
Overview

The Product Delivery Organisation consists of all the people, process and technology needed to define and deliver software products for an Organisation’s external and internal customers. The size of a Product Delivery Organisation varies greatly, from a single Product Team delivering a single Product to hundreds or thousands of Product Teams delivering a portfolio of Products to customers around the world.

The accountable decision-maker for the Product Delivery Organisation is the Head Of Product Delivery Organisation, most likely a Chief Technology Officer (CTO), Chief Product Officer (CPO), or combined role (CPTO). For larger Product Delivery Organisations there may be other decision-makers in specialised roles, such as a Chief Information Security Officer (CISO). You can extend this framework’s policy with additional objectives that assign specific accountability to these people where needed.

The above diagram shows how the Head Of Product Delivery Organisation is accountable for all responsibilities of the Product Delivery Organisation.

One of the goals of this framework is to clearly, fairly and scalably assign accountability for maximum effectiveness. There are four things needed to fairly assign accountability:

  • Understanding: the accountable person has to fully understand what they’re being held accountable for
  • Information: they have to have the information available to them to ensure what they’re accountable for is being done to an acceptable standard
  • Empowerment: they must have enough time in their working day to carry out the tasks required to ensure what they’re accountable for is being done
  • Control: they must have decision-making power over the people responsible for doing what the accountable person is being held accountable for

The Product Delivery Organisation can take steps to put the first three requirements in place if any are missing, but if the person being held accountable does not have decision-making power over the group or groups responsible, then you are almost certainly assigning accountability to the wrong person.

Continuous Improvement

Another goal of this framework is for the desired outcomes to emerge from simple, repeatable processes that can self-correct and adapt quickly to changes in the business environment of the Organisation. To achieve this, the framework requires the Product Delivery Organisation to manage two continuous improvement cycles.

Risk Management Cycle

The framework requires a cycle of continuous improvement by the Product Delivery Organisation in identifying, quantifying and mitigating risks.

The above cycle diagram shows how the Product Delivery Organisation maintains three artefacts that work together to form a continuous risk management improvement loop. Documented Risks inform and support the Product Security Policy, which defines the scope of the Agreed Ways Of Working, which reveals and quantifies Documented Risks.

With an initial set of Documented Risks (the Why) informing a relevant and practicable Product Security Policy (the Who and the What), the Product Delivery Organisation creates Agreed Ways Of Working (the How) that clearly define how it operates to meet its compliance requirements and deliver suitably secure products to its customers.

As Agreed Ways Of Working are followed, the Product Delivery Organisation will identify and quantify new risks. Two types of risks are of particular importance in this framework:

  • Alignment Risk: The gap between Agreed Ways Of Working and how people and teams are actually working. The framework explicitly captures these deviations, and for each one either the Agreed Ways Of Working are improved to make them more practicable, or the Documented Risks are updated so that the risk is known and managed
  • Product Risks: The framework utilises the Four Big Risks for Products as defined by Marty Cagan in INSPIRED to categorise risk in product delivery

These newly identified and quantified risks drive any changes required in the Product Security Policy, which in turn result in improvements to Agreed Ways Of Working, and the risk management cycle continues.

Strategic Improvement Cycle

Strategy is an often misused and misunderstood word. The framework clarifies strategic improvement by requiring the Product Delivery Organisation to maintain a Programme for Continuous Security Improvement. These are the changes to people, process & technology that aim to improve how the Product Delivery Organisation operates to meet its compliance obligations and deliver suitably secure products to its customers.

The above cycle diagram shows how the Product Delivery Organisation maintains a Programme for Continuous Security Improvement, which improves the effectiveness of Agreed Ways Of Working & Product Security Levels, which causes changes in Measures of Agreed Ways Of Working & Product Security Level, which inform and support the Programme for Continuous Security Improvement.

The strategic improvement cycle makes the Programme for Continuous Security Improvement data-driven: it is informed by measurements of Agreed Ways Of Working (how the Product Delivery Organisation is delivering products) and of Product Security Levels (how secure the products delivered to customers really are). Any activity planned within the Programme for Continuous Security Improvement can forecast its return on investment (ROI) from its expected impact on these measures, and then demonstrate that ROI once delivered.

