op cit Digital.ai2020ScrumAlliance,“What Is Scrum?”https:/scrumalliance.org/about-scrum 20
56、23 ISACA.All Rights Reserved.9INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 5:Agile Manifesto Principles Achieve customer satisfaction by early and continuous delivery of valuable software.Welcome changing requirements,even in late development.Deliver working software frequently(in weeks rat
57、her than months).Enable close,daily cooperation between the business and developers.Projects are built around motivated individuals,who should be trusted.Face-to-face conversation is the best form of communication.Working software is the primary measure of progress.Ensure sustainable development,mai
58、ntaining a constant pace.Pay continuous attention to technical excellence and good design.Simplicitythe art of maximizing the amount of work not doneis essential.Best architectures,requirements and designs emerge from self-organizing teams.Reflect regularly on how to become a more effective team and
59、 adjust accordingly.FIGURE 6:2021 State of Agile ReportMost Adopted Agile Methodologies Scrum/XP Hybrid 6%Scrum 66%ScrumBan 9%Other 9%Iterative 4%Kanban 6%21West,D.;“Sprint Planning,”Atlassian,https:/www.A Scrum relies on an extremely elevated level of customer involvement and strives to achieve emp
60、irical process control through transparency,inspection and adaptation.Figure 8 illustrates how the scrum roles,events and artifacts interact with each other during a sprint cycle,reinforcing empirical process control.2221 FIGURE 7:Scrum Framework Terminology Sources:https:/scrumguides.org/docs/scrum
61、guide/v2020/2020-Scrum-Guide-US.pdf,https:/creativecommons.org/licenses/by-sa/4.0/legalcode,https:/creativecommons.org/licenses/by-sa/4.0/FIGURE 8:Agile-Scrum Framework Overview 2122Yelkar,Y.;“The AgileScrum Framework,”C#Corner,26 September 2017,https:/www.c- FrameworkFramework TermTermi inologynolo
62、gy Scrum TeamA scrum team has three roles:DeveloperAnyone on the team who delivers work,including team members outside of software development Product OwnerThe team member who holds the vision for the product and prioritizes the product backlog Scrum MasterA facilitator who helps the team best use s
63、crum to build the product Scrum ArtifactsScrum artifacts help manage the work:Product BacklogAn emergent,ordered list of what is needed to improve the product;includes the product goal Sprint BacklogThe set of product backlog items selected for the sprint by the developers(team members),plus a plan
64、for delivering the increment and realizing the sprint goal IncrementA sum of usable sprint backlog items completed by the developers in the sprint that meets the definition of done,plus the value of all the increments that came before;a recognizable,visibly improved operating version of the product
65、The scrum team displays its plans and progress so that all team members and stakeholders can always see what the team is accomplishing.Scrum EventsScrum teams work in sprints,each of which includes events(or activities).The SprintTime segment of a month or less,including planned activities to bring
66、the product closer to the product goal Sprint PlanningEstablishment of the sprint goal,what can be done,and how the chosen work will be completed;maximum of eight hours for a month-long sprint,with a shorter timebox for shorter sprints Daily ScrumInspection by developers of the progress toward the s
67、print goal with adaptation of the sprint backlog and adjustments to the upcoming planned work as necessary;15-minute daily timebox Sprint ReviewInspection of the sprints outcome by the entire scrum team and stakeholders to determine future adaptations;stakeholder feedback on the increment Sprint Ret
68、rospectiveInspection by the team of how the last sprint went regarding individuals,interactions,processes,tools and definition of“done”;identification of improvements to make the next sprint more effective and enjoyableSprint RetrospectiveMeeting for project team and stakeholders to discuss lessons
69、learnedUser Stories From business usersProduct Backlog Maintained by Product OwnerSprint Planning Meeting with Scrum Master and project teamSprint Backlog Identifying features to implementSprint Review To present solution to stakeholders by project teamShippable solution incrementDaily Stand-up With
70、 Scrum Master and project teamSprint Executionby project team(14-week cycle)2023 ISACA.All Rights Reserved.10INCORPORATING RISK MANAGEMENT IN AGILE PROJECTS Scrum Framework:Sprint Cycle Explained Before a sprint cycle begins,the product owner uses information from stakeholders to determine a goal fo
71、r the solution and prioritizes the product backlog(figure 8).During sprint planning,the developers choose prioritized features from the product backlog,decide how they will complete the sprint,establish a time frame for completion,and create a sprint backlog.Once the sprint cycle begins,the team hol
72、ds daily scrum meetings to track progress toward the sprint goal,discuss challenges and plan for the next day.During the sprint,the scrum master maintains the teams focus on the sprint goal and monitors the sprint backlog through a burndown chart that measures the amount of work completed and the to
73、tal work remaining in the sprint,predicting the likelihood of completing the sprint in the time available.The sprint ends with a potentially shippable solution ready to be reviewed and used by the customer.The team conducts a sprint review of the finished solution and a retrospective of the complete
74、d sprint cycle.The cycle repeats itself again with a sprint planning meeting to develop the next solution increment.EaEachch s sprpri in nt t e en ndsds w wi it th h a a p po ot te en nt tiallyially s sh hi ippppa ab ble le solusolut tio ion n r readyeady t to o b be e r revieeview weded a an nd d u
75、sedused b by y t th he e c cusust tomeomer r.Scrum offers several benefits,such as faster solution build time and achievement of business value through defined goals within each sprints time horizon with constant customer contact.This framework involves frequent planning,goal setting and feedback lo
76、ops to help the scrum team focus on the sprints goals,thereby increasing productivity,quality and customer satisfaction.How Is Risk Managed in Agile Projects?Agile does not offer a universal definition of risk or provide a standardized approach to risk management.In fact,as project management specia
77、list Roland Wanner notes,“the Scrum Guide does not explicitly address risk management,except for these brief references:The incremental approach with sprints reduces risk.Sprints increase predictability and limit cost risk to a maximum of one month.Constant“Artifact Transparency”helps optimize(busin
78、ess)value and reduce risk.”2322 However,Agile claims to be risk-driven,and based on its inherent nature and implicit practices,it lends itself to an adaptive risk management style.For instance,the adaptability of Agile projects is a response to uncertainty.T Th he e adaadap pt ta ab bili ilit ty y o
79、 of f AgileAgile prprojeojec ct ts s is is a a r resesp po on nsese t to o u uncnce er rt tai ain nt ty y.For each sprint,the project team defines and builds small increments,“biting off a small chunk at a time,”to eventually deliver the finished solution.Figure 9 illustrates other Agile practices t
80、hat manage risk efficiently.2423 2223Wanner,R.;“How to Manage Risk in Agile Projects,”18 October 2019,https:/ Risk Management,Springer Verlag,Germany,2014 2023 ISACA.All Rights Reserved.11INCORPORATING RISK MANAGEMENT IN AGILE PROJECTS Difference Between Risk Management for Waterfall and Agile Proje
81、cts Traditional project risk management and Agile risk management both perform every step in the risk management process;however,different activities are emphasized depending on which approach is selected.Traditional project risk management,which typically employs the Waterfall approach,emphasizes b
82、ig upfront risk planning,or BURP,by identifying and assessing all risk at the beginning of a project and implementing controls before it proceeds,as shown in figure 10.25 This type of risk planning aims to identify“hypothetical hazards,risk events and/or consequences that can potentially occur in a
83、given situation.”26 Predictive risk management highlights risk forecasting and analysis based on the rationale that when project managers identify and prioritize project risk earlier,they can navigate the risk and prevent it from becoming a problem.27 On the other hand,Agile delivery embraces adapti
84、ve risk management,which“emphasizes keeping risk small by defining,developing,and delivering system functionality iteratively and incrementally allowing teams to handle risks while their potential for project impact is small and to continually monitor risks as solutions evolve and grow.”2824 Further
85、,Agile planning divides the project timeline into increments,facilitating the adaptability of plans if circumstances change for an upcoming sprint.2925 2428Ibid.2529Ibid.2023 ISACA.All Rights Reserved.12INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 10:Predictive Risk Management for Project L
86、ife Cycle In the waterfall project life cycle,risk management is conducted at the beginning of the project through big upfront risk planning(BURP).Risk is captured at Initiation and revisited at Planning stages.Big upfront risk planning(BURP)InitiationPlanningExecutionClosing25Project Management Ins
87、titute,A Guide to the Project Management Body of Knowledge(PMBOK Guide),Sixth Edition,USA,2017.26SMS Pro,“What Is Predictive Risk Management?”https:/www.asms- 27Velazquez,E.;“Traditional vs Agile Risk Management,”Agile Cheetah,16 May 2021,https:/ 29 Ibid.CollaborationThe team meets regularly with th
88、e product owner and discusses how closely the project is aligning with the product goal and identify deviations.SprintsUses short iterations to build the solution in segments with risk being addressed in each sprint.FocusBy concentrating on each sprint separately,the team has a clearer vision of wha
89、t might cause risks for the sprint.FIGURE 9:Agile Practices for Managing RiskDeciding between adaptive(Agile)and predictive(Waterfall)risk management depends on the characteristics of the project,its requirements,and the level of customer involvement.In some cases,predictive risk management(Waterfal
90、l)is a preferred optionfor example,for projects that have well-understood requirements that are not likely to change.In summary,in Waterfall delivery,predictive risk management focuses on conducting risk planning at the start of a project,envisioning what uncertainties can occur throughout the proje
91、cts duration.Agile methodologies“implicit”practices support an adaptive risk management style that involves the project team looking for risk in the sprint cycle through inspection and review activities(e.g.,scrum stand-up and retrospective meeting)and making adjustments.2023 ISACA.All Rights Reserv
92、ed.13INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSIntroducing the Agile Risk Management Process Due to its inherent nature,Agile can mitigate some risk that occurs during the sprint cycle,but this is not the only risk that may occur during a projects life span.For example,in larger enterprises,the
93、re is more risk related to the external,organizational and project environments,including corporate reputation,project financing,user adoption of business changes and regulatory compliance.The risk potential influences the organizational context the Agile team operates in and requires project leader
94、ships involvement to address.Management of this type of risk is not addressed in most Agile literature,which focuses on risk that may occur at the sprint level.Managing risk implicitly and primarily at the sprint/iterative level introduces several risk management shortcomings with Agile projects,suc
95、h as:Limited information available to support risk vs.reward decision-makingpoor understanding of managements appetite for potential risk the project may encounter Lack of risk oversightfailure to monitor projects that have exceeded risk thresholds in relation to the level of risk that an enterprise
96、 is willing to accept or can absorb Inconsistent risk responseslimited understanding about risk in the team,creating inconsistent responses to risk since there is a lack of appropriate controls and triggers3026Unmanaged risk beyond the sprint cycle may cause a project to deviate from the plan and fa
97、il to achieve its objectives.As a result,the effectiveness of the Agile risk management process is linked to project success.One recent proposal to address the unmanaged risk limitation is to adopt an Agile risk management process that includes tailoring Agile methodologies to include project and ri
98、sk management in a manner consistent with the Agile Manifesto and in line with the risk context for the project(e.g.,size,complexity and strategic importance).3127 Education and acceptance are the keys to successfully adding risk management to Agile practices.We need to get people engaged in the pro
99、cess and instill a common understanding of threats as the possibility of negative value.Once people understand this they can answer the question“Where is the next best dollar spent?”more effectively.It might not be on building the next feature from the backlog,but instead avoiding a risk or exploiti
100、ng an opportunity.3228 As shown in figure 11,the Agile risk management process is an adaptive and iterative cycle that is repeated per sprint,enabling continuous improvement.3329 Unlike the waterfall-driven project,it requires specific steps for setting the context and scoping risk management,based
101、30Op cit Moran31Ibid.32Griffiths,M.;“Agile Risk Management,”Leading Answers,12 November 2016,https:/ cit Project Management Instituteon ISACAs Risk IT Framework,2nd Edition.These include risk scoping and tailoring exercises to identify and analyze risk,as well as steps to determine and implement ris
102、k response and maintain risk monitoring through the utilization of Agile practices documented in the projects risk management plan.For example,as part of the Setting Context step,tailoring can identify predictive techniques for managing types of risk that are more strategic and slower paced in natur
103、e(e.g.,project financing).The project leadership works with the scrum team to translate these types of risk into actionable and prioritized work items,with the team having access to risk management tools(e.g.,risk register and reporting)for visibility throughout the sprint cycle.Agile Risk Managemen
104、t Process Implementation The Agile risk management process establishes steps required to control risk in an intentional manner in alignment with the Agile Manifesto,integrating project and risk management techniques with Agile practices to create value while balancing risk and rewards for the projec
105、t.Figure 12 illustrates three key principles to guide a risk-based Agile project.3430 3034Op cit Moran 2023 ISACA.All Rights Reserved.14INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 11:Agile Risk Management Process Setting contextRisk Assessment Identifying riskMonitoring riskRisk Assessment
106、 Analyzing riskImplementing risk responseRisk Assessment Determining risk responseFIGURE 12:Agile Risk Management Principles FlowUnderstanding risk and having response plans enable the project to continue without serious disruption.TransparencyAll risk-related activities and artifacts should be visi
107、ble to the team members at all times.BalanceRisk and reward should be balanced.Ways to generate the same level of value with a lower level of risk should be sought.Multiple Agile risk management processes and tasks are involved in identifying,analyzing and implementing risk-driven activities for an
108、Agile project.1.Setting Context ISACAs Risk IT Framework,2nd Edition,describes planning for risk management as follows:Positioning risk to the enterprise within the context of its mission,strategy and objectives is the first step to ensure every process and procedure that is carried out on a daily b
109、asis meets the long-term business objectives of the enterprise and is in alignment with its risk posture.This is known as setting the context for risk management.Pairing a risk-based approach with a strategic view of the enterprise enables communication and clarification of which uncertainties,or ri
110、sk,have the greatest potential to jeopardize enterprise targets,objectives and mission.3531 Through this exercise,risk management activities for a project will be identified and documented in the risk management plan(figure 13).3632 This process ensures that the degree,type and visibility of risk ma
111、nagement are proportionate to both the risk context and the importance of the project to the enterprise.2.Identifying Risk The Identifying Risk process identifies individual risk threats,sources and vulnerabilities,and it documents their characteristics in a risk register.The risk register provides
112、information to the project team about identified risk(figure 14).3733 FIGURE 14:Identifying Risk Steps 3135Op cit ISACA3236Op cit Project Management Institute3337Ibid.I Ideden nt ti if fy yi in ng g R Ri is sk k SteStep ps s1.Conducting risk identification Engage stakeholders in risk identification
113、activities through interviews and workshops.2.Creating a risk register Document individual and overall project risk in the risk register.Implementation Considerations:Identifying Risk is an iterative process,since new risk may emerge and risk changes may occur as the project progresses,affecting the
114、 overall project risk profile.In Agile,new risk is identified throughout the sprint cycle such as during sprint planning;product backlog refinement;daily scrum meetings;and sprint reviews,with the risk register being updated accordingly by the scrum backlog.2023 ISACA.All Rights Reserved.15INCORPORA
115、TING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 13:Setting Context Risk Management Steps Setting Context Risk Management Steps1.Understanding the organizational contextUnderstand strategic objectives,project objectives and risk context in order to assess the project alongside similar projects and deter
116、mine if its proposed benefits warrant the risk level.2.Identifying risk drivers to assess risk appetite alignmentUnderstand risk sources and their implications for the enterprise risk environment(e.g.,financial,strategic and reputational risk)to determine how much risk the enterprise is willing to t
117、olerate in pursuit of project objectives.3.Confirming risk appetite and tailoring project delivery for risk contextConfirm risk appetite(e.g.,risk averse,risk seeking)and tolerances for the project(e.g.,earn a return of investment of 7%)with stakeholders.Based on the risk context,tailor the Agile me
118、thodologies to take advantage of the appropriate project and enterprise risk management techniques to enforce risk appetite and tolerance thresholds.Implementation Considerations:Once the risk appetite and tolerance thresholds have been approved,set the parameters for controlling risk in the project
119、,for example:Set thresholds to establish the acceptable level of overall project risk exposure and to assess and prioritize risk.Identify aspects of the project that are excluded from internal controls(e.g.,allowing more risk for highly innovative product launches)or that otherwise constrain its pro
120、gress(e.g.,redefinition of project scope if deemed to be too risky).3.Analyzing Risk The Analyzing Risk process conducts risk analysis to set priorities for further action by assessing the probability of occurrence and impact,along with other characteristics(figure 15).3834 4.Determining Risk Respon
121、se The Determine Risk Response process develops and approves plans to respond to priority risk.The response plans include agreed-upon actions to be taken and are documented in the risk register(figure 16).3935 5.Implementing Risk Response The Implementing Risk Response process ensures that agreed-up
122、on risk responses are executed as documented in the risk register to minimize overall project risk exposure(figure 17).4036 3438Ibid.35 3640Ibid.2023 ISACA.All Rights Reserved.16INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 15:Analyzing Risk Steps A An nalyzalyzi in ng g R Ri is sk k SteStep
123、 ps sGathering data 1.Identify high-priority risk through data-gathering activities that can include interviews and workshops to assess risk probability and impact.This information is reviewed in the sprint planning session with the scrum team to assess the probability and impact of the risk.Analyzi
124、ng data 1.For each risk listed in the risk register,assess the probability of occurrence and level of impact:Determine the Impact(1=low,5=high).Determine the Probability(1=low,5=high).Multiply the Impact by the Probability to obtain the Risk Value Identify high-priority risk items by Risk Value.Impl
125、ementation Considerations:The Analyzing Risk process establishes the risk priority.The risk register is updated by the scrum master and records the priortized risk and its owner(responsible party e.g.,developer).FIGURE 16:Determining Risk Response Steps DeteDetermrmi in ni in ng g R Ri is sk k ResRe
126、sp po on nsese SteStep ps s1.Identifying priority riskPrioritize risk based on risk value(based on information from the Analyzing Risk steps).2.Developing and approving risk response plansResponse plans are developed by the risk owner(responsible party,e.g.,developer)for priority risk items.Dependin
127、g on its nature,the risk response plan may trigger a change request that requires the product owner to review and update the product backlog accordingly.Implementation Considerations:Risk responses should be appropriate for the significance of the risk,cost-effective in meeting the challenge,realist
128、ic within the project context,agreed-upon by all parties involved,and owned by a responsible person(risk owner).2.FIGURE 17:Implementing Risk Steps ImpImple lemme en nt ti in ng g R Ri is sk k SteStep ps s1.Implementing Risk ResponseRisk owners reduce overall project risk by implementing the agreed-
129、upon responses,managing threats and opportunities proactively.Updates on the implementation status is provided in the stand-up scrum meetings.Implementation Considerations:Proper attention to the Implementing Risk Response process ensures that agreed-upon risk responses are executed.39 Ibid.6.Monito
130、ring Risk The Monitoring Risk process tracks the status of implemented risk response plans and related risk(in the risk register),identifies emerging risk,and evaluates the effectiveness of the risk management plan throughout the project(figure 18).4137 The Agile risk management process is an iterat
131、ive life cycle approach for managing risk with a sequence of steps that can be adapted to the risk context of the project.Due to the evolving nature of risk,the life cycle ensures a repeatable workflow of steps that support decision making with integration into enterprise risk management through ris
132、k appetite and tolerance thresholds.FIGURE 18:Monitoring Risk Steps Agile Risk Assessment in Practice Using Scrum Framework The Agile Risk Assessment is completed at the project and sprint level for the scrum framework at different points in time:At the project level,it identifies what risk threaten
133、s the overall project.At the sprint level,it identifies the risk for each requirement.Before the project is initiated,an assessment should determine whether the risk profile is too high,potentially terminating or delaying the project.Another valuable opportunity to review the project status is at th
134、e requirements workshop,where alignment with risk appetite and tolerance thresholds can be determined.The two levels,project and sprint,may seem to be separate;however,they work in tandem during project execution.The scrum framework uses its practices(e.g.,roles,events and artifacts)to identify and
135、mitigate risk throughout the project and sprint cycles,with multiple Agile risk assessment steps supporting those practices as described below.3741Ibid.MoMon ni itotor ri in ng g R Ri is sk k SteStep ps s1.Monitoring riskTrack for new,changed and outdated risk items and for changes in the overall le
136、vel of project risk exposure through risk reviews.The sprint review and retrospective offer opportunities to conduct a risk review for the completed sprint and key indicators such as:Key Risk Indicators(KRIs)measure risk levels in comparison to defined risk thresholds,generating an alert when a risk
137、 level approaches a threshold.Key Control Indicators(KCIs)measure the effectiveness of controls,generating an alert when any defined control malfunctions(e.g.,defined control has not been implemented,is not enforced,or is not working as designed).2.Communicating risk statusCommunicate current level
138、of project risk exposure to project team and key stakeholders through risk reporting.3.Initiating change requests and updating product backlogDiscuss potential change requests with the product owner for corrective and preventive actions to address the current level of project or individual risk.Thes
139、e items will be included in the product backlog and may be prioritized for the next sprint cycle.Implementation Considerations:A risk report(e.g.,risk burndown chart)is a key communication tool to visualize the overall risk exposure and risks exceeding risk tolerance thresholds for the project.2023
140、ISACA.All Rights Reserved.17INCORPORATING RISK MANAGEMENT IN AGILE PROJECTS 2023 ISACA.All Rights Reserved.1.Setting Context For setting context,determine overall risk at project kick-off and for each sprint start.When the project begins,the product owner discusses the risk with stakeholders(e.g.,pr
141、oject team,customers and subject matter experts),identifying risk for the overall project and the already-known requirements in a workshop setting.The product owner and the participants assess the risk value and determine what actions to take.4238 The product owner needs the risk value of a requirem
142、ent because,along with the business value,the risk value is an important criterion when prioritizing the requirements to be implemented.Requirements with the highest risk are often the first to be realized,according to the motto:Fail early;fail fast;fail cheap.4339 The scrum master creates a risk re
143、gister to be used for the project and sprints,which is updated throughout the project at various points in the sprint cycles.The workshop supports product envisioning with the stakeholders,mitigating the risk of misunderstandings about what the product needs to accomplish.For visibility,all team mem
144、bers have access to the risk register with shared ownership of the risk.The team is encouraged to update the risk register with information from scrum events such as sprint planning,scrum stand-up,sprint review and retrospective meetings.2.Assessing Risk At the start of the the sprint cycle,during t
145、he sprint planning meeting,the product owner and project team assess the product backlog to discuss the risk of each individual requirement,identify and evaluate any new risk,and determine response plans.Through this approach,the team becomes aware of the risk and can implement planned actions.Also
146、during the team discussion,the product backlog is refined and adjusted for risk using the steps referred to in figure 19,influencing the items to scope in the sprint and its time duration.4440 The team considers risk when determining the potential increment for the sprint,ensuring that it can delive
147、r successfully.3842Op cit Wanner3943Ibid.4044Botis,S.;“A Simple Approach for Risk Management in Scrum,”Today Software Magazine,https:/ RISK MANAGEMENT IN AGILE PROJECTS5.AlignDocument risk in the product backlog and determine risk response for the sprint2.IdentifyDetermine risk with the product back
148、log and document in risk register4.PrioritizeArrange risk value in descending order and identify top risk to be addressed in the sprint3.AssessAnalyze probability and impact of risk1.AwarenessReview product backlog and understand requirementsFIGURE 19:Assessing Risk Steps Using Scrum Framework The A
149、lign step contains several critical items for risk management,specifically:Incorporating the risks in scope for the current sprint and response plans into the sprint backlog integrates these tasks with the schedule.Updating the risk register for all risk identified(current and future sprints),in add
150、ition to noting the response plan for each risk addressed in the current sprint,provides a reference point for the team during the sprint cycle.Identifying features from the sprint planning session that have a technical problem without a solution.The team may decide to perform an architectural spike
151、 during the sprint,otherwise known as a proof-of-concept to explore workable solutions.Adjusting the product backlog to include risk complexity and priority to assist with future sprint planning.A key output from the Assess step is an updated risk register,an example of which is reflected in figure
152、20:3.Implementing Risk Response Several techniques are used by the scrum team to implement risk reponses,such as the risk-modified Kanban board(figure 21).4541 A risk-modified Kanban board encourages the color coding of risk-related tasks(e.g.,green for opportunity,red for threat)to support the visu
153、alization of risk.Incidentally,such practices can also be extended to other Agile artifacts,including Agile story maps that describe the relationship between epics and their constituent user stories as illustrated in figure 2.This enables an excellent visualization of the distribution of risk and ev
154、en enables detection of where risk analysis may have been deficient(e.g.,a collection of user stories with no apparent upside or downside risk).4642 FIGURE 20:Sample Risk Register 4145“Agile-An Incantation,Seen it to Mean it,”6 May 2015,http:/ Ri is sk k RegRegi istester rDescriptionProbability(P)Im
155、pact(I)Risk Value(P*I)Response/OwnerPlanned Sprint CyclePotential security flaws identified due to new features4416Task created for an upcoming sprintassigned to lead developerSprint 5New features may require re-work4520Architectural spike task created in the sprint backlog assigned to lead develope
156、rCurrent Sprint 2023 ISACA.All Rights Reserved.19INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSFIGURE 21:Risk-Modified Kanban Board LegendPlannedTask 1ReviewNegative risk taskTask 4In progressNormal taskTask 2Task 3DonePositive risk taskTask 5Task 646 Moran,A.,“Risk Management in Agile Projects,”IS
157、ACA Journal,vol.2,2016,https:/www.isaca.org/resources/isaca-journal/issues/2016/volume-2/risk-management-in-agile-projects4.Monitoring Risk Figure 22 shows an effective monitoring practice for risk reduction using a risk burndown chart,identifying cumulative risk value outstanding at various sprint
158、intervals created from the risk register.In addition,there are scrum events and artifacts that help with risk monitoring:For the stand-up scrum meeting,the team manages risk by reaching the sprint goal and providing deliverables.The Sprint review functions as a forum to ensure that the solution meet
159、s stakeholder expectations.Stakeholders discuss solution changes required to accommodate new business needs,which reduces the risk of presenting the customer with an inadequate solution at the end of a project.Sprint retrospectives explore issues with the completed past sprint and assess whether tho
160、se issues will be a risk for upcoming sprints.The team identifies options to prevent that risk from occurring.Examples of questions that may be asked during a retrospective include:Is there any new or escalating risk?How are the teams risk management capabilities developing?Is risk reduction proceed
161、ing successfully?For risk items transfered to a third party,are the risk mitigation plans working as expected?Scrum Artifacts The risk register is updated to show how risk was handled throughout the project at defined points in the sprint cycles(e.g.,sprint planning,scrum meeting,sprint reviews and
162、retrospectives),providing a source of information for lessons learned and best practices for upcoming sprints.A risk wall or information radiator can be created in a central location(e.g.,an intranet or a physical office)to provide a variety of risk and performance reports,such as a burndown chart a
163、nd tracking work completed in each sprint.A forecast can then be made about the amount of work remaining based on velocity to date.FoFor r e eff ffe ec ct tiveive AgileAgile r ris isk k maman nagemeagemen nt t,t th he er re e n needseeds t to o b be e agagr reemeeemen nt t o on n i it ts s imimp po
164、or rt ta ancnce e a an nd d a a c commiommit tmemen nt t t to o t th he e a apprpproaoachch amoamon ng g t th he e prprojeojec ct t t teameam memmemb be er rs s.These are some example of practices and artifacts Agile projects may or may not use depending on the project and organizational context.For
165、 effective Agile risk management,there needs to be agreement on its importance and a commitment to the approach among the project team members.Agile has a shared decision-making framework that requires all team members to be engaged and to communicate the relationships between solution requirements,
166、threats and opportunities,with strong risk ownership as its foundation.2023 ISACA.All Rights Reserved.20INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSSprint cycle30405060FIGURE 22:Risk Burndown Chart Critical Success Factors for Agile Risk Management Risk presents enterprises with challe
167、nges but also offers a competitive advantage when both threats and opportunities are managed proactively.The Agile risk management process provides insight into risk that needs to be addressed to support the pursuit of strategic objectives and take advantage of opportunities.For this process to be e
168、ffective,six critical success factors must be in place(figure 23).4743 With acknowledgment that risk management as a shared responsibility,there will be stronger input concerning potential threats and opportunities and increased collaborative problem solving,fostering collective risk ownership.With
169、Agile,the role of a project manager being responsible for risk makes the transition to an empowered team handling risk proactively.FIGURE 23:Key Success Factors for Agile Risk Management Conclusion As enterprises adopt Agile methodologies to achieve strategic objectives with digital acceleration,the
170、y will need to rethink their control functions,including risk management,to keep pace with frequent release cycles and to develop capabilities to advise risk owners in near real time.To respond to this business need,an Agile risk management process can be used,integrating leading practices from proj
171、ect management and enterprise risk management with Agile methodologies to meet demands for organizational agility.Decision-making in an Agile contextusing scrum roles,artifacts and eventssupports enterprises in determining what risk can be accepted as they pursue digital acceleration.4347Op cit Proj
172、ect Management InstituteRecognition that risk management provides a positive return on investmentUnderstanding that risk management is everyones responsibilityOpen and honest communication about riskOrganizational commitment to enterprise risk management alignmentTailoring of risk effort to organiza
173、tional and project contextIntegration with agile methodology 2023 ISACA.All Rights Reserved.21INCORPORATING RISK MANAGEMENT IN AGILE PROJECTS Acknowledgments ISACA would like to acknowledge:Lead Developer Mary Carmichael CISA,CRISC,CPA,MBA,CFE,CSM Managing Director,Risk Advisory Momentum Technology
174、Canada Expert Reviewers Diana Calderon CISM Delivery Hero SE Germany John Espina CISA,CRISC,CMS,PMP,SSLP Societe Generale Canada Hakan Kantas CRISC,CDPSE,ITIL,ITIL Managing Halkbank USA Baris Kavalali CISA,CISM,CGEIT,CRISC,CDPSE,ISO 20000,ISO 22301 LA,ITIL,TOGAF Australia Donald Morgan CISA Farm Cre
175、dit Canada Canada Kane Porter CISA Peoples Trust Company Canada Jaroslaw Boguslaw Richert Ruchniewicz CISA,CRISC,ITIL Schneider Electric USABoard of Directors Pamela Nigro,Chair CISA,CGEIT,CRISC,CDPSE,CRMA Vice President,Security,Medecision,USA John De Santis,Vice-Chair Former Chairman and Chief Exe
176、cutive Officer,HyTrust,Inc.,USA Niel Harper CISA,CRISC,CDPSE,CISSP Chief Information Security Officer,Data Privacy Officer,Doodle GmbH,Germany Gabriela Hernandez-Cardoso Independent Board Member,Mexico Maureen OConnell NACD-DC Board Chair,Acacia Research(NASDAQ),Former Chief Financial Officer and Ch
177、ief Administration Officer,Scholastic,Inc.,USA Veronica Rose CISA,CDPSE Senior Information Systems AuditorAdvisory Consulting,KPMG Uganda,Founder,Encrypt Africa,Kenya Gerrard Schmid Former President and Chief Executive Officer,Diebold Nixdorf,USA Bjorn R.Watne CISA,CISM,CGEIT,CRISC,CDPSE,CISSP-ISSMP
178、 Senior Vice President and Chief Security Officer,Telenor Group,USA Asaf Weisberg CISA,CISM,CGEIT,CRISC,CDPSE,CSX-P Chief Executive Officer,introSight Ltd.,Israel Gregory Touhill CISM,CISSP ISACA Board Chair,2021-2022 Director,CERT Center,Carnegie Mellon University,USA Tracey Dedrick ISACA Board Cha
179、ir,2020-2021 and Interim Chief Executive Officer Brennan P.Baybeck CISA,CISM,CRISC,CISSP ISACA Board Chair,2019-2020 Vice President and Chief Information Security Officer for Customer Services,Oracle Corporation,USA Rob Clyde CISM,NACD-DC ISACA Board Chair,2018-2019 Independent Director,Titus,Execut
180、ive Chair,White Cloud Security,Managing Director,Clyde Consulting LLC,USA 2023 ISACA.All Rights Reserved.22INCORPORATING RISK MANAGEMENT IN AGILE PROJECTS1700 E.Golf Road,Suite 400 Schaumburg,IL 60173,USA Phone:+1.847.660.5505 Fax:+1.847.253.1755 Support:support.isaca.org Website:www.isaca.org Provi
181、de Feedback:www.isaca.org/incoporating-risk-management-in-agile-projects Participate in the ISACA Online Forums:https:/engage.isaca.org/onlineforums Twitter: LinkedIn: Facebook: Instagram: ISACA ISACA(www.isaca.org)is a global community advancing individuals and organizations in their pursuit of dig
182、ital trust.For more than 50 years,ISACA has equipped individuals and enterprises with the knowledge,credentials,education,training and community to progress their careers,transform their organizations,and build a more trusted and ethical digital world.ISACA is a global professional association and l
183、earning organization that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security,governance,assurance,risk,privacy and quality.It has a presence in 188 countries,including 225 chapters worldwide.Through its foundation One In Tech,ISACA
184、supports IT education and career pathways for underresourced and underrepresented populations.DISCLAIMER ISACA has designed and created Incorporating Risk Management in Agile Projects(the“Work”)primarily as an educational resource for professionals.ISACA makes no claim that use of any of the Work wi
185、ll assure a successful outcome.The Work should not be considered inclusive of all proper information,procedures and tests or exclusive of other information,procedures and tests that are reasonably directed to obtaining the same results.In determining the propriety of any specific information,procedu
186、re or test,professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.RESERVATION OF RIGHTS 2023 ISACA.All rights reserved.2023 ISACA.All Rights Reserved.23INCORPORATING RISK MANAGEMENT IN AGILE PROJECTSIncorporating Risk Management in Agile Projects