New York Office Leader; Managing Director & Senior Partner
In industry after industry, companies are experimenting with agile ways of working as they try to increase productivity and foster greater innovation, and many are making the move to agile at scale and trying to get agile right. The benefits are substantial—companies often achieve 25% to 35% reductions in cost while improving quality by 20% and accelerating the delivery of new products and services by 100% to 200%. But the transition involves changes to every part of the organization, requiring senior management to rethink internal processes and commit to a shift toward cross-functional teams. And the benefits may remain elusive if companies neglect risk management and compliance and don’t make the necessary changes to support the new ways of working.
Take a common example from financial services. Working in agile sprints, a bank quickly developed a new functionality that allows customers to log into their mobile accounts and execute transactions faster than before. But a few days before the release, the risk function found that the new feature did not require two-factor authentication from users—a serious breach of compliance. The release had to be suspended and the feature fixed, adding months of development time, which could have been avoided had the risk function been included early in the agile development process.
Agile is not inherently more risky or prone to missteps such as this one, but adopting an agile approach also means that companies need to adapt risk management to the new ways of working so that risk and compliance keep pace with agile teams as they iterate through product delivery. Companies can manage financial, operational, and compliance risks in a robust manner while business teams reorient their focus toward better serving customer and business needs. In our experience, firms can secure the many benefits of agile while maintaining effective risk management and compliance processes that, for regulated industries, also address regulatory expectations. (See the exhibit.)
Agile is all about speed and time to market. To unlock these efficiencies, companies need to modify key risk management practices by developing an agile-specific risk assessment and a continuous-monitoring program.
At the start of a project, each agile team performs its own early-stage assessment of the types of risk that may manifest during the development process. The risk assessment catalogs and analyzes the kinds of risk that are incumbent in agile processes—such as the need for compliant security procedures in the development of the custodian-client trading feature described previously—and integrates this appraisal into the company’s, or function’s, agile-governance procedures.
So far, so good. But risk profiles change over the agile development life cycle, which is why continuous monitoring is needed to regularly reassess the risks associated with a particular project. Consider an initiative that at first involves no need for customer data. As the project moves through its sequence of iterations, however, the team adds functionality that accesses customer data and potentially exposes the company to data privacy risk; that risk then needs to be assessed. Now consider that this scenario plays out in multiple agile teams each week in business units spread across markets around the world. Manual or conventional tracking cannot possibly keep up.
The solution involves dynamic, real-time monitoring of risks by digitally integrating risk assessment results into existing workflow management systems. Designing the technical architecture requires a thorough understanding of the company’s current technology landscape and typically includes the development of back-end systems to share, aggregate, and prioritize data among workflow tools. We have worked with numerous clients to develop appropriate agile-specific risk assessment and monitoring programs along with the workflows and digital tools to support them. (See the video for an illustration of our approach.)
A big—and new—challenge for risk and compliance functions is handling the requests for assistance, which can take many forms, including risk reviews, project input, and participation in team meetings and agile “ceremonies.” Addressing the challenge involves two objectives: not overwhelming the risk and compliance function’s resources so that every request receives adequate attention and not slowing down fast-moving agile development teams because they have to wait for risk and compliance to catch up.
Not every new product, service, or solution development project requires the same level of risk and compliance involvement. One effective solution is a coverage model that matches the intensity (high, medium, or low) and nature (for example, operational, reputational, or compliance) of risks with the amount and type of support required from the risk and compliance function.
Several coverage models ensure adequate risk management oversight. For example, an agile team working to redesign a bank’s customer-onboarding process likely needs a compliance subject matter expert, while the development of a new online customer complaint form for an airline may require only periodic risk and compliance input during a few agile ceremonies. The key for the risk and compliance function is to first understand the composition of the agile portfolio and its characteristics. Management can then prioritize according to the impact of the risk and compliance function’s involvement, making sure that the right skills and expertise are allocated to maximize coverage while ensuring efficient resource utilization. A good risk coverage model also helps highlight gaps in existing talent and identify where reskilling or new hiring is required.
Agile isn’t only for other functions. While various parts of the company are becoming more efficient and effective, the risk and compliance function also needs to assess how it can adopt agile ways of working to streamline collaboration and unlock efficiencies. To start, this involves identifying which projects are well suited to agile and reimagining how key business-as-usual risk management processes can leverage agile methodology and tools.
For example, BCG recently assisted a firm in developing a modern microservices platform for market and counterparty credit risk by applying agile, which reduced the project budget from $100 million to $50 million and accelerated delivery time by 50%. By applying agile to business-as-usual risk processes, such as model development or stress testing, firms can realize up to 25% efficiency gains, freeing up resources to be deployed in other priority activities or simply generating bottom-line savings.
A strong governance structure underpins the three pillars, supported by new roles and responsibilities for risk and compliance as well as the business in a reimagined process. Policies and procedure modifications document the systematic integration of risk management along the agile life cycle and demonstrate strong governance—both for the board of directors and for industry regulators. Common modifications include changes to continuous-monitoring or software development life cycle procedures. Many companies use panels of subject matter experts and program management offices to oversee the integration of risk management into the broader enterprise’s agile programs.
Key stakeholders throughout management need to have a candid conversation about where they believe risk management in agile stands today and the potential implications of a lag in agile development of the risk and compliance function. If they fail to address the issue, agile benefits could remain elusive and frustration could arise in other parts of the organization as new products and services are delayed and reworked when risk and compliance issues are caught too late in the process. Many of our clients have found a short diagnostic of their risk management practices for agile environments to be valuable in identifying the needs and principal roadblocks to moving an agile transformation forward and capturing its value. The earlier that the needs are identified, the less disruptive the solutions will be and the sooner that risk and compliance will be onboard with the overall agile transformation.