How Barclays Balances Speed vs. Control in DevOps

SDLC Board Member Jonathan Smart from Barclays Bank had the following article published in TechBeacon in June 2017.

The ability to get customer feedback early and often—and act on it—is what enables organizations to be competitive. But speed alone is fragile rather than agile. In DevOps, you need to excel at both speed and control. Control can be a headwind against agility, but done well, a robust control approach supports “agile with discipline,” and speed enhances control effectiveness. You need to be able to do both to deliver products that delight customers.

Barclays has been on an enterprise-wide journey to increase agility since the beginning of 2015. It is a major undertaking for a 327-year-old company that has 120,000 employees in 40 countries and moves, lends, invests, and protects money for customers and clients worldwide.

Even highly regulated organizations pursuing DevOps can achieve both speed and control. Our core principle is to pursue “big through small,” which means doing small increments of work, organizing small teams, and making small investments toward a big goal, while interacting early and often with control subject-matter experts (SMEs). By making the work increments smaller, we dramatically reduce complexity, so that it can fit in our heads. This makes it much easier to understand and test for control implications (e.g., information security, compliance, legal, PCI, and data regulations such as Europe’s General Data Protection Regulation).

Two aspects of agility are increased collaboration and decreased role specialization, to enhance flow and feedback. This is no different with control professionals in large organizations, who should have a long-lived alignment to the customer value stream and engage early and often with the product teams.

Focus on governance, risk, and control

Financial services is a challenging market in which to transform, not least because it is the most regulated industry, is steeped in legacy, processes significant volumes of data, and has an imperative to maintain trust.

In financial services, as in other industries, we must demonstrate both speed and control. We have done a lot of work in this space, improving and leaning-out our control framework for the delivery of software-related change. We take a context- and risk-sensitive approach, where conversations happen early and often.

We have automated tooling to facilitate the conversations with the control SMEs and to ensure that teams are aware of the possible controls that could apply to them, that the necessary controls are implemented, and that we support incremental and iterative delivery with an emergent design.

We’re also chipping away at another legacy issue by challenging mental models of how to organize people to work together. A powerful example is our creation of “control tribes.”

Control tribes are virtual teams of subject-matter experts from risk control areas that have a long-lived alignment to a customer value stream and to the long-lived product teams delivering products in that area.

With this long-lived alignment, they get to understand the customer need and value proposition, instead of being time-sliced into many different areas.

This is a simple yet radically different approach to that of a traditional temporary project, where people come together to deliver the project and then disband. In that approach, there’s little continuity and understanding of the ongoing customer experience and minimal interaction with the customer. In a traditional approach, control SMEs are engaged at the beginning and the end only, which often leads to unplanned work.

Our people report a much clearer understanding of risk and feel more productive in their efforts to mitigate by solving once, together. The understanding that effective agile, multidisciplinary teams should include representation from control functions, including legal and compliance, is starting to take hold.

High alignment and high autonomy

It is possible to go faster while maintaining control. Just over two years into our pivot toward this new way of working, we’re delivering with increased speed.

Following our “big through small” approach, our teams have seen time to market for new features cut in half, on average, while throughput has doubled.

They did it through a combination of a greater number of smaller features and increased productivity—they are working smarter, not harder. We’ve seen quality measures and employee engagement measures both improve, while at the same time lead time has been reduced.

Fast feedback and fast learning have enabled accelerated increased net promoter score (NPS) ratings, which gauge customer loyalty from customers, too. For example, our Express Kredit loan product for the German market was built in a series of rapid cycles, and we were able to make in-production changes quickly, leading to high NPS ratings from customers.

Empowering teams is a key aspect of an agile mindset and enterprise agility. The key is to have high alignment (clear vision) and high autonomy within control guardrails. Smaller, long-lived, multidisciplinary teams learn and succeed as a group. Teams need to be able to see the lineage of their work, to see how it is part of a broader vision or strategic theme.

One way we’re doing this is by establishing a clear hierarchy of outcomes. We are starting to focus on a quarterly rolling-wave process and hypothesis-driven investment aligned to business outcomes, instead of relying on annual planning with a focus on plan dates. We’re also doing this for regulatory, fixed-scope, and fixed-date work, where there are many different ways to implement any given legislation. Here, a focus on vertical slices of progress significantly de-risks delivery and allows for lobbying of the rule writing, because we get fast feedback on the practicalities of the implementation.

The way forward: Go big through small

Balancing speed and control is not optional. Pursuing a big-through-small approach is both a practical and a progressive way to achieve that balance.

Here’s how you can do it, using our tried-and-tested ideas:

  1. Encourage the setup of small, multidisciplinary teams aligned to the value stream. Organize these around long-lived, independently deployable products. Pivot away from temporary projects and temporary teams.
  2. Focus on small work, small teams, and small investments to achieve big. Small increments enhance control effectiveness, because the level of complexity fits into everyone’s head.
  3. Foster early, frequent interactions with control SMEs, with a long-lived alignment to the customer value stream.
  4. Make it easy for teams to understand what controls may apply to them. And with the control SME, apply a risk-sensitive approach (not a one-size-fits-all approach) that caters to emergent customer needs and design.
  5. Lean out the process of control compliance, and provide tools, libraries, shared services, and automated tests.
  6. Optimize for flow; prioritize economies of flow (lead time, throughput, release cadence) over economies of scale within the budgetary constraint.
  7. Change your system of work. It’s easier to act your way to a new way of thinking than to think your way to a new way of acting.

To win, your teams must balance speed and control with rapid learning. We’ve done that, and you can too.