by Steve Ostermiller (Ed.)
The 14th Annual State of Agile™ Report offers some significant insight into why regulated industries and agile techniques make sense together. It found that 28% of respondents consider automated audit compliance and governance across control points very valuable, up from 10% the year before. The report attributes this to rising agile adoption among companies with compliance requirements. Those adopters also cited reducing project risk as their reason more often than reducing cost: 37% named risk (up from 28% the previous year), while 26% named cost (down from 41% the year before).
Are Regulated Industries and Agile Techniques a Suitable Match?
If your organization fits into this bucket, you may wonder how well agile and lean approaches such as scrum or kanban can work in your environment. Your experience today may include significant overhead from documentation, inspections at each stage of development, and quality and user acceptance testing that starts only after the code is finished, with the delays that implies.
Contrary to a common perception, agile approaches work well in highly regulated environments. In this article we'll explore a few facets of this match.
Auditing and Risk
Regulatory agencies expect audits of critical software and systems. Those audits require documentation, other proofs, and information about what the system does, so that auditors can judge how decisions and processes affect risk and compliance.
The agile principle, "Simplicity—the art of maximizing the amount of work not done—is essential," guides documentation even in regulated environments. A scrum team looks to the product backlog to describe what it will deliver. What is "just enough" for the team to do its work may not be enough to meet audit requirements, but you can identify what is "barely sufficient" for the auditors: sufficient, but just barely.
Auditing Needs and Agile Approaches
For example, weave into your story writing the check "does this adequately describe what it is and how we validate it, so that it meets audit needs?" If additional documentation is necessary, the story should say what it is and where it will be stored.
Documentation can take all sorts of forms, from written briefs and architectural drawings to whiteboard snapshots and recorded proof-of-concept demonstrations. A working program is more useful than comprehensive documentation for understanding a feature or function, as long as the evidence of how it was validated is captured alongside it.
Quality and User Acceptance Testing
Another aspect of risk management is quality and user acceptance testing. These should be woven into development rather than follow code completion. You reduce risk by addressing errors or omissions while they are still fresh in developers' minds. Building incrementally helps produce a trustworthy product, and it allows features to be audited while they are being built rather than after delivery.
A developer can explain what they did in the past few weeks far more accurately than something from six months ago.
IT Assessment Automation
Automating IT assessments to validate control compliance helps verify that servers, applications, databases, networks, and endpoints meet regulatory and security requirements, and it produces repeatable evidence for the auditor rather than a one-off manual review. Examples of controls to verify include:
- Changing of default passwords
- Application of software patches
- Locking down network ports
- Appropriate use of encryption in the transmission and storage of sensitive data
- Tracking IT assets
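To make the idea concrete, here is an added example of what such an automated assessment can look like. It is not code from the article or from any of the organizations it describes. It runs the five controls listed above against a small, constructed asset inventory and returns findings per host; the inventory fields, the per-asset-type allowed-port policy and the 30-day patch window are assumptions chosen for the demonstration, and in practice the records would come from a CMDB, a configuration-management tool or a scanner, with the policy taken from the control framework you are audited against.

```python
"""Automated control checks against an asset inventory.

Added example, not the article's code. Inventory fields, the allowed-port
policy and the patch window are assumptions made for this demonstration.
"""
from dataclasses import dataclass

# Constructed sample inventory (not real hosts), as a CMDB export might look.
INVENTORY = [
    {"host": "db01", "type": "database", "default_creds": False,
     "days_since_patch": 12, "open_ports": [5432],
     "tls_in_transit": True, "encrypted_at_rest": True, "in_asset_register": True},
    {"host": "web02", "type": "application", "default_creds": False,
     "days_since_patch": 45, "open_ports": [22, 80, 443, 8080],
     "tls_in_transit": True, "encrypted_at_rest": True, "in_asset_register": True},
    {"host": "cam-17", "type": "endpoint", "default_creds": True,
     "days_since_patch": 300, "open_ports": [23, 80],
     "tls_in_transit": False, "encrypted_at_rest": False, "in_asset_register": False},
]

# Assumed policy: which listening ports each asset type may expose, and how
# old the last applied patch may be before the host is out of compliance.
ALLOWED_PORTS = {"database": {5432}, "application": {22, 443}, "endpoint": {443}}
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    detail: str


def check_default_passwords(asset):
    if asset["default_creds"]:
        return [Finding(asset["host"], "default-passwords", "vendor default credentials still active")]
    return []


def check_patch_level(asset):
    age = asset["days_since_patch"]
    if age > MAX_PATCH_AGE_DAYS:
        return [Finding(asset["host"], "patching", f"last patched {age} days ago (limit {MAX_PATCH_AGE_DAYS})")]
    return []


def check_network_ports(asset):
    # An asset type with no allowance gets an empty set, so every open port is a finding.
    extra = sorted(set(asset["open_ports"]) - ALLOWED_PORTS.get(asset["type"], set()))
    if extra:
        return [Finding(asset["host"], "network-ports", f"unexpected listening ports: {extra}")]
    return []


def check_encryption(asset):
    findings = []
    if not asset["tls_in_transit"]:
        findings.append(Finding(asset["host"], "encryption", "sensitive data sent without TLS"))
    if not asset["encrypted_at_rest"]:
        findings.append(Finding(asset["host"], "encryption", "sensitive data stored unencrypted"))
    return findings


def check_asset_register(asset):
    if not asset["in_asset_register"]:
        return [Finding(asset["host"], "asset-tracking", "host not in the asset register")]
    return []


CONTROLS = [check_default_passwords, check_patch_level, check_network_ports,
            check_encryption, check_asset_register]


def assess(inventory):
    """Run every control against every asset and return all findings."""
    return [f for asset in inventory for check in CONTROLS for f in check(asset)]


def findings_by_host(findings):
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


def compliant_hosts(inventory):
    """Hosts with no findings: the list you hand the auditor alongside the evidence."""
    failing = {f.host for f in assess(inventory)}
    return sorted(a["host"] for a in inventory if a["host"] not in failing)


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f.host:8} {f.control:18} {f.detail}")
    print("compliant:", compliant_hosts(INVENTORY))
```

Each check is a small function that returns zero or more findings, so adding a control means adding a function to CONTROLS rather than editing a report. Keeping the policy (allowed ports, patch window) separate from the checks is what lets the auditor read the policy and the evidence independently.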
It's easy to fall into an "us versus them" relationship with auditors, since their job is to expose what you do. Instead, view auditors as part of the whole team working to improve your organization. It then becomes easier to work with them and learn what they need in terms of documentation and proofs.
FinTech Goes Lightweight
To illustrate the suitability of regulated industries and agile practices, consider a FinTech company that moved from a waterfall to an agile approach. The company wanted to know how its extensive documentation would translate to scrum.
They discussed the option with their auditing firm. The firm said it already had clients using agile approaches and was happy when documentation was more "lightweight."
A photo of a whiteboard discussion about an architectural approach was just as valuable, from the auditor's perspective, as a longer document with Visio diagrams and text-heavy boilerplate sections. The auditors found it easier to see the process without the extra clutter. The "big design up front" mindset and "comprehensive" documentation weren't necessary.
Insight from An Energy Organization
A governmental energy organization developed a process to snapshot its backlog and the associated document repository. The technique produced a reasonably complete point-in-time view of the project, and auditors could look back through the project's history when they had questions. The snapshots were automated: taking one was as simple as running a script, so it added no burden of work and still satisfied the regulatory requirement.
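The article says only that the snapshot was "a script," so the following is an added example of one way to build such a snapshot, not the energy organization's own code. It assumes the backlog is available as a list of records exported from the tracker and the document repository is a directory tree, and it adds one thing a point-in-time view needs to hold up under audit: every file and the backlog are hashed with SHA-256 into a manifest, and the manifest's own digest is recorded, so an auditor can later confirm that neither the snapshot nor the repository has been quietly edited. The file names, backlog items and timestamp in the demo are constructed.

```python
"""Tamper-evident point-in-time snapshot of a backlog and document repository.

Added example, not the energy organization's script. Assumes the backlog is a
list of dicts from the tracker and the document repository is a directory.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    # Sorted keys and fixed separators so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to the SHA-256 of its bytes."""
    return {
        p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def snapshot(backlog: list, repo_root: Path, taken_at: Optional[str] = None):
    """Build the manifest and return it together with its digest."""
    manifest = {
        "taken_at": taken_at or datetime.now(timezone.utc).isoformat(),
        "backlog": backlog,
        "backlog_sha256": sha256_hex(canonical_json(backlog)),
        "files": hash_tree(repo_root),
    }
    # Record the digest somewhere the team cannot rewrite (signed log, WORM
    # storage, the audit ticket itself) so the manifest cannot be edited later.
    return manifest, sha256_hex(canonical_json(manifest))


def verify(manifest: dict, recorded_digest: str, repo_root: Path) -> dict:
    """Check the manifest against its recorded digest and the repository as it is now."""
    current = hash_tree(repo_root)
    recorded = manifest["files"]
    return {
        "manifest_intact": sha256_hex(canonical_json(manifest)) == recorded_digest,
        "changed": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Snapshot a constructed repository, then alter the repo and the manifest and re-verify."""
    backlog = [  # constructed backlog items
        {"id": "PBI-101", "title": "Encrypt audit log at rest", "status": "Done"},
        {"id": "PBI-102", "title": "Add TLS to telemetry feed", "status": "In progress"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "arch").mkdir()
        (repo / "arch" / "whiteboard-2020-03-04.txt").write_text("photo placeholder\n")
        (repo / "controls.md").write_text("# Controls\n- default passwords changed\n")
        manifest, digest = snapshot(backlog, repo, taken_at="2020-03-04T10:00:00+00:00")
        clean = verify(manifest, digest, repo)

        # Simulate a post-audit edit and an undocumented late addition.
        (repo / "controls.md").write_text("# Controls\n- nothing to see here\n")
        (repo / "late-addition.md").write_text("added after the snapshot\n")
        altered = verify(manifest, digest, repo)

        # Simulate someone "fixing" the snapshot itself to claim the item was done.
        manifest["backlog"][1]["status"] = "Done"
        forged = verify(manifest, digest, repo)
    return clean, altered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "altered", "forged"), demo()):
        print(label, json.dumps(result))
```

The split between `snapshot` and `verify` is the point: the script the team runs each sprint only needs `snapshot`, while the auditor needs only the manifest, the recorded digest and `verify`. Storing the digest separately from the manifest is what turns a convenient archive into evidence.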
Healthcare Iterates Validation
A healthcare company incorporated HIPAA compliance into its definition of done and its engineering practices, so that the development process itself assured compliance with the standard. One example they gave: only mock customer databases were accessible from development and test environments.
When releasing to production, they tested with actual data in an isolated and controlled environment. The scrum teams built consideration of regulatory aspects into the creation of backlog items, and were then able to validate that they met all applicable regulations.
Their approach integrated HIPAA into development seamlessly, which instilled confidence in the product and its usability in the real world. They also gathered user feedback while delivering features and made improvements along the way.
Regulated Industries and Agile Approaches: Achieve Compliance with Confidence
Using agile techniques helps manage risk even as product development becomes more efficient and effective. Empowered agile teams can thrive in regulated environments. It turns out agile techniques are a great fit!
Are you trying to become more agile in a regulated environment? We’ve done it. Contact us to see how we can help you do it.