An Agile Approach to Compliance
by Dan Williams
Compliance means different things to different people. As I am using the term, compliance is about proving to someone – often an auditor, whether internal or external – that a company is following the processes and procedures that it says it does. These processes are most often put in place to support regulations that constrain the industry segment in which the company operates. In this post, I want to suggest some ways in which Agile methods and perspectives address compliance.
Scrum, a light-weight Agile project management framework, promotes transparency, reporting, and risk mitigation through short-iteration delivery of value. Extreme Programming (XP) promotes automated testing, continuous integration, and close client involvement. By combining these Agile frameworks, "compliance" becomes part of an Agile culture of value delivery.
The following bullets outline an approach to an “Agile Compliance Culture”:
- Identified Compliance Control Objectives become part of the Product Backlog as User Story Acceptance Criteria.
- Control Activities, which are derived from Control Objectives, are automated in testing when possible. An example would be automated logging.
- Automated test suites are run continuously, providing a compliance health check, thus reducing risk.
- Compliance is built up iteratively rather than in a big bang fashion, thus reducing cost.
- Compliance becomes part of the Agile delivery culture.
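As an added illustration (not code from the post), here is what the first three bullets look like in practice: a hypothetical Control Objective, "every privileged account action is audit-logged with actor, action, target and timestamp", written as an automated acceptance check that a continuous test suite can run as a compliance health check. The `AccountService`, the `AuditLog` sink and the actor/user names are constructed assumptions.

```python
from datetime import datetime, timezone

REQUIRED_FIELDS = ("actor", "action", "target", "ts")

class AuditLog:
    """Constructed stand-in for the system's audit log sink."""
    def __init__(self) -> None:
        self.entries = []

    def record(self, actor: str, action: str, target: str) -> None:
        self.entries.append({"actor": actor, "action": action, "target": target,
                             "ts": datetime.now(timezone.utc).isoformat()})

class AccountService:
    """Hypothetical service whose privileged operations fall under the control."""
    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit

    def disable_user(self, actor: str, user: str) -> bool:
        # Control Activity: write the evidence before the state change, so a
        # failure after this point still leaves a record of the attempt.
        self.audit.record(actor, "disable_user", user)
        return True

    def reset_password(self, actor: str, user: str) -> bool:
        self.audit.record(actor, "reset_password", user)
        return True

def control_check(audit: AuditLog, expected: list) -> list:
    """Acceptance criterion: every expected (actor, action, target) privileged
    call has a complete log entry. Returns findings; empty means the control held."""
    findings = []
    if len(audit.entries) < len(expected):
        findings.append(f"{len(expected) - len(audit.entries)} privileged action(s) unlogged")
    for i, want in enumerate(expected[:len(audit.entries)]):
        entry = audit.entries[i]
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            findings.append(f"entry {i}: missing fields {missing}")
        if (entry.get("actor"), entry.get("action"), entry.get("target")) != want:
            findings.append(f"entry {i}: expected {want}, logged {entry}")
    return findings

def run_scenario() -> list:
    """Constructed scenario: two privileged actions, both expected to be logged."""
    audit = AuditLog()
    svc = AccountService(audit)
    svc.disable_user("admin", "bob")
    svc.reset_password("helpdesk", "alice")
    return control_check(audit, [("admin", "disable_user", "bob"), ("helpdesk", "reset_password", "alice")])
```

Each finding maps back to the Control Objective it violates, so a failing run is itself the evidence an auditor asks for: which control, which action, and what was missing.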
Compliance is neither optional nor an add-on to standard software development and delivery. The Agile values of transparency, risk mitigation, reporting, high customer involvement, and continuous testing readily support a software delivery culture in which compliance is highly valued.