Post on 09-Aug-2015
Intro
Is there a way to combine an agile and flexible product development approach with the requirements of Corporate Governance?
SCRUM – rules and agreements
• Iterations
• Each sprint delivers „closed”, working functionality
• Flexible, allows frequent change of direction
• Responsibility for the product delivery and quality
• According to Product/Story Owner requirements
Characteristics of SCRUM & COBIT
SCRUM
• Rapid (Agile) and iterative delivery of products
• Moderate to high changeability
• Flexible approach
• No guarantee (high appetite for risk)
COBIT
• Stabilization (through using controls)
• Preferred low changeability
• „Strict” requirements
• Required guarantee (low appetite for risk)
So we’re done… You cannot provide high changeability of the product and provide stabilization at the same time.
Really? What if we look at the rules and agreements in SCRUM?
Roles in SCRUM
Product Owner
• Product Backlog
• Authorization for DoD
• Authorization for sprints
• Validation of DoD and sprints’ products
SCRUM Master
• Coordination
• SCRUM „compliance”
• „Accountancy” of sprints/team
Developer
• Estimation
• Production
• QA
• Deployment
Roles in SCRUM (2)
[Diagram: SCRUM Master, Product Owner, Developers and QA; labels: Definition, Control, Validation]
ACTIVITY
Develop and implement the process to consistently record, assess, and prioritise change requests.
Assess impact and prioritise changes based on business needs
Assure that any emergency and critical change follows the approved process
Authorise changes
Manage and disseminate relevant information regarding changes.
SCRUM tasks’ types & Products distribution
[Diagram: EPIC, broken down into STORY and STORY, with BUG, BUG, BUG]
• Bug -> Sprints’ technological debt -> Emergency Change
• Epic<>Story – ability to use SoD (e.g. Test/Prod deployment done in different Stories of the same Epic)
• Sprint & Product backlog Mgmt – prioritization
SCRUM tasks’ types & Products distribution (2)
Backlog of Sprint 1: Task 1, Task 2, Task 3, Task 4
Backlog of Sprint 2: Task 5, Task 6, Task 7, Task 8
OK, what about Authorization? We spoke about it already…
ACTIVITY OK?
Develop and implement the process to consistently record, assess, and prioritise change requests.
Assess impact and prioritise changes based on business needs
Assure that any emergency and critical change follows the approved process
Authorise changes
Manage and disseminate relevant information regarding changes.
Authorization of changes
Product Owner
• Product Backlog
• Authorization for DoD
• Authorization for sprints
• Validation of DoD and sprints’ products
Product Owner is responsible for authorization. This role manages both authorization and prioritization of tasks/products. If there are more stakeholders – PO is responsible for gaining decisions and final authorization.
ACTIVITY OK?
Develop and implement the process to consistently record, assess, and prioritise change requests.
Assess impact and prioritise changes based on business needs
Assure that any emergency and critical change follows the approved process
Authorise changes
Manage and disseminate relevant information regarding changes.
Information about Changes
We need some assumptions for our SCRUM „agreement”:
1. SCRUM is transparent – we do not hide product or information
2. SCRUM has wing-2-wing responsibility for products
3. Product Owner is acting as Customer/users representative.
Makes sense…
Information about Changes (2)
Product Owner
Product Owner is responsible for communication. Depending on the product, actual communication actions may differ. They will cover checks from public access to the backlog, through sprints scope access, up to specific channels related to particular deploys.
Users, Customer, Other POs, Teams, etc.
ACTIVITY OK?
Develop and implement the process to consistently record, assess, and prioritise change requests.
Assess impact and prioritise changes based on business needs
Assure that any emergency and critical change follows the approved process
Authorise changes
Manage and disseminate relevant information regarding changes.
What about prioritization of CRs…
It’s the simplest thing:
1. User Story
2. Product Backlog
3. Sprint Backlog
4. PO’s decision
Problem Solved!
ACTIVITY OK?
Develop and implement the process to consistently record, assess, and prioritise change requests.
Assess impact and prioritise changes based on business needs
Assure that any emergency and critical change follows the approved process
Authorise changes
Manage and disseminate relevant information regarding changes.
Is that all?
Of course we have not shown everything. Apart from CC (AI 6) there are many areas in COBIT around changes. However, the „mind/toolset” is similar. It requires basic knowledge:
a) Acknowledgement that SCRUM is based on Human-2-Human interactions
b) Acknowledgement that meeting the controls doesn’t have to be a machine interface one. Control Models require validation/documentation.
What else?
PCI (VISA)
Similar approach, a bit different SoD and some details
ISO20000
Similar approach, ITIL ChM
Other models
I dunno… Don’t be afraid of asking!
CMMi
100% compatibility (with given requirements)
Thanks!
Przemek Wysota
ITSM/IT Management Expert
Contact
Mail: przemek.wysota@outlook.com
Tweet: @pwysota
LinkedIn: https://pl.linkedin.com/in/przemekwysota