Regulated industries such as finance or pharmaceutical are obligated to comply with regulations when developing a new product. As such, the requirements that the product team need to implement must include both the customer needs and the compliance standards.
When companies from these industries want to reach enterprise agility, not only their product development but also the control of their development process need to be agile. One path to achieve this is to embed agility in their quality management framework.
THE TRADITIONAL COMPLIANCE FRAMEWORK
Quality or Risk management frameworks is the standard to achieve regulatory compliance by addressing the business risks that are impacting their companies. It relies on
- an understanding of risks such as legal risks, security risks, credit risks, privacy risks, financial crime risks...
- an ownership of risk compliance usually through a 3 lines of defence model: operation management owning the risks, risk management setting the standards, and audit providing assurance of regulatory compliance
- a risk assessment process to identify, resolve and monitor risks on projects and operations
AN AGILE COMPLIANCE FRAMEWORK
Regulatory agility means to embed this framework in the core of the agile development process. To address this, here is a standard I developed, tested and implemented while working in pharmaceutical and finance companies:
- risk story: similarly to user stories, risk stories are items on the backlog that describe the business risks in layman terms. E.g. To mitigate privacy risks, I want to ensure only a limited set of approved users can access the personal information of a customer so that the risk of personal information disclosure is reduced.
- risk owner: similarly to the product owner who identifies, refines and prioritizes user stories based on customer need, a risk owner is a member of the product team in charge of assessing, evaluating and prioritizing risk stories based on compliance standards.
- risk impact process: similarly to user story mapping, the risk impact process assesses the baseline of risk standards that the product needs to comply with (SOX, CFR21, ISO27001...), identifies risk stories that arise when adding user stories in the backlog, and monitors the impact of changing requirements on the current compliance state of the product.
This framework provides a solid, high-level, tested base of agile principles to ensure flexible, adaptive and interactive regulatory compliance to industry standards.
Read more here Why the need for agile compliance