Agile GRC Development Process

As we have blogged about in the past, when we start an Archer engagement with a new client we usually perform a Roadmap exercise that walks them through identifying their current GRC processes and rating each one on the basis of complexity, maturity, cost, etc. Once we have the processes defined and prioritized, we organize them into a roadmap for execution. It’s at this point that questions arise about the best process or approach for executing the roadmap. A Roadmap plan usually contains a lot of future work, and that can definitely be overwhelming. The natural question becomes, “Now that we have our Roadmap, how do we get started?” There are several approaches to project management and system development; however, there is one that I’ve found to bring the most success. It is a hybrid Agile / Waterfall development process that combines the agility and flexibility of agile development with a phased, scheduled project plan that builds new features and functionality upon what was accomplished in each prior phase. This method works well because it is targeted around the unique design and configuration processes of GRC tools. Requirements are gathered through collaboration between project teams and business stakeholders. This process promotes adaptive planning, iterative design and development, and continuous improvement, and it encourages rapid responses to change. The benefits of this method are:

  • Though many clients (and other consultants) may not realize it, requirements cannot be fully collected at the beginning of the development cycle. As they say, “you don’t know what you don’t know”, and as the client learns more, requirements are added and evolved. Continuous stakeholder involvement is very important.
  • Involvement, motivation, and interactions with the team members selected for the effort occur first and foremost, setting roles, driving collaboration, and establishing a sense of ownership.
  • Working through iterations of configurations is more useful, and helps the team better understand the functionality of the eGRC system, than just presenting slides or documents devoid of context.
  • Agile methods allow for quick responses to change and continuous development. However, as the team gets more savvy about what their chosen GRC tools can and cannot do, there may be a tendency to over-develop solutions. Waterfall planning and scheduling help rein that in.

Those using Rally or similar project management tools will welcome this method because features and applications are developed in a series of sprints, each overlapping the development of business use cases. In a later post I will expand in more detail on each phase and on how to execute an engagement efficiently. We’ll also discuss how to align identified business processes to GRC tool functions or out-of-the-box configurations. As we dig in further, we will expand on the advantages of this methodology, and why it’s been a key part of our success with our clients.