Credit: PEO EIS STRATCOMM
Mission Area
April 18, 2024
During a May 2022 Agile information session for Program Executive Office Enterprise Information Systems (PEO EIS), ASA(ALT) Principal Deputy Young Bang said one of the chief benefits of moving from waterfall to Agile software development was risk reduction.
“As we shift over into an Agile mindset and a product mindset — and into Agile software development — the intent is to reduce risk,” said Bang. “Relying on a year-type of timeframe for a release increases the surprises, and the size of those surprises tends to be big. When you do things in an Agile fashion, as you reduce the timeframe of delivery of functionality, you reduce the size of the surprise — and the numbers.”
Since that discussion, EIS has undergone an Agile transformation and begun experiencing a corresponding reduction in surprises and risks. Yet even with the adoption of the Scaled Agile Framework (SAFe), EIS acquisition professionals have learned that risk management is a necessary and ongoing requirement for ensuring successful outcomes in Agile software development.
According to EIS leaders, best practices for managing risk include bringing together all stakeholders to conduct risk assessments and identify potential risks at the start of each project or sprint; incorporating continuous risk assessment in program increment (PI) planning; prioritizing risks and establishing mitigation plans; assigning a person to own the risk until mitigated; managing risk throughout the project lifecycle, including by conducting retrospectives; having open and transparent communications with all stakeholders; and embracing change.
A few EIS programs have forged ahead with Agile risk management and recorded some related successes.
At ArmyIgnitED, which is part of EIS’ Defense Integrated Business Systems (DIBS) portfolio, the team participates in DIBS’ monthly Risks and Opportunities Management Board at which they brief Project Manager Kevin Curry about significant challenges. Given that ArmyIgnitED is a relatively small program, it’s only carrying one significant risk right now, said contractor and senior acquisition principal Scott Knudson, and team members are “doing a good job working through it.”
Risks are categorized by impact and likelihood, said contractor and program manager Larry Dismore, and plans are put in place to reduce both those factors. If new functionality needs are identified for release by a certain date, for example, it could be a risk if they don’t happen, he said.
One example Knudson and Dismore cited was the ArmyIgnitED team’s recent realignment of credentialing assistance for the Global Fund Enterprise Business System because the feature was needed sooner than originally planned. Team members had to bump up its development by one planning interval — around three months — and “move some stuff out the way to make that happen.”
To help keep track of risks, ArmyIgnitED and other DIBS programs have been using an Army-developed risk management tool called Project Recon, said Knudson.
Another EIS program, the Army Training Information System (ATIS), has its own tools and processes for managing risk. As part of ATIS’ Agile Release Train (ART) process, development teams identify risks and — if they pose a risk to the overall system — escalate them for tracking and mitigation at the program level.
During PI planning, said contractor and release train engineer Melissa Lee, risks are posted on a PI planning board, and development teams decide if they can manage the challenges on their own or need help from the ART team. Similarly, the ART team monitors risks using a ROAM (Resolved, Owned, Accepted, Mitigated) board, as recommended by SAFe guidance, and escalates risks that are beyond its control to the program level.
One risk that was elevated from the PI planning board to the ART and eventually to the program level was the inability of the new ATIS system to exchange data with the Army Training Management System. That meant that duplicative data could potentially reside in both systems, according to contractor and ATIS operations and risk manager David Bridges.
To address this significant challenge, the ATIS team had to develop a data bridging strategy, including using Agile methods to build and implement a code product that is currently remedying the problem, said Bridges. In the past, the data exchange issue might have lingered for over a year, but by employing Agile risk management, ATIS team members were able to nearly completely resolve the problem within around six months.
“First it was a critical risk, but now it’s a low to moderate risk, improving every day and unlikely to happen because it is tracked at the program level,” said Bridges.
Many of ATIS’ recent risk management practices have been iteratively refined over time, and the product office is in the process of codifying them in an updated risk management plan. Bridges pointed out that in September 2023, the DOD added Agile risk management guidance to its Risk, Issue and Opportunity Management Guide for Defense Acquisition Programs.