Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Agile. The way to security
Antonio Ramos
Table of contents
1. Risk analysis? Analysis? Are you serious?
2. Risk in complex environments
3. Agility applied to risk management
RISK ANALYSIS? ANALYSIS? ARE YOU SERIOUS?
What the f*$k?
Risk Management Planning
Risks Identification
Qualitative Risk Analysis
Quantitative Risk Analysis
Risk response Planning
Risks control and monitoring
But if we have never carried out a plan of this kind before, or worked in this kind of setting before, how successful can we be in anticipating all the risks?
When we look at projects that failed, the most devastating risk factors often turn out to be things no one expected or was even thinking about
BIASES
Combining probabilities
Base rate error
Anchoring
Overconfidence
Availability
Confirmation
Categorization – Law of large numbers
Representativeness
Yearly deaths per 200 million people (estimated vs. real)
Cause        Estimated    Real
Twister            564      90
Fireworks          160       6
Asthma             506    1886
Drowning          1684    7380
8 × 7 × 6 × 5 × 4 × 3 × 2 × 1
1 × 2 × 3 × 4 × 5 × 6 × 7 × 8
C X C X C X C X C X C X C X
C C X C X X C X X X C C C X
You'll like your job
You'll own your own home
You'll travel to Europe
You'll go five years without a night in the hospital
You'll have an alcohol problem
You'll get divorced
You'll get a sexually transmitted disease
You'll have gum problems
Analysis? Are you serious?
RISK IN COMPLEX ENVIRONMENTS
Dave Snowden
Domain        Practice            Approach
Simple        Best practice       Sense - Classify - Respond
Complicated   Good practice       Sense - Analyze - Respond
Complex       Emerging practice   Test - Sense - Respond
Chaotic       Novel practice      Act - Sense - Respond
Simple
Sense - Classify - Respond
Complicated
Sense - Analyze - Respond
PMBOK
PMI Practice Standard for Risk Management
SEI’s SRE v2_0
ISO/IEC 16085 – 2006
ISO/IEC 27001
Complex
Probe - Sense - Respond
Chaotic
Act - Sense - Respond
Prioritize-and-reduce makes the most sense for well-ordered domains
The calculate-and-decide approach to risk works best in well-ordered situations
This is really the essence of doing risk management planning in agile: determining if we need to do it formally or if we should instead allow risk to be addressed organically as part of the overall process of constant inspection and adaptation
Traditional Risk Management will make us overconfident when we are in complex and ambiguous situations
If we enforce traditional RM practices in complex situations, we run the risk of imposing additional procedures and constraints that reduce flexibility
near-misses
Hypothesis
Arguments
Facts / Assumptions
Formulate hypothesis - Design experiment - Obtain data - Learn
We need to develop resilience as a tactic for protecting ourselves against risk. We need to engage in Risk Management by Discovery.
AGILITY APPLIED TO RISK MANAGEMENT
In Agile, the way of addressing risk is built organically into the Agile values, principles and practices
Scrum
XP
Crystal Clear
DSDM
FDD
Plan A / Plan B / Plan C
Original target ... New target ... New target ... New target ... ? (the target keeps moving)
Apply - Inspect - Adapt
So, if the customer cancels the booking, are they entitled to a refund of the deposit?
No, let me tell you... What do you think? That they're going to keep my money? And they'll also have to send me an email confirmation that the cancellation is OK!
Right, but the customer will have to do it with some minimum notice, I'd say
Early detection - Immediate response - Quick exploitation
‘Resilience’
A VIABLE organization
Less controls
An AGILE organization
More controls
A SECURE organization
A VIABLE organization
An AGILE organization
A SECURE organization
A RESILIENT organization
Co-authors
This presentation is possible thanks to Mario López de Ávila and his work and research on agile entrepreneurship
ISACA blog, "Forget the impregnable fortress approach—it's time to adapt", http://goo.gl/NZuDU
Contact: Mario López de Ávila
@mariolopezdeavila
http://es.linkedin.com/in/lopezdeavila
Contact: Antonio Ramos
@antonio_ramosga
http://es.linkedin.com/in/sorani
Thank you!