My presentation (in EN) from itSMF Pomorze (Poland) meeting. It shows how to combine SCRUM agility in product development with Corporate Governance controls from COBIT.
2. Intro
Is there a way to combine an agile and flexible product development approach with the requirements of Corporate Governance?
3. SCRUM – rules and agreements
• Iterations
• Each sprint delivers „closed”, working functionality
• Flexible, allows frequent change of direction
• Responsibility for the product delivery and quality
• According to Product/Story Owner requirements
5. Characteristics of SCRUM & COBIT
SCRUM
• Rapid (agile) and iterative delivery of products
• Moderate to high changeability
• Flexible approach
• No guarantee (high appetite for risk)
COBIT
• Stabilization (through using controls)
• Preferred low changeability
• „Strict” requirements
• Required guarantee (low appetite for risk)
6. So we’re done… You cannot provide high changeability of a product and provide stabilization at the same time.
Really? What if we look at the rules and agreements in SCRUM?
8. Roles in SCRUM
SCRUM Master
• Coordination
• SCRUM „compliance”
• „Accountancy” of sprints/team
Product Owner
• Product Backlog
• Authorization for DoD
• Authorization for sprints
• Validation of DoD and sprints’ products
Developer
• Estimation
• Production
• QA
• Deployment
9. Roles in SCRUM (2)
Roles: SCRUM Master, Product Owner, Developers (×3), QA (×3)
Phases: Definition, Control, Validation
ACTIVITY
1. Develop and implement the process to consistently record, assess, and prioritise change requests.
2. Assess impact and prioritise changes based on business needs.
3. Assure that any emergency and critical change follows the approved process.
4. Authorise changes.
5. Manage and disseminate relevant information regarding changes.
10. SCRUM tasks’ types & Products distribution
Task types: EPIC, STORY, STORY, BUG BUG BUG
• Bug -> sprints’ technological debt -> Emergency Change
• Epic <> Story – ability to use SoD (e.g. Test/Prod deployment done in different Stories of the same Epic)
• Sprint & Product backlog management – prioritization
11. SCRUM tasks’ types & Products distribution (2)
Backlog of Sprint 1: Task 1, Task 2, Task 3, Task 4
Backlog of Sprint 2: Task 5, Task 6, Task 7, Task 8
OK, what about Authorization? We already spoke about it…
ACTIVITY OK? (the five change-management activities listed on slide 9, checked against SCRUM)
12. Authorization of changes
Product Owner
• Product Backlog
• Authorization for DoD
• Authorization for sprints
• Validation of DoD and sprints’ products
The Product Owner is responsible for authorization. This role manages both authorization and prioritization of tasks/products. If there are more stakeholders, the PO is responsible for obtaining decisions and the final authorization.
ACTIVITY OK? (the five change-management activities listed on slide 9, checked against SCRUM)
13. OK, we got 3 of 5 controls checked. 2 remaining?
Let’s see…
14. Information about Changes
We need some assumptions for our SCRUM „agreement”:
1. SCRUM is transparent – we do not hide the product nor information
2. SCRUM has wing-2-wing responsibility for products
3. The Product Owner is acting as the Customer/users’ representative.
Makes sense…
15. Information about Changes (2)
Product Owner
The Product Owner is responsible for communication. Depending on the product, the actual communication actions may differ. They will cover checks from public access to the backlog, through access to the sprints’ scope, up to specific channels related to particular deployments.
Audience: users, Customer, other POs, teams, etc.
ACTIVITY OK? (the five change-management activities listed on slide 9, checked against SCRUM)
16. What about prioritization of CRs…
It’s the simplest thing:
1. User Story
2. Product Backlog
3. Sprint Backlog
4. PO’s decision
17. Problem Solved!
ACTIVITY OK? (all five change-management activities listed on slide 9, checked against SCRUM)
18. Is that all?
Of course we have not shown everything. Apart from CC (AI6), COBIT has many other areas around changes. However, the „mind/toolset” is similar. It requires basic knowledge:
a) Acknowledgement that SCRUM is based on Human-2-Human interactions
b) Acknowledgement that meeting a control does not have to be done through a machine interface. Control models require validation/documentation.
19. What else?
• PCI (VISA): similar approach, a bit different SoD and some details
• ISO20000: similar approach, ITIL ChM
• CMMi: 100% compatibility (with given requirements)
• Other models: I dunno… Don’t be afraid of asking!