Applying the principle in practice
Last updated
To apply principle five in practice, start by targeting three key areas of focus.
The first focus area is clarity, which, as shown in Table V below, strives to ensure that both GRC managers and product teams understand the purpose of governance, risk and compliance and how to apply it appropriately within a technology-powered, customer-first, product-centric, continuous delivery model.
By creating this clarity, many organizations will be able to move away from a one-size-fits-all approach to GRC and use an evolutionary approach that is measured and rational. The key benefit of this approach is that when done well, lead times and time to value can dramatically improve.
The second focus area is integration, which attempts to solve the siloed, linear and niche-based approach to governance, risk and compliance by assembling long-lived, cross-functional GRC teams with the ability to continuously support product teams.
As shown in Figure I below, GRC teams are essentially coalitions of risk and compliance experts that work with product teams in a continuous review flow.
The last focus area is tooling, which, when applied appropriately, can significantly reduce manual effort and bureaucracy while also improving the overall alignment between disparate management levels within the organization. Getting the right tools in place can be incredibly helpful, as disparate and unconnected tooling often pollutes the organization and its functions with disconnected, duplicated and inaccurate data. This can be solved through intelligent tooling, which enables organizations to connect their core tools and give the business a unified view of product value stream data and the associated risk and compliance data in a single, accurate and automated view. Learning to do this will of course take some time and effort. To get started, it may be helpful to review Dr. Mik Kersten’s book Project to Product.