Agility under Control - SCRUM vs COBIT


Transcript of Agility under Control - SCRUM vs COBIT

Agility under control

How to? Combining SCRUM with Corporate Compliance (COBIT AI.6)

Intro

Is there a way to combine an agile and flexible product development approach with the requirements of Corporate Governance?

SCRUM – rules and agreements
• Iterations
• Each sprint delivers „closed”, working functionality
• Flexible, allows frequent change of direction
• Responsibility for the product delivery and quality
• According to Product/Story Owner requirements

COBIT – Change Control (AI6)

Characteristics of SCRUM & COBIT

SCRUM
• Rapid (Agile), iterative delivery of products
• Moderate to high changeability
• Flexible approach
• No guarantee (high appetite for risk)

COBIT
• Stabilization (through using controls)
• Preferred low changeability
• „Strict” requirements
• Required guarantee (low appetite for risk)

So we’re done… You cannot provide high changeability of the product and provide stabilization at the same time.

Really? What if we look at the rules and agreements in SCRUM?

Problem Statement

How to, using SCRUM mechanisms, deliver proof of following the COBIT controls???

Roles in SCRUM

SCRUMMaster
• Coordination
• SCRUM „compliance”
• „Accountancy” of sprints/team

Product Owner
• Product Backlog
• Authorization for DoD
• Authorization for sprints
• Validation of DoD and sprints’ products

Developer
• Estimation
• Production
• QA
• Deployment

Roles in SCRUM (2)

Diagram: SCRUMMaster, Product Owner, three Developers and three QA, labelled Definition, Control and Validation.

ACTIVITY

• Develop and implement the process to consistently record, assess, and prioritise change requests.
• Assess impact and prioritise changes based on business needs.
• Assure that any emergency and critical change follows the approved process.
• Authorise changes.
• Manage and disseminate relevant information regarding changes.

SCRUM tasks’ types & Products distribution

Diagram: EPIC containing STORY, STORY and BUG, BUG, BUG.

• Bug -> Sprints’ technological debt -> Emergency Change
• Epic<>Story – ability to use SoD (e.g. Test/Prod deployment done in different Stories of the same Epic)
• Sprint & Product backlog Mgmt – prioritization
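The mapping above (PO authorization and DoD validation on deployment Stories, Test/Prod deployment split into separate Stories of one Epic for SoD, Bugs promoted to emergency changes) can be turned into evidence by auditing a backlog export. The following is an added illustration, not part of the deck or of any tracker's API; the Item fields, the stage names and the sample backlog are assumptions constructed for the example.

```python
# Added example: audit a Scrum backlog export for COBIT AI6 evidence.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Item:
    key: str
    kind: str                      # "Story" or "Bug" (Epics are referenced by key)
    epic: Optional[str] = None     # parent Epic key
    stage: Optional[str] = None    # "Test deployment" / "Prod deployment"
    assignee: Optional[str] = None
    po_authorized: bool = False    # PO authorization recorded on the item
    dod_validated: bool = False    # PO validated the DoD for this item
    emergency: bool = False        # Bug promoted to an emergency change
    emergency_approval: Optional[str] = None  # approved-process reference

DEPLOY_STAGES = ("Test deployment", "Prod deployment")

def audit(items: List[Item]) -> List[str]:
    """Return one finding per missing piece of AI6 control evidence."""
    findings, deploys = [], {}
    for it in items:
        if it.kind == "Story" and it.stage in DEPLOY_STAGES:
            if not it.po_authorized:   # control: authorise changes
                findings.append(f"{it.key}: deployment story without PO authorization")
            if not it.dod_validated:   # PO validates DoD of sprint products
                findings.append(f"{it.key}: DoD not validated by PO")
            deploys.setdefault(it.epic, {})[it.stage] = it
        if it.kind == "Bug" and it.emergency and not it.emergency_approval:
            findings.append(f"{it.key}: emergency change without approved-process record")
    # SoD: Test and Prod deployment are separate Stories of the same Epic,
    # done by different people.
    for epic, stages in deploys.items():
        test, prod = stages.get(DEPLOY_STAGES[0]), stages.get(DEPLOY_STAGES[1])
        if prod and not test:
            findings.append(f"{epic}: Prod deployment without a separate Test deployment story")
        elif prod and test.assignee == prod.assignee:
            findings.append(f"{epic}: Test and Prod deployment not segregated (same assignee)")
    return findings

# Constructed sample backlog, not real project data.
SAMPLE = [
    Item("STORY-1", "Story", "EPIC-1", "Test deployment", "alice", True, True),
    Item("STORY-2", "Story", "EPIC-1", "Prod deployment", "bob", True, True),
    Item("STORY-3", "Story", "EPIC-2", "Test deployment", "carol", True, True),
    Item("STORY-4", "Story", "EPIC-2", "Prod deployment", "carol", False, True),
    Item("BUG-1", "Bug", "EPIC-1", None, "bob", True, True, emergency=True),
]
print("\n".join(audit(SAMPLE)))
```

Each finding names the backlog item and the control it fails, which is the kind of evidence an auditor asks for when checking that the Scrum agreement actually enforces AI6.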

SCRUM tasks’ types & Products distribution (2)

Backlog of Sprint 1: Task 1, Task 2, Task 3, Task 4

Backlog of Sprint 2: Task 5, Task 6, Task 7, Task 8

OK, what about Authorization? We already spoke about it…

ACTIVITY OK?
• Develop and implement the process to consistently record, assess, and prioritise change requests.
• Assess impact and prioritise changes based on business needs.
• Assure that any emergency and critical change follows the approved process.
• Authorise changes.
• Manage and disseminate relevant information regarding changes.

Authorization of changes

Product Owner
• Product Backlog
• Authorization for DoD
• Authorization for sprints
• Validation of DoD and sprints’ products

The Product Owner is responsible for authorization. This role manages both authorization and prioritization of tasks/products. If there are more stakeholders, the PO is responsible for obtaining their decisions and giving the final authorization.

ACTIVITY OK?
• Develop and implement the process to consistently record, assess, and prioritise change requests.
• Assess impact and prioritise changes based on business needs.
• Assure that any emergency and critical change follows the approved process.
• Authorise changes.
• Manage and disseminate relevant information regarding changes.

OK, we’ve got 3 of 5 controls checked. 2 remaining? Let’s see…

Information about Changes

We need some assumptions for our SCRUM „agreement”:

1. SCRUM is transparent – we hide neither the product nor information
2. SCRUM has wing-2-wing responsibility for products
3. The Product Owner acts as the Customer/users’ representative.

Makes sense…

Information about Changes (2)

Product Owner

The Product Owner is responsible for communication. Depending on the product, the actual communication actions may differ. They will range from public access to the backlog, through access to the sprints’ scope, up to specific channels related to particular deployments.

Audience: Users, Customer, Other POs, Teams, etc.

ACTIVITY OK?
• Develop and implement the process to consistently record, assess, and prioritise change requests.
• Assess impact and prioritise changes based on business needs.
• Assure that any emergency and critical change follows the approved process.
• Authorise changes.
• Manage and disseminate relevant information regarding changes.

What about prioritization of CRs…

It’s the simplest thing:

1. User Story
2. Product Backlog
3. Sprint Backlog
4. PO’s decision

Problem Solved!

ACTIVITY OK?
• Develop and implement the process to consistently record, assess, and prioritise change requests.
• Assess impact and prioritise changes based on business needs.
• Assure that any emergency and critical change follows the approved process.
• Authorise changes.
• Manage and disseminate relevant information regarding changes.

Is that all? Of course we have not shown everything. Apart from CC (AI 6) there are many areas around changes in COBIT. However, the „mind/toolset” is similar. It requires basic knowledge:

a) Acknowledgement that SCRUM is based on Human-2-Human interactions
b) Acknowledgement that meeting the controls does not have to happen through a machine interface. Control models require validation/documentation.

What else?

• PCI (VISA) – Similar approach, a bit different SoD and some details
• ISO20000 – Similar approach
• ITIL ChM – 100% compatibility (with given requirements)
• CMMi – 100% compatibility (with given requirements)
• Other models – I dunno… Don’t be afraid of asking!
• ???

Discussion?

Thanks!

Przemek Wysota, ITSM/IT Management Expert
Contact: Mail: [email protected], @pwysota, LinkedIn: https://pl.linkedin.com/in/przemekwysota