When working in high compliance environments like medical systems, aerospace, defense, and financial institutions, portions of the agile manifesto – such as working software over comprehensive documentation – seem as though they are at odds with what is required to remain compliant with applicable regulations. Compliance is the adherence of a system, product, or solution to applicable guidelines, laws, specification, and regulations. It is multi-faceted, requiring the appropriate documentation, testing, inspections, demonstrations, and analysis. There are generally two types – compliance of the solution itself and compliance of the process to build the solution.
However, traditional waterfall projects have always had issues with late verification, assessments, and options to produce a compliant system. Additionally, there are limited feedback loops to improve compliance and overall system health. By truly understanding the type of compliance, and following some key principles laid out, agile can work very nicely and in fact better support high compliance needs than waterfall approaches.
1) Compliance is the responsibility of everyone on the team
Compliance becomes responsibility of all everyone involved. Traditionally in waterfall projects compliance was the duty of a few people – typically some worked on the requirements and design of the solution, some worked on compliance of the process, and others worked on the verification and validation of the solution. This approach often led to siloed knowledge about what it meant to be compliant and how the solution met the needs to be and remain compliant. It also occasionally led to adversarial relationships between parties where they would work to catch errors and place blame on other parties in the process or workflow.
In an agile organization, compliance becomes the responsibility of everyone involved in the work. All team members seek to understand the need for and how compliance will be measured, and they work to build that into the team’s work, process, and artifacts. Collaboration between the various parties improves the flow of information and to ensure that all parts of the process are understood, followed, and improved when needed. Organizations will often still need experts in compliance areas that can serve as subject matter support for teams, but it no longer rests solely on their shoulders to remain compliant.
2) Break compliance down and build in incrementally
When delivering in an agile organization, teams break work down and deliver value incrementally. The same approach can be used with compliance. Issues of compliance of the solution such as traceability, ability to audit, and documentation can be built in an incremental approach and updated as the solution is defined and refined through incremental work. Compliance of the process can be shown by having clear rules that govern behavior and workflow, and these are easily done within the common frameworks of Scrum and Kanban through having clear definition of done, defined process flows, and living artifacts such as user stories.
The team should work to continually define, build, review, and refine their solution and process and how it meets with applicable compliance standards. Using regular feedback loops to gain improved understanding and feedback will help the teams converge toward the optimal solution while still maintaining the ability to verify and validate the overall product if they have regularly verified and validated pieces of it as they iterated.
3) Automate compliance verification and validation where possible
One way to improve incremental delivery and compliance is to automate checking both the solution and process when possible. If you can write tests that check aspects of compliance - such as security tests, business rules, verification and validation of data processing – and automate these tests to run on each incremental code change, you can ensure compliance to applicable regulations exists in the developing solution.
As I heard in a recent planning session for an organization working in a high compliance area – “We can’t screw this up. People depend on us.” In an environment like that we need to depend on our people to build compliance in and automate proof that the system is behaving as needed. Lives may depend on it.
4) Make documentation useful and living
Documentation should have two components – be useful and be up to date. In the past, a lot of documentation was produced simply because it was required, but then lived only to serve as a paper weight or fancy pile on a bookshelf in someone’s office. When working in a high compliance environment we need to provide documentation that is useful and living to support the incremental changes and constant updates that are the reality of most solutions.
Documentation can take on many forms, and it doesn’t have to be the traditional system requirements specifications, design documents, or test plans. Documentation can be user personas, epics, features, and user stories to capture required outcomes, comments within code to highlight what areas are doing, automated test scripts and cases that cover system functionality, and user documentation that lives within the solution itself such as online help files. By automating the process that produces documentation and links documentation to the living system we can more easily keep the documentation up to date and more useful to all who need it.
In summary, being agile can work in a high compliance environment and in fact I’d argue supports the compliance activities better than traditional approaches. By making it everyone’s responsibility, breaking compliance activities down and building them into the process, automating verification and validation, and making documentation living and useful, we can meet compliance requirements while still delivering value incrementally and providing a better outcome to our users.
- Beth Hatter
Director of Agile Training