Looking ahead, Herbert, who is also Atlassian’s risk futurist, believes that there will also be more openness in the transmission of information across an organisation. And, that more and more companies will embrace Agile management techniques, just as ANZ recently has in a bid to transform to a leaner and more responsive bank.

"A lot of organisations realise that they need to be more adaptable because the market is changing so fast now," he says. "They need the adaptability that Agile gives them".

An Agile culture certainly helped Herbert when he joined Atlassian four years ago after more than 20 years of working in risk at companies such as Westpac, Macquarie, Ericsson, Optus and Pfizer.

"I remember the guy that hired me telling me that Atlassian is a ‘do-ocracy’. You need to do things instead of just telling people to do them," he recalls.

"That really comes through at Atlassian. As part of the Agile way, the teams actually do things. It’s about being in that stand-up meeting every day, saying what you did yesterday and actually having that mean something."

In fact, Atlassian has always been Agile ever since it was started with by Mike Cannon-Brookes and Scott Farquhar in Sydney in 2002, financed with $10,000 in credit card debt.

"We have always tried to meet the customer’s needs," says Herbert.

VIEW ALL

Today, Atlassian, which develops collaboration tools and software for software developers, project managers and content management, is worth more than $14 billion.

Headquartered in Sydney, it has offices in San Francisco, Austin, Amsterdam, Tokyo and Manila and now serves over 100,000 customers worldwide, including NASA and 85 of the Fortune top 100 companies.

But Herbert says: "At the time I joined, we really didn’t have many compliance obligations. It wasn’t that hard from a risk and compliance perspective. We weren’t listed anywhere and we didn’t have to report to anyone. The only people looking at our financials were our external auditors.

"Since then, we’ve listed on Nasdaq. That means that we have to do Sarbanes–Oxley (SOX) audits for US regulators. We also do a Service Organization Control or SOC 2 report for our customers on the quality of our processes so that, I like to say, they know that we are not a bunch of fly by night cowboys. We also have customers in Europe, so there are a lot of privacy obligations there.

"We went from not having any SOX controls to having a SOX audit conducted by our external auditor in about an 18-month time frame. We went from zero to pretty close to perfect. No qualifications or material weaknesses was a nice outcome for us."

There were, of course, challenges.

Herbert says one of the biggest ones was taking the traditional ways of thinking about risk and compliance and applying that in an organisation that is quite adaptable and likes to change quickly.

Another was getting people who hadn’t been thinking about compliance obligations to start thinking about them.

"What made it easy was that Atlassian has a really good culture,’ he says.

"Atlassian is, by its very nature, Agile at its core. The teams here are quite small. That means that people can take ownership of the risks and other things that are happening in their teams and space.

"And that makes risk management really easy because people own the risks and their compliance obligations."

So what is Agile?

Herbert says Agile originally started as a way to build software faster nearly 20 years ago.

"Other people in the organisation began seeing the improvements in technology that came through when implementing Agile and they have tried to use those processes to become more adaptable themselves."

Agile even has its own manifesto which ranks priorities for teams – for example, individuals and interactions over processes and tools, and responding to change over following a plan.

"Today, it’s not just limited to how you build software. It is about how you deliver any process," says Herbert.

Overtime, many Agile frameworks have emerged such as Scrum, Kanban, Lean, and Extreme Programming (XP). Each embodies the core principles of frequent iteration, continuous learning and high quality in its own way.

"With Agile you get more decentralised decision-making," says Herbert.

"The teams are smaller and they tend to form and reform as they are doing things. They will also change process as they are doing things. At the end of each piece of work, with Agile, you run a retrospective so that you can learn from the things you just did. It’s about creating feedback loops. If they are doing something and it doesn’t work, the idea is that you then change so that it does work."

There’s no “big bang” launch. Instead, an Agile team delivers work in small increments. A lot of organisations are trying to become Agile, but Herbert sees many mistakes being made.

"Some organisations are rolling out the formula for Agile instead of actively being Agile. They do the stand ups. They have the Post-It notes. They build Agile walls of all the things they need to do, but they are actually not being any more Agile."

These companies, he says, are embarking on the traditional or “waterfall” rollout of Agile, where they treat different parts of a project as discrete phases, instead of starting with a small engaged and empowered team and seeing where that goes.

While Atlassian’s small teams and culture of ownership made risk management easy for Herbert, he warns that these can also create risks for an organisation.

What if the team goes off and becomes almost rogue? The solution, he says, is setting boundaries for their scope and decision-making.

He also expects diversity in teams to become more important.

"At the moment, most organisations are measuring diversity in terms of gender and perhaps racial backgrounds, but we are also looking for diverse thinking, so you need people from different skills backgrounds to get diverse thinking in those teams," he says.

Herbert notes that Agile doesn’t make it harder or easier to comply with any regulatory requirements.

"You just have to be smarter about it and that’s where getting your compliance function to really think how it will work is very important," he says.

"That raises the question: should the risk, compliance and audit function consider going Agile? You’d get a bunch of smart people in the room to think about what can go wrong in the organisation and how ready you are to deal with these, and you’d work from there."

Herbert certainly believes there could be benefits from an audit function becoming Agile in how it works with the business.

"By responding and adapting to the changing business, it will make the organisation more resilient," he says.

"Following the plan from last year is quite likely to miss the changes that have happened or need to happen for the business to be successful."

Guy Herbert will be presenting at Governance Institute of Australia’s Governance and Risk Management Forum 2018 in Sydney.