Risk Mitigation Strategies in Implementing Scrum Framework for Internet-Based IT Companies in Indonesia

To date many Information Technology Companies in Indonesia implement Scrum Framework which is one of the frameworks that uses Agile principles. The implementation of the Scrum Framework does not guarantee that these companies will be free from risk, since many risks will also appear during the implementation of the framework itself. Therefore, risk management strategies are needed to mitigate these risks. This research is a qualitative research to manage risk due to the implementation of Scrum Framework in software development of IT companies, especially in Indonesia. Interviews have been conducted to the Scrum stakeholders in three IT Companies to gather some initial data to be analyzed further using Qualitative Indonesian Journal of Information Systems (IJIS) Vol. 3, No. 1, August 2020 51 Rahayu, Indrawan, Kamarudin (Risk Mitigation Strategies in Implementing Scrum Framework for Internet-Based IT Companies in Indonesia) Content Analysis Method and Risk Breakdown Structure. Our finding shows that there are 17 Risk Registers and their Mitigation Strategies for the implementation of Scrum Framework in Indonesian IT Companies. Furthermore, it can be used as guidelines for decision making about whether to implement this framework in their core businesses.

The solution to overcome the shortcomings of the conventional SDLC's such as Waterfall Model is applying Scrum Framework which is one of the implementation of Agile Principles. Scrum Framework is used in implementation related to public relation [12]. Other Agile Principles approach is Distributed Agile Development (DAD) for software development that able to identify five risk categories such as SDLC's risk factors, project management risk factors, team awareness risk factors, external stakeholder collaboration risk factors, and technology arrangement risk factors [13] which should be responded.
Risk response planning is a process to develop several strategies to increase opportunities and decrease threats to the project [14]. The strategies include risk avoidance, risk transfer, risk acceptance, risk monitoring, risk mitigation, and developing contigency plan and strategic plan [15].Moreover, these risks could be related to several responses [16] [17]. Since not all risks can be eliminated, the risk mitigation and its optimation sometimes are the best approaches [18]. This mitigation, viewed as more effective solutions than damage repairment [14] [19], and other backup plan are developed to decrease the impact of the risk.
Based on the current conditions which are (1) IT project management is a relatively new area and (2) Scrum Framework is relatively new methodology, so in developing countries such as Indonesia this research areas have limited publications. This paper attempts to fill the gap by identifying risks that might happen and developing mitigation strategies for these risks [20][21] [22][23] [24]. The findings will be useful as the guidelines for IT Companies especially in Indonesia which are already using or planning to use Scrum Framework in their product development.

Research Methodology
This research is a qualitative research in which the purpose is to generate risk mitigation strategies in implementing Scrum Framework during software development based on the perspective of Scrum's stakeholder. The research methodology is conducted in the following phases: 1) Determine the companies as the subject of the research using Purposive Sampling Method [25].
2) Gather risk information using semi-structured interviews [13], which divided into three components: Identity of the interviewees, interview and then Follow up based on Theory Driven [26]. 3) Validate data using data triangulation [25] and member checking [27]. 4) Analyze data using Qualitative Content Analysis Method [27]. The unit here is the transcript of the interview and the codes are phrases or sentences from the transcript. The subcategories are the risk identified from the codes, and the categories are the groupings of the risks based on the Risk Breakdown Structure from The Project Management Body of Knowledge [14] as shown in Figure 1 below.  Each of the risk is analyzed further by identifying the description, cause, and impact of the risks in the form of Risk Register [28]. This list can be used as guidelines for IT Companies which is considering in implementing Scrum Framework in their core business. Determine the risk probability and risk impact categories based on the description of each cause and impact in the risk register. The combination of the risk probability and risk impact will determine the risk exposure. The risk exposure also determines the priority of the risk. Finally, the risk mitigation strategies are suggested for managing these risks.

Result and Analysis
The selection of the IT companies using Purposive Sampling [25] and it is performed by criteria, that company should be Indonesian IT companies which already implemented Scrum Framework for at least one year. There are three companies selected as the subject of research which are: 1) ABC is a news portal which collects news from many online media by implementing machine learning and recommendation system. The ABC app has been downloaded more than 40 K times in Google Play and rated 3.4 stars with 36th rank in News in App Store in 2018. 2) XYZ is one of five startup unicorns in Indonesia which has value more than $ 1 billion. It is a Cto-C e-commerce platform that is very popular in Indonesia. XYZ app has been downloaded more than 10 million times in Google Play and rated 4.8 stars with 2nd rank in Shopping in App Store in 2018. 3) EFG is a grocery delivery app in which users can order groceries from popular grocery stores and delivered to the users' home at their convenient. EFG app has been downloaded more than 1 million times in Google Play and rated 4.4 stars with 10th rank in Food & Drink in App Store in 2018. The risk gathering is conducted by interviewing selected personels from these three IT companies. The interviews were conducted to 5 interviewees from ABC, 7 interviewees from XYZ, and 8 interviewees from EFG. The interviews are recorded and then transcripted for further analysis.The analysis using Qualitative Content Analysis [27] produces 17 identified risks of implementing Scrum Framework These 17 identified risks are then categorized based on the Risk Breakdown Structure as shown in Figure 1, and it is classified as shown in Table 1. It can be observed from table 1 that there are some interesting findings about these identified risks : 1) Most of the risks are from organization category with 7 risks, followed by project management category with 5 risks, technical category with 4 risks, and external category with only one risk. 2) Most of the identified risks in organization category are related to the discipline in implementing the Scrum Framework practices. 3) Most of the identified risks in project management category are related to the effectiveness of the Scrum Framework practices. 4) Most of the identified risks in technical category are related to clarity of the goals and the discipline in creating documentation. 5) The only identified risk in external category, which is very fast requirement changes, is actually the reason that Scrum Framework should be used in the first place. Every Internet-based IT companies will face the similar challenges. Each of the identified risks is then analyzed further in forms of description, cause, and impact and then tabulated in the form of Risk Register [28]. Table 2, 3, 4, and 5 shows the Risk Register of each identified risk that categorized as Technical Risk.

Risk ID R01 Risk Name
Unclear requirements.

Risk Category
Technical Description There are unclear requirements according to the developers or stakeholders that make them unable to produce the expected products.

Category
Technical Cause • Developers are not knowing the overall requirements of the project and only given requirements for each Sprint. • Requirements are given in the form of stories that may be lacking in details.

Impact
• Developers cannot grasp the big picture of the product being developed.
• The work from the developers are not as expected by the project owner.
• Unclear acceptance criteria which will trigger bugs.

Risk ID R02 Risk Name
Unclear project goals.

Risk Category
Technical Description The project goals are not properly understood by the developers, so that they have difficulty in predicting what to do to create product that fulfill the these goals.

Category
Technical Cause • Project Owner is giving project goals that are too general. • Project Owner is not able to describe the project goals clearly. Impact • Developers do not understand the goals of the project.
• The work result from the developers is not as expected by the Project Owner. The lack or absence of documentations about the product from both the developer and management that will create several problems.

Category
Technical Cause • Stakeholders are too lazy to produce documentations. • Developers feel that documenting is cumbersome task.
• Documentation is considered time wasting activity since changes in the product will also require changes in documentation.

Impact
• Onboarding process of the new recruits will be longer.
• Difficulty in remembering created features when inquired by certain stakeholders. • Quality Assurance (QA) personel will have difficulty to perform regression testing.

Risk ID R04 Risk Name
Incompatibility in pair programming.

Risk Category
Technical Description There are incompatibilities when performing pair programming with other developer. These incompatibilities will make the developers cannot work together in performing pair programming.

Category
Technical Cause The single-fighter character inside every programmer.

Impact
The development process will slow down. Table 6 shows the only identified risk that is categorized as External Risk, which is very fast requirement changes. Very fast requirement changes.

Risk Category
External Description Requirement changes from market / users are so fast in which the company must accommodate those changes in order to make its product competitive in the market.

Category
External Cause • Agile organizations should be adaptive to changes.
• Working in the Internet-based companies are challenging due to quick changes. Impact • Tasks that are marked done can be back as work in progress.
• Inability to perform good development practices since everything must be done quickly.  The occurrence of dependencies in continuing work in the team scope as well as the between-tasks scope that causes delays since one work must wait another work in order to be completed.

Category
Organization Cause • Lack of details in planning (priority of the story is not considering the dependencies of codes . • Lack of communication and coordination among team members and the difference in priorities in the backlog works between the teams. Impact Time of completion of one or more features will be longer. Unoptimized work.

Risk Category
Organization Description Developers cannot complete the work assigned to them due several reasons.

Category
Organization Cause • Scrum has tight completion time in each Sprint.
• Developers will do their work in a hurry do the tight completion time.
• Developers can get suffer illness / sickness. Impact • Scrum has tight completion time in each Sprint.
• Developers will do their work in a hurry do the tight completion time.
• Developers can get suffer illness / sickness.

Table 9. Risk Register of ineffective numbers and compositions of team members
Risk ID R08

Risk Name
Ineffective numbers and compositions of team members.

Risk Category Organization Description
Ineffectiveness of the work due to the Scrum team conditions such as too many members or inaccurate composition of the team.

Category
Organization Cause • The size of the team is different than what is recommended by Scrum Framework guidelines. • The composition of the team members are not balanced between the senior and junior team members. Impact • Too many team members can create too many communication channels.
• Difficult to manage too many people at the same time.
• The junior team members have difficulty in adapting without the guidance from the senior members. Table 10. Risk Register of no specific product owner

Risk ID R09 Risk Name
No specific product owner.

Risk Category
Organization Description Nobody in the company who acts as specific Product Owner and work exclusively as Product Owner.

Category
Organization Cause • The position of Product Owner is not yet assigned.
• The title of Product Owner is given to specific managerial positions. Impact • Running out of Product Backlog (PB) since there is not time to create PB.
• Product Owner rarely attends and follows the Scrum processes due to his / her activity in other managerial position.  Table 11. Risk Register of minimized role of QA in Scrum processes

Risk ID R10 Risk Name
Minimized role of QA in Scrum processes.

Risk Category
Organization Description Quality Assurance personel who is one of the developer is never involved in Scrum events such as Sprint Planning, Daily Scrum, Sprint Review, or Sprint Retrospective.

Category
Organization Cause • Lack of awareness from the development team that QA is important in the Scrum Framework. • QA personnel is involved only during testing of the features. Impact Creating more bugs. Disruptive additional meetings.

Risk Category Organization Description
Additional meeting for developer which is not Scrum event that could disrupt developers in developing their work.

Category
Organization Cause • Request from the management.
• Changes in meeting schedule.
• Too many meetings. Impact • Disrupt the concentration of the developers during their work.
• Disrupt the working time of the developers.
• Disrupt the productivity of the developers.
• Delay the completion of the current work.   Ineffective communication.

Risk Category
Project Management Description Lack of effective communication due to human character aspects and communication skills of each team members.

Category
Project Management Cause • Some team members are introverts.
• Some characteristics of team members who are difficult to reach agreement.
• Limitation in English language skills. Impact • Uncomfortable working environment.
• Longer development process.
• Need for translator in communication in different languages.

Project Management
Description The Scrum team makes incorrect decision during Sprint Planning.

Category
Project Management.

Cause
• Over-estimation about the stories.
• Under-estimation about the stories.
• Lack of experience in Sprint Planning.

Impact
• Developers become unproductive if he / she finishes earlier than the estimated time. • Some tasks or stories are incomplete due to time limitation due to underestimation.

Project Management
Description The Daily Scrum process is not conducted properly that causes the member of Daily Scrum unable to get benefit from participating in the Daily Scrum.

Category
Project Management.

Cause
• Duration of daily Scrum is too long.
• Discussion of unnecessary technical issues during the Daily Scrum.
• Absence of Product Owner during Daily Scrum. Impact • Developers will be bored and not focused.
• Stakeholders who have no interest in technical issues will not having any benefits.
• Miscommunications will occur.   Additional work in the middle of Sprint.

Risk Category
Project Management Description Additional work in forms of new stories or new tasks is added in the middle of running Sprint.

Category
Project Management.

Cause
Additional work from management. Impact • Some stories must be postphoned to the next Sprint.
• Developers must leave their current work to do higher priorities work.
These 17 Risk Registers shown in table 2 through table 18 shows the complete list of identified risks with all of the required analysis during Risk Identification phase of Risk Management. The next step of the study is determining the probability and impact of each risk in order to find the risk priority. The probability of the risk is determined by examining the causes of the risk from table II through table 18. Each cause is labeled and checked its correlation with other causes in the risk itself and other risk in order to determine its likelihood of occurrence that translates into the risk probability. The risk is then categorized into three probability category, ie. High, Medium and Low. The impacts of each risk are examined into three categories, which are: 1) H (High) : the impact may cause the incorrect or incomplete product.

2) M (Medium)
: the impact may be fixed by the management, but some additional times will be required to perform the correction. It can be shown from Table 19 that most of the top priority risks are from technical and project management categories and most of the low priority risks are from organization category. IT Companies implementing Scrum Framework should pay more attentions in the technical and project management aspects in order to succeed. The risks that are in low priorities and categorized into organization and project management are related to the discipline in implementing Scrum Frameworks based on its guidelines and principles. Each of the risks, especially in the top priorities, should be mitigated by either reducing the probability or minimizing the impact or both. The mitigation strategies can be formulated and then executed in order to achieve the project's final goal. Table 20 shows the suggested risk mitigation strategies of the risk.  Table 20 shows that some of suggested mitigations are similar which indicates that these strategies should be conducted and the result should accommodate the mitigation of more than one risks. The proper implementation of risk management when implementing Scrum Framework during software development will enable the IT Companies to properly anticipate most of the risks in order to increase the success of the development.

Conclusion
This research is able to formulate risk mitigation strategic related to the risks associated with the implementation of Scrum Framework when developing software in IT Companies especially in Indonesia. There are 17 identified risks based on the interviews to three selected Indonesian IT companies. These 17 identified risks are then categorized based on the Risk Breakdown Structure which are organization, technical, external, and project management. Each of the 17 identified risks are then tabulated into Risk Register that identify the additional information relating to the risk such as description, cause, and the impact of the risks. The risk probability and risk impact are determined in order to find the risk exposure and risk priority. The suggested risk mitigation strategies are proposed so that these findings could assist IT Companies wanting to success in implement Scrum Framework in their core businesses. Future work of the research is expanding the study by including more IT Companies in Indonesia, and also finding risk mitigation strategies in more specific types of IT Companies which result in more targeted risk mitigation strategies.