DORA Metrics Meet Governance in Banking
Mike Long, Nathan Harvey and I discuss how DORA metrics can be aligned with governance frameworks in the banking industry. We posted the resulting article under the Team Topologies Expert View series.
Regulatory Environments Moving Quickly?
Industries that operate under regulatory constraints often find tension between those constraints and moving quickly. DORA (DevOps Research and Assessment), as a body of research and reflection on practice, has long since established that moving quickly doesn’t have to compromise stability. You can move quickly and safely.
I think this is particularly relevant for the world of governance and compliance. As a regulated industry, can we learn from the DevOps practices around speed and stability and apply them to the world of controls and controls engineering?
That’s something that Mike Long from Kosli, Nathan Harvey from Google’s DORA group and I discussed recently in the Team Topologies article.
DORA Metrics
DORA metrics include the “four keys” - four performance indicators that measure software delivery effectiveness:
- Deployment Frequency - How often code changes are deployed to production
- Lead Time for Changes - The time from code commit to production deployment
- Mean Time to Recovery (MTTR, which DORA calls time to restore service) - How quickly the team restores service after a production failure
- Change Failure Rate - The percentage of changes to production that result in degraded service and need remediation (a rollback, hotfix or patch)
The Governance Challenge
In banking, governance requirements often prioritize:
- Change control - Formal approval processes for production changes
- Audit trails - Complete documentation of who changed what and when
- Risk management - Careful assessment of potential impact before deployment
- Compliance - Adherence to regulatory frameworks like Basel III, MiFID II, and others
At first glance, these objectives seem incompatible with the high deployment frequency and rapid lead times that DORA metrics encourage.
The Path Forward: Controls Engineering
However, organizations are demonstrating that high governance standards and high-performing, fast-moving teams can coexist. The key is shifting from blocking changes and traditional fear-driven cultures to applying DORA engineering principles to the governance problem. This means embedding systems thinking and engineering into governance processes, and designing tamper-evident, technology-driven audit trails that are harmonized with the developer’s flow state rather than working against it.
Key Strategies
1. Automated Compliance Checks
Embed governance rules directly into your CI/CD pipeline. Rather than waiting for manual approval, automated checks validate compliance requirements as part of the build process and record their results as they run. This maintains audit trails while reducing cycle time. For consistency and easier conversations with audit professionals, centralise both the governance rules and the way compliance is evidenced, rather than centralising the rules and leaving each team to evidence compliance in its own way: auditors then see one consistent picture instead of a different story per team.
2. Risk-Based Approval
Not all changes carry equal risk. Implement tiered approval processes where low-risk changes (e.g., documentation) bypass lengthy approval, while high-risk changes (e.g., core payment systems) receive additional scrutiny. Classify configuration by what it controls rather than by file type: a feature flag on a payment path is a payment change, whatever it looks like in the repository. Don’t mention the C-word (CABs, Change Advisory Boards).
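The first two strategies together, as an added example that is not from the article and is not any bank's real policy: a path-based risk classifier that a CI job could run before merge, which escalates a change to the tier of its riskiest file, refuses to count the author's own approval, and returns a record that can be kept as evidence. The path patterns, tier names, approval counts and check names are all assumptions made for the example.

```python
"""Added example: a path-based risk classifier a CI job could run before
merge. It is illustrative code, not the article's and not any bank's real
policy; the path patterns, tier names, approval counts and check names are
all assumptions made for the example.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    rank: int                  # higher is riskier
    required_approvals: int    # reviewers other than the author
    required_checks: tuple     # pipeline checks that must have passed


LOW = Tier("low", 0, required_approvals=0, required_checks=("lint",))
MEDIUM = Tier("medium", 1, required_approvals=1, required_checks=("unit", "sast"))
HIGH = Tier("high", 2, required_approvals=2,
            required_checks=("unit", "integration", "sast", "risk-assessment"))

# Highest risk first; the first pattern that matches a file wins. fnmatch's
# '*' also matches '/', so 'services/payments/*' covers the whole subtree.
PATH_POLICY = [
    (("services/payments/*", "services/ledger/*", "infra/prod/*"), HIGH),
    (("services/*", "infra/*"), MEDIUM),
    (("docs/*", "*.md", "config/feature-flags/*.yaml"), LOW),
]
DEFAULT_TIER = MEDIUM  # an unrecognised path is never assumed to be low risk


def classify_file(path: str) -> Tier:
    for patterns, tier in PATH_POLICY:
        if any(fnmatch.fnmatch(path, p) for p in patterns):
            return tier
    return DEFAULT_TIER


def classify_change(paths) -> Tier:
    """A change is as risky as its riskiest file (an empty change counts as MEDIUM)."""
    return max((classify_file(p) for p in paths), key=lambda t: t.rank, default=DEFAULT_TIER)


def evaluate_change(change: dict) -> dict:
    """Decide whether a change may proceed and return the record to keep as evidence.

    change = {"commit": str, "author": str, "files": [paths],
              "approvals": [reviewer ids], "checks": {check name: passed?}}
    """
    tier = classify_change(change["files"])
    approvers = sorted(set(change["approvals"]) - {change["author"]})  # no self-approval
    missing = [c for c in tier.required_checks if not change["checks"].get(c, False)]
    reasons = []
    if len(approvers) < tier.required_approvals:
        reasons.append(f"needs {tier.required_approvals} approval(s), has {len(approvers)}")
    if missing:
        reasons.append("missing checks: " + ", ".join(missing))
    return {"commit": change["commit"], "tier": tier.name, "approvers": approvers,
            "allowed": not reasons, "reasons": reasons}


# Constructed sample changes; commit ids and names are made up.
DOCS_CHANGE = {
    "commit": "0000001", "author": "alice",
    "files": ["docs/runbook.md", "README.md"],
    "approvals": [], "checks": {"lint": True},
}
PAYMENTS_CHANGE = {
    "commit": "0000002", "author": "bob",
    "files": ["services/payments/router.py", "docs/runbook.md"],
    "approvals": ["bob", "carol"],  # bob's own approval must not count
    "checks": {"unit": True, "integration": True, "sast": True, "risk-assessment": False},
}

if __name__ == "__main__":
    for change in (DOCS_CHANGE, PAYMENTS_CHANGE):
        print(evaluate_change(change))
```

The design choice worth noting is the conservative default: a README inside the payments tree is classified as a payments change because the high-risk patterns are matched first, and a path the policy has never seen lands in the medium tier rather than the low one. Relaxing either of those is a policy decision that should itself go through review.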
3. Observable Systems
High observability enables faster recovery from failures. When MTTR improves through better monitoring and alerting, you reduce the impact of any production incident, supporting both compliance (incident response) and performance metrics. Apply the same principles to the compliance problem. If the conditions by which you evidence controls are a black box, you will get extra scrutiny from auditors. If your systems are self-documenting (think tracer rounds), those conversations will be much easier.
4. Version Control as Audit Trail
Modern version control systems like Git are content-addressed: each commit hash covers its tree and its parent commits, so any alteration to history changes every hash after it. That makes the history tamper-evident rather than strictly immutable, since branches can still be force-pushed or rewritten; branch protection, signed commits or tags, and retaining the history outside the repository are what turn it into an audit trail. Combined with those controls, version control can meet governance requirements via strong provenance trails. The journey to production typically starts with a commit and can be the backbone for demonstrating provenance in the software supply chain.
5. Containerization and Infrastructure as Code
Codifying your infrastructure enables governance at the code review stage, rather than at deployment time. This allows faster deployments while maintaining compliance. Traceability is key. Containerization (as well as offering other benefits) allows for easy provenance checks, because a running container is identified by its image digest and that digest can be tied back to the build and the commit that produced it. Systems like Kosli build on this to provide real-time observability of your production estate, demonstrating traceability from commit to running environment.
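Strategies 4 and 5 share one idea: a chain of evidence that runs from the commit, through the build, to the digest running in production, and that cannot be quietly edited after the fact. The following is an added example of that idea and is not the article's code, nor Git's or Kosli's mechanism: a hash-chained, MAC'd evidence trail, with a lookup that maps a digest observed on a host back to the commit and approval behind it. The key, commit ids, digest and host names are all made up for the example.

```python
"""Added example: a hash-chained, MAC'd evidence trail linking a commit to a
build digest and a deployment, so that a digest observed on a running host
can be traced back to the commit and approval behind it. This is illustrative
code, not Git's or Kosli's mechanism; the key, commit ids, digest and host
names are all made up for the example.
"""
import hashlib
import hmac
import json

EVIDENCE_KEY = b"example-key-only"   # assumption: held by an evidence service, not the pipeline
GENESIS = "0" * 64
SAMPLE_DIGEST = "sha256:" + "4e1b" * 16   # constructed image digest


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the same content always produces the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: dict) -> str:
    return hmac.new(EVIDENCE_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append(trail: list, kind: str, **fields) -> dict:
    """Append a record whose MAC covers its fields and the previous record's MAC."""
    body = {"kind": kind, "prev": trail[-1]["mac"] if trail else GENESIS, **fields}
    record = {**body, "mac": _mac(body)}
    trail.append(record)
    return record


def verify_chain(trail: list) -> tuple:
    """Return (True, 'ok'), or (False, reason) on any edit, reorder or gap."""
    prev = GENESIS
    for i, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, f"record {i}: broken link"
        if not hmac.compare_digest(_mac(body), record["mac"]):
            return False, f"record {i}: MAC mismatch"
        prev = record["mac"]
    return True, "ok"


def trace_image(trail: list, image_digest: str):
    """Map a digest seen in production back to its commit and approval.

    Returns None if the chain fails verification or nothing in it built that
    digest: a running image nobody can account for is itself a finding.
    """
    if not verify_chain(trail)[0]:
        return None
    build = next((r for r in trail if r["kind"] == "build" and r["digest"] == image_digest), None)
    if build is None:
        return None
    commit = next((r for r in trail if r["kind"] == "commit" and r["commit"] == build["commit"]), None)
    if commit is None:
        return None
    approval = next((r for r in trail if r["kind"] == "approval" and r["commit"] == build["commit"]), None)
    return {"commit": commit["commit"], "author": commit["author"],
            "signature_verified": commit["signature_verified"],
            "approved_by": approval["approvers"] if approval else []}


def build_sample_trail() -> list:
    """Constructed evidence for one change moving from commit to production."""
    trail = []
    append(trail, "commit", commit="9f1c3a2", author="alice", signature_verified=True)
    append(trail, "approval", commit="9f1c3a2", approvers=["bob", "carol"], tier="high")
    append(trail, "build", commit="9f1c3a2", digest=SAMPLE_DIGEST)
    append(trail, "deploy", digest=SAMPLE_DIGEST, environment="prod", host="pay-01")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print(verify_chain(trail))
    print(trace_image(trail, SAMPLE_DIGEST))
    trail[1]["approvers"] = ["bob"]   # a quiet edit to the approval record...
    print(verify_chain(trail))        # ...is caught
```

Two caveats a practitioner would raise. A chain like this catches edits, reordering and records removed from the middle, but not the silent loss of the most recent records, so the latest MAC needs to be anchored somewhere the pipeline cannot rewrite. And because HMAC verification requires the key, every verifier is also a potential forger; a production design would sign records asymmetrically so that auditors can verify with a public key and nothing more.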
Real-World Implementation
The convergence of DORA metrics and governance is increasingly evident in banking technology. Teams are:
- Deploying daily while maintaining regulatory compliance
- Recovering from incidents in minutes while satisfying audit requirements
- Increasing change frequency while reducing failure rates
This isn’t achieved by choosing between compliance and performance. Instead, it requires thoughtful integration of governance into the development workflow itself: shifting left on compliance by applying the same engineering principles DORA promotes to the governance process. This focus on automation and systems thinking is something we’re starting to call “controls engineering”.
Conclusion
Banking organizations no longer need to choose between traditional governance and modern software delivery practices. By embedding governance into automated systems, prioritizing observable architectures, and implementing risk-based controls, teams can achieve high DORA metrics while maintaining the rigorous compliance standards the industry demands.
The future of banking technology depends on organizations that can move quickly and safely. DORA metrics and the practices that affect them, properly applied to governance frameworks, are the step change modern regulated companies need to keep up.