agility and risk

by Michael Werneburg
on 2015.10.16

Dave Thomas, one of the originators of the "Agile Manifesto", gave a talk in January that explains where the Agile movement has gotten off the rails (no pun intended). It sounds an AWFUL lot like the sort of things risk management professionals tell each other: the bundled up "best practices", certifications, and standards have gotten out of control and are now the tail that wags the dog to our great detriment. It's 42 minutes long, but it's worth returning to the old days to listen to someone speak for such a duration.

For me, the key take-away, which applies to risk remediation work as well as to software development, is as follows (minute 27). How to be agile:

1. Find out where you are.

2. Take a small step toward your goal.

3. Adjust your understanding, based on what you learned.

4. Repeat.

How to do it:

When faced with two or more alternatives that deliver roughly the same value, take the path that makes future change easier.

Is that brilliant or what?

Bonus! There's a footnote of sorts at the end of the talk, and it applies to the risk management field in spades. As follows:

Some people think they are important. Don't let them tell you what to do.
