Embracing Agile to Enhance Compliance Risk and Control in Your Bank

Adaptation of compliance risk and control into an agile methodology can be accomplished if an effective program is designed, established and monitored. Here are the considerations to take when embracing agile in your compliance management system.

Agile as the Bomb – When Done Properly

In most technology development efforts, the agile methodology is highly beneficial when understood, properly organized, and realistically deployed enterprise-wide.

Agile’s core principle of introducing incremental “bite-sized” functionality reduces scope creep, sharpens focus, and fosters ongoing improvement.  Innumerable dimensions and operations of financial services heavily rely on technology with the agile methodology being a crucial component.

However, adopting the agile approach comes with its own set of trade-offs and additional requirements.

Exposed Risk: the Agile Methodology’s Tradeoffs

Adapting to agile development within the core business can be challenging as it requires mindset shifts among change leaders.  However, with adequate training and time the business often adapts more swiftly than does risk and control, for good reason.

While Compliance Departments can effectively organize and deploy staff to meet agile adoption, it inevitably leads to an increase in regulatory conformance risks. This forces a structural rethinking of risk mitigation strategies and tactics.

Regulations are Not Agile

Consumer protection regulations, often referred to as regulation “alphabet soup” span more than ten thousand pages, with Reg Z (also known as RegZilla) accounting for over a thousand pages. Most regulations are highly detailed, largely prescriptive (but sometimes subject to interpretation), and heavily reliant on cross-referencing.

In some ways, regulatory requirements resemble a dictionary. They often exhibit a degree of circular logic; understanding one requirement (“a definition”) depends on knowing the meaning of other requirements (“words and definitions”).

Comprehending, defining, and executing appropriate control over existing regulations are extraordinarily complex.  Keeping up with changes in regulations and interpretations based on regulator guidance and rulings further compounds managing risk and control.

The Challenge of Fitting Agile

For agile to be effective, stakeholder involvement and close collaboration are essential through each sprint’s development.  Consequentially, compliance and front-line risk must commit to the team, providing ongoing feedback and requirements.

Moreover, as requirements are established and change throughout the sprint, the need for ongoing, iterative risk and control evaluations becomes continuous.

Compliance and front-line risk cannot adopt a “set it and forget it” approach due to the way agile development works.  Delivering evolving risk and control requirements, especially those related to preventive and detective control requirements, typically does not align with risk and control governance when delivered “just in time.”

Agile: an “Embedded” Testing Approach for Functionality

Lastly, and of greatest importance, is the “testy” part of testing in an agile environment. Agile incorporates embedded testing along the way, prior to user acceptance testing (UAT).  This has two significant implications for risk and control. First, compliance risk and control testing or, at the very least, a defined step function test plan, requires resources throughout the sprint’s development path.  Second, as the methodology results in more frequent releases compared to typical waterfall approaches, compliance risk and control UAT resources must not only be present, but also adept.

How to Ensure Compliance and Control in an Agile Environment

No single solution addresses the risk and control fragility imposed by the agile methodology.  However, several parallel approaches are consideration worthy to adapt to the agile discipline.

1. Establish a development sprint “triage” team that is well versed with the regulatory landscape and agile methodology. This team’s objectives are to quickly assess each sprint’s risk and control implications, including:

• Providing regulatory applicability, existing environment touchpoints and associated risks
• Assessing the degree to which existing controls will absorb change, and
• Providing control requirement expectations.

2. To keep up with change initiatives, the first and second lines of defense compliance environments will greatly benefit from embedded technology resources who “speak IT” and can design and persistently drive automated control solutions. The concept may be counterintuitive to senior leadership as it deviates from a centralized, enterprise IT function. (In many financial institutions, internal and external audit teams, have had their own technology resources for many years.)  However, the benefits far outweigh the costs because compliance violation risk is reduced, the control environment becomes more robust, and the ability to meet sprint demands is improved.

3. Compliance testing, often a responsibility of the Compliance Department, is typically associated with ongoing or targeted testing activities. However, with the agile methodology, the benefits of deployment speed necessitate the inclusion of iterative sprint and UAT compliance testing and validation.

Agile:  A Wake-Up Call for Compliance Risk & Control

The old adage, “High Quality, Fast Delivery, Low Cost. Choose Two.” holds relevance to what it takes for compliance risk and control to adapt to an agile methodology. However, it overlooks the net “bottom line” benefits from providing incremental business functionality more quickly.  Given the low tolerance for compliance and control risk, sacrificing quality is unacceptable.  So, does this imply higher costs associated with compliance risk and control?  Not necessarily.

Incremental compliance and risk control resourcing (both capital and labor), often to senior management’s dismay, is a starting point.  However, when an effective program is designed and established, there is much more blessing than curse.  These benefits include:

• Capitalizing on the agile methodology’s benefits without sacrificing, and often reducing, compliance and control risk
• Designing control environments for immediate and future scalability and scope
• Incorporating multi-faceted resources to break down cultural “silo” barriers
• Integrating essential skillsets to transition the risk and control environment from more analog to more digital
• Enabling, in summary, compliance risk and control to be agile

For more than twenty years, Bridgeforce has served the consumer compliance risk and control needs for clients ranging from money center to small financial institutions.  Our contributions and experience range span from strategic adaptation and design to highly tactical, focused execution. Contact us to talk about your regulatory compliance management.