
How the Financial Industry Is Doing DevOps


The second DevOps Enterprise Summit (DOES) Europe, once again held in London, brought together the DevOps enterprise community. The financial industry was well represented, giving the attendees a unique perspective on the challenges facing this heavily regulated industry and how DevOps is helping to overcome them.

One of DOES' main goals is to gather high-fidelity experience reports and evidence that negates the objections to the adoption of DevOps in an enterprise environment. The set of presentations by large financial institutions highlighted their common challenges: legal, compliance and security requirements, and the prevailing bureaucratic and siloed culture of such organizations. The approaches taken to tackle those challenges also have commonalities: automated continuous delivery pipelines; lean approaches and organization alignment based on value streams; automated testing; automated compliance and security checks; close collaboration with legal and compliance departments. Some organizations are also moving away from outsourcing and into insourcing.

SIX is a financial company that operates the infrastructure underpinning the Swiss financial sector, among other financial services. It is a striking example of a successful DevOps transformation in the finance industry both organizationally - it is reshaping itself by aligning to its value streams - and technically. For example, its ATM network relies on container management of smaller services, with automated test and deployment. 

Robert Scherrer, head of application engineering, highlighted the 5+1 dimensions of DevOps at SIX. People have to adapt their skills to become Π-shaped: great in one specialty, familiar with others, learning a new area. The organization has to move from functional to cross-functional teams. The justification for a process must be well-grounded or else it must be adapted or eliminated. Infrastructure provisioning must be automated. Software systems architecture must be well scoped and based on APIs. To enable those five dimensions, the right mindset and attitude is mandatory. To enable and speed up DevOps adoption, SIX uses gamification approaches (Haka awards), and teams present their new achievements every few weeks in front of a large audience.

SIX puts a lot of effort into simplifying processes. It uses value-stream mapping to eliminate waste by removing unnecessary steps. IT works closely with compliance officers and auditors to ensure that internal regulations are not more burdensome than required by public laws and regulations.

Capital One, a very large bank in the US, started the journey in earnest in 2014. It started with a waterfall process, closed source software and lots of manual processes. It was organized around vertical silos and was mostly outsourced. Over the past three years, it reorganized around agile processes, insourced its development and eliminated the silos. "Topo" Pal, product manager at Capital One, explained how the bank built a fully automated pipeline, moved to the cloud and open sourced parts of its software, most famously Hygieia. Hygieia dashboards allow the organization to measure key metrics such as the time from commit to production. The deployment pipeline features 16 gates, including vulnerability scans, automated change orders and auto provisioning of immutable servers.

Capital One is planning to open source a secure and compliant pipeline model, based on LGTM, which helps to implement a model with around 30 practices to satisfy audit and compliance.

Fig. 1. Capital One's Delivery Pipeline

Brian Timmeny, head of DevOps & engineering processes at BBVA, discussed how a global bank with 70 million customers is using DevOps to improve time-to-market while increasing application reliability. BBVA is tackling common challenges: inconsistent manual processes, low levels of automated testing and siloed delivery teams. BBVA devised a DevOps maturity strategy to tackle these challenges and deliver on those goals. BBVA's maturity strategy has six key areas: automate a single process framework; visible metrics; automate everything; nurture open source communities; automate behaviour enforcement; and mature through continuous pilots.

BBVA is building an automated delivery pipeline with automated approval criteria and behaviour enforcement, including security, financial and revenue affected policies. On the cultural side, it is establishing communities around disciplines, such as DevOps. Given its global status, it has community country leaders to drive pilot candidates and to drive global improvements into the local geography and vice-versa. It is also creating Centers of Excellence to drive common capability hubs around DevOps and the single process framework.

Fig. 2. BBVA's Delivery Pipeline

ING was another example of how the banking industry is moving into heavily automated delivery pipelines, including automated security, compliance and performance checks as well as more common functional tests. Dr. Daniele Romano, product owner continuous delivery as a service, described how despite a sophisticated delivery pipeline, they were still not satisfied with time-to-market and quality. ING engaged with scientists from Italian and Dutch universities to adopt a scientific, data-based approach to improvement. They built a custom tool to provide over 50 metrics to measure and monitor their pipeline and thus improve the process further. Over 740 applications now go through one delivery pipeline.

Regarding compliance, Dr. Romano argued that by adopting immutable server patterns ING is able to better control the IT risk footprint. Given that it's impossible to change the server after deployment, everything is fully audited and so a number of controls can simply be dropped.

Fig. 3. ING's Delivery Pipeline

Barclays delivered an updated experience report on their organizational transformation. Over the past few years Barclays has been undergoing a profound change to enable agile and lean practices, starting in IT but moving into other parts of the organization.

Jonathan Smart, head of development at Barclays, focused on their lean approach both to control ("do the thing right") and portfolio management ("do the right thing"). Barclays' approach to control moved to early and regular communication with the control "tribes", with long-lived assignments to product and business outcomes. Alongside this continuous collaboration, the process is risk context sensitive and made more agile by providing a menu of risk stories to choose from. On portfolio management, Barclays is experimenting with "hypothesis driven investment" to focus on business outcomes and enable an incremental build of business cases. Their hypothesis statements are loosely inspired by user stories: "We believe <this capability> will result in <this outcome> and we will have confidence to proceed when <we see a measurable signal>."

One useful insight they got from their experience is that "it's easier to act your way into a new way of thinking rather than think your way to a new way of acting". This insight turns on its head the idea that one should start with a culture change to drive new values and attitudes and finally change the way the organization does its business.

The slides of the sessions can be found on GitHub and videos are being published on YouTube.
