Mark Bloom, Global CIO, Aegon
Assuming you are an IT professional/executive, what is your first reaction when you hear the word ‘compliance?’ Fear? Trepidation? Do you think it’s an impediment to progress? Or do you see it as critically important? A trusted partner given the expectations of customers and regulatory bodies that your industry deals with?
This range of perspectives is dependent on everything from the company you work for and people you work with, to the company’s operating environment, a particular project or initiative. There is not really a right or wrong answer to the question I asked. However, what everyone would agree upon is that disregard for compliance will lead to very bad outcomes. And those outcomes could have a negative impact on you and/or your company.
Getting a Vote of Confidence
What I have learned over the years is that the best way to deal with compliance is to embrace it. Figure out how to turn compliance into a positive for your company and your organization. By means of example, being compliant with IT controls such as protecting customer/confidential information and proper segregation of duties will yield a vote of confidence from any external audit or from any government or regulatory body associated with your industry. What’s more, compliance with IT controls also helps minimize the impact from cyber-attacks that your company may encounter. Being compliant with recognized IT controls won’t prevent a cyber-attack, but it will hopefully ensure that the residual outcomes do not have as severe reputational effects as they could have been.
“Figure out how to embrace compliance as it is an expectation of your customers, your company’s leadership, and any external government or regulatory body”
A second example of embracing compliance is engaging the compliance department earlier in the lifecycle of a project. I have seen many examples over the years where a project has gone through the software design and development process, and as part of obtaining any necessary sign-offs to move the software project into production for customers, compliance has identified an issue that stops the project from moving forward. I suspect that many of you have experienced similar situations, where tensions rise between the various parties, and fingers are pointed at one another.
Figure out how to embrace compliance as it is an expectation of your customers, your company’s leadership, and any external government or regulatory body
Focusing on what could have been done Differently
Rather than dwell on the consequence of not keeping the project moving and the friction created between the project team and the compliance department, focus on what could have been done differently to arrive at a more positive outcome. Could the compliance team have been engaged earlier? Was compliance invited to be part of the project when it was initiated? Did they ask to sign off on any artifacts such as requirements documents or use cases or user stories or design documentation? Pace of change is now high on every organization’s agenda. We all read blogs and articles about being more customer-focused, and an organization’s ability to react to customer feedback and ideas quickly is really impacting all the traditional software development practices and processes.
Many organizations are moving or have already moved to a more iterative software development practice, typically following one of the several variants of Agile. Iterative development creates an interesting dynamic in terms of the interaction model with organizations such as compliance.
In looking at the example above, where compliance was not engaged until the production readiness approval, the suggestion was to involve compliance earlier in the project lifecycle. In an iterative development, however, it does not follow a linear development cycle, so how do you follow the spirit of my strong recommendation to engage compliance earlier in a project?
The answer is that you figure out how to engage compliance through each iteration of your development. I have seen organization create a concept of ‘scrum of scrums’ which follow scrum Agile and allows for a regularly scheduled interaction between compliance and the project scrum teams. I have also seen where organizations embed compliance within a scrum team, and compliance participates on a regularly agreed upon cadence, whether that is weekly, every other week, etc…
Aligning Performance Goals
One other best practice I can suggest as a way to embrace compliance is to align performance goals. The compliance department’s role—as I stated above—is to protect the reputation and brand of your company and your company’s customers. Notice that role says nothing about any project execution and delivery milestones. Working with the compliance department to introduce project execution and delivery milestones tends to influence the compliance department’s behavior. The converse is also very true. Working with the IT department to introduce IT control metrics and goals tends to influence the IT department’s behavior.
In summary, compliance can be a competitive advantage or disadvantage. Figure out how to embrace compliance as it is an expectation of your customers, your company’s leadership, and any external government or regulatory body. Hopefully, some of the recommendations for how to work most effectively with the compliance department will enable you and your company to create a competitive advantage that will make your competition take notice.
