Last we checked, it is, indeed, the year 2021. We’re more than 10 years into the DevOps journey and FinServ companies are some of the most tech-forward on the planet. Yet some of the hottest topics at conferences (like DevOps World 2021) revolve around audit, governance and compliance—many led by FinServ companies.
Why is that?
DevOps was supposed to make everything run like a well-oiled machine. “Automation,” as Anders Wallgren, our VP of Technology Strategy, says, “is auditing,” after all. The automation (pipeline run) is the description of what you are supposed to be doing. The pipeline run does what you say you’re going to do, and the data it creates proves you did things according to plan and regulation. It’s the difference between attestation (“Yes, I did what I said I was going to do”) and validation (“Yes, I did what I said I was going to do—and here’s the immutable proof”).
That’s the theory, but it turns out the theory is the easy part.
The reality is that many banks still have onerous change management processes. One marquee global bank we know has 247 manual approval steps in a production software release. You read that right. Nearly 250 times, the process stops. Nearly 250 times, someone must be notified, and then must actually approve that portion of the release before things move on to the next manual approval. Nearly 250 times, these steps repeat. Changing this process involves convincing people they can trust the automation and not go to jail.
And then there are the regulators themselves. They struggle as much as practitioners to keep up with technological change. They have to be able to trust the data and evidence you provide, as well.
We also happen to know that financial services aren’t the only ones struggling with these issues. A telecom company we know takes their entire DevOps tools team offline for a month—twice a year—just to do an audit.
One final point: if auditing and compliance is a costly, demotivating burden, you don’t have an audit problem—you have a software delivery problem. Fixing audit means you’ll be fixing software delivery. What could be better than that?
That leads to why we put together the next installment of the Software Delivery Leadership Forum “How To Nail DevOps Governance and Compliance in a Highly Regulated Industry” on July 28 at 1:00 p.m. ET. Ger McMahon, analyst Mitch Ashley and our own CISO Prakash Sethuraman (late of HSBC Bank) will get into the details and best practices of how to make audit and compliance a non-event. They’ll cover how to improve your automation, how to build trust in the tools and automation so you can change the process and how best to work with the regulators to make your—and their—lives better.