Rich Williams, Head of Risk and Internal Quality Management at the Office for National Statistics (ONS), explains how adopting an Agile approach helped his team to do more for less.
By the very nature of their job, statisticians are trained to think in terms of numbers and to have rigorous processes in place to validate the accuracy of their work. Traditional risk management is also a numbers-based discipline.
The effect of the two overlapping was that when Rich arrived at the ONS four years ago, he was faced with a Risk Policy and Framework which ran to 121,000 characters over 56 A4 pages. The accompanying risk management database had 60 fields that needed populating.
The policy was fantastically comprehensive but made no allowance for how people actually behave and was almost impossible to use – the result of this was evidenced by the fact that less than a quarter (24%) of risk review deadlines were being met.
“The system as it stood was extremely bureaucratic, process-heavy and burdensome, with the focus on managing the risk database and not managing the risk itself,” said Rich.
Rich saw an opportunity to improve the risk management processes at the ONS by using the principles enshrined in Agile thinking – both to manage the change process and shape future practice.
In line with the AgilePM project management framework developed by the Agile Business Consortium, Rich’s approach involved extensive communication and collaboration, combined with a clear focus on the business need. Equally important was the commitment to safeguarding quality and maintaining an appropriate level of control that the framework promotes.
“The AgilePM framework inherently mitigates risk through regular and timely feedback loops with users, whereas waterfall development typically has less frequent interaction with users and so there is a higher threat of initiatives meandering off at a tangent,” he said.
He added that waterfall often relies on extremely comprehensive but burdensome reporting on progress, whereas Agile delivery involves trust, increased conversation and attending stand-ups as a source of assurance instead.
“While doing away with unnecessary reporting is welcome, there is a danger that organisations who move to Agile development and risk management can be tempted to document nothing, rather than appropriate levels of management information for assurance purposes,” Rich added.
“This is something which my team, in conjunction with our Agile colleagues, have ensured is done right.”
A comprehensive stakeholder engagement programme was undertaken to understand what internal users wanted from the burdensome risk management document. This helped to determine what needed to be included and which elements could be dropped.
At the same time, Rich visited and reviewed the risk management approach of outside organisations, such as government departments, to see what lessons could be learnt and what constituted best practice.
The result was a revised policy running to just six A4 pages – reducing the 56-page document to something that could fit onto three sides of A4.
A similar approach was taken regarding the risk management database. Prioritising the information it contained resulted in the number of fields required being reduced from the previous 60 to just 16. An added benefit was the new database could be developed using in-house resources, saving an estimated £100,000 in opportunity cost of purchasing an off-the-shelf alternative.
Of much more long-term value, though, was the reaction of staff at the ONS. As a result of being closely involved in its development, they have taken ownership of the database and have a greater commitment to using it and updating it.
3,500 users across the organisation can use it to see the whole risk landscape, and there are 400 core users. Compliance with risk review deadlines has increased dramatically – and now stands at 99.6%.
A further financial saving came from using internal expertise to develop a training programme aligned with the new, simplified risk management approach. This replaced one that had previously been delivered by an external organisation, which was being paid £10,000 to deliver risk training sessions to 16 people at a time.
Agile enabled all the changes to be introduced to a tight timetable. The new risk policy and database were operational within 12 months, with 18 months spent improving risk maturity.
Although the project proved successful, there was work to be done in migrating colleagues to a new way of thinking, and overcoming the tensions that can exist between traditional risk management – particularly in waterfall development environments – and Agile.
Rich found it a challenge moving a number-focused, intelligent and expert community of statisticians and economists to behavioural decision-making principles rather than mathematical ones.
However, he raised risk literacy and understanding by personally delivering the risk training course he developed.
Rich said: “I encountered very little actual cultural resistance due to my involvement of stakeholders and positive and visible response to their feedback. Colleagues felt at all times that I was listening to their input – which I was.
“Risk management is not an exact science, and accepting this fact and not trying to convince colleagues that it’s a pseudo-science either has led to a more open acceptance of my approach.”
Although risk management decision-making is now linked to behavioural principles at the ONS, the organisation has not moved entirely away from mathematical risk calculation; it’s simply secondary.
Rich concluded: “Agile was suited to a business that produces statistics and speaks to its users. It helped engage with end-users, determining what they wanted and helping to produce a product based on their needs.
“It ensured the project to upgrade the risk management systems was aligned to the organisation’s business plans, produced significant cost savings and nurtured a greater commitment among staff to using the new database.
“The Agile-driven project has produced a leaner and more efficient approach to risk management at the ONS and has significantly sped up the pace of delivery of threat analysis, improving the service for internal users and external clients alike.
“The work my team and I have also done in collaboration with the United Nations Economic Commission Europe (UNECE) has resulted in the ONS being viewed as a world leader in risk management in the context of Agile, for National Statistics Institutions (NSIs).