Three Lenses for Risk: Value, Flow, and Controls

Why this matters:

Most discussions about risk focus on schedules and status colors, but that’s not enough. To steer complex work, leaders need to see what we’re building (Value),

how it moves (Flow), and how we prove it’s safe and compliant (Controls). When these three lenses come together, risks stop being surprises and start becoming decisions.

Lens 1: Value - Are we funding the right outcomes?

What to look for

• Weak or vague problem statement for an epic.

• Outputs over outcomes (features built, but no customer impact).

• Sunk-cost momentum (“we’ve already invested, so we must finish”).

Leading indicators

• % epics with measurable outcomes (and a baseline).

• Early signal of adoption/usage on pilot features.

• Hypotheses tested vs. planned this increment.

Simple moves

• Re-frame each epic to “problem, audience, success metric.”

• Slice a pilot that proves value in ≤ 4 weeks.

• Stop/continue decisions based on evidence, not effort spent.

How AI can help

• Summarize epic goals and flag non-measurable outcomes.

• Compare similar past epics to suggest likely risks and effort ranges.

• Draft stop/continue briefs from telemetry and stakeholder comments.

Lens: 2 Flow - Where does the work stall?

What to look for

• Long wait times at handoffs and reviews.

• Aging stories that bounce between teams.

• Rework loops on “done” items.

Leading indicators

• Aging WIP (items open > X days).

• % time blocked; average unblock time.

• Rework rate (items reopened or defects per story).

Simple moves

• Limit WIP; finish small before starting new.

• Put owners on cross-team dependencies; add time buffers where slack is low.

• Shift checks left (design, test, control evidence created with the work).

How AI can help

• Auto-rank blockers by impact and suggest owners.

• Pattern-match where similar items stalled before.

• Simulate delivery dates under small changes (add reviewer, split story, resequencing).

Lens 3: Controls - Are we audit-ready as we go?

What to look for

• Controls checked at the end instead of with the work.

• Manual evidence scattered across tools.

• Surprises at go/no-go gates.

Leading indicators

• Control coverage on high-risk items (e.g., security, privacy, SOX).

• Missed or late control checks.

• Evidence completeness (what % of required artifacts exist and link to work items).

Simple moves

• Add a “control ready” step to your Definition of Done.

• Centralize evidence links on the story/PR; avoid side documents.

• Run mini-audits monthly so there’s no cliff at release.

How AI can help

• Generate checklists from policy; compare PRs/stories to the list.

• Spot missing evidence links before a gate review.

• Draft compliance summaries from the artifacts you already have.

Put the Lenses Together: One Page, Once a Week

A 30-minute cadence

1. Scan (10 min): Review top signals for Value, Flow, Controls.

2. Decide (10 min): Pick the top 3 risks. Assign owner, action, due date.

3. Log & Learn (10 min): Update a simple board. Note what worked/what didn’t.

I'm curious to know how this would play out in your world. DM me “VFC” and I’ll send a quick mapping template.