Agility In A Highly Regulated Environment

I have worked in a lot of highly regulated industries, from banking to pharmaceutical, and I want to explore some ways we may be able to challenge our thinking around how we deliver value in these environments while achieving the greatest level of Agility possible. Let’s look to unlock the organisation’s potential; we hold the key…

In order to explore this, I thought I would go into one of the pieces of work that people often struggle to build agility into, which is external regulatory change. There is often resistance to changing the way in which we approach these pieces of work, as there is the fear of fines etc. if something goes wrong…

Let’s start by breaking down some of the challenges we may face with regulatory changes. From there we can then explore the different ways we could lean into them to gain a greater level of Agility…

The first one we can explore is cost…

Regulatory changes account for a large proportion of the expenditure for organisations and don’t necessarily relate to an end customer need. The way these changes are usually costed is based on time and materials principles: taking the requirements and the available people to work on them, and planning the whole delivery based on what has been done previously. This then forms the bucket of money that will be used for this change…

Even before we have deeply explored the needs of the customer, in this case the regulator, we have determined the money we will spend on the realisation of the change. What I would suggest here is that we move towards a more flexible funding model and fund against the measures we set ourselves for success at each point. For example, what funding do we require to explore the requirements and potential solutions with our customers? If we focus on funding moving towards the measures, we also know when to stop funding (X number of solutions for X number of requirements).

The next piece I would like to look at is Clarity of Scope…

For this type of work, the clarity of scope is usually something that greatly affects the way in which it is achieved. What may happen is that we take the requirements provided to us at face value and plan to put a solution in place to meet all those requirements. These requirements are usually fed to us from other parts of the organisation, and this can result in a blend starting to appear in terms of external and internal regulatory requirements, and it can be hard to see what that blend is…

The risk here is that a good portion of the scope can possibly be related to internal priorities that don’t necessarily help us comply with the external regulations; they could be there as they have built up over time…

In order to ensure we can satisfy only the need of the customer at this point while learning and evolving as we go, we should challenge the scope with powerful questions and only go after what will meet the need right now.

Again, once we have this understood we can explore what the multiple solutions to these requirements could be and select the ones that allow us to get something consumable into our customer’s hands to learn…

Let’s now explore the challenge of Frequency…

The frequency of regulation changes seems to rise year on year in order to meet the ever-evolving needs of our customers and changes in the markets. This is a challenge for organisations as this frequency increases the pressure, scope of change and complexity required to comply with all these regulations.

One of the most typical ways I have seen this be tackled is by organisations creating teams and parts of their organisation focused around the specific regulations. Some of the most recent examples I can think of are GDPR and PCI. With these dedicated areas set up, it is their responsibility to work across the organisation to ensure that these regulations are in place within the relevant areas.

In my experience, this can result in a number of challenges. The main ones that jump out for me are Clarity of Focus, Dependency Management, Cost and Value. With the area acting as an interpreter for the customer (regulator), there is a risk of misinterpretation happening, which would result in ‘Wasted Human Effort’. As the information is passing through filters and not going from source straight to destination, this can result in reduced ‘Clarity of Focus’.

The team managing the regulation implementation is co-dependent on the areas involved, which gets exponentially more difficult as this increases, resulting in a lot of time and effort being spent on ‘Dependency Management’. The cost of setting up, forming and helping a team in this space get to a performing state is huge and can take a while. In my experience these areas also form 12-month and beyond plans and deliverables and thus are funded against them. This funding is then usually not only fully utilised but usually goes over given the uncertainty ahead. All of this greatly impacts the ‘Cost’. With this type of work, it is also quite easy to lose sight of the value we will realise by achieving it. Often the path is set and rarely revisited until the destination is in sight, and this can result in something being done that doesn’t add ‘Value’. All of these in my experience are key factors in what the ‘Time to Realised Value’ will be.

The next area I would like to focus on is the immovable dates around regulatory changes.

I often think of this as the unstoppable force of organisations meeting the immovable object of dates set by the regulator…

There is usually a lot of frustration and concern that builds quite quickly around these dates and they become more and more the topic of conversation for the organisation. I often think that in this situation there is only one answer… Surrender

From this space of surrender, we can allow the dates to not dominate the conversations and instead we can focus on questions like the following:

What is the need of the customer/stakeholder?

What is at risk for them if we don’t meet that need?

What is at risk for us if we don’t meet that need?

What is the simplest way to meet the need to have it be consumable?

I would now like to focus on the potential risk-averse culture that may exist…

Often what I see in these areas is the fact that not only are you trying to meet the needs of regulators but you are also working within a system that has built so many layers of internal complexity over the years. When they have faced an issue in the past they have placed a process or internal control in place to mitigate the risk of this happening again.

This, of course, seems sensible at the time, to take the learning and put something in place to avoid that happening again. However, this generally only serves to slow people down to the point that they can’t deliver and realise value frequently. It’s done with the best intentions but doesn’t enable real agility and is often the cause of more problems, as it’s harder to meet the need of the regulator with these added into the mix.

I would encourage organisations to ensure the internal controls and processes are as lean as possible and just enough to ensure we don’t cause widespread impacts, but flexible enough to learn quickly by producing something consumable.

The final area I wanted to touch on is gold plating a solution…

When regulations come out like GDPR, organisations will set up groups/areas/teams etc. to focus in on what it is they need to do. I have seen it where the regulator says something like:

‘If a customer requests their data to be deleted you must have a mechanism in place to remove it within 30 days’

This is a fair requirement and the response I have seen is for an organisation to then start to look at their architecture, plan the technical changes required across their systems to make this happen and fully automate the solution. That is what I would consider ‘Gold Plating’.

If we look at the example above again and break it down, we have:

If the customer requests: This is a big unknown as we have no idea how often the customer would request this, and we must first see this to understand the demand for this feature.

Data to be deleted: The first thing here is complete visibility, so what is the simplest way to see the customer’s data? Do we already have a way to see it? Could we do this manually?

A mechanism: The mechanism for deletion could be someone going in and manually deleting their data.

Removal in 30 days: This is a good length of time, and if we look at our empirical data and the scope of capacity to delete the data for customers, could we handle a manual process short term until we know our customer better in this space?

It’s all about creating a Minimal Viable Consumable Product (MVCP) as early as possible, and I will be talking more on MVCP in upcoming posts.

Regulations come out and then evolve rapidly as they are explored and questioned; it’s vital we have agility here to evolve with them and meet the ever-changing needs of the customer.

Again, thanks for reading my thoughts and I would love to hear yours 😊
