On the 2nd of June 2025, Anko Tijman and Bas van Liere facilitated a one-day training on Balancing Agility with IT Governance, Risk, and Security at Security Academy in Woerden.

The training was fully booked, and most of the participants were either IT auditors or IT risk managers (1st or 2nd line).

After a short round of introductions, the participants shared their expectations and dilemmas about the training and their field of work. This way the trainers could check throughout the training if the expectations were being met and if the dilemmas were addressed sufficiently.

It was an information-packed training with room for questions and interaction.


Key takeaways are:

  • The Stacey Matrix model can be used to verify whether the problem you are facing can be solved either by a traditional (‘Complicated’) approach or by an agile (‘Complex’) approach.
  • Establish ‘simple’ governance and avoid adding more governance when something is not working. Make it clear who makes which decisions using delegation poker (tell, sell, consult, agree, inquire, inform, delegate).
  • Focus on Transparency – Inspect – Adapt.
  • WSJF (Weighted Shortest Job First) can help prioritize not only business requirements but also security, compliance and risk requirements.
  • The Definition of Ready and the Definition of Done can tell you a lot about the maturity of a team as well as about its continuous improvement cycle.
  • As an auditor or risk manager, you can engage with Agile teams and Agile projects by joining their different practices (daily scrum, demo/review, PI planning, etc.).
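To make the WSJF takeaway concrete, here is a small worked example, added to this recap and not part of the trainers' material. It uses the commonly cited SAFe form of the formula, WSJF = cost of delay / job size, where cost of delay is the sum of user/business value, time criticality, and risk reduction or opportunity enablement, all on relative scales. The backlog items and their scores are constructed for illustration; the point is that a security control scored on risk reduction and time criticality can outrank a large business feature without special-casing it.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BacklogItem:
    """One backlog item with its relative WSJF inputs (constructed scale 1..20)."""
    name: str
    kind: str              # label only: "business", "security", "compliance", ...
    business_value: int    # user/business value
    time_criticality: int  # how fast the value decays or a deadline approaches
    risk_reduction: int    # risk reduction / opportunity enablement
    job_size: int          # relative effort; must be positive


def cost_of_delay(item: BacklogItem) -> int:
    """Cost of delay as used by WSJF: value + time criticality + risk reduction."""
    return item.business_value + item.time_criticality + item.risk_reduction


def wsjf(item: BacklogItem) -> float:
    """Weighted Shortest Job First score: higher means do it sooner."""
    if item.job_size <= 0:
        raise ValueError(f"job_size must be positive for {item.name!r}")
    return cost_of_delay(item) / item.job_size


def prioritize(items: List[BacklogItem]) -> List[BacklogItem]:
    """Return the backlog ordered by descending WSJF score."""
    return sorted(items, key=wsjf, reverse=True)


# Constructed sample backlog mixing business, security and compliance work.
SAMPLE_BACKLOG = [
    BacklogItem("Customer self-service portal", "business", 13, 5, 3, 8),
    BacklogItem("Enforce MFA on admin accounts", "security", 3, 8, 13, 3),
    BacklogItem("Audit-log retention for regulator", "compliance", 2, 13, 8, 5),
    BacklogItem("Data-center migration", "business", 20, 3, 5, 20),
]


if __name__ == "__main__":
    for item in prioritize(SAMPLE_BACKLOG):
        print(f"{wsjf(item):5.2f}  {item.kind:<10}  {item.name}")
```

Running the block prints the backlog with the MFA control first (score 8.00), the compliance item second (4.60), then the portal (2.62) and the migration (1.40). Auditors and risk managers joining a PI planning session can use exactly these three cost-of-delay components to argue for a control's place in the queue in the team's own language.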