When adopting an agile approach, projects vary considerably in terms of the importance of their requirements elements and their complexity. The more complex the organisation, the more difficult it is to adopt agile practices without tailoring them to the situation it is in. For regulated organisations, compliance isn’t optional, and it isn’t cheap. With new regulations, mandates and standards being released practically monthly, many organisations are struggling to find a balance between their IT governance and the adoption of agile practices in their software delivery. Fortunately, there are ways to stretch the agile principles and practices to account for the context you are in. On the other hand, governance needs to adapt to the new ways of developing software without sacrificing other priorities. This presentation, inspired by Scott Ambler's book, scratches the surface and explores some best practices that will help reduce the regulatory and compliance burden during an agile delivery.
Agile requirements and compliance finding a balance
1. AGILE REQUIREMENTS AND COMPLIANCE:
ACHIEVING A BALANCE BETWEEN GOVERNANCE AND AGILITY
Cherifa Mansoura, Agile Coach/Business Architect
TEKsystems, Montreal
cherifamans@gmail.com
ca.linkedin.com/in/linkedincherifamansoura
2.
§ Introduction
§ Governance and Compliance
§ Agility
§ Balancing act: Building common ground
§ Recommendation
'Would you tell me, please, which way I ought to go from here?'
'That depends a good deal on where you want to get to,' said the Cat.
'I don't much care where -' said Alice.
'Then it doesn't matter which way you go,' said the Cat.
'- so long as I get SOMEWHERE,' Alice added as an explanation.
- Lewis Carroll, Alice in Wonderland
[Figure: a balancing act between Compliance and Agile]
3.
Profile: Large government organization developing in-house solutions, bound with:
§ A heavy IT governance, and regulated by compliance rules such as ISO, HIPAA, FDA, or SOX
§ Obviously, compliance/regulation is one of the scaling factors (complexity) that needs to be catered for when delivering software
§ Focus is IT delivery governance
§ As an agile project team, you must meet regulatory requirements and document evidence of compliance: how do you go about adopting agile in a regulated organization?
[Diagram labels: Compliance / Policies, rules, guidance; Processes/Standards; Control; Governance Bodies]
4. Development organizations, large and small, are striving for more agility in their software delivery.
§ Business analyst, Developer: "We are agile!"
§ Project Manager, Product Manager: "We can be agile!"
§ Customers: "We need you to be agile!"
§ Audit/Compliance Officer: "Agile? Not sure I understand"
§ CxO: "We HAVE to be agile!"
5.
Compliance is generally perceived in the software community as a way to evaluate software process from a formal and document-based perspective.
AND
Many argue that Compliance/Governance and AGILE are just not compatible.
Motivation for this presentation: to dispel this argument.
9.
1. Management driven
2. Plan and artifacts driven
3. Contract driven
4. Report driven
5. Audit driven
Governance Risks
§ Deadline not met
§ Higher cost
§ Poorer quality
?
11.
§ Team environment: self-organizing team
§ Iterative development approaches
§ Recognize the needs of ALL stakeholders (including the auditors)
§ Avoid BRUF early and premature details at top levels
§ Keep the documentation to a minimum
§ “The highest priority is to satisfy the customer through early and continuous delivery of valuable software.”
§ Make commitments as late as possible to avoid rework
§ Meet commitments
§ Work in close proximity to the customers and development team
§ Keep continuous attention to technical excellence
12.
§ Continual customer involvement
  - Product owner represents the stakeholders
§ Shared vision
  - Understand business needs
  - Focus on all stakeholders' goals
§ Requirements elicitation
  - Conversations, agile modeling, workshops
  - Obtain “just about enough” details
§ Requirements analysis
  - Performed “just in time”
§ Requirements documentation
  - User stories, storyboards, acceptance tests, agile models
§ Iterative requirements planning & management
  - Adjusted with planning levels
13.
• High levels of management oversight and hierarchical governance
• Top-down improvement approach
• Aim for business value
• Dictate what “the right thing is”
• Some compliance frameworks expect measurements

• Business people on site, collaborating with the agile team
• Building trust between developers and the business
• Transparency
• Deliver “business” value
• Bottom-up improvement approach
• Motivated team

Can we find common foundational principles?
14.
Agile | Regulations Needs
“Individuals and interactions over processes and tools” | Established processes, policies, established standards…
“Working software over comprehensive documentation” | Evidence in documentation
“Customer collaboration over contract negotiation” | Business rules/constraints & regulatory requirements
15.
Governors’ Perception of Agile | Agilists’ Perception of Governance
Uncertainty and lack of predictability leads to costly delivery & technical debt | BRUF over YAGNI *
A lack of modelling leads to significant rework | Comprehensive models slow your development efforts
A lack of documentation and traceability lead to significant rework | Comprehensive documentation does not always add value
Agile is just about construction | Following traditional/sequential approaches and heavy ceremony is a waste
Agile doesn’t address Enterprise Issues | Silos and barriers between teams are impediments to successful development
* YAGNI = You are not going to need it
17.
Compliance requirement: from low risk to critical, audited

Interaction over process and tools
✓ Light process is still a process
✓ A process that derives value
✓ Automation/tools that add value

Working software over comprehensive documentation
✓ Tradeoffs are the “customer” responsibility
✓ Choose only documentation that adds value
✓ Adopt an easy way to keep track of some requirements artifacts using tools
✓ High-quality software is as important for compliance officers

Customer collaboration over contract negotiation
✓ Continuous stakeholder involvement, including the compliance officer, ensures that all intended user needs + constraints are successfully implemented
✓ Common ground: signed-off Product Backlog, lightweight reviews, usage of automation

Responding to change over following a plan
✓ Agile puts great emphasis on planning, with better process management and improvement
✓ Common ground: architecture road map, feature road map and long-term iteration road map
18.
§ Have a hybrid top-down and bottom-up approach with an agile governance. Build trust and actively engage business stakeholders. Identify complexity factors and implement process and tools for scaling Agile
§ A vision that counts auditors as key stakeholders
§ Milestone-driven and scalable approach to prevent inconsistent execution
§ Map regulated activities into your SDLC
§ Select practices that address business people (compliance and governance body)
§ Get the compliance officers involved at the earliest opportunities
§ Project visibility, transparency, built-in traceability between artifacts and effective collaboration are facilitated with automation
§ Team members need to be equipped with the right training and the right tooling, be enterprise aware, and collaborate with the business, including HR, audit, finance…
§ Teams need to be well aware of the regulations to prevent misinterpretation
[Diagram labels: Strategy, Culture, Teams, Tooling, People]
20.
[Diagram labels: Regulatory Drivers; Compliance / Governance; Enterprise complexity; Strategic; Tactical; Disciplined Agile Approach with Appropriate governance; Core Agile; Agility @ Scale; Complexity; Maturity]

§ Small team
§ New projects
§ Simple application
§ Co-located
§ Minimal need for documentation

§ Maturing projects
§ Growing in complexity
§ Greater need for coordination, discipline
§ Agile blending slowly into the enterprise governance

§ Mature or existing projects
§ Many developers
§ Complex applications
§ Need for scalability and traceability
§ Greater need for documentation and handoffs
21. § Understand the Context: It sure counts!!!
§ Adapt and do not anticipate
§ Understand the regulations
§ Understand the real issues at hand and be aware of the regulations
§ Understand the values of the other one: governance versus agile
§ Governance and agile are complementary
22.
§ Disciplined Agile Delivery: A Practitioner’s Guide to Agile Software Delivery in the Enterprise; Scott W. Ambler, Mark Lines
§ Rational Innovate 2012 conf: Achieving better requirements on agile projects: User Stories and beyond; Cherifa Mansoura
§ Adapting Agile requirements practices for devops: White paper; Cherifa Mansoura. http://www.ibm.com/developerworks/rational/library/adapting-agile-requirements-devops-rescue/index.html