top of page

Agile Risk & Control, anyone?

When discussions with our clients revolve around how to prosper within a world of rapid change on the one hand, while at the same time keeping a solid governance, risk & control framework in place, frequently these are seen as opposite ends of the behaviour spectrum. Minimum constraints and maximum control clearly cannot work hand in hand, or so we hear.

For practical use then, what compromises and trade-offs between the two are required? Is a regulated banking world mostly better off with a risk & control focus, while start-ups and tech companies can reap the benefits of fast-fail-fast-improved work styles?

So much risk, so little control

Examples of risk management gone wrong are around every week. A large family office off-loading gap risk onto banks, a few football club owners launching a new venture, supply-chain blockages stopping critical parts delivery, a large country suffering from a lack of medical preparedness - with hindsight it is easy to analyse and write post-mortems. This article is not trying to attempt this. However we will look at a commonality among most risk disasters: something went wrong so fast, that no one could have done anything about it. Or could they?

Agile, just get it done

A big client facing transformation project, a product launch, a simplification of the location mix - agile logic has it, that this means working within guidelines (of the task) but without boundaries (of how you achieve it), i.e. an approach to getting work done with maximum flexibility and minimum constraints.

We will not dive deep into the finer details of agile working here. Instead we take a step back and look at a key prerequisite for any effective agile work delivery.

Just get it done

Managing rapid change and keeping controls effective are two sides of the same coin. Both rely on the beliefs and plans stakeholders make about their businesses, the opportunities in it and what could possibly go wrong. Aligning stakeholders on a vision, communicating it well, assembling the right teams for the tasks and doing this over and over again through complex execution is hard enough. Having a change of circumstances (or of people) thrown into the equation and crucial details might be forgotten or neglected.

The successful companies that we have worked with build a few key steps into their management frameworks, and it involves turning beliefs, hopes, aspirations etc into tangible data:

  • Precise and jargon free gathering of what stakeholders belief to be true in and around their business, including the 'facts' that everyone knows are true. This is a set of assumptions and most businesses have in some form or shape an understanding of what these are. Few turn assumptions into usable data though (aka validated assumptions).

  • Assumption validation must engage all stakeholders and not allow any to stay silent or non-committed. We have developed simple techniques that prevent "silent assassins" and "interested bystanders".

  • Documented assumptions act as a reference point for stakeholders where the journey started and moved to.

  • Regular revalidation of assumptions by the executive team is not optional and for sure not a tick-the-box exercise delegated 3 levels down.

  • Explicit linkage of accountably owned key milestones, tasks, risks and controls to the set of validated assumptions increases execution certainty exponentially.

Does it make a difference?

Would have validated assumptions made a difference to some of the risk incidents mentioned above?

The gap risk carrying banks that did make assumptions, and linked-up execution ready plans on how fast they have to react when a big client fails, came out as winners.

Among 12 clubs, the risk that a league launch would be catastrophically received by key stakeholders was not contemplated as a top-risk. The assumption that US and European sport cultures have the same values was critically missed. The clubs that could have but did not participate made different assumptions.

The supply chain managers that are looking good today are those that assumed that location or product choke points do exist. The really successful ones made explicit assumptions about the likelihood and impact of something going wrong, and had pre-emptive controls and execution ready mitigation in place.

The country that mismanaged COVID...ok, we are not going there today

Sound baseline, sound mind

In summary, establishing simple work routines that link who does what by when to the why has numerous immediate benefits:

  1. Implementation does not require new systems or tech investment.

  2. Stakeholder engagement becomes an evidence based exercise with full transparency.

  3. When assumptions change, it is clear how each part of the business is impacted and what adjustments are required down the line. Shell-shocked executive teams are upgraded to systematic solution providers.

  4. Agile teams have a golden source check-point to remain on track without setting new boundaries.

  5. Risk & control teams take validated assumptions as a key control itself in their forward looking control framework. Spotlights to the front augment the rear mirrors.

  6. Agile and risk & control are no longer opposing concepts.


To learn how your organisation can implement and benefit quickly from a framework of validated assumptions, please contact us below.


Get in touch with our team

Thanks for getting in touch!

We will reply to you within one business day

  • linkedin
bottom of page