How to make the whole organisation agile?

Storytelling is a crucial tool for culture change, because often, nothing else works. Charts leave listeners bemused. Prose remains unread. Dialogue is just too laborious and slow. When faced with the task of persuading a group of managers or front-line staff in a large organization to embrace a major change, storytelling is the only thing that works.

What constitutes risk management – A senior management’s view

When discussing how to improve the value contributed by risk management, I typically start by saying ‘where do we start?’. At the heart of this question is the desire for a simple and practical point of view that makes sense in practice. Because risk profile, appetite and tolerance are different in different organisations, risk management presents itself differently. However, there are 4 fundamental pillars:

  1. Process

Like any value-adding activity, risk management requires a process, which entails a purpose, inputs, activities and outputs. According to ISO 31000, the activities typically include risk identification, sourcing, assessment, measurement, mitigation and monitoring. The purpose of the process varies from organisation to organisation too. It may be reducing performance variability, preventing incidents or taking more risks to maximise returns.


  2. Integration

Traditionally, as well as in the financial services sector, risk management is focused on protecting the value of assets tabled in the company’s balance sheet and related contractual rights and obligations. Typical risk management methods include insurance, tools for treasury risks, and mitigation of environmental risks such as health and safety concerns. Whilst these forms of risk management have served a useful purpose in the past, contemporary risk management serves a higher and better use. The relevance of the risk management process increases if it is integrated with core management processes that help the organisation in achieving its objectives and executing its strategy. The degree of integration again varies and typically includes core processes such as strategy formulation, business planning, performance management, capital and funding planning, M&A and project management. Effective integration means risk management is embedded into the rhythm of day-to-day business decisions and contributes to establishing competitive advantage and boosting performance.

  3. Culture

Effective risk management requires top-down sponsorship and consistent application of conducive behaviours. If the reward system is not balanced with shareholder interests, if the board doesn’t question the assumptions and risks taken for a strategy, or if risk management is restricted to compliance or after-the-fact firefighting and not focused on strategic issues, risk management will not be able to have an impact at the crucial moment. A robust risk culture promotes open communication, knowledge sharing, best practice and continuous improvement, and more recently a focus has been placed on value-driven commitment to ethical and responsible behaviours.

  4. Infrastructure

Now, given the risk management processes, how they are integrated with core business processes and the elements of an organisation’s culture, the focus then turns to whether the organisation has what it takes to get the job done – its infrastructure – its policies, procedures, organisational structure, reporting lines, systems and people related to managing risks. If the infrastructure requires improvement, such as a lack of risk management policy, unclear risk appetite, unclear roles and responsibilities, or a lack of risk reporting process or IT systems (GRC), resources must be diverted to have these areas addressed.

Essentially, these 4 elements are the foundation of an effective risk management framework, and they should be what senior management and the Board look for when establishing risk oversight, or what a maturity assessment should be looking at. Ask some of these questions when you think about your company’s risk management practice:

  • Do we have a process to identify risks related to our strategy?
  • Is our risk management only focused on insurable and financial risks?
  • Are our risk management capabilities coordinated across the company, or do they operate in silos?
  • Do risks materialise primarily because there is a lack of risk culture or understanding?
  • Is risk management restricted due to resourcing limitations?

What are your thoughts and your experiences in your organisation?

Change management, Resistance and risk management – a hard lesson learnt


I came across this brief slide – I didn’t hear the presentation first hand but the topic itself prompted a great deal of thinking and reflection upon a valuable lesson I learnt recently.

The background

Recently I had a short spell in a tech company that had experienced huge growth and was doing fantastically well in recent years. It deliberately maintains a startup mentality but has an aspiration to be more mature in its corporate governance aspects – processes, controls, compliance and risk management. Enter me to the stage – I signed up to a role in a tiny risk management and audit team and saw a great deal of opportunity in implementing risk management from the ground up in a greenfield environment. Without going into much detail, building a risk management framework is no mean feat – it entails tangible deliverables such as risk process, appetite, reporting, roles and responsibilities and ongoing compliance and maintenance. An effective risk management framework also includes a crucial soft element – a risk-aware culture that permeates through the organisation so people consciously talk about risk and weave risks into their daily business conversation.

Typically and conveniently, implementing the tangible stuff is the way to go. Usually backed by senior management or compliance regulatory requirements, certain things must be in place to discharge senior management’s and the board’s responsibilities. However, without the soft culture environment, many of these processes, reports and tasks remain a paper exercise or deliver limited business value. That’s one of the reasons that risk management sometimes is still perceived as a functional support team and struggles to win a seat at the high-level decision-making round table (again another hefty topic).

Now back to my experience. Within the first 3 weeks, I had drafted a risk management maturity roadmap with strategic and tactical plan items – the tangible and soft elements. I managed to obtain an in-principle endorsement of it without an agreement on exactly what was to be done. I was then tasked with a number of incumbent ‘risk/audit’ projects – some must-dos and some operationally-focused topics that one would say weren’t derived from risk-based planning (that’s a different topic). The only risk-focused project was business continuity implementation, which deals with disruption and availability risks. I sought to leverage this project firstly to quickly understand the most critical parts of the business and secondly to promote risk management as a school of thought and get into people’s minds about its importance and value-adding capability. I conducted informal and formal interviews and workshops, always starting the conversation with an introduction of who the risk management team is – what we do, how we do it and what value we can add – before launching into a tangible risk topic, which was business continuity. It was a rather exhilarating experience as I put risk ‘on the map’ – interviewing 50 plus mid and senior managers in the space of 2 months.


I was not Messi in risk management, but I was battling hard and much of the time I was battling alone. I had passion and desire in abundance and hoped hard work and persistence would overcome every challenge. I was working 10-12 hours a day in the office plus some hours at night. Time flew by but I felt I was in the zone and making solid progress.

So I think I did…

In hindsight, I neglected an important thing to do. To put it in an analogy – I was a charged-up and prepared warrior, carrying my swords, who jumped right into the battlefield with my fists clenched and eyes on the target. I fought a hard battle and, importantly, I made advances according to my war plan; I was hitting milestones. However, I forgot to stop in between battles and turn around to communicate with my fellow warriors, to report on wins, losses and problems, to ask for reinforcement, to ask for advice, to tell them where I was going and, most crucially, why I was going that way and doing that thing. Well, that’s a bit of an exaggeration; I did, but not enough. I lost sight of my own backyard.


Especially when you are new to a company, what I did was doomed to fail – the odds were against me, I was going to fight to my death – either being recognised as a warrior that stupidly took up an unwinnable fight on my own and lost, or most likely I would be seen as someone who didn’t plan well, misjudged the problem, failed to come up with the right solution, failed to see negative obstacles, failed to communicate and most importantly failed to deliver.

I did fail by the way. I am no longer with this company.

When I reflected upon this experience, I could easily have blamed a million other things that didn’t go my way.

  • I didn’t have a manager that understood my mission and my war plan, and failed to support me
  • It was a hard battle that no one had fought before
  • The team failed to see what I did was planting the seed and it will take time to yield fruits
  • The team didn’t recognise my efforts and that I was helping the team
  • I could go on…

But as I look hard at myself and strip it all down, I was leading a project of change management – changing the risk culture in this case. This project invariably has a lot of obstacles and resistance – people, entrenched mindset, existing way of work, selling the value – the stuff on the battleground. Launching into the battle with a crafted game plan (maturity roadmap), armed with a set of weapons (risk management experience and tools) and a determined mindset can only last you so long. My success also depended on team support, collaboration and communication.

My battle was not lost on the battleground, but was lost in my war room and in my reinforcement and my support battalion. Like a game of football, Messi alone cannot win a game, he needs his team – a coordinated team, a team with shared belief and vision and a supportive team. I didn’t have it and I failed to build one before I went battling.


In any change management project in business or life, resistance is a false proposition – resistance to change doesn’t exist (well said Richard, even though I don’t know you). In my case, the number one contributor to my failure that I had control of was ‘Communication’. A hard lesson to learn, but a valuable lesson learnt.

#failure, #lessonlearnt, #riskmanagement, #projectmanagement, #communication, #teambuilding

Applying agile to non-software development settings

“Agile” has been a buzzword in the software industry for quite some time now. These days you would be surprised to hear of an IT project that is not utilizing some form of agile methodology. However, in more recent times agile has been showing up in mainstream publications touting success in various non-software project settings. The Wall Street Journal recently posted on how modern families are using agile to improve communication. Here’s a recent TED talk about, again, using agile in the family. Finally, there is a recent article on Forbes about how agile is the “best kept management secret on the planet”. Clearly, people outside of software are seeing value in the ideas and principles behind agile. Culture and organisational structure aside, what is it about agile that is so universally beneficial?

Let’s go back to the basic principles and philosophies behind agile and how they can be the catalyst for improvement:

  1. MVP

Minimum viable product – breaking things into manageable pieces is such a no-brainer. Piece-mealing often challenging and complex work into chunks not only improves workability but, more importantly, reduces the fear and uncertainty associated with making the first step. Having something to celebrate also creates a sense of achievement, no matter how small, that boosts morale and teamwork.

  2. Feedback loops

Having key stakeholders continuously engaged is the best insurance against last-minute surprises – and nobody likes surprises. Taking stakeholders along the journey also exposes them not just to the achievements but also to the challenges faced, so they understand where the time, effort and money were spent. With a shared goal toward success, feedback identifies all those negatives such as progress that is off track, group think, inaccurate or unrealistic requirements, poor quality delivery etc.

Agile teams do this in regular meetings called retrospectives. These meetings happen regularly (usually every 2 weeks) and the team is encouraged to talk candidly about their work and how things are going on the team. Positive things are reinforced, negative issues are discussed openly, and ideas for changes are considered and planned.

  3. Transparency

Agile teams are famous for their ‘walls’. Using a physical task board makes your team’s work more visible. Whilst it is tough to start at first, creating columns for things to do, work in progress, and completed tasks can do wonders for your team’s communication and collaboration on projects. It is simple, but there is something psychologically satisfying about moving a task across the board.

  4. Outcome-driven

Hands up if you intuitively think about your work in terms of output. How many features did we release? How many emails, phone calls, etc. did we make? How many ticks of approval did we achieve? We humans think about our work in terms of output because it is easy to measure (also we were told to set these measures up front, so we can call our goals ‘measurable’), but it’s not what really matters. What matters is the impact or outcome of our work – the value it creates. Maximizing the outcomes is a fundamental principle of agile and I feel it’s the most powerful.

The opposite of value is waste. One of the agile principles is around the idea of simplicity. Is the team empowered to question the value of a piece of work? Be willing to ask if and why something must be done. If it is no longer valuable, be willing to see what happens if you stop doing it. Look for things that are wasteful and eliminate them. This will free you and your team up to focus on the things that drive outcomes – the things that add value.

  5. Change is constant

Eisenhower once said “Plans are worthless, once the first shot is fired, but planning is still essential”. We live in a world that sees information and circumstances change at a speed never seen before. Assisted by technology, information penetrates fast and the power is squarely in the hands of consumers now. Be very cautious about making detailed long-term plans that are costly to change. Get into the rhythm, embrace change and be agile about changing directions, requirements, deliverables; in fact, everything.

  6. Self-organising teams

Spotify uses the principle that the ‘culture is the sum of everyone’s values and behaviours’. Thoroughbred agile lives only in an environment of empowerment and trust. I personally think there is no better way than letting the team self-organise to demonstrate the company’s commitment to empowerment and trust. People with intrinsic motivation are more committed, outcome-driven, push to the limit and are generally happier. Don’t tell people how to do things: articulate the problem at hand, create a facilitating environment and let them surprise you with their results.

In all, I believe the above principles and their perceived benefits transcend software development projects. Be it traditional product development, BAU operations management, business improvement, incident management or problem solving, adopting some or all of these principles could change the way it used to be and potentially deliver massive benefits at little cost.

What is your experience with agile in non-IT projects?

How does risk management stay relevant in a fast-evolving digital world? (Continued)

Let’s start off with a recap

Last time we discussed how innovative culture represents the most important force behind modern business success, which drives innovation in both technology and the business model that applies such technology. We dived into the concept of agile and agile thinking being the essential ingredient for building an innovative culture. We compared agile culture and its underlying value beliefs and how they influence the ‘way of work’ for different organisations.

In the context of risk management, the differences in this cultural undertone, shared values and the way of work have profound implications for the risks faced by the organisation and how these risks can be best managed. Let’s explore this using project management as a relatively straightforward example.

Maybe I should rename this post to – ‘how to deal with the inevitable agile disruption?’

Project and project risk management

How an organisation runs and manages its projects says a lot about itself. All projects are subject to constraints within the boundaries of the ‘way of work’ because they must work in tandem with resources already committed – people, funding, processes, priorities, inter-dependencies and timing.

Established companies usually run projects within a clear structure of teams, roles and responsibilities, reporting lines, handoff points and a decision-making regime. Embedded within a formalised PMO, traditional project risk management fits into this linear project lifecycle (usually waterfall) and is anchored by clear action points (or management controls) at key milestone stages such as qualitative and quantitative risk assessment, management review and approval points.


Comparatively, in a start-up agile environment, project management is turned on its head. Teams are mostly cross-functional with significant autonomy in deciding what and how to deliver a product or value. Non-value-adding activities such as process maps and progress reports are considered ‘waste’ because constant progress will render them outdated by the time they are created.

Having evolved from project management, agile thinking has been dubbed the single most fundamental feature of most modern successful tech companies. In advanced agile organisations, the agile way of working extends beyond project management and becomes ‘the norm’ and ‘business as usual’, reinforced by people initiatives on trust, learning, innovation, sharing and value. I have seen organisations continuously deliver products or value in squads, tribes and guilds without formal reporting lines or delegation authority.

The key risks addressed by traditional project risk management – time, cost and quality – are significantly mitigated simply by the approach advocated by agile philosophy: agile teams can start with a simple user story to build a minimum viable product deployed into production through short and iterative sprints dotted with regular feedback loops. Agile practitioners will know that I have omitted a whole lot of other enablers, pre-requisites and tools of agile practice.

So how can risk management stay relevant and add value for a company that is yet to embrace the digital revolution and agile (denial), or a company in transition (embrace), or a full digital/agile organisation (improve)? From my recent experiences, these are some conversation starters:

For agile aspirants, the values may lie in

  • Education on the ‘agile way of working’ through a risk lens. A better understanding will lead to better acceptance of change. I was surely confused by jargon like lean, kata, Kanban, test-driven development and feature toggles, and by why the team believes ‘wall walks’ are better than a ‘status report’.
  • Providing people who came from an established environment with a risk assessment of ‘going agile’: an objective and independent assessment of how key attributes such as cost, time and quality can be managed in an agile environment. Why is it ok for a project team to not commit to a deadline until much later into the project?

For those in transition, the values may lie in:

  • A risk assessment of how the transition as a project can impact and deliver value to the company, informing a decision on the necessary investment in resources, people skills and organisational restructuring to maximise the value of ‘going agile’.
  • Leveraging risk knowledge in current process and practice to identify ‘best value’ opportunity for agile adoption. Being an agile champion and a catalyst for incremental changes. Highlighting the positive risks associated with agile and the risks of inaction.
  • Do what risk managers do best naturally in promoting a collaborative culture that values trust, transparency and challenging status quo.

For those already agile equipped, the values may lie in:

  • Providing management comfort over key risk areas where conventional risk information would otherwise not be available, particularly for C-suite executives who usually came from a traditional setting. Gone are hefty business cases, periodic status reports and approval gates, replaced with risk insights from stand-ups, wall walks, demos and retrospective reviews.
  • Qualitative risk assessment in this high-velocity environment, where emphasis is skewed toward stakeholder feedback that is mostly subjective. Visual risk representation such as a risk burn-down chart would bridge the communication between project teams and business stakeholders.
  • Contributing to the management of the most important asset – people. Devs, Agile coaches, BAs, Product owners and senior management. How best to recruit, retain, develop and grow people in an evolving environment? How to facilitate, promote and build a culture that is conducive to agile philosophy?
  • Providing risk support to the management of operational risks associated with ever moving structure and elevated autonomy. For instance proliferated user access management, IT change management (DevOps), security and availability risk consideration within the development lifecycle, incident response and problem management.


In true agile fashion, risk managers, irrespective of the industry or where the company is on its disruptive journey, must also be digital-ready and agile – trial and error, explore and continuously improve to stay relevant and add value. What is your experience?

#agile, #project management, #project risk management, #risk management, #culture, #values

How does risk management stay relevant in a fast-evolving digital world?

Any experienced risk management professional would know it best – establishing a risk management framework is no mean feat, particularly if it’s for a ‘one of a kind’ organisation and not guided by a set of prescriptive regulation and standards. Above all the bells and whistles a risk team can build is one crucial attribute – risk management must stay relevant and add value to the achievement of the organisation’s strategic objectives.

Strategic objectives are enabled and influenced by important factors within the organisation itself – processes, projects, resources and culture. Beyond these intrinsic factors, in recent times many companies have had to deal with the impacts of the digital revolution as the disruptive forces of the ‘Internet’ transcend the tech sector and seep into pretty much every industry. Uber for taxi, Netflix for video, Airbnb for hotel, the list goes on.

This fast and inevitable change is forcing risk professionals to renew their emphasis on ‘emerging risks’ and to broaden their ‘feel on the pulse’ beyond immediate competitors and adjacent industries. This introduces an additional layer to the above question – ‘How does risk management stay relevant and continue to add value to the organisation’s strategic objectives (in a digital world)?’

It is obviously a complex question that doesn’t have a simple answer, so let’s peel back to the basics and explore this topic piecemeal.


Learn from the best

In preparing for the disruption and its impacts, organisations must understand and learn the key factors fuelling the success of many modern successful companies. One thing is for sure – simply embracing and adopting new technology only gives a temporary reprieve in this fast-evolving world. In fact, recent research confirmed that the technology itself only disrupts to a certain extent as followers embrace and adapt. It is the innovative business culture, which drives constant discovery of new business models and applications of technology, that is the most disruptive.


Agile and agile thinking

Literature abounds on why individuals or companies succeed; you don’t need to go far to be inundated with business coaches and mentors spruiking ‘how to’ guides. However, many would agree that ‘agile’ thinking is universally one of the most fundamental ingredients for many success stories.

Let’s focus on this topic for now, so what is agile?

Having evolved from a form of project management methodology and manufacturing, agile and agile thinking are interpreted in countless ways and applied differently. In its very essence, its reciprocal power advocates value-adding behaviours, cuts development cycles, facilitates informed decisions and drives continuous improvement. In an advanced agile environment, agile thinking would become so pervasive in all aspects of the organisation that it defines its culture, the way of work and the risks that propel its growth.

Let’s look deeper using real corporate examples

In a traditional yet progressive company with mostly established processes and a linear structure, a great deal of emphasis would typically be placed on important values such as teamwork, accountability, efficiency and simplification to support the execution of its strategy. Typically, most manufacturers, banks, telcos and retailers would fit into this category.

On the other hand, a tech start-up based on agile principles of being lean and people-oriented would focus on more tangible and actionable values such as collaboration, empowerment, fast throughput and continuous value delivery. Team structure and formalised policies would be minimised, with virtually no reporting lines and delegated authority. Examples are Spotify, REA, Pivotal Labs and many more.


Ok, you noticed I haven’t really answered my original question. That’s for another day.

#riskmanagement, #agile, #disruption, #culture, #values, #stayrelevant, #rispeak