Most companies are subject to some form of regulatory obligation, whether you’re building a product, or providing a service, you have to operate within a certain set of rules which have been created to ensure that your product or service is not only safe for use, but also provides value to your customers. Compliance at its core is being able to prove that you are doing what is expected according to this prescribed set of rules.
Compliance requirements are usually derived from industry-level standards or formal certification bodies, like being ISO 9001 compliant in the manufacturing world, or PCI complaint when handling credit card payments, but it can also refer to organisational level requirements which are aligned with a company’s vision, mission and goals.
Traditionally compliance was seen as somewhat of an add-on after your core delivery was complete. This was because everyone accepted that compliance, particularly regulatory compliance, took time and therefore required its own focus. But within an agile context, this no longer works. Compliance now needs to be an integral part of your iterative delivery process.
So how do you include compliance without slowing down delivery?
- Ensure that compliance activities are included into your backlog
Compliance activities don’t necessarily need to be their own user stories, but they do at very least need to be part of the acceptance criteria for delivery or feature-focused stories. Your team needs to understand that you can’t mark story “X” as done until the associated compliance items have been achieved.
- Break compliance requirements down into workable items
Stop thinking about compliance as one big, often very intimidating, piece of work. Consider the smaller stepping stones needed to get you to a particular compliance level. Once you understand the smaller components which allow you to reach overall certification, it’ll be easier to include these activities into your delivery sprints.
- Prioritise, prioritise, prioritise
Not all compliance regulations are created equal. In most instances you should be able to distinguish between a non-negotiable for day 1 versus something you can work towards over time. In order to do this, you need to have a clear understanding of the impacts of each compliance requirement (or non-compliance for that matter) in order to assign the appropriate priority.
- Include compliance representation as part of your core squad
Having access to someone who can help guide your development process from a compliance perspective will make all the difference. In this way you’ll have access to someone who can help sanity check your progress along the way instead of only pointing out blockers for deployment right at the very end.
- Automate as much as you can
Where possible, compliance tests should be automated. In this way, you can rerun them with ease during every sprint to ensure that there has been no compliance regression as new features are added. As more and more people are realising the need to focus non-functional requirements such as compliance, automation tools that specialise in this area are on the rise. This means more and more options for businesses wanting on invest in this space.
Battling to strike the perfect balance between compliance and agility within your organisation? Give us a call on 021 447 5696 or email firstname.lastname@example.org and let’s look at ways in which we can help guide you through this process.