BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage Podcasts Chris Matts & Tony Grout on IT Risk Management Framework as a Catalyst for Change

Chris Matts & Tony Grout on IT Risk Management Framework as a Catalyst for Change

Bookmarks

In this podcast Shane Hastie, Lead Editor for Culture & Methods, talks to Tony Grout and Chris Matts about building an IT risk management framework at a large bank and using that as a catalyst for a digital transformation.

Key Takeaways

  • Just deploying another prescriptive method will not make an organisation agile and adaptive
  • A risk management framework can be a catalyst for change
  • The components of a simple framework which enables adaptation at the team level while ensuring alignment to organisational outcomes
  • The importance of an organisational-level backlog which is transparently prioritised to ensure the teams who need to collaborate have clarity about cross-cutting priorities
  • Ensuring that controls are as easy to evidence as possible and that there very low overhead in gathering the metrics
  • 0:22 Introductions & background
  • 1:00 The challenges faced by a 250 year old bank which wants to become digital
  • 1:48 Just deploying another prescriptive method will not make an organisation agile and adaptive
  • 2:12 The importance of regulation and risk in banking
  • 2:20 Being able to use risk and regulation as a framework for new ways of thinking and working
  • 2:33 Describing the four drivers in the framework:
    • You have to deliver value quickly
    • You have to measure lead time
    • You have to have sustainable quality
    • You have to manage risk
  • 2:55 Describing how the team, team-of-teams and portfolio structure fits the framework
  • 3:06 The importance of governance and enabling functions
  • 3:33 Finance and HR as enabling functions
  • 3:40 The simplicity in the framework made it easy for people at all levels and roles to accept and engage with the approach
  • 4:10 The drivers and outcomes acted as an alignment function that all stakeholders could agree with
  • 5:06 The challenges in the conversation around “reducing waste” – what is necessary or good waste vs bad waste
  • 5:28 The simplicity was the result of lots of thought and careful design  
  • 5:40 The influence of Cynefin and Dave Snowden’s work on “negotiable boundaries”
  • 5:56 Describing the metrics hierarchy which identifies value
  • 6:35 Using the metrics hierarchy to expose that some of the business cases were not delivering value for the organisation
  • 6:50 The ability to negotiate and identify what is and what is not valuable in the context
  • 7:05 Examples of the type of metrics which actually realise value   
  • 8:35 Explaining how executive responsibilities are imbedded in the model
  • 9:00 Executives are required to show that they are looking at the metrics, not that the metrics are changing
  • 9:18 The strict rule at the portfolio level that there must be a single, ordered list – no two items can be classified at the same level of importance
  • 9:38 The framework enabled the identification of detailed controls which can be measured against   
  • 9:55 Explaining how risk and controls are applied in the regulated financial industry
  • 10:36 Showing how the controls are applied without burdensome paperwork through tooling and report automation
  • 11:05 Lead time as an important metric, and how it can be used
  • 11:36 Explaining weighted lead-time and how it allows aggregation of results across the portfolio
  • 12:25 Ensuring that the controls are as easy to evidence as possible and that there very low overhead in gathering the metrics
  • 12:50 Some of the challenges the new way of reporting raised
  • 13:15 More accurate evidence because the metrics were produced automatically    
  • 14:01 The challenges around socialising the new ideas across the senior levels of the organisation 
  • 15:34 The importance of getting the audit function engaged with the new way of working from the very beginning
  • 17:05 Examples of how engaging the audit function smoothed the adoption of changes in roles and structures
  • 17:58 The immersive training experience using the Lego game which socialised the new way of working
  • 19:10 A strategy of ensuring that managers feel they can win in the new game
  • 20:05 Using the culture to change the culture    
  • 20:35 Getting a “green” audit result open the opportunities to doing additional things
  • 20:48 Engage allies to help get the message across
  • 21:43 At the team level the teams implemented scrum
  • 22:05 Empowering the teams to adopt different approaches as long as they discuss the implications with a coach
  • 22:17 Scrum exposes the existing disfunctions – tackle those rather than changing the framework    
  • 23:10 Scrum has the mirrors and edge points which enable teams to identify the challenges and begin to tackle them for themselves
  • 23:38 There are a set of controls which teams have to be able to show that they are following
  • 23:52 Examples of some of the control metrics the teams must be able to report on
  • 24:12 Building the compliance reporting into the automation tools (Jira)  
  • 24:28 Teams have flexibility on how the work, and are constrained to meet the controls
  • 24:52 Mapping the controls to the framework and providing the teams with guidance around how the controls can be met using specific approaches
  • 25:26 Community of practices so knowledge can be shared across teams
  • 26:04 Technical practices described in toolkits which were mapped to the controls
  • 26:57 The importance of not being prescriptive – the teams are empowered to adopt the practices and approaches they want, provided they can show that they’re meeting the controls
  • 28:05 Integrating CD/CI practices into the framework through the community of practice
  • 28:32 The controls are enabling constraints
  • 28:58 In a highly regulated environment it is risky to be first, so sharing this story shows other organisations that it is possible
  • 29:28 The influence of systems thinking and complexity theory on the decisions not to be prescriptive
  • 29:50 The importance of having a very senior person who can validate the ideas and champion the approach
  • 30:27 Cross team collaboration is a social problem not a technical problem    
  • 30:56 The importance of an organisational-level backlog which is transparently prioritised to ensure the teams who need to collaborate have clarity about cross-cutting priorities
  • 31:25 “Are we agile” is the wrong question to ask – rather ask “are we better than we were?”    
  • 32:03 Changing the direction of the inertia in the organisation towards improvement using the four drivers and transparent metrics
  • 32:40 The flawed assumption that you can outsource risk in complex environments
  • 33:04 The importance of ownership for the key metrics at the executive level which drives collaboration at all levels in the organisation
  • 33:57 Advice for others who want to adopt this approach – it’s not for the faint-hearted
  • 34:32 This was a two-year journey – change won’t happen quickly
  • 34:40 The zeroth constrain in the theory of constraints is having credibility to enable you to make the changes needed
  • 34:56 Explaining some of the things Tony did to build that credibility
  • 36:20 The framework is relatively easy – the biggest challenges are building the credibility to be trusted and respected to make change
  • 37:05 The simplicity in the framework is the result of lots of deep thinking and learning
  • 38:05 Where to find the details of the framework on the IT Risk Manager blog

Mentioned:

More about our podcasts

You can keep up-to-date with the podcasts via our RSS Feed, and they are available via SoundCloud, Apple Podcasts, Spotify, Overcast and the Google Podcast. From this page you also have access to our recorded show notes. They all have clickable links that will take you directly to that part of the audio.

Previous podcasts

Rate this Article

Adoption
Style

BT