Agile and Regulatory Compliance

From the Disciplined Agile Blog
This blog contains details about various aspects of PMI's Disciplined Agile (DA) tool kit, including new and upcoming topics.

Agile Regulatory Compliance

A common question that we get is whether it’s possible for a team to take an agile approach in a regulatory environment.  The answer of course is a resounding yes, although your approach will need to be tailored to reflect the constraints of the applicable regulation(s).

Let’s explore issues pertaining to compliance:

  1. The regulations vary.  Not all regulations are created equal.  For example, financial regulations such as Sarbanes Oxley (SoX) are typically less stringent than life-critical things such as the various Federal Drug Administration (FDA) regulations.  So, one regulatory compliancy strategy does not fit all and your team will instead need to tailor their agile strategy to reflect the applicable regulations that you face.
  2. Agile teams are working in regulatory compliance scenarios.  As you can see in the chart above, the 2016 Agility at Scale study found that two-thirds of agile teams face either regulatory compliance, organizational compliance, or both.
  3. Organizations are succeeding at applying agile within a regulatory regime.  The 2012 Agility at Scale study found that some respondents indicated that their organizations had successfully applied agile strategies in regulatory situations.  As you can see in the chart below, they are applying agile in all types of regulatory environments, including but not limited to life-critical and financial.  If other organizations are succeeding at doing so, perhaps yours can as well.
  4. Organizations are failing at this too.  The 2012 Agility at Scale study also asked if organizations had agile project teams that failed within regulatory situations and respondents indicated that they had.  If other organizations are struggling with agile and regulatory compliance then yours might too, so please consider the advice provided below.
  5. The regulations rarely tell you how to work.  Regulations typically provide criteria that your process needs to meet.  For example, they may call out the need to have independent testing, but they won’t say that you need to have an onerous testing phase nor that all testing needs to be done this way.  Here you could adopt parallel independent testing in addition to your whole-team testing efforts to conform to this requirement.  The implication is that you can tailor your solution delivery process to be as agile as you can while still being compliant – you don’t need to take a waterfall/V-model style approach.
  6. Sometimes compliancy is self-imposed.  Some compliancy requirements are not legislated the way FDA regulations and SoX are, but are instead willingly adopted by your organization.  Examples of this include compliancy regimes such as ISO-900X and CMMI, strategies which may have been adopted for marketing reasons (typically by IT service providers) or perhaps for process improvement reasons.  As you can see in the chart, organizations are both succeeding and failing at applying agile in these situations.
  7. You need to read the regulations.  Our experience is that many organizations will let their more bureaucratic-leaning staff members interpret how to conform to regulations.  Not surprisingly, their strategy often involves a lot more paperwork, activities, and checkpoints than is actually needed.  When pragmatic people are asked to interpret regulations you often end up with a more pragmatic response.  So, if you’re in a regulatory environment we’ve found that it behooves you to take the time to read the regulations so that you can streamline how your agile team addresses them.  Fair warning: most regulations are incredibly dry reading.

[Chart: agile regulatory compliance, 2012 Agility at Scale study]

Disciplined Agile Delivery (DAD) addresses regulatory compliance issues via several key strategies:

  1. Adopt a hybrid process.  DAD is a hybrid tool kit that adopts strategies from a range of sources including Scrum, XP, Agile Modeling, Kanban, Unified Process, and many more.  Regulations typically cover a wide range of issues and as a result you need to adopt supporting practices from numerous sources.  This may include management practices from Scrum, agile development practices from XP, agile documentation practices from Agile Modeling, data quality practices from Agile Data, and so on.  The DA toolkit has already done the heavy lifting for you by showing how these practices fit together, unlike methods such as Scrum which leave this work up to you.
  2. Adopt a full delivery lifecycle.  Most regulations address the full delivery lifecycle, not just construction.  DAD supports a full delivery lifecycle; in fact it supports several such lifecycles (a Scrum-based lifecycle, a lean lifecycle, a continuous delivery lifecycle, and so on) to reflect the differing contexts faced by teams in typical enterprise environments.
  3. Focus on solutions, not just software.  Disciplined agile teams produce consumable solutions, not just “shippable software”.  DAD recognizes that delivery teams are working on solutions that have a software component, that run on hardware, that are supported by documentation, and that the team may even change the business process around the usage of a system and even the organization structure of the people using it.
  4. Take a goal-driven approach.  Recognizing that solution delivery teams find themselves in unique situations, DAD doesn’t prescribe how they should work.  Instead, it focuses on providing advice for how teams can tailor their strategy to reflect the context of the situation that they find themselves in.  DAD does this by promoting a process-goal-driven approach.  This strategy guides teams through the process decisions that they’re making, some of which will be driven by regulatory compliance.  The DA tool kit has already done a lot of the heavy lifting regarding how to tailor your agile process to meet scaling concerns such as regulatory compliance, large teams, geographically distributed teams, and other issues.
  5. Adopt an explicit governance strategy.  DAD has agile governance strategies built right in, including explicit light-weight milestones, metrics, named phases, and many other aspects of governance expected by many regulations.  Once again, DAD has done a lot of the heavy lifting for you.
  6. Be enterprise aware.  DAD promotes the concept of enterprise awareness, the recognition that agile teams do not work in a vacuum.  This includes strategies for engaging with enterprise architects, how to deal with enhancement requests and defect reports coming in from operations, and how to work with other enterprise professionals.  These can be key issues to understand when tailoring agile to be compliant within an existing organizational ecosystem – your entire process needs to comply with the regulations, not just the development portion of it.

In short, yes, it is possible to successfully follow a disciplined agile strategy given the constraints of regulatory compliance.

Posted by Scott Ambler on: October 09, 2013 05:58 AM | Permalink

Comments (1)

Jill Dakin, Program Manager, John Deere Financial, Beamsville, Ontario, Canada
This is really helpful. Thank-you for preparing this information.
