How FIs should reimagine the IT production journey

To keep pace with rapidly changing customer expectations, business requirements and IT landscapes, financial institutions (FIs) must embrace innovation, while continuing to manage IT risks and compliance mandates. An automated, risk-managed path to production (ARMP2P) framework, which combines agile methodology with a traditional Dev-Risk-Ops framework, is one increasingly popular way to reimagine and re-engineer traditional IT delivery methods and production journeys.

Enterprise change delivery (ECD) is getting more attention from auditors, regulators and IT and business leaders. Rapid changes in technology are making deployments more frequent, yet most FIs lack the metrics or mechanisms needed to provide the end-to-end transparency and release traceability required to fully understand project benefits and value. Compressed ECD timelines often do not allow risk and control stakeholders to validate that their requirements are met, creating potential regulatory and compliance challenges.

The ARMP2P framework, based on established industry practices, such as COBIT5/2019, ISO/IEC 27001, NIST CSF and SOX 404, addresses these concerns by employing an automated, permit-based workflow that allows FIs to govern and manage the journey of IT products and services from ideation to post-implementation monitoring in a faster, more scalable and stable manner. It can be adapted to manage business-process changes with similar effectiveness.

Key ARMP2P benefits

The ARMP2P platform incorporates automated process, risk and control requirements, continuous monitoring and audit expectations to provide a holistic and integrated IT delivery workflow. Key benefits include:

Faster speed to market

ARMP2P enables IT departments to make smaller, more frequent deployments. The framework includes reusable architecture patterns, standardizes delivery practices and automates permit approvals, accelerating production turnaround times.

Improved stakeholder engagement and traceability

ARMP2P creates standardized workflows for all stakeholders and centralizes storage of stakeholder approvals. Earlier engagements allow for more effective identification and confirmation of nonfunctional risk and control requirements, and encourage innovation.

Enhanced governance

ARMP2P automates risk, control and process enforcement and exception notifications to enable earlier identification of technology debt, work duplication and compliance gaps. Automated evidence collection makes the audit process more efficient.

More-effective portfolio management

ARMP2P leverages continuous budget assessments to improve portfolio prioritization and enables funding to flow to projects that promise the greatest financial benefits. Traceability and financial transparency are greatly improved.

The ARMP2P permitting process

The ARMP2P framework creates a robust permit-based workflow that promotes early engagement with stakeholders and incorporates automation to continuously monitor and comply with organizational governance, process, risk and control and regulatory compliance requirements.

The process consists of five key elements:

Permit to launch (ideation)

After an idea is formulated, program teams request a permit to launch (PtL). During this phase, teams conduct customer research and proof-of-concept tests, the results of which are used to help prioritize the portfolio. A PtL ensures that capital investments are prioritized for projects that provide the best potential returns or benefits.

Permit to plan (initiation)

During the initiation phase, formal business cases are prepared, risks and resource requirements are assessed and service and product delivery roadmaps are developed. Stakeholders are identified and notified to provide time for resource capacity planning and to provide input. An automated permit to plan (PtP) confirms program alignment with strategic enterprise and IT goals and establishes funding transparency.

Permit to design/build (planning)

During the planning phase, additional impact assessments are performed to confirm incremental mandatory process, risk and control and nonfunctional requirements, which are automatically added to the product backlog. Procurement processes are initiated and minimum viable architectures are developed, based on approved enterprise technology, business, security, resiliency and data patterns. A permit to design/build (PtD/B) confirms that applicable process, risk and control groups have agreed on functional and nonfunctional features prior to delivery.

Permit to operate (delivery)

During the delivery phase, releases are registered and systems are built using ARMP2P’s agile methodology. Where possible, automated system tests are performed, while automated readiness reviews confirm that unnecessary operational risks are not introduced into the production environment. Automated traceability is established to track release benefits and provide feedback to enterprise portfolio prioritization. A permit to operate (PtO) is only awarded if the reviews confirm that agreed-upon risk thresholds are being met and the system is fit for use.

Run and monitor

In this phase, releases and production environments are continuously monitored to ensure that assets and services are available as requested and managed safely and soundly. Operational data is gathered against agreed service and asset metrics and to support service resolution and continuous improvement. Assets are configured to automatically detect, log, diagnose and escalate disruptions. The run and monitor phase includes service maintenance, metering and reporting, as well as frequent backups to ensure uninterrupted delivery of services to end users and customers.