agility meets regulatory compliance
Post on 14-Sep-2014
DESCRIPTION
How can we reconcile the light-touch approach of agile development teams with governance and information security requirements such as data privacy and regulatory compliance? I discuss how to bring together the apparently conflicting needs of information security and agile, and show by example how agile teams actually approach tough regulatory requirements and good governance.
TRANSCRIPT
agile42 | We advise, train and coach companies building software www.agile42.com | All rights reserved. Copyright © 2007 - 2009.
Why should it be more difficult to apply Scrum where IT governance & regulatory compliance is enforced?
what is driving growth in agility?
Growing Software Complexity
Software complexity in FORD vehicles quadrupled in 5 years
[Chart: software lines in FORD vehicles over the past 5 years, 2005 to 2010; values as plotted: 2.4, 2.8, 3.4, 4.5, 6, 10 (x4)]
Growing Software Complexity
Compared software complexity growth in aerospace and automotive
[Chart, values as plotted: F-22 Raptor 1.7; F-35 Joint Strike Fighter 5.7; Boeing 787 Dreamliner 6.5; S-Class Daimler 98.6 (x10)]
Time to Market
Due to globalization effects and other economic changes, time to market has decreased significantly over time.
[Chart (Deepa Chandrasekaran, Gerard J. Tellis, Marshall School of Business, University of Southern California, Los Angeles, California): time to market across 1915, 1939, 1972, 1976, 1983, 1994, 1998, 2000, 2002, 2004, falling from 13.5 years to 3 months]
why does that matter?
Change from this... a defined process, suited to producing faster with constant inputs
... to this: an R&D-based process, suited to uncertain and changeable environments
what is governance and regulatory compliance?
IT Governance Goals
The primary goals of information technology governance are to:
1. Assure that investment in IT generates business value, and
2. Mitigate the risks associated with IT
Comparing the goals
[Slide comparing governance and agility goals; labels as shown: 1 Quality, 2 Productivity, 3 Predictability, 4 Business Value; Business Value, Risk Management; Effectiveness; Exceed requirements]
Interpreted to be prescriptive
"The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation." (Australian Standard)
"... the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives" (IT Governance Institute)
"The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise." (ISACA)
Achieving agility vs. compliance
Agility: Communication; Empowerment; Transparency; Adaptability; Iterative & Incremental
Governance: Defined Process & Standards; Plan › Analyze › Develop › Test; Traceability; Formal review and approval; Configuration Management
how to reconcile agile and governance processes
Scrum process
[Figure: Scrum process with governance gates numbered 0 to 3: the wrong way to manage governance]
Scrum process
1. Documentation
2. Interactions
Documentation
Is documentation waste?
"Everything that does not add value to the product is waste" (1st principle of lean development)
Is documentation waste?
"If you must produce paperwork that adds little customer value, there are three rules to remember: Keep it short. Keep it high level. Do it offline."
"Safety-critical systems are frequently regulated and are often required to have written requirements, traceable to code. In this case, formatting the requirements so that they can easily be evaluated and checked for completeness may qualify as a value-adding activity. Look for a table driven or template driven format that reduces the requirements to a condensed format that both users and development can rapidly understand and validate." (Mary Poppendieck, Lean Software Development)
Changing role of specifications
Governance: Requirements Specifications › Design › Code › Tests. Requirements specifications drive implementation.
Agility: Requirements Specifications (Epics, User Stories, Acceptance Criteria) › Design › Code › Tests, with tests defined and executed from the stories (Define / Execute) and the requirements validated and updated against the result (Validate / Update). Requirements document the system as-built.
Changing role of standard operating procedures
Governance: Standards reduce variation and allow untrained people to make decisions. Written standards are to be followed, not changed.
Agility: A standard defines goals for a team to reach, and constraints to observe. An agile team will use it as a baseline for continuous process improvement.
Changing role of document review and approval
Governance: This document is now approved as input for the next development phase.
Agility: This document is now part of a consistent product increment. The Definition of Done and Definition of Ready allow setting minimal requirements to pass to the next phase.
Merging agile and governance needs
1. Documentation
• Document the system as-built
• Operating procedures serve as baseline
• DoR and DoD serve as minimal requirements
• Documents are part of the product increment
Interactions
A typical product development process
[Figure: CONCEIVE › DESIGN › IMPLEMENT › DEPLOY along the time-to-market axis]
Mapping the value stream
[Figure: the same stages along the time-to-market axis, split into value-adding and non-value-adding time]
Common non-value adding steps include...
[Figure: the same value-stream map, with the non-value-adding steps highlighted]
Merging agile and governance needs
2. Interactions
• Role of involved stakeholder
• Defines minimum requirements to be met
• Reviews Requirements & User Stories
• Provides reviews/direction within the Sprint
so what?
Conclusions
• Agility and IT Governance & Regulatory Compliance share the same objectives
• Differences in HOW they are implemented drive the potential conflict
• Agility and IT Governance can co-exist:
• Definition of Ready and Definition of Done serve as minimal requirements (replacing Standards)
• Involve the IS/Compliance Manager as an involved stakeholder, providing reviews/direction within the Sprint
• Compliance documentation is delivered as part of the product increment
Questions? & Answers!
For any further comment or question, feel free to contact us: [email protected]
Further References:
Scrum Alliance: http://www.scrumalliance.org
Control Chaos: http://www.controlchaos.com
Implementing Scrum: http://www.implementingscrum.com
Jeff Sutherland Blog: http://jeffsutherland.com/scrum
Mike Cohn "User Stories": http://www.mountaingoatsoftware.com
agile42 Website: http://www.agile42.com/