Recently, organizations across industries have faced a wide range of challenges and crises. From supply chain disruptions, to the European energy crisis, to rising inflation rates, to industry-specific disruptions, companies are operating in increasingly volatile markets. The importance of organizational resilience has become paramount for companies to not only survive, but to capitalize on opportunities in these turbulent times. Being in control and managing risk efficiently and effectively is now a critical success factor for any business.
Do you feel that your organization is not fully in control after adopting Agile and DevOps? Are you finding that you are not fully realizing the efficiency and effectiveness gains promised by Agile adoption? Our Quality by Design® methodology brings all first- and second-line requirements into the Agile way of working at the right moment. Quality by Design helps Agile and DevOps teams take ownership of risk and gives risk and compliance functions the tools they need to stay in control.
This results in well-managed risks that directly add value to Agile organizations in the following ways:
- Alignment of strategic goals allowing features to contribute to broader business objectives
- Balanced view of team performance enabling more informed decision making
- Increase in stakeholder confidence through demonstrated risk management and compliance
- Consistency in the quality of implementation, increasing the velocity and proactivity of teams
Risk, compliance and quality in Agile organizations
Agile organizations approach governance, risk, and compliance (GRC) differently than traditional organizations. Agile organizations focus on creating a culture where responsibility is delegated lower in the organization to encourage quick decision making and ownership.
Moving from a policy dictation model to a policy implementation model in Agile organizations means moving from passive compliance to active guidance. Instead of acting as gatekeepers, GRC functions act more like traffic officers, proactively helping teams comply. Product owners become responsible for all aspects of the quality of their products, including the GRC aspects. The Agile approach encourages the establishment of clear frameworks and guidelines, while allowing teams to experiment within those boundaries. This shift facilitates a more responsive and flexible approach to risk management and allows owners to decide what level of quality is appropriate within their constraints.
Redesigning the approach to risk and compliance
At Eraneos, we emphasize the need to redesign the traditional approach to managing (operational) risk and compliance. With the rising costs associated with risk management and compliance, especially under new European cybersecurity and resilience legislation such as DORA and NIS2, there is a need to focus on control efficiency. The goal is to reduce the cost of control efforts while empowering risk and compliance departments to make data-driven decisions. By linking policy requirements to the systems and processes in which they are implemented, and by using tools such as CI/CD pipelines and process mining, organizations can demonstrate the existence and operational effectiveness of the controls that implement regulatory requirements, and can implement meta-controls for oversight. This approach is not only cost-effective, but also strengthens compliance efforts and improves risk systems and processes.
This means that organizations must empower product owners and their teams to manage the quality aspects of their products with effective and automated control efforts. To do this efficiently, the modern organization should rethink its implementation of the 3-lines model. In traditional implementations of the 3-lines model, the second line, typically consisting of risk and compliance, focuses on policy, risk monitoring and advisory. These roles often include oversight of the first line, which is generally responsible for control execution. This separation maintains a balance of power as a fundamental governance tool for risk management.
In Agile-oriented organizations, the focus should remain on countervailing powers, but with the second line in the role of coach and supporter. From a coaching perspective, the second line should support teams with the knowledge and tools they need to achieve the quality metrics that the second line has formalized in policy as part of the control effort. Using these same metrics, the second line can continue to play its oversight role and, where necessary, address risk and compliance issues that are lagging in actual product development.
Risk & Agile in 2 minutes
Our ‘Agile Risk and Compliance governance: A growth model’ poster illustrates in 2 minutes how Governance, Risk & Compliance can be properly embedded in Agile and DevOps organizations.
Digital transformation and quality
From this perspective, the second line shifts to actively supporting the first line, helping it develop and maintain the skills necessary to implement and maintain effective controls and achieve auditable compliance. A core element of this shift-left for risk and compliance can be defined as working “by design”. Security and privacy by design are not new concepts, and they provide a solid foundation on which to add the broader scope of risk and compliance to achieve a holistic quality by design approach. A typical approach includes the “comply or explain” concept: the second line defines the guardrails that the first line uses (comply), and only in cases of non-compliance are other measures applied (explain). These measures aim to manage the risks of the deviation and can range from risk treatment to additional technical measures.
In the digital age, quality is built into every aspect of a team’s work. The transition from bolt-on quality practices to built-in quality practices is necessary to ensure that changes at each increment adequately meet all relevant and appropriate standards. This built-in quality approach requires building controls into quality standards and capturing them as requirements during the design phase of each change.
By addressing quality issues within the development and refinement processes, they can be resolved as early as possible, so that the feedback loops around problems in products resulting from these issues are as short as possible. Issues are identified and reported to the developers in the teams as soon as possible after they occur. For risk and compliance, the value is that risk and compliance are continuously managed by the owners and their teams. It is no longer a one-off risk assessment, a project start assessment, or an annual cycle, but an ongoing part of the integrated development process. This is how quality by design adds real value to risk management in a volatile world.
Organizing support for teams in this way can be accomplished in many ways. Often a Center of Excellence (CoE) for quality is useful at the beginning of the quality journey. Such a CoE can set the stage for success by providing support such as:
- Implementation and use of quality tools
- Risk management supported by threat modeling
- Quality standards for architecture
- Subject Matter Expertise
- Maturity assessments
- Quality reporting metrics and dashboards
Working in this way, the owners and teams are enabled in their work to achieve quality by design.
Conclusion
Organizations must adopt an integrated approach to GRC and continuously manage risk to thrive in the digital age. Digital transformation empowers the 3-lines model and ensures that quality becomes the future status quo. This requires a shift in mindset and the acquisition of new skills by professionals in all parts of the organization. Risk and compliance professionals need to move from oversight to support roles, and owners and their teams need to invest in deep technical knowledge of the risks in their products. In this way, the balance of power is maintained and the 3-lines model is implemented for success in the digital era. By embracing the changes brought about by digital transformation, organizations can build resilience and navigate the complexities of modern business challenges.
Discover how to stay in control under pressure and master risk management in DevOps – watch the recording of our webinar (in Dutch) for practical strategies and expert insights!