We live in a world of increasing regulatory constraint.
So how the heck can we make Agile work with compliance?
In the first part of this blog post, we explored the challenges inherent to making Agile work in a regulated environment. We also looked at some potential basic solutions for scenarios where the regulatory constraints are light. In this new edition, we will continue our journey by looking at more robust solutions required in highly regulated environments and scenarios. These ideas are derived, in part, from real-world case studies formulated during engagements in the field with companies operating in pharma, financial services, medical device manufacturing, and defense contracting.
The Agile QMS
The concept of the Quality Management System (QMS) is ubiquitous in the traditional waterfall/linear delivery space. In broad terms, it usually acts as a records repository for projects. In our case, it may also fulfill the need for a compliance database where regulatory control checks, and corresponding supporting data, are held and retained. Furthermore, as well as providing an audit trail of oversight and tracking related activities, it may also serve as a vehicle for planning and tracking by acting as the equivalent of a backlog to manage compliance-related Enablers/Stories.
Life Cycle Compliance Mapping
Most regulated organizations are required to demonstrate alignment, or compliance, with their targeted regulations, policies, or standards. A defined Agile Life Cycle flow that describes the delivery process, roles, practices, and artifacts (with a supporting detailed Playbook) can provide an effective vehicle to proactively map specific practices, artifacts, and organizational roles to the source regulatory requirements. So, in effect, this can act as the equivalent of a Compliance Traceability Matrix (CTM) that culminates in a clearly-defined process environment, which directly demonstrates the required alignment. Also, if implemented appropriately, this proactive step has a significantly greater chance of being relied upon by an auditing/compliance function.
The Role of the Agile Playbook
The Agile Playbook can be used to augment the Life Cycle flow and provide even more levels of detail at a practice and role level. Due to the nature of some regulatory controls, detail may be an important factor. In other words, the more definition, the higher the likelihood that a control will be effective and an audit review will be successful.
If used wisely (ensuring that all constituencies have a voice in shaping those improvements), the Playbook can provide a means to establish a mutually agreed common frame of reference. On top of that, it can also act as a vehicle for relentless improvement, which in turn supports cultural institutionalization and shared ownership.
In order to understand where it is heading, an organization on an Agile adoption journey really needs to know where it is starting from. Based upon a sampling methodology, the Assessment focuses on gathering data that measures current process performance and feeds a transformation program with actionable improvement ideas. At the same time, this function can also be used to verify that the actual execution of delivery processes is compliant, and maintains alignment, with relevant regulations.
Is it a bird? Is it a plane? Or is it a CMO?
In higher-risk, complex, or highly regulated environments, it is sometimes necessary to create an additional “Line of Defense” by assigning compliance specialists, in the guise of a “Compliance Management Office” (CMO), to administer, track, and report compliance records. This group might also combine its role with Agile Adoption by housing Transformation specialists and leadership.
Resistance is Futile
Most regulations exist for good reason. In many cases, they safeguard individuals, communities, and even corporations. They are a necessary part of the social fabric in both commercial and public institutions. However, as we have seen, in many cases they can represent a real challenge to implement effectively and efficiently. But hopefully, by examining some potential best practices, we have made a case that not only can Compliance peacefully coexist with Agile methods, but Agile methods and Regulatory frameworks may be mutually supportive of each other.
Don’t be a stranger - let me know what you think.