How to overcome regulatory challenges in an agile development approach?
In modern enterprise strategy, digital transformation is the holy grail that CEOs expect from their CDOs and CIOs. Unfortunately, if you ask 10 people, you’re likely to get 11 opinions about the full scope of digital transformation. However, once you cut through all the buzzwords, the two key pillars of a digital transformation strategy are most often cloud and agile.
Cloud provides infrastructure (IaaS), platform (PaaS) and software (SaaS) as a service, enabling businesses to move without long capex cycles. Agile provides a way to deliver business services on those third-party cloud platforms in short increments while managing the associated risks. While the importance of cloud in the digital landscape has been widely accepted, there have been numerous debates about whether agile can be adopted across all business settings.
One of the most important factors cited in these debates is the need to account for the regulatory aspects of a solution within the software development process.
Every business has to comply with certain regulatory requirements, which may vary across industries and jurisdictions.
For example, manufacturing businesses must comply with good manufacturing practice (GMP); healthcare companies must comply with the Health Insurance Portability and Accountability Act (HIPAA); life sciences companies must abide by DEA and FDA regulations; payment organizations must conform to the Payment Card Industry Data Security Standard (PCI DSS).
Despite a vigorous debate around agile, there still isn't a clear understanding of how to incorporate regulatory requirements into the agile way of working. Fortunately, there are ways to integrate regulatory compliance with agile cycles without losing sight of the key benefit: fast delivery with a feedback loop.
The challenges often cited are:
- Agile works in very short cycles (sprints), and regulatory requirements may not fit within that timeline.
- In every sprint, agile focuses on delivering the functional features that provide the highest business value, and regulatory requirements may not be at the top of that list.
- Agile prioritizes feature implementation over detailed documentation, yet complying with regulations may require detailed documentation.
While these are all genuine challenges, there are ways to overcome them in an agile approach and to integrate regulatory compliance with the agile cycles without forgetting the objective of those cycles: fast delivery with a feedback loop.
A phased approach for regulatory compliance with agile
To begin, we divide the overall product development into three phases: foundation MVP, scale-up and maturity. The foundation MVP is about building the minimum set of features for users who want to achieve specific business objectives, without complete regulatory compliance built in. It may take some probing, but you will find that many users in the organization are interested: even if the MVP does not cover all their needs, it may still serve many of their functional objectives. During this phase, you onboard only a subset of those users. Note that scoping compliance down does not suspend the regulation itself: if the MVP handles regulated data (PHI, cardholder data, GxP records), the applicable controls still apply to it, so keep the MVP on non-production, synthetic or de-identified data until the regulatory backlog has been worked off.
In the scale-up phase, we bring the rest of the users identified in the previous phase and start developing stories that serve their needs. This will lead to a product that meets most of the functional objectives of the product and the organization. You should identify a few stories from the regulatory compliance backlog and allocate a part of each sprint to achieving them.
This phase ends with two or three dedicated sprints devoted to meeting regulatory requirements, which may involve collecting historical evidence through regression testing of the existing product features, preparing documents and certifying the product features as required by the relevant regulatory frameworks.
If the amount of work required to certify previously developed features is high, it might be beneficial to set up a parallel, dedicated team to achieve this objective. By the end of this phase, the product should have achieved the minimum set of functional features required by the users and the minimum threshold required by the regulations.
The maturity phase of product development involves delivering each new functional feature together with its associated regulatory requirements. If you follow Scrum, each story will carry a set of regulatory aspects that must be implemented along with the functional requirements. In this phase, all epics, stories, enablers and risks are linked with their corresponding test plan, test sets and preconditions, test execution and any reported bugs.
While the foundation MVP and scale-up phases can be executed with the minimum toolset required for agile project management and documentation, the maturity phase brings sophistication in the way existing toolsets are integrated through available plug-ins and a new set of tools to drive automation.
Even though we build the foundation MVP with minimum regulatory coverage at the start, we cover the ground in the scale-up phase and incorporate the regulatory compliance requirements for every epic and story released during the maturity phase. We speed up the process through an automation-first approach that employs the right tooling. For instance, we can combine agile project management tools like Jira and document management tools like Confluence with out-of-the-box plug-ins that help automate documentation, workflows and electronic signatures. Bear in mind that tooling which generates compliance evidence or captures electronic signatures is itself in scope for the same frameworks (for example, FDA rules on electronic records and signatures), so it needs to be qualified before its output is relied on.
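The automation that makes the maturity phase work is, at its core, a release gate: a story may only ship if every regulatory control it is linked to has passing test evidence, no blocking bug is open, and an approval is recorded. The following is an added example written for this page, not the article's own tooling or a Jira or Confluence plug-in; the control identifiers, story keys, test runs and severity levels are constructed, and the record layout is a hypothetical stand-in for whatever your project-management tool exports.

```python
"""Traceability release gate for the maturity phase (added example).

Each story must be linked to at least one regulatory control; each linked
control must be evidenced by a passing test execution; no critical or high
bug may remain open; and a sign-off must be recorded. Any violation is a
finding and blocks the release.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TestRun:
    test_id: str
    control_ids: tuple      # regulatory controls this execution evidences
    passed: bool


@dataclass(frozen=True)
class Story:
    key: str
    control_ids: tuple          # regulatory controls linked to the story
    test_runs: tuple            # TestRun records from the test-management tool
    open_bugs: tuple            # (bug_id, severity) pairs still open
    approved_by: Optional[str]  # who signed the story off; None if unsigned


# Severities that block a release regardless of test evidence (assumption).
BLOCKING_SEVERITIES = {"critical", "high"}


def check_story(story: Story, known_controls: dict) -> list:
    """Return a list of findings; an empty list means the story passes the gate."""
    findings = []
    if not story.control_ids:
        findings.append(f"{story.key}: no regulatory control linked")
    for control in story.control_ids:
        if control not in known_controls:
            findings.append(f"{story.key}: unknown control {control}")
            continue
        evidence = [t for t in story.test_runs if control in t.control_ids]
        if not evidence:
            findings.append(f"{story.key}: no test evidence for {control}")
        elif not all(t.passed for t in evidence):
            failed = ", ".join(t.test_id for t in evidence if not t.passed)
            findings.append(f"{story.key}: failing evidence for {control}: {failed}")
    for bug_id, severity in story.open_bugs:
        if severity in BLOCKING_SEVERITIES:
            findings.append(f"{story.key}: open {severity} bug {bug_id}")
    if story.approved_by is None:
        findings.append(f"{story.key}: no approval signature recorded")
    return findings


def gate(stories: tuple, known_controls: dict):
    """Evaluate every story; returns (release_ready, findings_by_story)."""
    report = {s.key: check_story(s, known_controls) for s in stories}
    return all(not f for f in report.values()), report


# Constructed sample data: hypothetical control IDs and stories, not real
# regulatory clauses or a real backlog.
CONTROLS = {
    "CTRL-ENC-01": "Regulated data is encrypted at rest",
    "CTRL-AUD-02": "Access to regulated records is logged",
    "CTRL-RET-03": "Records are retained for the mandated period",
}

STORIES = (
    # Fully traceable: linked control, passing evidence, signed off.
    Story("PAY-101", ("CTRL-ENC-01",),
          (TestRun("T-1", ("CTRL-ENC-01",), True),), (), "qa.lead"),
    # Evidence exists but failed, and a high-severity bug is still open.
    Story("PAY-102", ("CTRL-AUD-02",),
          (TestRun("T-2", ("CTRL-AUD-02",), False),), (("BUG-7", "high"),), "qa.lead"),
    # Functional-only story: nothing linked, nothing signed.
    Story("PAY-103", (), (), (), None),
    # Linked to a control but no test execution recorded for it.
    Story("PAY-104", ("CTRL-RET-03",), (), (), "qa.lead"),
)


if __name__ == "__main__":
    ready, report = gate(STORIES, CONTROLS)
    for key, findings in report.items():
        print(key, "OK" if not findings else "BLOCKED")
        for finding in findings:
            print("  -", finding)
    print("release ready:", ready)
```

Run in CI against an export of the sprint's stories, the gate gives the regulatory team the same fast feedback loop the functional team already has: a story that lacks a linked control or passing evidence is blocked in the sprint where it was written, rather than surfacing in a dedicated certification sprint months later.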
This way, you start reaping the business benefits very early in the product development cycle, a product your regulatory team can sign off on is ready from the scale-up phase onwards, and the product is fully compliant by the maturity phase.