making scrum stick inside heavy regulated industries (2012)

1 Copyright ©2012 CollabNet, Inc. All Rights Reserved.

About today’s presenter

Laszlo Szalvay

Laszlo Szalvay is one of the foremost Scrum experts in the software industry. At CollabNet he

oversees the company’s global Scrum business, helping organizations adopt and scale Scrum-

based initiatives to drive productivity and quality improvements. He creates engagement

frameworks to forge lasting Agile-process transformations at customer sites, using a personal

approach to teaching and implementing Lean/Agile/Scrum processes as a means of achieving

greater IT agility. He is expert at leading successful distributed Agile environments (usually with

an Indian or Chinese offshore model), and addressing cultural nuances, replication issues, and

capital and headcount resource requirements.

Prior to CollabNet, Szalvay co-founded and led operations for Danube, a leader in Scrum tools

and training, before it was acquired by CollabNet. He is an active industry thought leader, having

written and contributed hundreds of articles, presentations and blogs on improving software

delivery through Scrum. Since mid-2010, Szalvay has traveled more than 330,000 miles

throughout Europe, Asia and North America, working with CollabNet customers and partners to

gain a unique perspective of the complexities and success strategies of a globally distributed

software organizations.

2 Copyright ©2012 CollabNet, Inc. All Rights Reserved.ENTERPRISE CLOUD DEVELOPMENT

Making Agile Work in Regulated Industries

Laszlo Szalvay

VP Worldwide Scrum Business

August 2012


Compliance is Top of Mind

To become a mainstream methodology, Agile had to

overcome many potential obstacles. The first was

geography…One of today’s most daunting obstacles is

compliance, often bringing heavyweight documentation,

required procedures that are very waterfall-ish, complex

approval workflows, and complicated approval processes.

July 2011

Forrester Research, Inc.

“Compliance Is A Hurdle, Not A Barrier, To Agile”

Tom Grant, PhD


About CollabNetR

eco

gn

itio

n

Founded

Subversion

Open ALM Platform

Build

Lab Management

Founded

Agile PM

#1 Scrum Trainer

Dev Tools Hosting

Development

Communities

Collaborative

ALMALM

Hybrid Cloud

Development

Platform

1999 2000 2007 2008 2009 2011 2012

Th

emes

dPaaS


Agenda

Review of Agile and

GRC

Review our

Technology & Process

Approach

Closing

2007, 2011

COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes

Robert R. Moeller


Problem Statement

Dec 2011

Compliance Doesn't Have to Be Painful for Banks

Bank Systems & Technology

Bryan Yurcan

Undoubtedly, the Dodd-Frank bill has driven the biggest

risk management changes for banks; Dodd-Frank’s

2,300-plus pages contain hundreds of new rules and

spell out dozens of studies and reports that regulators

are required to conduct. But many of the law’s new

regulations have yet to be implemented or, in some

cases, still remain undefined. And many of the new

rules don't have a set implementation date.


• Agility and Compliance not only co-exist but

thrive when used together

• What is interesting and worth pointing out as a

paradox is that compliance is seen as a negative.

Yet companies that invest in process regardless of

government requirements are always the better

and more profitable organizations.

Our BHAG (big hairy audacious goal)

8 Copyright ©2012 CollabNet, Inc. All Rights Reserved.8 Copyright ©2012 CollabNet, Inc. All Rights Reserved.

Agility


market trends

“Scrum is the Modern way to work” October 2010

Tieto In person meeting in Helsinki”

Mika Koivuluoma, VP Software Development and Tools


roles, meetings, and artifacts

Scrum is a means to an end.


GRC


This is not what external compliance is


• Ever changing

• More scrutiny due to Sept 2008 crash and general 'anger' at Wall Street

(e.g. Occupy Movement)

• Many faces, although Singapore emerging as leaders (strategic)

• Not familiar with internal corporate vernacular, culture, or even

software development

Compliance is complex


• Singapore sees compliance as a strategic

differentiator and Singaporeans have taken

a very taken a very hard position within the

banking industry. As such, they are now seen

as the international standard.

• Complex set of cross-border rules that can be contradictory,

incomplete, or vague

• Have seen this in other industries (e.g. Postal)

– Customs is where the most senior people from DHL, FedEx, UPS sit

Singapore – emerging standard


What are we seeing in the industry?


Scrum and XP are the #1 choice in heavily regulated industries

Source: Forrester/Dr. Dobb’s Global Developer Technographics® Survey, Q3 2010

0%

5%

10%

15%

20%

25%

30%

35%

40%

Agile Iterative Waterfall Structured Chaos

Regulated

Unregulated


Our Approach Introducing the Enterprise Cloud Development Maturity Model


Enterprise Cloud Development


• Visibility

• Centralization

• Standardization

• Information security audit log

• IP security

• RBAC reports

Step 1: Embrace the Cloud


• Map business / enterprise architecture

(project hierarchies, workspaces, artifacts, roles)

• Create a social environment ? Why?

A lesson from Open Source. Did you know…

Why? Lets ask Dan Pink

Step 2: Implement Community Architecture

30% of developers who

work in regulated

industries contribute to

open source projects

during their free time.

July 2011


“App Dev Teams Dispel The Compliance Boogeyman”

Tom Grant, PhD


Thought Leader Perspective

2009

TED Conference

Dan Pink “These lessons are worth

repeating, and if more

companies feel

emboldened to follow Mr.

Pink's advice, then so much

the better.”Wall Street Journal

“Pink is rapidly acquiring

international guru status…

He is an engaging writer,

who challenges and

provokes.”Financial Times

In Drive, Dan Pink examines the three

elements of true motivation—

Autonomy over time, task, team,

technique led to 20% time at some of the

most innovative companies in the world.


Analyst Perspective

July 2011


“App Dev Teams Dispel The Compliance Boogeyman”

Tom Grant, PhD

The real difference between developers in the most-

regulated and less-regulated industries lies in their

reasons for contributing to open source…developers in

more-regulated teams see open source as an outlet

for what they may not get from a more-regimented

workplace: opportunities for collaboration

and a personal sense of accomplishment.


Your developers want to collaborate and be part of a community

– step 2 enables that through…

– Inner-source (Corporate Open Source)

– Transparency (breeds trust which drives reuse)

– Workspaces and Wikis (Federated)

Back to Step 2 Implement Community Architecture –

what are the benefits?

Wiki is the oldest and simplest software that lets a community of strangers work together to build something of surprising and lasting value.

Ward Cunningham

Inventor of the Wiki

Sent to Laz via LinkedIn in March 2012


So does Dan Pink’s motivation

concept hold water?

So how did SCM market play out?

2007 Forrester Research

The Forrester Wave: Software Change and Configuration Management

autonomy, mastery, and purpose = innovation and market leadership


Step 3: Codify Development Processes

• Support Scrum and XP

• Codify workflows and vernacular

• Gain end to end visibility and traceability

• Use the retrospective meetings as a point to make

evolutionary changes to process that map to external

compliance standards


Agile workflow management (gated approvals based on RBAC)

Explain how CTF workflow matches to Basel II


Paper Trails (reporting and reconstruction)

Explain how CTF maps to reporting and reconstruction using associations and threaded conversations


Single source of truth – Developers View

CTF data integrality is maintained even though the roles differ


Single source of truth – The Businesses View



Single source of truth – The Auditors view



• Scrum is a means to an end and it improves learning

organizations

• Leverage mandatory compliance and Scrums popularity as a

means to:

– Embrace the Cloud

– Implement Community Architecture

– Codify Dev Processes

• You will be compliance ready, your employees will see a

better way to work, and you will improve the effectiveness of

your enterprise

Lessons to Take Away


Previous Solution CollabNet

Solution Cost

Three Times More Cost-Effective

Benefits

• Less complicated

• More graceful

• Easier to administer

• Easier to train and use

Source: Business Trends Quarterly

Instead of a one-size-fits-all solution, we

could, for more risk-averse platforms, have

a thicker process with more controls; and

for platforms that needed to be more

agile, we could have a more agile process.

Brian Roberson

Principal

Barclay’s Global Investors


© 2012 CollabNet, Inc., All rights reserved. CollabNet is a

trademark or registered trademark of CollabNet Inc., in the US

and other countries. All other trademarks, brand names, or

product names belong to their respective holders.

CollabNet, Inc.

8000 Marina Blvd., Suite 600

Brisbane, CA 94005

www.collab.net

+1-650-228-2500

+1-888-778-9793

blogs.collab.net

twitter.com/collabnet

www.facebook.com/collabnet

www.linkedin.com/company/collabnet-inc

making scrum stick inside heavy regulated industries (2012)

Technology

collabnet customers

tools9 copyright

phd3 copyright

agility8 copyright

grc11 copyright

scrum tools

compliance doesnt

artifacts scrum