In most technology development efforts, the agile methodology is highly beneficial when understood, properly organized, and realistically deployed enterprise-wide.
Agile’s core principle of introducing incremental “bite-sized” functionality reduces scope creep, sharpens focus, and fosters ongoing improvement. Innumerable dimensions and operations of financial services rely heavily on technology, with the agile methodology being a crucial component.
However, adopting the agile approach comes with its own set of trade-offs and additional requirements.
Adapting to agile development within the core business can be challenging, as it requires mindset shifts among change leaders. However, with adequate training and time, the business often adapts more swiftly than does risk and control, for good reason.
While Compliance Departments can effectively organize and deploy staff to meet agile adoption, that adoption inevitably leads to an increase in regulatory conformance risks. This forces a structural rethinking of risk mitigation strategies and tactics.
Consumer protection regulations, often referred to as regulation “alphabet soup,” span more than ten thousand pages, with Reg Z (also known as RegZilla) accounting for over a thousand pages. Most regulations are highly detailed, largely prescriptive (but sometimes subject to interpretation), and heavily reliant on cross-referencing.
In some ways, regulatory requirements resemble a dictionary. They often exhibit a degree of circular logic; understanding one requirement (“a definition”) depends on knowing the meaning of other requirements (“words and definitions”).
Comprehending, defining, and executing appropriate control over existing regulations is extraordinarily complex. Keeping up with changes in regulations and interpretations based on regulator guidance and rulings further compounds the difficulty of managing risk and control.
For agile to be effective, stakeholder involvement and close collaboration are essential throughout each sprint’s development. Consequently, compliance and front-line risk must commit to the team, providing ongoing feedback and requirements.
Moreover, as requirements are established and change throughout the sprint, the need for ongoing, iterative risk and control evaluations becomes continuous.
Compliance and front-line risk cannot adopt a “set it and forget it” approach due to the way agile development works. Delivering evolving risk and control requirements, especially those related to preventive and detective control requirements, typically does not align with risk and control governance when delivered “just in time.”
Lastly, and of greatest importance, is the “testy” part of testing in an agile environment. Agile incorporates embedded testing along the way, prior to user acceptance testing (UAT). This has two significant implications for risk and control. First, compliance risk and control testing or, at the very least, a defined step function test plan, requires resources throughout the sprint’s development path. Second, as the methodology results in more frequent releases compared to typical waterfall approaches, compliance risk and control UAT resources must not only be present, but also adept.
No single solution addresses the risk and control fragility imposed by the agile methodology. However, several parallel approaches are worth considering when adapting to the agile discipline.
The old adage, “High Quality, Fast Delivery, Low Cost. Choose Two.” holds relevance to what it takes for compliance risk and control to adapt to an agile methodology. However, it overlooks the net “bottom line” benefits from providing incremental business functionality more quickly. Given the low tolerance for compliance and control risk, sacrificing quality is unacceptable. So, does this imply higher costs associated with compliance risk and control? Not necessarily.
Incremental compliance and risk control resourcing (both capital and labor), often to senior management’s dismay, is a starting point. However, when an effective program is designed and established, there is much more blessing than curse. These benefits include:
For more than twenty years, Bridgeforce has served the consumer compliance risk and control needs of clients ranging from money center to small financial institutions. Our contributions and experience range from strategic adaptation and design to highly tactical, focused execution. Contact us to talk about your regulatory compliance management.