Part 2: Compliance – a New ApproachCompliance is the process of making sure that the applicable laws, regulations, ethical practices, and internal policies are followed for the organization. Achieving compliance is an on-going organizational effort which involves planning, collaboration and on-going management.
In the first installment of this series we described the need for compliance and explored some of the common challenges organizations face on their compliance journey. In this installment, we’ll explore how to successfully address these challenges.
Risk Management and Compliance Shift LeftWe have all heard about the shift left of testing and the tremendously positive impact that has had on development work. Well, we want you for a moment to think about how the shift left of risk management and compliance could significantly improve your company’s ability to manage risk and maintain compliance, as this is sure to be the next shift left wave that will completely transform the way companies do business. With Atlassian tools such as Jira and Jira Align, we have tremendous abilities to embed both risk management and compliance right into your day to day processes!
Enterprises are beginning to look at scaling to improve operational alignment and transparency for their delivery work; yet, it is equally if not more important to look at and improve scaling risk management and compliance. When following any scaled framework, it is important for leaders to know the future roadmap of compliance needs and impacts to the enterprise strategy and vision. This is so that they can use scaled frameworks to layout the process of integrating risk management and compliance needs directly into their day to day to reduce silos and improve transparency.
Solution– When thinking about the solutions to these challenges, the question becomes: do leaders need to come up with different complex overhead processes to resolve these? In our opinion, the solution should be supporting the mindset and culture of the organizations. Most of the industry leading Enterprises are transforming to lean mindsets by scaling with Agile best practices for their portfolios. One solution that can help in resolving these challenges and not creating process overhead is ‘Scaling Compliance’ processes. When Compliance processes are integrated with a Lean agile mindset, Enterprise Strategy, and Portfolio Management, then it can help in breaking the silos by bringing better visibility of the scope and execution of compliance needs. Scaling compliance management can support decentralization, transparency, and alignment across the enterprise, which will eventually eliminate delays in product launch and time to market activities. Addressing compliance needs in a timely and organized manner can also help in risk reduction and better innovation. Here we have explained in detail how scaling compliance management can help resolve these challenges.
Breaking down silos by scaling compliance managementCompliance needs can be part of Portfolio Initiatives when defining the ‘LBC’ in the Analysis phase for any organization where Agile best practices are scaled all the way to their Portfolios. Often, compliance needs are filled in the NFRs column. This way, leaders from different areas like business, sales, finance, technology, supplier management, etc are aware of high-level compliance needs and solutions when approving the Initiative. This way, the solution of compliance needs is also unified for that portfolio.
Sometimes compliance is considered as an independent solution when an Enterprise Architect defines the architectural runway which helps in defining the common technology and approach to deliver that solution. That way, multiple people are not trying to solve for the same solution from different approaches. Since different programs and solutions are tied up with the same portfolio, the chances of various silos become minimal. This approach also helps in getting the unified status of compliance needs and solutions since they are part of the Epic tracking process and helps leaders to pivot or persevere with their decisions.
Both Jira and Jira Align provide fantastic granular and roll-up views of real-time data and information. This helps to provide leadership with more consistent and holistic views of information instead of traditional, out of date and siloed information which is provided via PowerPoint or Excel documents.
Check out our webinar on demand for a demo of top reporting capabilities in Jira Align.
We also have the incredible ability to use dashboards to bring back data across your entire enterprise, which significantly breaks down the silos that once existed and enables companies to manage and monitor work happening all across their organization. This seamlessly breaks down traditional silos while also providing the ability to view and engage real-time with Jira dashboards that report back on-demand with real-time data. An added benefit is that teams no longer need to spend weeks providing data to your risk managers, compliance officers, and even leadership. Instead, that information is seamlessly being provided to them on demand so your teams can continue to focus on their work.
For example, one client had significant issues with ensuring that a small development team maintained compliance with all of the technology standards which were ever-evolving. The team itself was made up of just two developers who were responsible for making updates to the code behind the company’s financial reports. These reports were being published and shared with the company’s shareholders, so the risk associated with a mistake was very high. These developers were among the best of the best coders, but they were not by any stretch of the imagination experts in risk management or compliance. So, the company made the decision to imbed risk management and compliance needs right into the developers’ process so that they didn’t have to keep up with all of the changes to maintain compliance. Instead, they were connected with their risk manager and compliance officer, both of whom monitored to ensure that all risk management protocols and compliance needs were met. This was all done using Jira!
Improving transparency by scaling compliance managementDefining and integrating compliance needs with portfolio initiatives helps in creating the visibility of compliance needs. As explained above, approval of compliance needs by representatives of different areas creates visibility of upcoming compliance scope. This scope then gets broken down into deliverables for execution. Since these deliverables are tied up with the backlog and execution, they are subjected to be constantly prioritized and de-prioritized based on the changing needs of the compliance. Creating compliance as an independent solution also helps to consolidate and integrate different needs. All of the compliance management activities related to an initiative are eventually tied up with the higher compliance solution which helps in pulling up the integrated view of needs, changes, and execution metrics.
Both Jira and Jira Align have tremendous abilities to allow for engagement of risk managers and compliance officers during the day to day process which enables them to be proactive instead of reactive. This can be accomplished in a variety of ways depending upon varying requirements.
In Jira, by simply capturing the risk manager on any issue card, the risk manager is then able to monitor all work for which they are designated the risk manager. In Jira Align, risk and compliance managers have real-time access to the “trace this” screens which provide a robust matrix of all related activities, work items (parent and child) as well as detailed team level information including success and acceptance criteria. This allows risk managers to monitor work across many different teams and even lines of business providing them true transparency and enabling them to engage early to identify risks and close gaps in real-time throughout the process.
All of the required compliance information, reviews, and sign-offs can also be captured right in Jira and right on the Jira card itself, so the team no longer has to archive tons of emails and then dig them all up once a year for the audit, nor do they have to create and store separate compliance documents. Using custom fields on which both the risk manager and compliance officers can be tagged enables them to then monitor the work seamlessly as it is all brought to their own dashboard. They are able to review all of the compliance information for completeness and engage the team proactively instead of reactively if there are questions or if additional information is required. There is even the ability to make certain compliance fields mandatory to ensure that they are not left blank. Upon completion of the process, the team, risk managers, compliance officers, and leadership can all feel confident that the entire issue card and all contents have been reviewed and confidently close the issue card knowing they have met all compliance requirements.
Updating processes following scaling methodsDifferent organizations follow different approaches to execute compliance needs. The approach can be finalized based on the nature of compliance needs. Here I have outlined several ways of addressing the execution methods:
- Once Compliance is part of the strategy, vision, and Portfolio epic it can be categorized in solutions and features. As part of the solution and feature refinement, compliance needs can be detailed out and refined as well. This way compliance becomes part of the backlog and can be prioritized. The prioritized features can then be split into multiple stories for teams to understand the compliance needs and execute them as part of a sprint. This is known as the backlog driven approach of compliance which ties the compliance execution back to the portfolio vision.
- Integrating compliance factor with every story, feature, and solution. In this approach meeting, compliance needs are part of ‘Definition of Done’ at the story level, feature level, and solution level. This is an approach to handle compliance needs that do not change often and have to be met constantly on a regular basis. That way, new stories/Features/solutions are not created repeatedly to address the same type of compliance needs each time.
- The third approach is more of a bottom-up approach where teams save capacity upfront to handle the compliance needs. This method is used when compliance requirements are dynamic and can be refined much upfront.