Sure you come back from conferences willing to change the world in one (let's say two) weeks, and got a bit of frustration needing a few additionnal monthes... 😉

lol or years 😜

Any transformation is a long journey, days or months or years depends on the culture and commitment

Frustrating, and yet it helps me keep the faith. It isn’t just my imagination, these things exist in the world!

we've changed organisation structures many times over the last three years so it often feels like starting again with new leaders!

If culture and mindset don't change, probably you can exhaust all available leaders and stay in the status quo indeed

Don't underestimate the therapy effect of this conference. It helps with the enthusiasm gap to know that we are not alone and many companies have the same problems and are solving them!

thats a great point, with all the setbacks this does help to reinvigorate and provide the energy to keep pushing!

Unicorn Project quote - "Human Error" 🙂

i heard a quote once… “the really hard problems are not with the hardware, software, or firmware… they’re with the peopleware.”

Tech issues so much easier than human ones... Hopefully some powerfull AI once doesn't come to this conclusion...

Classic book: https://www.goodreads.com/book/show/67825.Peopleware

I think I got “all problems are people problems” from https://www.goodreads.com/book/show/566213.The_Secrets_of_Consulting

indeed!

@jonathansmart1 played a huge part in helping us frame the networking at DOES and @dominica for many years brought leadership and collaboration to our Lean Coffee sessions!

Thank you @jonathansmart1 and @dominica!!!! Fantastic work, keep it up

The networking time is such a huge part of what makes DOES a fantastic experience. Thank you @jonathansmart1 and @dominica. Let us know how we can help make it better.

...and hopefully continuing some virtual conferences or integrating virtual and physical, once the world gets back to normal.

your "CRAP" lightning talk is top class for me :)

I hope they find a way to blend the physical and virtual together (and have some virtual only conferences as well). This will be a very interesting topic for experimentation, feedback and improvement.

says the expert product manager 😂

fastest feedback loop you can get…

Will the Q&A from Slack be integrated into each video in the Video Library? It would be useful.

@nickeggleston that would be terrific. it’s in the backlog!

...and those not using Gather Town are missing the other <large percentage>

I’m looking forward to being there today! Wasn’t able to join yesterday… and felt I was missing out. 😞

I wrote about this in the morning - everyone seems to be thirsty for in-person more than last year https://www.linkedin.com/pulse/live-from-does-learning-devops-heroes-agile-covid-duena-blomstrom/?published=t&amp;trackingId=lgwVDpA1RYWyTQ4L7QItiA%3D%3D

Happy to get involved in those discussions. I attend some regular meetups which would have been in person in Edinburgh. As it’s virtual, we get people from across the globe, so increases our diversity. They are trying to get their head round this too. I do miss meeting people in person. I attended DOES 18 in London and it was a game changer for me.

Also happy to get involved with this, since I am one of those who have found the virtual experience even more valuable than in-person. There's a risk that will be lost, without being very deliberate as in-person ramps up again.

It was a great talk indeed

thanks remembering me to re-read the book

If you enjoy listening to Mik, make sure you catch his talk today on OKRs and Flow Metrics (12.05 BST), as well as checking out his podcast with incredible guests including Gene Kim, Brian Solis (Salesforce), Maya Liebman/Ross Clanton (American Airlines), Pieter Jordaan (TUI Group), Adrian Cockroft (Amazon), Dr. Nicole Forsgren, Don Renertsen and more, the list in endless...https://projecttoproduct.org/podcast/

I think the org sub is a great way to share the videos internally, as well as raising awareness of DOES and providing funding for growth.

I love @mik’s podcast 🙂

Thanks for pointing out @patrick.anderson

Pleasure! Helps fill the void between DOES every year 😁

Well my audible account is packed with tens/hundreds of books including all of itrevolution, Dr Goldratt... But didn't know this podcast, thanks!

For now, Track 2 is captionless if you prefer!

Captions are useful - use preference to turn on / off will be good one

BTW where could I find the Twitter handles for these speakers?

Definitely automated captions, yet useful (spotted religious -> releases 🙂 )

What's in a name...

@colas.a well, of course not! 😉

I had been thinking the same thing

Reminds me of @jonathansmart1 Certified Really Agile Practioner talk...

Can you share more about this in detail... such as the questions and answer sets and how you scored them? And how frequently and in what form you did follow-up...

It's the leaderboard nature of this that is the "Aha!" moment. It is always going to drive teams

Gary Gruver has a DevOps certification that uses this same analogy

Did you bring in any of @jonathansmart1's rebranding of Agile+Devops as "Better Value, Sooner, Safer, Happier"?

@colas.a would be great to catch up in one of the breaks if you are around

@nick.kritsky Yes, we are using BVSSH

Sweet!

I often feel that money isn't the problem, it's how you waste time/money in a large org that is the problem.

I agree @matthew.cobby, and actually too much money can then be a barrier to improvement, because it allows us to continue the waste.

💯

Very much our hypothesis in Agile Conversations.

https://docs.google.com/document/d/17nHB3aDOsUI2f3W5EShyoFQiK7NMwIJ8QFkUCANVPbk/edit# And https://www.goodreads.com/list/show/162704.DevOps_Enterprise_Summit_2021_Reading_List Tries to collect most of them as well 🙂

Neils Pflaeging, Organise for Complexity (2014, 2020) 🔖 https://www.nielspflaeging.com/books/ https://www.amazon.co.uk/Organize-Complexity-High-Performance-Organization-Publishing/dp/0991537602 About half of it is in these slides https://www.slideshare.net/npflaeging/special-edition-paper-organize-for-complexity-part-iii

This is a huge win, congratulation on that! Are you pursuing a centralised Agile tooling approach or a more “let the teams choose what they work with”? And what’s your rationale behind it?

The answer is both. We have a number of tools managed centrally. In some areas, we even have several tools managed centrally as they meet slightly different use cases or needs. In some areas, we do not provide any central tool for now. Still, we foster collaboration within a Community of Practice so that we learn from each other. Eventually, some of them may become centrally managed if there is a scale advantage (but that is not mandatory).

@colas.a @olimpia.nitti this and how did you measure (if you did)?

Within Pampers we run all our digital products (mobile apps, eCom) using agile

Thank you for clearing this up Olimpia!

this was a big learning for me… i experimented with both and found the teams that owned both, time and time again, had much better outcomes!

...and that's what blows my mind. Looking forward to what's next!

Was the progress towards KPIs reported via OKRs?

Yes to both questions - all KPIs are shared within the full team - the team members have to know what’s being valued

many thanks Olimpia.

@olimpia.nitti How much of the solutions devising was done on ground level by the teams to help test what will deliver towards the targets? I am interested in the empowerment part especially.

I surely will use that quote. 😂

And then you had them hold workshops and trainings in their respective departments with your support if necessary?

In my experience it is far too common to impose timelines from the outside. I think it's brilliant that you empowered the team to decide on their own. Thanks for sharing!

There is a 5m break today, that wasn’t consumed by talks going late like yesterday. 🙂

and also scrolling through all the slack questions, answers & important pointers

Yes, while I like the -plenary channel, so I don't have to switch between channels, it would also be nice to have the Q&A in a channel per presentation (and/or maybe per author or group). I realize this is difficult.

Also, threading of the Q&A and queueing to make sure questions aren't missed is another place for improvement.

I'm watching the videos on my phone, so I can go to the bathroom or kitchen as needed, but then I have to play catch-up on the Slack.

It's also hard for the speakers as the Q&A goes on for a while after their video ends, so they don't get a chance to be part of the audience for the video that follows.

Isnt that the ask the speaker more channel?

That breaks the flow... I see that as more of a channel to ask questions later when something occurs. Threading is definitely an unsolved problem here.

we have an unofficial goal that a new developer should make his first commit PR on the second working day.

Excellent, I have mission - 3 day to do PROD deployment

Talk to me later @lbmkrishna. Also Dharmesh Gordhan back at BNZ.

This is a great topic for more discussion. Let us know where you continue... maybe we can get a new channel set up? @alex or a suggestion of a better way to greate topic groups that persist...

Great idea @nickeggleston - what should we call the channel?

I once wrote an internal paper on how much it cost to replace an engineer. A very conservative estimate was AU$100K, probably more but it was harder to quantify. It's more efficient to keep your hearts & minds than to get a new one, no matter how fast it is to prod.

@matthew.cobby - Few individuals like us we are still fighting for that "freedom" - we are yet to get liberate mate

haha - thanks :rolling_on_the_floor_laughing:

Maxine - oh poor Maxine 🙂

Still day-to-day business in some companies 😮

Since almost two years The Unicorn Project - The developer onboarding is still the same 🙂

@genek what real world examples were the inspiration for this? (redacting names as necessary)

💯 creates psychological safety !! helps normalize "i dont know, but let's find out"

now that our Slack is for our entire enterprise, not just Tech, I wonder what kind of questions would get posted now :thinking_face:

We have one called "I'm looking for..."

#absolutelynoidea now live!

#absolutelynoidea now live!

Thanks!

Hi @philipp.boeschen650 which bubbles are you referring to?

those 🙂

I would like to create this channel here

Seems like I do not have the rights

Can someone pls create it?

@alex

#absolutelynoidea now live!

So true! But when they do - magic happens!

Exactly, I think it's worth striving for this kind of safety in a team.

I find it common for people to keep splintering off into private channels because “we don’t want to spam people”.

Agreed, I find myself thinking that way and not wanting to bother the large community with questions that may be obvious or already answered elsewhere.

A good setup for messaging applications helps a lot with that. For example in Slack: having specific channels for asking about help on a certain topic, having channels with very specific topics for discussion, and always encouraging people to use threads to keep the spam in the "main" channel low.

formal no but we have done informal / ad hoc bookclubs

Awesome idea. Do you have one?

Yup. We started with Accelerate and now are currently reading Agile Conversations.

currently in the process of setting one up.

Yes, similar to Adrienne! Started adhoc/informal

@eazyd247 what's the first book/report on your list?

Yes, we have a book club in the org.

@becky.woof at the moment we've got as far as assemble the group (not many at the moment but think thats a good thing). Then to get everyone to nominate a book, a reason why we should look at it and then we vote on it. My preference probably would be for Accelerate, project to product or Unicorn project. So many to choose from now 🙂

We started with a similar process as @eazyd247 mentioned. We found we started with about 10% engagement from our department. I'd like to find ways of including more individuals from across our company in the future though.

have you had much issue keeping the momentum, people keeping up with the reading and the attendance?

We did notice that in the first one. I feel like that is somewhat to be expected. We did a retro exercise after that one to attempt to make things better for the current (second one).

We found that even if we had a small group, we could share our high-level findings more widely (on slack, or wider departmental syncs)- just bite-sized points. A few more people got involved that way!

Useful content become articles, guardrails or patterns!

Is this naturally promoted or is there a specific team/person behind that?

#absolutelynoidea now live!

We have appointed topic owners in the community, examples could be around API & Events or Cloud. They are monitoring the chat-channels and also update articles, patterns & practices. But then the community also step in and answers and make suggested changes based on their inputs.

definitely interested in this one too. Great question

Same

me too

I think when we could prove actual value was a first. But it's a long and gradual journey. Then more studies, science and success stories around devops / cloud also emerged. We also had some leaders believing in the "new" ideas.

Thanks @jakob.knutsson657!

We make it part of the Definition of done, to hsare the work with the community.

On what level? Each story? Which community? Topic specific?

On the idea of slack this is a great post about it https://fs.blog/2021/05/slack/ Many roles become less effective the more efficient their time is managed

It is not that I am not aware of this bu tin many cases the situation is pretty complex. I wrote a piece about it actually: https://rruzitschka.medium.com/the-challenge-of-internal-communities-in-an-enterprise-it-organization-fbe198b1f0e4

We have appointed topic owners in the community, examples could be around API & Events or Cloud. They are monitoring the chat-channels and also update articles, patterns & practices. But then the community also step in and answers and make suggested changes based on their inputs.

Like the naming of "Business Tech" to make it visible to everyone

@jakob.knutsson657 said H&M is still a fashion business, not a tech business

Always surprised/shocked when discussing outside of the company, people telling me you're quite knowledgeable on the business, and you work in tech? Is it supposed to be mutually exclusive?

Clear objectives and direction.

Can you pls clarify what that means?

DevOps was about bridging silos, collaborating at a larger scale. Continuing that trend is getting collaboration across the silos of business and technology. So H&M creating a “Business Tech” group seemed like the end state of where the ever expanding collaboration takes us. That make sense @vladyslav.ukis?

Understood. Thanks!

…because it’s all our business.

We are the business

and our business serves our customers

We collectively serve our customers

BTW, how you found the balance what to learn on both sides to raise that understanding to the next level?

I really enjoyed the auditor talks from that year. It helped me understand their perspective and partner better with Audit internally. We even initiated a value stream analysis to get audit more integrated and automated into the process.

the “paid by the finding” comment had me laughing out loud.

reminds me of the stories of testers being paid by the number of bugs they found… and developers by the number of bugs they closed.

I love stories about perverse incentives

Wait. There were some QA shops that were bonused on # of defects found, right? After all, if they don’t find anything, what are they doing all day? 🙂

Nobody expects the Spanish inquisition.

I won't put that on the reading list from the conference 😂

Then again, it might just be interesting to read anyway :thinking_face:

I noticed strategic placement of The Phoenix Project and The Unicorn just outside each shoulder 🙂

Could be but also think GDPR or anything relating to data privacy

Could be legal compliance as well (depending on industry)

@david.read There are InfoSec or Compliance Audits as well

Good question, they look into so many things. Depends on the industry as well

Or any compliance, thinking PCI DSS for instance

We also run open source audits at Synopsys so it can really mean anything

could be regulatory, compliance, risk, governance / GRC

Audit can apply to anything that a business may want assurance of..

Basically any part of dev or business that requires or comes with an external ruleset can be audited

Internal Auditors look into risks that could prevent an organization from achieving its objectives. Those can be financial risks, compliance risks, operational risks...

i.e. if theres risks there an audit for it

Tune into our break-out session tomorrow (DevOps and Audit: A Great Partnership Part 2). We'll briefly review Internal Audit's role in an organization

@lucasc5 - one thing that I hate - when we ask developer to fill and answer the risk control Excel spread sheet 🙂

@lbmkrishna - I'm cringing right now 😆 That's how we as auditors get a bad rep.

Everyone hates spreadsheets right? 😕

I see that manager easily delegate to Developers / Engineers

It's in the office waiting for me when I return to in-person meetings :)

i love this book for so many reasons, but had forgotten that topic was in there. one more reason to love it.

Yeah it was a real gem of a concept and I found it helped in a huge way with our most recent audit, which we PASSED by the way! After 2 failed audits, we were really proud of it.

I feel like this conversation will require a reclining couch. 😂

Internal Audit can definitely shed light on areas that need improvement. Management can definitely leverage that as an opportunity to implement DevOps practices to address those gaps. Great idea!

100%

I do find a massive communication gap in this success though.

IT leaders and managers dont want to understand purpose of audits

Auditors for some reason also fail to explain this well. This is probably also not encouraged fully by the larger audit firms that larger companies end up working with

Check out our break-out talk tomorrow (DevOps and Internal Audit: A Great Partnership Part 2). We may address your question in greater detail there. If not, I'd love to get more insight from you on how we can address it.

Sounds great

You missed this https://devopsenterprise.slack.com/archives/C015DQFEGMT/p1621418576449200

Oh, I saw that. Just thought you’d enjoy this view as well.

Are those books organized by color colour (<- since we are in London)?

Get also the Dev team understand the controls early on as requirements 🙂

exactly. Then you can start to do things like compliance-as-code.

Tune in to our break-out session tomorrow (DevOps and Internal Audit: A Great Partnership Part 2). We talk about some of the ways we're shifting left :)

What happens when everything is shifted left? 😉

We anchor back to the IIA Standards/red book! :)

PS: I learned last year from @lucasc5 that there’s no actual physical “red book” anymore. 🙂 Thank you again so much for the talk — you, too, @lewir7

It was our pleasure! Thank you for giving us a platform.

Agree, transparency also on the controls and test...:-)

@tim.wyatt - hearing that breaks my heart! We hate surprising our clients. If my client's are surprised at the end of an audit, I didn't do my job very well.

absolutely!

The best thing by far

I think it comes down to a similar effect like when you're having cross functional teams, more viewpoints mean overall better coverage

i think they resonate and help us story tell that DevOps isnt just a tech problem. I noticed a lot of questions/interest during the P&G talk about getting the Biz Leadership on board. I think these boundary spanning really help our brains firm things up

:thumbsup: Y’all are going to love some of the talks coming up, then! 🙂

We see this a lot too. I visually cringe when someone tells me they're doing something because audit told them to. Either we didn't explain well enough why the gap was important, or it wasn't truly a risk. In the past few years, we added a scorecard metric for ourselves to encourage us to identify cost savings and efficiency opportunities. That helps with some of the overengineering too.

Yes! This!

Start with why as would S. Sinek say (but not only), you'll get more buy in when people understand why they're asked to do things, and knowing it from start rather than as a gate at the end, would certainly to better results and less reworks and better image of the audit. Looks quite similar to security which can either be seen as enabler and bringing value or just as a blocker breaking plannings

100% I and many others can't invest in doing something if we don't understand why or we're doing it. Filling in a spreadsheet because Legal say so isn't good enough

Security in DevOps is to prevent problems down the line no developer likes being called in to help fix P1 issues or similar but by following good security practices they could prevent future pain thats worth a little effort now to avoid future pain

Most auditors make an attempt to use neutral language but legalize and developer shorthand are problems for both groups

TLAs don't help have you ever counted how many acronyms you use in your org/team daily/weekly

and the teams are bothered too much by cumbersome tooling that must be used to fulfil the regulations

you might like the next session....

My view is that its also important to understand why the regulation exist look at the UK and USA talking about cyber crime and IoT security its being discussed and talked about because its a problem. I'd always suggest people use regulation as the organization stick to implement good changes. Don't worry about the exact specific but make sure your doing what right for your team/product

Fully agree to this @robertso: Why is always super important. My main issue was that in my experience engineers embrace freedom and hate regulation like the plague.

Yes, because it adds burdned often without good reasoning

@vladyslav.ukis Being able to satisfy regulatory requirements is a reason as good as it gets. It is non negotiable. But of course it needs to be explained.

Regulation very rarely wants to limit innovation or freedom but encourage best practices. Regulations can be interpreted in a million different ways and I've worked with orgs who take the very strict approach vs the more open model. Its about understand what problem the regulation is trying to solve look at the key recommendations and implement those how they make the most sense for you.

Here, @steve773 ! https://doesvirtual.com/watch

Hi, Steve!

Hi Gene. Am I in the right place. I think so. Intelligent control guy right before Richardson?

You're in the exact right place!

Thank you @annp !

nice branding

Or constraints stimulate creativity 🙂

the do, but naive creatives temperamentally seem to dislike them

what we long for

You've already had a couple of absolutely GOLD quotes in here mate - I'm going back through and stealing shamelessly to use "back at the ranch" on posters with your face on 🙂

I'll look out for those.... :rolling_on_the_floor_laughing:

I still like Mark Schwartz language around 'enabling' rather than 'corrosive' controls - this is the agenda for me 🙂

indeed. his perspective that a CI/CD pipeline is simply an “automated bureaucracy” (full of rules and controls) blew my mind.

Totally that - we are using this language/phraseology directly with @mark.rendell and @leanne.bridges here - 'enabling and embedded controls'

'automated bureaucracy' is worse than 'manual bureaucracy' if a control doesn't add value, we shouldn't operate it at all..

I can't wait to use this phrase!

Good Morning @katharine.chajka... we're aiming to find the balance for 'safety + agility'. We've learned that fewer, easier to understand parameters enable folk to work with autonomy

It's actually the name of Leanne, Mark and my home Community back at Nationwide - Resilience &amp; Agility

I almost just spit out my coffee haha!!!

Made that mistake at a public sector client. Visited again a few months later, scribbles were still on the board 😊

In that case @jonathansmart1 was probably a good thing. If you once come at our place, I'll make sure you have only permanent markers 😉

I think it's critical. We apply a bit of a 'forensic' approach to understand how we'd review the outcome before we build it.

We're in the process of learning this the hard way, lots of policies got put in place without any effort into traceability, they are definitely creating pain down the line now

I feel your pain @philipp.boeschen650 sometimes policies are created like sticking plasters... if you've too much ambiguity from the policy layer, the control tier becomes un-workable. Reach out if you wanted to explore further on that one..

This was one of the most illuminating learnings from audit for me. cc @lucasc5 @leanne.bridges @lewir7 @mark.rendell

It's especially important when things go really wrong... it's also usually where you end up with 'over control' (often in reaction to a previous 'really bad' situation).

That's a tough one. I don't want teams doing unnecessary, over control activities. However, being able to find and rely upon a backup control when the primary one fails has saved us in an external audit. Layers of control, defense in depth, can be nice to have.

I'm glad that you've seen the value of this @andy.hinton - it's solid learning when you go through those processes and realised the value of what might otherwise be seen as burdensome

Someone (@jonathansmart1) has a chapter in a well-loved book dedicated to that particularly anti-pattern 😄

I know you posted this in jest, but risk should be assessed up front and should be updated as you learn more.

we continuously adjust the risk profile created early on, the the product evolves, the risk evolves and we can apply controls proportionate to that point in time..

it makes the world of difference... you know what you're getting into before you get going.

Thanks @jlpryan - certainly!

me too

we'd be delighted to share 🙂

(wanting a copy -- I can't claim to be a colleague of @jonathansmart1)

They’ll also be in the Video Library — @alex will be posting it shortly.

https://www.dropbox.com/sh/lb2j4dbn2xcmcxg/AAA1mlN_AYiwjtzGCxZLyoUKa?dl=0&amp;preview=DOES_Leanne_Mark_DIST.pptx

@jlpryan @nickeggleston https://videolibrary.doesvirtual.com/?video=550704454

:thumbsup:

I love this analogy

This could become a book

if there's value in doing this work it's to enable traceability; creating the data that tells the story of how and why the product was built makes a huge difference when you're trying to provide any kind of assurance..

😂 Maybe some informed executive could find out she makes more value for the business and the product team less miserable? Hypothesis... 🙂

Hi @genek101 and @christian.lefevre - I always say that I need to 'do myself out of a job'. When an organisation has achieved 'control by design' and operates continuous assurance, you don't need as many people like me telling you whether you need to worry - because you understand the risk inherent in your own work... So weirdly, my personal objective is to enable lasting change that supports continuous improvement for an organisation.... but I'm a problem solver so guessing that's where this becomes rewarding for me..

What's Thoughtspot?

it works really well. We wanted to ensure we were 'system agnostic' and flexible in terms of the data we could pool. Thoughtspot enables us that 'layer' that we can adjust based on the depth of data available to inform that 'real-time' view

Think Tableau with a google search like engine for your data underneath, it's some pretty interesting tech https://www.thoughtspot.com/

We use ThoughtSpot in a number of ways to support our BVSSH journey - @zsolt.berend and @marc.price can give the 'inside track' on how we leverage to support measurement/visualisation of flow, golden thread and embedded control 🙂

Oh interesting! What's BVSSH tho :thinking_face:

Hehe another thing to note for future investigation

Bring Value Sooner Safer Happier - Super book by @jonathansmart1

Right, yeah 🙂 Heard of it it's still on my shelf to be read... so many books so little time

T/S provides a rich front-end, it is great for self-serve data, insights consumption

Have you seen benefit in the self service aspect, do people actually actively explore the dataset? We never got to a big enough PoC to find data for that

yes, they do - we treated our dashboard as a product from the beginning. Start-up way, started small with some innovators, early adaptors as customers, establishing feedback loop. Now we have 700+ active customers, colleagues at all level, all based on pull.

it has been a journey to unlocking measurability and through conversations unlearning fear of data, and experts providing reports to measure for learning behavioural

That is super cool! Did you face any problems getting your data into the right shape underneath? Thanks for answering these! 🙂

yes, we did, we pull data from jira and snow and e1 - and cont. improving the data models for more flexible insights creations. However it has also been the goal to keep it as agnostic to ways of working as possible so e.g. there is no mandate on using a set of states (it would be an antipattern as context is unique so flow of work will differ) so we made lead time calcs. e.g. agnostic

Something of note here; we’re in the process of migrating to dashboards for our Data and Analytics Value Streams. The Intent is that this will supersede our need to ‘report’ on risk and move toward use of real data to inform the risk positio…

more than happy to give a view of Thoughtspot if anyone would be interested 🙂

Yes @tim.bassett and Metrics and Insights are a key part of our overall Ways of Working enabling function //cc @berendzs

partially - where a control is automated or semi-automated, we can enable dynamic data.

Ah sorry, yes I meant the dashboards driven by Jira data. Those are automated.

What could not / cannot be automated?

Hi @vladyslav.ukis sometimes a control is manual (i.e. that decision needs to be made at that tier of committee to ensure that it's within governance' so you end recording that the event happened and logging associated documents to support the execution of the control. That help?

Well that escalated quickly 😆

“when risk people show up, everyone gets the shivers.” 🙂

Totally.

those are the days when you're really grateful for how you made records of the build....

I’m sure I wouldn’t know. 🙂

I’ll have to ask one of my friends if they can relate. 🙂

HEy @berendzs - glad you're here... @philipp.boeschen650 had a Q on ThoughtSpot... you'll be able to enrich that thread with your mega-knowledge..

Also @tim.bassett was interested too... maybe we need a session on data-centric controls assurance informing risk??

yes - our problem is that we want to automate "stuff" but people forget about dashboards.....we have agility metrics under control (sort of - v1 at least), however we are now gathering metrics for other "stuff" - but manually. Always interesting to see how others do it...

one of "my things" is reporting/data should fall out of the process and not be additional work....

Yeah we were at a similar point when we played with it, but the price point was just too high for us to get enough ROI

yes, I fear Excel wins out - although Jira/ADO etc do provide basic reporting

The whole, metrics should just fall out, that seems to be hard to create though, is there something special you're doing towards data schemas or when collecting data to get it more "in line"?

Hi... this bit is the bit that is often overlooked... I say (almost everyday) that we have to build the data that enables us to measure. The key here is JIRA because we can get a status for manual, semi-automated or automated controls as a data point that we can add to dashboards. This is how we're able to then streamline the assurance (if we don't enable this data creation, we end up doing the work twice)

"I say (almost everyday) that we have to build the data that enables us to measure." I think that's the key thing that needs to be driven from the top, I've unfortunately been in some positions were we never got time or resources to build proper data foundations and then got pushed to deliver, deliver, deliver which never worked out as people thought...

@philipp.boeschen650 -a large part of my career was spent in the Public Sector focussed on maximising value for the money we invested. One of my personal aims is to achieve as much of this as possible with existing enterprise licensed tooling minimising investment. Much of our 'build' is driven through internal enthusiasm rather than investment and we're currently experimenting with Power BI as it's within our Teams licensing and is widely available. This should cost less than the alternative.

@tim.bassett ref excel.... we're experimenting with Power BI/Power Platform in Teams for increased availability..

Yeah I do think sometimes, especially we as engineers, tend to want to re-develop rather than using existing stuff - Trying to get ahead of that problem seems like a very good use of time! 💯

we would be happy to present 🙂 next time

Definitely....

the work that @berendzs and @marc.price have done on metrics is awesome

more than happy to @richard.james v

full credit on that one to @jonathansmart1

Huge credit to @leanne.bridges with their show and tells. The open invitations to those regularly attract a very diverse and senior group of people - and not just to observe - loads of ideas flowing :)

the best thing about those @mark.rendell is how much we get out of it too 🙂

we align risk people to the work.. once the risk assessment is complete and thereafter continuous, we align a risk partner to be the persistent and primary point of contact... They'll bring in any additional specialist risk support to ensure that the depth and breadth of risk is understood and the right control stories are surfaced

one of our absolute favourite adopted phrases from @jonathansmart1 ❤️

used regularly by our Chief Operating Officer, as well as across our WoW community and colleagues 🙂

In addition to the great work done at Nationwide, see chapter 6 in Sooner Safer Happier, a chapter just on this topic.

have read it more than once 🙂

That's great to hear - thankyou. I'd be happy to share more detail on anything specific..

what can make it change a climate of psychological safety? Trust?

@christian.lefevre Yes. A need to intentionally nurture psychological safety. As per Amy Edmondson, (1) Set the stage (2) Invite participation (3) Respond positively

Thanks @jonathansmart1 I’m considering a dojo as well to help people train and gain confidence too, but shouldn’t substitue to demonstrating trust by handing the keys of the real world too I guess.

Yes, sounds good. And there needs to be safety to experiment and fail. If not, even with new knowledge, there will be no empowerment taken

I've quite often seen 'learned helplessness' with everyone shrugging their shoulders, pointing at someone or something else

I like the idea of L David Marquet in turn the ship around, of having people declare intention and validating, I would guess such endorsement will reinforce confidence in taking the empowerment, which should transition to a stronger ownership tranforming the declaration of intention to informing. (kinda removing the small wheels to the bicycle)

Totally this - we use Mark's language around "enabling bureaucracy" rather than "corrosive bureaucracy" in our context ❤️

definitely... it's just about getting the right balance

Personally, I'm very wary of anything that is described as 'intelligent' - it's usually to do with hubris of the inventor

The talk about replacing the word intelligent with control reminds me of this chrome plugin I've used in the past https://chrome.google.com/webstore/detail/ai-just-some-if-statement/ihdinhfmngbefhhajfjankbpphnflfbd?hl=en

See also: SmartTVs (sigh), Smart Meters (sigh), Smart Home (😬 ), Smart Cities (🙈 )

The word connected just isn't as sexy

Right now.... Split brain

I answered up there but will repeat here: e align risk people to the work.. once the risk assessment is complete and thereafter continuous, we align a risk partner to be the persistent and primary point of contact... They'll bring in any additional specialist risk support to ensure that the depth and breadth of risk is understood and the right control stories are surfaced

Sounds a lot like the adjust support teams @jonathansmart1 talked about in his videos

@nickeggleston Safety Teams. Multidisciplinary GRC type SMEs aligned to value stream, long lived. e.g. InfoSec, Data Privacy, Compliance, Fraud, Anti Money Laundering, etc.

Agree @nickeggleston and as @jonathansmart1 highlights - having the right group of people, with the right capabilities makes the world of difference to how we build things

what kind of safety checks are you trying?

we use OPA too

curious to learn what we can improve

the primary stuff right now is about validating that dependencies you put in approved/not marked as risk

That's a great topic @gus.paul what we're doing with Intelligent Control is partly about tying together smart technology solutions like that with the formal official controls.

That's a hot topic and work in progress @matthew.cobby Just last week the Data and Analytics community got Inner Source access so that they can make contributions!

Interesting.... I'd like to follow up and see how you are going. We have an Inner Source programme and one of our products is our compliance as code. It's been a sleeper so far but we have ambitions

Sounds great @matthew.cobby

@jonathansmart1 references the 'narrow' (Tech) or 'broad' (Org) definitions of DevOps - we talk increasingly about how we are bringing Change and Run together as the broader agenda 🙂

I need to read the book! I think the problem is that departments that are not mentioned are not included, so there needs to be a way of describing that inclusivity

my reference to the 'must do and the should do' is because that helps you work out who 'must' be in the room and who doesn't really need to be there... The other challenge though is having a trust environment where folk 'not in the room' are ok with that and trust their colleagues to bring them in if they need to be there.

empathy and shared goals.... has anyone found a way to ctrl+c ctrl+v this everywhere? :rolling_on_the_floor_laughing:

definitely - by having a 'critical friend' in the room to answer the thorny questions - can help you go faster..

Definitely - we need to work as a team, working together to build good things

Thankyou for having us along

Yes. The formal Controls are context sensitive depending on the risk profile and risk appetite

Not one size fits all set of Controls (lowest common denominator) as is usually the case.

Hey @rshoup - do you mean the 'wrapper' for the work or through the work?? We use the outcome of the URA to provide a baseline risk profile and define 'why' controls are required and to what extent they're mandatory. It helps us prioritise the work in that way but gives us a persistent line of sight to 'what happens' if we don't invest in that specific control activity, how does that affect the risk profile... We didn't dive into that on this session but I'd be happy to explore further with you.

I totally agree @rshoup but there is also often a significant volume of established controls processes that you need to meet where they currently are.

@leanne.bridges Sorry, I meant that we need to frame the problem in terms of the Risk, not in terms of the Control. Reducing the Risk is the outcome / goal / business value. A particular Control is one candidate way to achieve it, but there may be others, as you pointed out. The Controls are not themselves valuable! I've had so many conversations with auditors that take this path. "Tell me your process and prove you are following it", they say. And I try to reframe the conversation around the Risk itself and how we can reduce that.

Your model sounds great. I'll be sharing it with our internal auditors 🙂.

Glad to have helped…. The experience you mention though makes me think of human-robots… we have to challenge processes and controls to ensure that they add value (otherwise audit is valueless)

Thankyou - is great to be able to reflect and share our journey

It's that systems thinking that allows us to release our teams from a blame dynamic and fix the system collectively