If you’re like most businesses, you’re exploring more dynamic ways of working as you digitally transform. Whether utilising Agile, BizDevOps, DevOps or DevSecOps, the ways in which you get work done are changing.
These days, they have to. With digitisation raising the table stakes, the ability to differentiate your brand in the market is critical to growth. Transforming into a digital organisation can have substantial benefits like improved time to market, increased innovation, higher quality, positive cultural change, and ultimately, happier customers.
Unfortunately, however, many businesses don’t realise that costly operational disruption, regulatory penalties, and even personal remuneration are at stake when controls aren’t embedded into new practices.
Agile, DevOps, what?
There are many different practices currently being explored by business to enable new ways of working. An Agile transformation of an organisation, for example, is about getting the right people working closer together, orientating around the customer and getting to value sooner, informed by continual feedback loops. With Agile, a business can adapt and innovate productively and cost-effectively. This transformation realigns the entire business including leadership and governance, strategy, operating model and culture.
DevOps on the other hand is a way to ensure that teams have all the capabilities that they need to deliver and provide service to the customer (from development to operations). It focuses more on transforming operating models, technology and infrastructure, similar to BizDevOps, but less focused on the business holistically and more focused on its technical capabilities. And just to throw in another acronym, then there is DevSecOps, which integrates security into DevOps to create accountability between teams and enable the business to provide secure infrastructure for its initiatives.
What could go wrong?
What many businesses don’t know when they implement these solutions is that they can be unknowingly leaving adequate protections behind. By the time internal auditors, external regulators, or other assessment teams expose these weaknesses, it is often too late to avoid significant re-work costs, security fire drills, launch delays, or project failures.
Indeed, if your business was to be scrutinised tomorrow, what would the outcome be?
Companies need to ensure that when they are working differently, they are also working securely. Policies and procedures (frameworks, toolkits, governance) should be updated to reflect the new ways, not the old. If an auditor were to look up how your business operates, would they get an accurate picture? For instance, could you prove, with evidence, that the teams are following new methods?
When it comes to finance, Agile organisations also often need to fund projects differently, embracing investment planning that supports iterative development. Can the finance team fund and account for project spend? And crucially, when it comes to security, are you sure that no one can use the new methods and tools — automation, new technology, artificial intelligence — to introduce malicious or deficient code into production? Are your systems robust and secure? It should go without saying that they need to be.
How to deliver at pace and still have control
Luckily, none of the above working methods and practices necessarily mean being at odds with governance, control and auditability. While not exhaustive, here are six elements that organisations who have embraced digital transformation auditability all address:
- Write integrated (across Agile, DevSecOps etc.) playbooks that help drive consistency and repeatability across teams. Delivery teams’ feedback should be incorporated to enhance their usefulness, while also enabling auditability by design/minimal overhead.
- Ensure lifecycle frameworks are not just in a set of slides; instead they should be instituted as part of the systems used (eg. within Jira, Rally, Chef, Selenium and/or other related tools) to drive adherence to the abovementioned playbooks, compliance, and internal controls. If implemented correctly, quality engineering practices and the use of automated tools immediately establishes the foundation for effective controls.
- Update your risk and control matrices for audit teams to use as the basis for their work, rather than relying on old checklists.
- Align processes and controls for finance, portfolio, HR, procurement, and other teams with IT’s adoption of, or business transformation to Agile.
- Make certain that ways of working are agreed for risk teams (eg. cyber, operational risk, compliance, etc.) so they can provide their expertise and requirements without disrupting the Agile teams’ flow.
- ‘Lock down’ your DevOps continuous delivery pipeline and configure it to enable security and control by design.
How to gain confidence in your delivery
Additionally, businesses can get ahead by developing themselves into ‘auditready’ organisations. Conducting a mock audit, for example, can help to identify gaps before they are found by others — or have developed into serious issues. A mock audit can also uncover opportunities for digitising and automating internal controls. This approach will build confidence without adding overhead or complication — helping realise the benefits of your digital transformation.
An Agile/BizDevOps workplace is one that comes with substantial benefits, not the least being the ability to compete in today’s digital world. Working in these new ways doesn’t have to mean accepting risk, so ask yourself, would your Agile organisation survive an audit? And if your answer is unsure, it’s time to do something about it.
To find out more on assurance processes for new ways of working, explore the United States or Australian transformation assurance sites.