Balancing agile development with regulatory compliance feels like trying to mix oil and water. But what if I told you there’s a way to integrate risk management directly into your Jira workflow without sacrificing speed or compliance?
Based on a recent webinar with Aaron Morris, I’ve distilled the process into six practical steps that will transform how you handle risk in regulated environments.
VIDEO: https://youtu.be/N4DFqluEWvk
Agile Risk Management Fundamentals
Agile development thrives on fast feedback, continuous learning, and breaking big problems into manageable chunks. But when you’re working in regulated industries like medical device development, you also need to deal with SOPs, compliance tasks, and audit trails.
This is where AAMI TIR45 comes in. It provides a framework for mapping agile workflows to regulated environments, particularly to processes described in IEC 62304 and ISO 14971 for risk management.
Step 1: Define Your Agile Layers
TIR45 breaks down agile processes into four distinct layers:
- Product layer
- Release layer
- Iteration layer
- Story/backlog item layer
The key principle here is to push as much of your risk and compliance activities down to the story layer. This approach creates the foundation for traceability, agility, and compliance to work together harmoniously.
According to research on agile compliance, teams that distribute compliance tasks across all layers report 40% less documentation overhead compared to those who handle compliance only at release time.
Step 2: Configure Jira for Risk Management
Before diving into risk management, you need to set up Jira properly:
- Create custom issue types for risks and hazards
- Use SoftComply Risk Manager Plus to create risk models for assessment
- Map risk model fields to ISO 14971 requirements (severity, probability, initial and residual risk assessment)
- Define link types for traceability (creates hazard, is mitigated by, mitigates)
These link types are crucial for establishing end-to-end traceability, which is a cornerstone of regulatory compliance in medical device development and other regulated industries.
Step 3: Perform High-Level Risk Analysis
When a new feature request comes in:
- Begin with high-level requirements analysis
- Identify risk impact on a broad level (product safety, cybersecurity, usability)
- Add hazards as Jira issues using your custom hazard issue type
- Perform initial risk evaluation using Risk Manager Plus
This is your first touchpoint for cross-functional collaboration between developers and quality assurance or risk managers.
Step 4: Conduct Low-Level Risk Analysis
As you break features into epics and stories:
- Repeat the risk management process at the story level
- Identify hazards
- Assess initial severity and probability
- Link mitigation actions
- Link and run tests to verify mitigation effectiveness
- Log outcomes and approve residual risks
While doing this, you’re creating live end-to-end traceability in Jira from risks to requirements to mitigation to tests. This approach aligns perfectly with agile risk management best practices, which emphasize continuous risk assessment throughout development.
Step 5: Build and Maintain Your Live Risk Register
SoftComply Risk Manager Plus includes a dynamic risk table view that serves as your live risk register. This table contains:
- Hazards
- Severities and probabilities
- Mitigation actions
- Risk calculations
- Updates as work progresses
At the end of each sprint, review and approve each risk by asking:
- Is the residual risk acceptable based on your defined criteria?
- Have all mitigation actions been implemented and verified?
- Are there any new emerging hazards?
This approach creates a living document inside Jira that evolves with your project, rather than static documentation that quickly becomes outdated.
Step 6: Create Baseline Release Documents in Confluence
To finalize your documentation:
- Export the Jira-based risk table to Confluence
- Create a static snapshot using SoftComply’s snapshot app
- Route for formal approvals using signatures in Confluence with SoftComply Document Manager
Documents that typically require this baselining include risk registers, requirement specifications, and traceability matrices.
Getting Developer Buy-In
Why would developers want to participate in agile risk management? There are compelling reasons:
- Faster, smoother releases with fewer bugs when compliance tasks are integrated into the development lifecycle
- Less documentation burden at release time since data is already being collected throughout development
- Safer products that can be released more quickly
Final Thoughts
Agile risk management isn’t about sacrificing compliance—it’s about embedding it into your everyday work inside Jira. Follow these tips for success:
- Use TIR45 for guidance on integrating compliance into agile workflows
- Push compliance tasks down to the story layer
- Ensure traceability through linking Jira issues
- Use the right tools: Jira with SoftComply Risk Manager Plus, and Confluence with Static Snapshots and Document Manager
By following these six steps, you’ll create a risk management process that satisfies regulators while maintaining the speed and flexibility that make agile development so powerful.
—
Ready to implement agile risk management in your Jira environment? Try SoftComply Risk Manager Plus free for a month or book a live demo to see how it works with your specific workflow.
