Compliance against regulatory requirements is traditionally a burdensome process, requiring considerable time and energy to develop compliance artifacts in Word documents and Excel spreadsheets that are instantly out of date the moment they are created. Manual data calls are issued to pull information from various sources, place them into templates and output them in various formats to multiple stakeholders both inside and outside an organization. Conversely, organizations need to either buy or build new technology, frequently in the cloud, to compete in today's economy. Compliance documentation and processes are inherently static whereas today's systems and applications are inherently dynamic. How can we solve this cadence mismatch to safely allow IT to move at the speed of business?
The DevOps Model as defined by Amazon Web Services is "the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes." DevOps employs practices to automate processes that historically have been manual and slow, using a technology stack and tooling that help staff to operate and evolve applications, as well as enable engineers to independently accomplish tasks that normally would require help from other teams.
How can we bring the fundamental principles of DevOps to Compliance? I believe the time has come for RegOps (Regulatory Operations). Given my personal affinity for standards and definitions, I'd like to posit the following definition:
RegOps is the combination of cultural philosophies, practices, and tools that increases an organization's ability to ensure compliance of applications and services against regulatory standards at high velocity: evolving and improving compliance and trust at a faster pace than organizations using traditional compliance artifact development and compliance management processes.
My fellow co-founder and CTO, Travis Howerton, posited a Compliance Manifesto recently with the following 10 principles:
Regulations exist to maintain our privacy while keeping us safe and secure - we should honor them
Maintaining compliance as a business should be affordable, transparent, and easy
Compliance processes that are boring and repetitive should be automated - it is good for the business, good for the regulator, and good for the employee
Audits should be simpler and less risky for the business
Evidence should always be readily accessible and as near real-time as possible
Producing high quality compliance artifacts should be more profitable for the producer while consuming these same artifacts should be cheaper for the consumer - driving mutually beneficial incentives
Technology will change over time so any solutions must be extensible to take advantage of future innovations and minimize technical debt for the future
Getting started with compliance should be free with the goal of pulling out costs and accelerating business
We should build on industry compliance standards while accelerating their adoption
Do no harm - if the solution doesn't improve privacy, safety and/or security, we should not do it
As with the DevOps movement, it will take cultural transformation coupled with tools to drive fundamental change. The time has come to transform regulatory compliance. Let's work together to bring DevOps to Compliance...long live RegOps.