The Iron Triangle of Compliance
ErikaHorrocks
Jeff Hammond of Forrester Research (and formerly of Rational, by the way) talks about the “iron triangle” of software development. “Schedule, features, cost…pick any two,” is the way he describes it. He often brings this up in the context of open source and multi-source development, taking the position that open source lets dev teams soften up the iron and improve on all three dimensions.
There’s another iron triangle that has to do with compliance: productivity, risk and compliance (any sort of risk and compliance). Just as software teams wrestle with development tradeoffs, the same holds for this other triangle. You can be highly productive if you flout the rules and don’t worry about compliance, but it’s risky. You can minimize risk with a bulletproof compliance program, but nobody gets real work done. Maintaining productivity and reasonable risk puts pressure on the compliance program.
There’s no magic bullet, and each company must make tradeoffs based on its specific situation, but certainly a key is making compliance part of the way people do their work. When it comes to software, this means essentially building compliance into the software, similar to the concept of building in quality or building in security. The “magic,” if there is any, is simply that doing something right the first time is much cheaper than fixing it after the fact (Capers Jones suggests that when it comes to software it’s on the order of 10-100X less costly to do things right the first time). So building in compliance requires education, processes and ultimately tools that give developers visibility into the issues early and help guide them to make appropriate tradeoffs.
Rational is helping development organizations tackle this issue through Collaborative Lifecycle Management (CLM).
For more information, check out the Rational/Black Duck May 2nd webinar: How to Ensure Compliance without Compromising Innovation.