agile requirements and compliance finding a balance
TRANSCRIPT
AGILE REQUIREMENTS AND COMPLIANCE: ACHIEVING A BALANCE BETWEEN GOVERNANCE AND AGILITY
Cherifa Mansoura, Agile Coach/Business Architect TEKsystems, Montreal [email protected] ca.linkedin.com/in/linkedincherifamansoura
2
§ Introduction
§ Governance and Compliance
§ Agility
§ Balancing act: Building common ground
§ Recommendation
“Would you tell me, please, which way I ought to go from here?'
'That depends a good deal on where you want to get to,' said the Cat. 'I don't much care where -' said Alice.
'Then it doesn't matter which way you go,' said the Cat. '- so long as I get SOMEWHERE,' Alice added as an explanation.
‘― Lewis Carroll, Alice in Wonderland
Compliance
Balancing Act
Agile
3
Profile : Large Government organization developing in-house solutions bound with
§ With a heavy IT governance and regulated with compliance rules such as ISO, HIPPA, FDA, or SOX..
§ Obviously, compliance /regulations is one of the scaling factor (complexity) that needs to be catered for, when delivering Software
§ Focus is IT delivery governance § As an agile project team, you must comply / meet -- and document
evidence of regulatory requirements: How do you go about adopting agile in a regulated organization?
3
Compliance / Policies, rules, guidance
Processes/Standards
Control Governance Bodies
Development organizations, large and small, are striving for more agility in their software delivery.
Business analyst
Developer
We are agile!
Project Manager
Product Manager
We can be agile!
Customers
We need you to
be agile!
Audit /Compliance Officer Agile? Not sure I
understand
CxO
We HAVE to be agile!
4
5
5
Compliance is generally perceived in the software community as a way to evaluate software process from a formal and document-based perspective. AND
Many argue that Compliance/Governance and AGILE are just not compatible
Motivation for this presentation: Is to dispel this argument
6
§ Introduction
§ Governance and Compliance
§ Agility
§ Balancing act: Building common ground
§ Recommendation
“Would you tell me, please, which way I ought to go from here?'
'That depends a good deal on where you want to get to,' said the Cat. 'I don't much care where -' said Alice.
'Then it doesn't matter which way you go,' said the Cat. '- so long as I get SOMEWHERE,' Alice added as an explanation.
‘― Lewis Carroll, Alice in Wonderland
Compliance
Balancing Act
Agile
7
7
Enterprise Governance
IT Governance
Delivery
Operations
Data Security
Technology
*If you do not understand what you are governing you cannot possibly govern it effectively
*Scott Ambler: Disciplined Agile Delivery (DAD)
IT Delivery
Rules
IT governance
Regulations Process, Standards Artifacts, Reports, Audit
Governing Bodies PMO, QA , EA, Audit, etc...
IT Delivery
Policies, Rules/ requirements
Teams SDLC
Technical initiatives, projects
Enforcing Enforcing
8
Oversee
Enforcing
9
1. Management driven 2. Plan and artifacts driven 3. Contract driven 4. Report driven 5. Audit driven Governance Risks
q Deadline not met q Higher cost q Poorer quality
?
10
§ Introduction
§ Governance and Compliance
§ Agility
§ Balancing act: Building common ground
§ Recommendation
“Would you tell me, please, which way I ought to go from here?'
'That depends a good deal on where you want to get to,' said the Cat. 'I don't much care where -' said Alice.
'Then it doesn't matter which way you go,' said the Cat. '- so long as I get SOMEWHERE,' Alice added as an explanation.
‘― Lewis Carroll, Alice in Wonderland
Compliance
Balancing Act
Agile
§ Team environment : Self organizing team
§ Iterative development approaches
§ Recognize the needs of ALL stakeholders (including the auditors)
§ Avoid BUFR early and premature details at top levels
11
§ Keep the Documentation to a minimal § “The highest priority is to satisfy the customer through early and continuous
delivery of valuable software.”
§ Commitments as late as possible to avoids rework
§ Meet commitments
§ Work in close proximity to the customers and development team
§ Keep continuous attention to technical excellence.
12
§ Continual customer involvement ! Product owner represents the stakeholders
§ Shared vision ! Understand business needs ! Focus on all stakeholders goals
§ Requirements elicitations ! Conversations, agile modeling, workshops ! Obtain “just about enough” details
§ Requirements analysis ! Performed “just in time”
§ Requirements documentation ! User stories, storyboards, acceptance tests, agile models, acceptance tests
§ Iterative requirements planning & management ! adjusted with planning levels
13
• High levels of management oversight and hierarchical governance
• Top-Down Improvement Approach • Aim for business value • Dictate what “the right thing is” • Some compliance frameworks expect
measurements
• Business people on site, collaborate with agile team
• Building trust between developers and the business
• Transparency • Deliver “business” value • Bottom-up Improvement approach • Motivated team
Can we find common foundational principles?
14
Established processes Policies Established standards…
“Individuals and interactions over processes and tools”
“Working software over comprehensive documentation” Evidence in
documentation
“Customer collaboration over contract negotiation”
Business Rules/Constraints & regulatory requirements
Agile
Regulations
Needs
Governors’ Perception of Agile Agilists’ Perception of Governance Uncertainty and lack of predictability leads to costly delivery & technical debt
BRUF over YAGNI *
A lack of modelling leads to significant rework
Comprehensive models slow your development efforts
A lack of documentation and traceability lead to significant rework
Comprehensive documentation does not always add value
Agile is just about construction Following traditional/sequential approaches and heavy ceremony is a waste
Agile doesn’t address Enterprise Issues
Silos and barriers between team are impediments to successful development
15
*YAGNI=You are not going to need it
16
§ Introduction
§ Governance and Compliance
§ Agility
§ Balancing act: Building common ground
§ Recommendation
“Would you tell me, please, which way I ought to go from here?'
'That depends a good deal on where you want to get to,' said the Cat. 'I don't much care where -' said Alice.
'Then it doesn't matter which way you go,' said the Cat. '- so long as I get SOMEWHERE,' Alice added as an explanation.
‘― Lewis Carroll, Alice in Wonderland
Compliance
Balancing Act
Agile
17
Compliance requirement Low risk Critical, audited
Interaction over process and tools
ü Light process is still a process ü A process that derives value ü Automation/tools that add value
Working software over Comprehensive documentation
ü Tradeoffs are the “customer” responsibility ü Choose only documentation that adds value ü Adopt an easy way to keep track of some requirements artifacts using tools ü High quality softwares are as important for compliance officers
Customer collaboration over contract negotiation
ü Continuous stakeholders involvement, including compliance officer ensures that all intended user needs + constraints are successfully implemented ü Common ground: Signed off Product Backlog, lightweight reviews, usage of automation
Responding to change over following a plan
ü Agile puts great emphasis on planning, with better process management and improvement ü Common ground: architecture road map, feature road map and long term Iteration road map
18
Have a hybrid top-down and bottom approach with an agile governance. Build trust, actively engage business stk. Identify Complexity factors and implement process and tools for scaling Agile
A Vision that will count auditors as key stakeholders
Milestone-driven and scalable approach to prevent inconsistent execution Map regulated activities into your SDLC
Select Practices that address Business people (compliance and governance body)
Get the compliance officers involved at the earliest opprtunities
Project visibility , transparency, built-in traceability between artifacts and effective collaboration are facilitated with automation.
Team members need to be equipped with the right training, right tooling , be enterprise aware, and collaborate with the Business, including HR, audit, Finance…
Team to be well aware of the regulations to prevent misinterpretation
Strategy
Culture
Teams
Tooling
People
19
§ Introduction
§ Governance and Compliance
§ Agility
§ Balancing act: Building common ground
§ Recommendation
“Would you tell me, please, which way I ought to go from here?'
'That depends a good deal on where you want to get to,' said the Cat. 'I don't much care where -' said Alice.
'Then it doesn't matter which way you go,' said the Cat. '- so long as I get SOMEWHERE,' Alice added as an explanation.
‘― Lewis Carroll, Alice in Wonderland
Compliance
Balancing Act
Agile
20
Regulatory Drivers Compliance / Governance Enterprise complexity
Strategic
§ Small team § New projects § Simple application § Co-located § Minimal need for
documentation
§ Maturing projects § Growing in complexity § Greater need for
coordination, discipline § Agile blending slowly into
the enterprise governance
§ Mature or existing projects § Many developers § Complex applications § Need for scalability, and traceability § Greater need for documentation and
handoffs
Tactical
Disciplined Agile Approach with Appropriate governance
Core Agile
Agility @ Scale
Complexity
Maturity
§ Understand the Context: It sure counts!!! § Adapt and do not anticipate
§ Understand the regulations § Understand the real issues at hand and be aware of the regulations
§ Understand the values of the other one: governance versus agile
§ Governance and agile are complementary
21
§ Disciplined Agile Delivery: A practitioner’s guide to Agile Software Delivery in the Enterprise; Scott W.Ambler-Mark Lines
§ Rational Innovate 2012 conf: Achieving better requirements on agile projects: User Stories and beyond ; Cherifa Mansoura
§ Adapting Agile requirements practices for devops: White paper; Cherifa Mansourahttp://www.ibm.com/developerworks/rational/library/adapting-agile-requirements-devops-rescue/index.html
22