Agile and regulatory compliance

This content is syndicated from Agility@Scale: Strategies for Scaling Agile Software Development by ScottAmbler. To view the original post in full, click here.

One of the scaling factors called out in the Agile Scaling Model (ASM) is "regulatory compliance".   This name is a bit of a misnomer because this scaling factor really addresses two issues: complying to regulations imposed upon you from external sources and choosing to adhere to internal regulations willingly adopted by your organization.   It is relatively common for agile teams to find themselves in such situations.  For example, in the 2009 Agile Practices Survey one third of respondents said that they were applying agile on projects where one or more industry regulations applied.

First let's consider external regulatory compliance.  In these situations you may face the need to undergo an audit by an external regulatory body with consequences for non-compliance ranging from anywhere to a warning to a fine or even to legal action.  Sometimes even a warning may be a grave thing.  A few years ago I was working with a pharmaceutical company which had discovered that a warning from the FDA for non-compliance with their CFR 21 Part 11 regulation, when reported in major newspapers, resulted on average in a half-billion dollar loss to their market capitalization as the result of a dip in their stock price.   There are financial regulations such as Sarbanes-Oxley and Basel II, informational regulations such as HIPAA which focuses on health information  privacy, technical regulations such as ISO 27002 for security practices, and even life-critical regulations such as some of the FDA regulations.  

External regulations are typically managed by a government organization or industry watchdog will range in complexity and can have a myriad of effects on project teams.  For example, you may need to be able to prove that you had a documented process and that you followed it appropriately; you may need to produce extra artifacts, or more detailed artifacts, than you normally would; you may need to add extra features to your solution, such as tracking financial information, that you wouldn't have normally implemented; you may need to produce specific reports to be submitted to the regulatory body; or you may even need to submit your team to audits, sometimes scheduled and sometimes not, to ensure regulatory compliance.  Interestingly, even though many of those requirements go against the agile grain, the 2009 Agility at Scale Survey found that organizations were successfully applying agile techniques while still conforming to external regulations.  So yes, it is possible to scale your agile strategy to address regulatory compliance.

Second, let's consider compliance to internally adopted, or sometimes even developed, "regulations" which you will be potentially evaluated/appraised against.  Perfect examples of these are process improvement frameworks such as CMMI and ISO 900x.  Similar to external regulations, the 2009 Agility at Scale Survey found that some agile teams are succeeding in situations where they have chosen to adopt such frameworks.  It's important to note that frameworks such as CMMI aren't primarily about ensuring the compliance of development teams to a standard process, regardless of what CMMI detractors may claim, but instead about process improvement.  Process improvement at the IT department (or beyond) is an enterprise discipline issue from the point of view of ASM, implying that frameworks such as CMMI affect more than one scaling factor.  

When you find yourself in a regulatory situation, whether those regulations are imposed or willingly adopted, the best advice that I can give is to read the regulations and develop a strategy to conform to them in the most agile manner possible.  If you let bureaucrats interpret the regulations you'll likely end up with a bureaucratic strategy, but if you instead choose to take a pragmatic approach you will very likely end up with a very practical strategy.  Part of that strategy is to treat the regulatory representative(s) within your organization as important stakeholders whom you interact with regularly throughout the project.

Leave a Reply

What is 2 + 7 ?
Please leave these two fields as-is:
Please do this simple sum so I know you are human:)