Can Risk & Compliance be more Agile?

Andrew Millward

Follow us on LinkedIn

4 Feb 2022
Topics
  • Compliance and Regulation

Introduction

If your organisation has or is going through an agile transformation, you might be asking yourself how to adapt. Agile methods tend to favour system development projects so you might be asking yourself what relevance it has to you as a risk and compliance practitioner. Or perhaps you might be looking for how to improve the effectiveness of your risk and compliance function.

In this article I attempt to summarise some ideas borrowed from existing agile models, frameworks and principles that I believe can be applied by risk and compliance functions and which I’ve seen done successfully at various organisations. These ideas include both ways of working with other agile teams as well as becoming an agile team. Some are simply common-sense ways to run a solid risk and compliance function and others might be new to you.

Empower your stakeholders

Agile models emphasise placing trust in teams who are multi-disciplined and empowered to own their work from end-to-end within a particular product or value stream focus. It relies on reducing the dependencies and handoffs between teams so work gets done faster and closer to the customer. For a risk and compliance team that means it is critical to get out of their way and avoid being a bottleneck. Instead, focus on empowering teams to apply risk and compliance practices themselves where possible.

Self service solutions

Make sure you have a ‘front door’ where staff can help themselves to all the templates, procedures, checklists, FAQs and so on that they need to manage risk and compliance. This could be in the form of a SharePoint site, Confluence page, GRC Portal etc. Speaking of GRC, ideally your GRC solution should be simple and open so that anyone in the business can raise incidents, manage actions etc with risk and compliance resources only needing to review, monitor and/or approve.

Risk champions and communities of practice

Many scaled agile models have a concept of communities of practice, sometimes known as ‘guilds’, to align people across similar interests or disciplines. Identifying a network of risk champions and keeping them engaged through a community of practice is a great way to embed a strong risk culture and keep your ear to the ground in a rapidly changing business environment. It provides a two-way flow of communication to seek feedback on risk and compliance practices across the business, and for the risk and compliance function to disseminate information.

Risk training

The concepts of ‘life-long learning’ and ‘growth mindset’ are closely tied to agile ways of working. To empower risk champions and other staff to self service and embed risk and compliance processes within their business areas, it is critical to provide them with ongoing training. Ideally this would be delivered interactively and face-to-face, starting with your risk champions and community of practice.

Integrate with agile teams

In cases where risk and compliance teams do interface with other business areas, it is important to gain their buy-in by respecting their agile ways of working and minimising disruption.

Adopt a business partner model

Aligning individuals within risk and compliance functions to the agile teams they support is key. Depending on the model, “agile teams” could be variously referred to as platforms, tribes, release trains or something else, and are typically aligned to a particular product offering or value stream. In less mature environments, aligning across traditional organisational boundaries is also beneficial. Having cross-functional risk and compliance professionals aligned to these other teams builds effective relationships and ensures that the risk and compliance priorities and capacity match that of the area they are supporting.

Participate in agile ceremonies

For risk business partners to understand the work and priorities of the teams they support it is important for them to participate in key agile ceremonies. Planning sessions, variously referred to as portfolio planning, program increment planning and/or release planning, are important to gauge relevant priorities and provide dynamic risk advice. Meanwhile, attending showcases and demos can provide a better understanding of value being delivered. When delivering work for an agile team it can also be useful to provide updates at their daily stand-up meetings.

Engage with team backlogs

Reviewing team backlogs, particularly at the portfolio/epic level, can provide a wealth of insight about planned work and identify any early gaps in risk and compliance requirements. For example, you might notice new regulatory requirements have been misinterpreted or that there are plans to engage in new outsourcing arrangements. Where agile teams need to dedicate time to work with risk and compliance teams, for example to provide input to risk assessments or evidence for assurance activities, make sure to work with them to integrate capacity for that into their backlog.

Eliminate process waste

Tightly coupled with agile ways of working is the “lean” mindset of optimising processes and eliminating waste. In many organisations, risk and compliance in its current form as a discrete discipline is quite new. As a result of changing regulatory requirements and community expectations, some processes didn’t exist as little as a decade ago. As such, there are often significant opportunities to apply lean thinking.

Agree your service catalogue

Many risk and compliance functions will typically spend over half of their time responding to ad-hoc on demand requests by direct approach – usually email. There is little to no structure to the services they provide, and advice provided by one risk manager is often invisible to their colleague next to them who might receive the same request next week. Start with a documented list of all the services and advice you provide and the steps they go through from start to finish. This is the foundation from which you can then simplify, measure, streamline and automate. Ideally you can make these services requestable and trackable in a ticketing solution alongside your self-service solution.

Visualise work and limit work in progress (‘Kanban’)

Use a task tracker, ticketing system or even sticky notes on a wall to start visualising work and making it transparent as it moves through the pipeline. Using this approach patterns will emerge and it will be clear where there are bottlenecks, overallocations and potential efficiencies. It can be helpful to set limits to the amount of work in each stage or allocated to each person. For example, you might allow someone to be allocated a maximum of three risk assessments at any one time. The less parallel work in progress, the greater the overall throughput – less is more.

Sync up at daily stand-ups

Use daily stand-ups to monitor the queue of new and in progress work, hold each other accountable and share knowledge among the team. Make sure the backlog of work is prioritised and that the team are aligned on their relative priorities. It is also a chance for the team to escalate any blockers. Careful not to let it become a talk fest – keep to a strict per person time limit with just four simple questions: what did you do yesterday, what are you doing today, what are your blockers and who speaks next. It can be helpful to nominate someone to keep the time and call out when a conversation should be a separate meeting.

Continuously improve

One of the most important, and often overlooked, agile concepts is continuous improvement or ‘kaizen’ as it is traditionally known. Every agile framework incorporates the idea of making iterative improvements both in the product or service itself and the processes that deliver them.

Measure and improve

As the saying goes “you can’t manage what you can’t measure.” Identifying metrics to track the baseline effectiveness of risk and compliance processes is the key starting point from which to improve. When defining metrics it is important to distinguish between Key Risk or Control Indicators (KRIs/KCIs) that risk and compliance resources may have limited control over versus process measures such as average time to acknowledge requests or number of controls tested per month for example. Aim to prioritise a handful of metrics that you can track and improve over time.

Dedicate time for self-improvement and innovation

“I don’t have time to sharpen the saw, I’m too busy sawing.” Sometimes we get so lost in ‘busy work’ we fail to recognise the need to set time aside to make adjustments. Time to reflect, improve and innovate is often built into agile frameworks whether in the form of ‘retrospectives’ (Scrum) or time bound ‘innovation and planning iterations’ (SAFe) for example. 
Technology companies in the past have even gone as far as dedicating up to a day a week for staff to develop innovative ideas of their own. Another technique common in the technology industry are ‘hackathons’ which set aside days or even an entire week to experiment with innovative new ideas. This can also work quite well for risk and compliance functions too, for example to rapidly prototype new templates, reports, models, automations etc.

Showcase and pilot for rapid feedback

Another important approach for continuously improving is to make use of showcases and demos with stakeholders to show work in progress. Traditionally applied to software with a regular cadence (e.g. fortnightly), there are also opportunities to adopt the same approach for many types of deliverables, for example walkthroughs of in progress risk assessments or draft policies. When working on new or improved processes it can be useful to combine this with an approach to piloting in a specific team or department. The aim of both showcases and piloting is to introduce early feedback loops that allow you to tweak and improve as you go.

Rotate roles or specialisations

When it comes to self-improvement and embracing the idea of cross-functional ‘T shaped’ teams, it can be extremely powerful to consider opportunities to rotate individuals between different roles or specialisations within the risk and compliance function. For example, if you have separate teams for risk versus compliance, you might agree individuals from each team to switch for a period of time which can help spark innovative ideas for improvements, improve communication between the teams and give individuals the opportunity to grow and learn new skills. As an added bonus it also helps reduce key person risk.

Conclusion

In this article I have discussed how agile models, frameworks and principles can be applied to risk and compliance teams. Empowering stakeholders through self-service solutions, communities of practice, and business risk training can free up risk teams to focus on high value strategic work and closer integration with business teams. While the last two agile concepts of eliminating process waste and continuously improving allow risk and compliance teams to remain lean and efficient without sacrificing innovation and creativity.

Can Risk & Compliance be more Agile?
Download the article

You may also like

Let us tell you more

Risk management expectations are evolving rapidly. How well is your organisation equipped to respond?