We often hear that agile is great for simple situations but that it doesn’t work as soon as you face compliancy issues. Is it possible to be agile when you face regulatory compliance, such as PCI and FDA compliancy? Is it possible to be agile when you face organizational compliance, such as working in a CMMI regime? These are important questions that we decided to look into.
The following diagram summarizes the responses to our question around agile teams and compliance from our 2016 Agility at Scale study. As you can see, 62% of respondents indicated that their agile team faced some form of regulatory compliance, 20% some form of organizational compliance, and 15% said both. In fact, two-thirds of agile teams operate under one or more compliancy requirements.
For further reading about compliancy, please read our detailed blog posting Agile and Regulatory Compliance.
Our experience is that for agile and CMMI to co-exist effectively, four things need to occur:
In the next blog in this series we will explore how Disciplined Agile Delivery (DAD) maps to the CMMI framework.
We’re occasionally asked whether agile and CMMI are compatible, so we thought we’d write a short blog posting on the subject. The quick answer is yes, but you need to know what you’re doing. In this article we explore whether organizations are actually combining agile and CMMI in practice and then address some of the rhetoric around this topic.
The Dr. Dobb’s Journal (DDJ) Summer 2012 State of the IT Union Survey examined this issue. The goal of the survey was to explore whether organizations were successful or unsuccessful at various levels of the scaling factors called out in the Software Development Context Framework (SDCF). One of the SDCF scaling factors is regulatory compliance, including both legal compliance such as Food and Drug Administration (FDA) compliance as well as self-imposed compliance such as CMMI or ISO 900X. This survey found that of the respondents whose organizations had achieved success applying agile techniques in practice, 44% indicated that one or more of their project teams had done so when self-imposed compliance requirements were in place. Of the respondents whose organizations had experienced one or more failed agile projects, 30% indicated that one or more of their projects had self-imposed compliancy requirements. More recently the DDJ Spring 2014 State of the IT Union Survey found that 44% of agile software development teams (and 43% of non-agile teams) face some sort of compliancy requirement. The following figure shows that agile teams, just like non-agile teams, are in fact working at scale.
The survey results lead me to three important observations. First and foremost, people are in fact successfully applying agile and CMMI together. Second, it can be a rocky road when doing so because some organizations are running into problems. Third, there isn’t any blatantly obvious evidence for or against applying the two together. Granted, this third observation is based on averages – your organization may have very good reasons to apply the two together. In particular, I suspect that the organizations applying CMMI and agile together are the ones where they already have a strong CMMI culture and are now in the process of increasing their productivity through agile and lean techniques.
Reality Over Rhetoric
One only has to spend some time online to discover that when it comes to applying agile and CMMI together there is some questionable rhetoric being bandied about. We feel it’s important to surface this rhetoric and describe the reality of the situation. Common agile CMMI rhetoric includes:
In the next posting in this series I’ll discuss how Disciplined Agile Delivery (DAD) and CMMI can potentially fit together.
A common question that we get is whether it’s possible for a team to take an agile approach in a regulatory environment. The answer of course is a resounding yes, although your approach will need to be tailored to reflect the constraints of the applicable regulation(s).
Let’s explore issues pertaining to compliance:
Disciplined Agile Delivery (DAD) addresses regulatory compliance issues via several key strategies:
In short, yes it is possible to successfully follow a disciplined agile strategy given the constraints of regulatory compliance. Contact us at Scott Ambler + Associates if you’d like to hear more.