We live in a world of increasing regulatory constraint.
So how can we make Agile work with compliance?
Where Do We Start With Agile and Compliance?
Most organizations labor under some degree of regulatory constraint that requires them to proactively demonstrate oversight and control. Meanwhile, conventional wisdom often asserts that Agile adoption in a regulated environment can't work. Both forces naturally influence our project delivery processes and roles to some degree. The majority of regulations exist for very good reasons; it is the solutions built to satisfy them that are often poorly implemented. Not every regulatory requirement is a burden, either: appropriately interpreted, some facets of regulation can enhance efficiency, transparency, and risk mitigation, all of which Agile seeks to promote.
Governance, Risk & Compliance
Due to increasing sensitivity around data ownership, social media, and AI, we are experiencing unprecedented growth and complexity in the Governance, Risk, and Compliance (GRC) domain. More and more, strictures and control requirements are arising from legislation for governance, data retention, and privacy. These are being promulgated at both domestic and international levels. As a result, most organizations are required to establish, maintain, and demonstrate alignment with a defined standard or scheme. Beyond this, some organizations operate in markets or domains that are subject to even more intense and onerous regulatory demands and scrutiny.
The World of Regulations and Standards
There are a growing number of sources of regulation. These include SOX, Dodd-Frank, Basel, HIPAA, the FDA, OSHA, and the EU GDPR, to name just a few. Some sectors are regulated more stringently than others. Most notably, pharma, medical, aerospace, energy, food production and distribution, transport, communications, defense, and finance are often subject to more control and oversight than other domains.
The Linear Vs. Agile Compliance Conundrum
Unfortunately, the need to meet regulatory requirements often manifests itself as a "command and control" Linear (waterfall) style of process. Conversely, the Agile family of methods has a strong bias toward light-weight, highly flexible delivery processes for teams. Agile methods are potentially powerful at the team level, but problems arise when attempting to scale them to a business-unit or enterprise level. Right now, many companies are struggling to reconcile team-based Agile methods with their more traditional governance-based processes. So, due to their perceived inflexibility, some compliance and regulatory frameworks can represent a significant obstacle to evolving toward Agility.
Our Dilemma
On the face of it, then, we have a situation in which traditional Linear (waterfall) compliance processes and Agile methodology appear to be almost entirely incompatible. Yet a substantial population of organizations and practitioners is forced to make them align and work together. Drawing on three case studies from the medical field, part 2 of this article will explore tips and techniques that illustrate how these apparently divergent processes can coexist and even complement each other.
NFRs — Solution for Simple Situations
But before we move to part 2, let's pause briefly to address the simplest solution, the one most often advocated by Agile models, frameworks, and methods. The premise is that, in many cases, discrete regulatory requirements can simply be treated as items in the team's standard pipeline of work. In Agile terms, they become Non-Functional Requirements (NFRs) or "compliance" stories (also often referred to as Enablers) that get refined, prioritized, and sized for inclusion in the Agile Backlog. These are often tagged to distinguish them from the general population of "regular" user stories, which also makes it straightforward to report on their status when an auditor asks. Then, perhaps with a little additional tracking, the compliance items get folded into the regular workflow of the Agile team. Sometimes "simple" works best!
However, environments with more complex and onerous compliance schemes need more sophisticated solutions. In part 2, we will explore some proven techniques for those trickier situations.