Imagine your developers are the world’s fastest relay team. In terms of design, testing, and qualification, they are the quickest on the track. The finish line is unfortunately hidden outside of the stadium. Now you are beginning to comprehend regulated DevOps.

How did they find themselves participating in this absurd race? Well, enhanced tools and practices have led to a radical transition from annual software releases to a world in which teams can deploy multiple times per day. 

DevOps teams in industries such as fintech, automotive, and healthcare still must adhere to compliance standards. Effective change management processes for annual releases are no longer applicable here.

In contrast to construction, testing, and security, change management has not adopted automation. This suggests that it is becoming a hindrance for regulated teams, prompting the question of what should be done to address the issue. 

How can a compliance culture be incorporated into DevOps?

Key insights

• DevOps generates volumes of change that IT cannot effectively manage
• External software release approvals are both slow and hazardous
• Integrating compliance into your DevOps permits faster and more effective release cycles

What are the implications of DevOps for compliance and change management?

Understanding the effect of DevOps on technology organizations is confounded by the multiple definitions of change management and compliance.

Managing change and ensuring compliance have always been the primary responsibilities of the IT department. Typically, they consult the ITIL framework for direction on how to manage changes to IT systems. There are numerous types of change that require management.

Included are infrastructure, server, and hardware alterations, data migrations, enterprise resource planning, web updates, and performance enhancements. All of this was historically referred to in a very general sense as “change management.”

Compliance is a related and similarly expansive concept that entails a number of IT-related topics. There is open source compliance, policy compliance, compliance with industry standards, compliance with internal standards, compliance with regulations, etc.

Change administration during software delivery

The software release process is one aspect of change management and compliance that is significantly impacted by DevOps. 

In regulated industries, production teams must be aware of the software in use and its source. They must monitor and document all modifications to production to ensure that their process is compliant.

The IT department’s responsibilities for change management inherently included software releases. 

Before the emergence of DevOps, this made a great deal of sense. 

You would compose a large number of changes, submit a change request to a change advisory board (CAB), obtain their approval, and then distribute the changes during a holiday weekend, just in case something went awry. There was an extensive, manual approval process in place to mitigate the risk.

It is even worse than not having any transformation at all

Even with regard to risk mitigation, these procedures fall short. The following is now known as a result of extensive DevOps research: “External approvals had a negative correlation with advance time, deployment frequency, and recovery time, but no correlation with change failure rate. In conclusion, approval by an external entity (such as a manager or CAB) has no impact on the stability of production systems, as measured by the time required to restore service and the change in the failure rate. However, this significantly slows things down. It is even worse than not having any approval procedure at all”

Therefore, not only slow but also hazardous. Considering the increasingly dynamic methods of software delivery, it is clear that the traditional approaches to managing change are not only inefficient, but potentially catastrophic.

DevOps and manual change process automation

Continuous delivery and DevOps generate change volumes that the IT department was never designed to manage. How should IT manage software releases effectively when DevOps teams can deliver hundreds of changes daily?  How is compliance to be meaningfully ensured when highly automated software delivery pipelines are manually stamped?

As discussed in a related post, it is evident that no amount of requests, manual approvals, CAB meetings, or documentation can effectively manage change at these volumes; ITIL is ineffective for DevOps.

What happens if the IT department transfers administration of software release administration to DevOps teams? 

IT should focus on its strengths, such as server administration, migrations, and hardware management. DevOps teams need their own change management automation for dynamic software delivery techniques.

Creating a DevOps culture that prioritizes compliance

In contemporary technology organizations, there are no traditional separations between software development, quality assurance, and IT Operations. This has been replaced with cross-functional DevOps teams accountable for the entire value stream of a software system. This new DevOps methodology enables businesses to reduce handoffs, improve collaboration, and ultimately generate more innovation.

As businesses progress, so do their supporting technology strategies. In addition to infrastructure as a service in the cloud that is metered, businesses are employing automated build, test, and security tools. With the help of this automated DevOps delivery, high-performing teams can implement changes 973 times more frequently than non-performing teams. 

What should businesses do if they are required to be compliant but external approvals and administration are ineffective?

Continuous Delivery, Continuous Integration, and Continuous Compliance

This significant increase in the number of changes necessitates innovative and enhanced software process compliance and change management strategies. Organizations must replace manual and gated checks with continuous, automated checks in order to support DevOps teams. Compliance requires the application of the continuous integration and continuous delivery principles learned.

Using this method, teams can not only increase their work output, but also their conformance.

The implementation of test automation does not render evaluators obsolete. Instead, it eliminates monotonous and repetitive duties so that testers can concentrate on exploratory testing at a higher level.

Similarly, Continuous Compliance does not signify the end of compliance work, but rather enables compliance officers to focus on higher-value investigations.

The benefits of implementing a DevOps Compliance Culture

The DevOps principles of culture, automation, lean, measurement, and collaboration can help teams increase compliance activities while reducing waste. The five major benefits of adopting a DevOps Compliance Culture are as follows:

1. Culture: gives teams agency to lead risk management responsibilities
2. Automation: drives higher compliance conformance and reduces waste
3. Lean: results in continuous improvement in risk control posture
4. Measurement: ensures compliance becomes data-driven
5. Sharing: makes compliance work visible to empower compliance and security functions

Especially if they’re releasing software in a regulated industry, DevOps teams must cultivate a culture of conformance. DevOps generates large quantities of change that IT cannot manage, and relying on IT for change management at software release is both slow and risky.

As part of DevOps, regulated teams must automate change management to rapidly and compliantly release software.