Regulatory compliance is the requirement that no business can avoid or neglect for long. But it's not easy to balance it with the rest of your business. Compliance is time-consuming work that you must do to stay in business, but contributes nothing to the bottom line. It's also the kind of work that developers and engineers dislike, sometimes so much that they head to a different job in order to avoid it.
How do you balance compliance with the rest of your business? Can you successfully navigate a digital transformation while meeting legal and industry obligations - all without slowing down the software delivery process?
Yes, you can. DevOps World 2022 hosted a session with Tim Johnson, Senior Product Marketing Manager at CloudBees, that will help you figure out how. Let's look at Tim's answer to the compliance tax.
The Compliance Tax
What's the compliance tax?
According to Tim, it's the effort companies spend assessing, asserting and proving compliance. This effort is a tremendous burden on organizations, and it diverts precious resources from working on other business priorities.
In The Compliance Tax and How It Is Slowing Innovation, Tim discusses how, despite their importance to staying in business, compliance efforts don't add competitive value to an organization or its products. Compliance means spending time and money on work that hinders innovation and slows down delivering software to clients.
CloudBees conducted a survey with C-Suite executives in 2022 and found that most organizations say that their teams are spending, on average, 37 full days a year on compliance-related activities. That's a 15% cost that everyone realizes. That's why it's a tax.
The first step in dealing with the compliance tax is being aware of it. Tim says "…you want to make sure you're spending time working on the right stuff, and making defensible decisions that prove that you're working on the right stuff."
But there's more you can do. Let's look at a few key points from the talk.
Assessing the Impact
You can't avoid the compliance tax; you need to manage it. And, as we all know, measuring is an important part of management. That 15% number is frightening, and it sounds accurate, but you need to make your own effort to measure the exact cost to your teams.
Tim covered three different methods of calculating what the compliance tax is costing your organization. Each of these methods comes from a CloudBees client that responded to the 2022 survey.
The first method is opportunity cost. If you're spending time and money on efforts that don't add value to your products or your customer results, then it's a lost opportunity. Tim uses a real-world example of opportunity cost to fill out the form below.
In this example, a customer has 100 staff working on compliance activities at any given time. They rotate development staff in and out of these tasks in 90-day intervals because they realize no one wants to do the work full time.
This form reflects the staffing costs and, most importantly, the opportunity costs.
The number on line 3a shows the amount of revenue that each employee is expected to generate; in this case, the client estimates twice their salary. Remember, opportunity cost is the total cost of the employee plus the revenue they're not generating while they are working on compliance.
Above and Below the Line
The next method is the Above/Below the line method.
In this approach, work that employees do to generate value is above the line. Below the line is anything else. This slide has some good examples for both categories.
These estimates come from a major financial services firm. They want to be at 80% above the line, but are currently at 40%. For comparison, the 2019 State of DevOps report put the breakdown at 50-50 for top-performing firms based on DORA metrics.
The third method, categorization, is a more detailed approach in which you categorize your efforts and workloads. The client that shared this method uses four broad classifications: innovation, risk and compliance, technical debt, and defect repair.
This slide illustrates where clients want to be, and where they are. This client, a well-respected and tech-forward financial services firm, is still spending 35% of its efforts on risk and compliance and less than 20% on innovation.
The Problem with Shift Left
We’re seeing clients that are spending 35% or more of their time on compliance. Why?
Nearly 80% of the organizations CloudBees surveyed said that they're doing shift left. But almost 60% of those companies said that it has become a burden on their development teams.
Shift left, in its current form, is a DevOps anti-pattern. It places too much responsibility on development teams, requiring them to translate regulatory and governance policies into actions and then to decipher and prioritize the issues that come back from all their scanning tools. This takes too much time away from innovation - what they want and need to be doing instead.
Tim highlighted a few real-world examples of how DevOps teams are distracted from focusing on customers and value.
Writing Rego code and building regulatory controls
Stopping pipelines in order to perform audits
Conducting emergency audit "fire drills"
Inspecting logs and diagnostic tools for audit information
Spending time in meetings to discuss audit issues
To some, this sounds like a typical laundry list of developer complaints, but Tim highlighted a few examples of companies paying a heavy penalty for compliance, including a cell phone carrier that takes its pipeline offline for a month of scheduled time every year.
Shifting left has shifted security and compliance work back to developers, and shifted them away from adding value and revenue.
Shift Left Done Right
So, how do you shift your workloads so that you're spending the right amount of effort on adding value?
The first step is to measure the current impact of the Compliance Tax. Pick one of the methods outlined above and see where your efforts are going. Tim points out in the talk that if your company isn't categorizing your efforts yet, the opportunity cost method is probably the easiest to kick things off.
After you've selected a method and gathered some data, you can start to model solutions. How you do this will depend on your methodology.
For example, with the opportunity cost method you'll see if you can free up employees and assess how much value they'll add. If you're using Above/Below the line, you'll try to adjust the numbers on each side. Finally, with the categorization method, you can try to rebalance each category.
Each approach will lead to internal discussions about why your teams are spending time in each area, which takes you to the next step.
What can you do to change these numbers? How can you reduce the amount of time spent on compliance?
In the talk, Tim discusses the types of approaches CloudBees recommends, and how to think about them. One of the most important things you can do is look for solutions that take a holistic and continuous approach to compliance, as opposed to one-time scans and point-in-time views that just add to the Compliance Tax. Look for a solution that comes with regulatory controls and standards built in, so you don't have to implement them yourself.
Finally, it's time to socialize your solution. Explain to your development and DevOps teams how this is a game-changer for them because they'll have more time to work on tasks they enjoy, instead of living in dread of the next audit or flood of compliance alerts.
You Can Lower the Compliance Tax
Compliance is a burden that no company can avoid, but that doesn't mean it has to limit your ability to improve your product and increase the value you deliver to your customers. As Tim Johnson demonstrates in his DevOps World talk, you can tackle the compliance tax by measuring it, finding the right balance between compliance and delivering value for your company, and shifting your efforts accordingly.
CloudBees has tools that can help, with out-of-box regulatory support, and the visibility you need to monitor your efforts. Contact us now to learn more.