Agile and compliance: (How) do they fit together?

Although the principles of the Agile way of working have been around for decades, it is a relatively new concept for most financial institutions. Inspired by stories from Silicon Valley and the tremendous success of rapidly emerging players such as Spotify, Airbnb, and Uber, executives in financial institutions have started exploring the management techniques behind these successes. They see that the world around us is changing faster, product cycles are getting shorter, and traditional players are increasingly threatened by newcomers in the market.

Consumers expect faster services, also from traditional financial service providers. Therefore, the financial sector needs to adapt more quickly to the changing world and become more agile. Result: Agile has entered the scene as a development methodology for systems and products. No longer departments with hierarchical and functional reporting lines, but Tribes, Squads, Chapters, and Guilds. No more waterfall planning, but Sprints, Backlogs, and Minimum Viable Products.

Agility and continuous Improvement

In recent years, we have seen more and more organisations making this transition. All with the believe that it allows for more flexible development, enabling products and services to become available to customers more quickly. Creating something in a few weeks and then go live with a Minimum Viable Product. Based on feedback and/or new insights the next iteration is done.

Periodically reviewing a product or service, followed by a project to adapt it to new requirements is no longer the standard.

The mantra of continuous improvement also guides organisations towards the Agile way of working. Existing products and services need to be adapted to market changes and evolving insights more rapidly. Periodically reviewing a product or service, followed by a project to adapt it to new requirements is no longer the standard. Instead, products, services, and processes are constantly subject to changes that are developed and implemented in short iterations of a few weeks.

Does agile fit in a highly regulated sector?

But does this way of working fit in a strictly regulated world like the financial sector? Iterative processes, where adjustments to products, systems, etc. follow each other rapidly, of course raises the question whether all the requirements imposed by laws and regulations are consistently met. There is no extensive upfront documentation defining in detail what a product will look like. And without a phase of extensive testing and evaluation, where everything can be carefully reviewed to see whether all regulatory requirements are complied with. The traditional Product Approval and Review Process (‘PARP’) no longer works in this new context. The same goes for risk management departments like Compliance in their traditional setup. They can no longer work the way they used to if they want to remain effective. This being the case, how do you ensure effective management of compliance risk in the company?

With the introduction of Agile in the financial sector, we see that compliance departments are struggling.

With the introduction of Agile in the financial sector, we see that the compliance departments involved are struggling. As a rule, Compliance officers tend to be risk-averse and look for certainty in everything they do. Agile introduces more uncertainty and therefore it increases the risk level, at least in the minds of Compliance people. This all leads to the tendency from Compliance to make less statements about the status of compliance and thus, it becomes increasingly challenging to sign off on a product as being good enough.

However, we believe that there are possibilities for organisations to remain compliant, also when the way of working in a company is Agile. Compliance professionals can continue to function adequately and provide added value in an Agile setting. As a start, compliance departments must embrace the change and adapt to the changing world. Not embracing the new way of working will only lead to less effective risk management.

Secondly, Agile, in our view, requires a more mature organisation in terms of compliance. The time and possibilities to consult Compliance to verify if all regulatory requirements are complied with, no longer works. With the multitude of changes and faster turnover times, it is impossible for Compliance officers to be involved timely in each and every step in the process.

To continue meeting all requirements, compliance needs to be integrated in the organisation’s DNA.

To continue meeting all requirements, compliance needs to be integrated in the organisation’s DNA. The “business” must be better equipped to consider the regulatory requirements when executing (change) processes. Agile working provides an enormous opportunity to achieve what numerous compliance departments have been dreaming of for many years: compliance risks are an integral part of various business processes, where they are managed accordingly.

What does this require of Compliance?

Working in an Agile environment requires a different approach and different emphases from the compliance organisation. Some key points to consider:

Ensure that you have an overview of all the changes the organisation is working on and keep track of where changes are being made. Then determine where you want Compliance, as a function, to be involved. For significant, major changes, you want to be part of the process. This doesn’t seem to be that different from a more traditional organisational setup. However, it requires active participation in the Agile way of working of the business to help create the right overview and insights in the different change processes.

We believe that compliance can operate effectively in an Agile environment. In fact, it presents new opportunities.

Make it a prerequisite that regulatory requirements are always part of the “Definition of Ready” (you know all the requirements before starting a Sprint) and the “Definition of Done” (they are also applied in the product delivered in a Sprint).

Monitor from Compliance whether these prerequisites are met. By imposing the prerequisites mentioned before and the fact that you cannot be present everywhere to assist the business in meeting the regulatory obligations, it means that you need to enable the organisation to do it itself, so empower the stakeholders:

• Ensure accessibility to relevant templates, procedures, checklists, FAQs, etc. If someone cannot find the answer there, it should trigger involving Compliance at an early stage in the ongoing process;
• Place (even) more emphasis on training and awareness;
• Establish compliance-focused Guilds within the business: these are your front-line ambassadors!

The mindset of continuous improvement applies to Compliance itself as well. This means that the information you make available to the organisation must be adjusted, improved, and expanded on a continuous basis. In our view, this aspect is key to a well-functioning compliance mechanism in the organisation. If knowledge and information within the business are not effectively shared, all the work will once again end up at the compliance departments. Or worse, the organisation develops all kind of things without adequately considering regulatory requirements.

We believe that compliance can operate effectively in an Agile environment. In fact, in our view it presents new opportunities. However, it does require a different way of working from both Compliance as well as from the business.

Roundtable Discussion: “The Agile Way of Working and Compliance”

We are curious how the compliance community perceives working in an Agile environment and would like to have a conversation on this topic. Therefore, we will organise a roundtable in The Netherlands, with the intent to learn from each other and dive deeper into topics such as:

• Do Agile and compliance actually go together?
• Do we see Agile as a catalyst to create a more mature organisation in terms of compliance?
• What works and what doesn’t work from a second line perspective?
• Do we already have best practices?

Do you want to participate? Reach out to us here.

About Projective Group

Established in 2006, Projective Group is a leading Financial Services change specialist. With deep expertise across practices in Data, Payments, Transformation and Risk & Compliance.

We are recognised within the industry as a complete solutions provider, partnering with clients in Financial Services to provide resolutions that are both holistic and pragmatic.  We have evolved to become a trusted partner for companies that want to thrive and prosper in an ever-changing Financial Services landscape.