Traditional software engineering has Risk Management as an activity by itself. It is recognized as a process area or knowledge area by the most project management standards. Interestingly, it was never been part of Agile Programming. The reason was easy: Agile Programming was conceptualized and devised by the programmers. Programmers don't like activities like risk management and many others. This worked well to the point where the team was largely formed by two (three max) seasoned developers, and they used to churn out some of the great codes every month. The problem started when large projects started following agile methods. The methods and practices started getting questions that were never thought out, nor addressed. Risk Management was one of those.
So, doesn't a project following Agile methods need any Risk Management? Certainly, it does. The project needs to take help from the established project management standards. There is a problem though: Risk Management is a PM's job. Agile projects don't keep any PM. Who would manage the risks in that case? The question has been so far addressed by the volunteers. The Product Owner or the Scrum Master put on the hat of the PM to manage the risks. That demanded the risk manager to come out of the project chores time to time and take a thirty-thousand feet view to identify and assess the risk.
The broad level steps are same for risk management in Agile: Risk Identification, Risk Assessment, Risk Planning, and Risk Monitoring. These steps are implemented through scrums, the Scrum Master facilitates the session. However, these scrums don't follow the traditional 3 question format. These are more akin to the brain storming interactive sessions to ensure that all risks are identified and their impacts are rightly analyzed and understood. These sessions also demand the Scrum Master and Product Owner to provide a good perspective on the project risks. Being part of the team and weathering the daily chores, the risk of missing the forest for trees are very high in such a situation. Many project teams try to address this by bringing in an external expert / observer into these sessions and take their inputs. Such attempts are undoubtedly good but deviates from the Agile principles to a good extent.
To summarize, IT projects following Agile methods do need risk management. To accomplish this, the project team must leverage one of the many established formal project management standards and guidelines. The project team must assimilate the role of the PM within one of them to ensure the risks are formally managed. External support, if available would do good to the entire project process of risk management.
