Skip to content

August 24, 2022

Investments Unlimited: A Novel About DevOps, Security, Audit Compliance, and Thriving in the Digital Age (Sneak Peek)

By IT Revolution

In the vein of bestselling titles The Phoenix Project and The Unicorn ProjectInvestments Unlimited will help organizations radically rethink how they handle audit, compliance, and security for their software systems. By introducing concepts, tools, and ideas to reimagine governance, this book will catalyze a more humane way to enable high-velocity software delivery that inspires trust and is inherently more secure. Read the sneak peek of this upcoming book in this post.

Susan Jones had been the CEO of Investment Unlimited, Inc. (IUI), for five years. She was quick on her feet and always appeared to ask the right questions and make the right decisions. The board trusted her. But right now—although you couldn’t tell from her demeanor—she was panicking. 

“How did you find out?” Susan said into the phone, nearly gasping. It was family pizza night, but she had stepped away from the kitchen to take the urgent call. Behind her the noise of her family, Rich and Lucas making Rich’s famous pizza seemed to disappear. All she could hear was the beat of her own heart and Jason on the phone. 

“I met with Bernard this evening at our regular two-finger Scotch session. He let me know that the MRIA will be issued to IUI.” Jason paused. He knew this news was going to rattle Susan. He could already hear it in her voice. He continued, trying to provide some assurance. “You know, it may feel like regulators are out to get us, but they’re really there to help us and help protect our customers.” 

“You could have fooled me,” Susan replied, half under her breath. She didn’t think Jason heard her as he kept talking.

“It’s not uncommon for an MRIA to be informally notified through back channels so there’s no surprise when it’s issued. Bernard has a good relationship with the director of the regulatory agency approving the MRIA. That director reached out to Bernard as a show of good faith,” Jason said.

Susan took a deep breath. She was familiar with an MRIA, a Matter Requiring Immediate Attention, but only in concept. Actually being issued one was alarming. Federal regulators only issue an MRIA when something is seriously wrong at a bank. They aren’t handed out like candy. Susan had heard horror stories from other institutions, but she’d never had one issued at a bank she worked at—let alone the bank she ran.

“Do you know what the MRIA is about?” Susan asked.

“Yes, and it’s frankly embarrassing. There are over fifteen MRAs that have been issued to IUI over the past year. Our team has asked for several extensions on those, and there doesn’t seem to be a clear plan in closing them. That’s why this MRIA is being issued. Our team hasn’t provided any evidence of progress, and the agency now feels that we really have a huge problem.”

“I see,” Susan said. But really, she didn’t understand at all. How did my team let this happen? she wondered. How did I let this happen? Her CAO (Chief Audit Officer) had repeatedly assured her that everything was in order with these MRAs. Clearly that wasn’t true. 

“As you know, it’s a big issue,” Jason said. “Just remember, you’re in that CEO spot because Bernard thinks the world of you and knows you are extremely capable. I reminded him that he couldn’t have retired without you. He agreed.”

“Thanks for the kind words, Jason. We’ll have to get the whole team together first thing in the morning to tackle how we found ourselves in such a mess. There’s nothing more we can do tonight.”

“Sounds good,” responded Jason. “I’m sorry to interrupt your evening, but I knew you would want to know. I’ll talk to you tomorrow. Have a good night.”

“Yes, thanks, Jason. I’m glad you called. Good night.” Susan ended the call and sat down at the dining room table. It was a long table that fit over fifteen people, and it was always made up as if there was a dinner party starting at any moment. The orderly array of dishes in front of her seemed to mock her as she processed the implications of the call with Jason. Her mind was racing for answers and solutions.

She sat there, waiting for the numbness to wear off, waiting for her thoughts to slow down to a crawl. 

“Love, are you ok?” Rich said softly as he walked out of the kitchen. 

“Yes, I’m fine. Give me a minute and I’ll come in to help with the pizza,” Susan said back. She could smell the old Sicilian tomato sauce recipe that Rich was cooking up. It was a favorite of his, handed down from his great-grandmother to his mother to him. She took a deep breath. The delicious aroma was like therapy. Maybe she was starting to feel better—or maybe she was just hungry. Either way, she walked into the kitchen.

As Susan looked around, all she could see was a mess. White flour covered the countertops and floors. It looked like a fresh coat of Aspen snow had covered their kitchen.

“Well, this is certainly a ‘matter requiring immediate attention’ if I’ve ever seen one,” Susan said, walking over to her six-year-old son, Lucas, happily drawing smiley faces in the flour on the countertop.

“No need to meet Jason this evening?” Rich asked, bringing Susan an apron. 

“Nope, the phone call did enough damage for one night,” Susan responded, tying the apron on. 

“Ohhhhh, did Mommy get in trouuuble?” Lucas asked as he wiped his flour-covered hands all over Susan’s once-clean apron.

“Oh, Lucas,” Rich reprimanded gently. “Mommy didn’t get in trouble. There’s just a problem at her work. But she’ll fix it. That’s why she’s the boss,” Rich said with a smile toward his wife. He placed a big round of pizza dough on the counter in front of them. Flour flew up into the air and Lucas laughed.

“What kind of problem?” Lucas asked as Susan spread sauce over the dough. “Did you talk while your boss was talking? Or break a rule? ’Cause Xian broke a rule at recess today, and he had to sit for the rest of recess and not play at all.”

“No, I didn’t break a rule,” Susan said. “There’s just some housecleaning at work that hasn’t been getting done like it should. And now we have a whole lot of cleaning to do in a short amount of time.”

“Is it like when Grandma comes for a visit and you get all crazy?” Lucas asked, dramatically flinging his arms around.

Rich stifled a laugh and turned to grab the toppings.

“No, no. It’s more like when I ask you to clean your room. That’s like an MRA—what we call a Matter Requiring Attention,” Susan said, adopting her most serious movie-trailer voice.

“I hate when you tell me to clean my room.”

“Yes, well, what’s happened is we’ve been asked to clean our room lots of times, but apparently no one has done it, or at least not very well, so now we have to deal with a MR-I-A, a Matter Requiring Immediate Attention.”

Lucas’s eyes widened.

“Think of it like you’re on your last warning and you’re about to get a time out,” Rich added. “Or get sent to the principal’s office.”

“Wow. Mommy really did get in trouble,” Lucas said, and then he reached for a huge handful of mozzarella and dropped it in the center of the pizza.

Susan suddenly realized that she needed to inform her leadership team and set aside time tomorrow for assessing the situation.

“Rich, give me about five minutes before we decorate the pizzas. I need to do one last thing.”

Susan hurried back into the dining room and fired off a quick message to her senior staff using the inter-office chat system.

“Sorry to break into your evening, everyone, but this news can’t wait. Bernard and I were informed of an MRIA coming our way. Please do what you can to clear your schedules between 10 and 2 tomorrow. We have a lot of work to do.”

She pressed send and started walking back into the kitchen. 

Susan settled into her side of the bed as Rich pulled up the latest episode of the comfort TV show they were watching these days.

“So, you’ve got quite a firestorm to settle at the office, huh?” Rich asked.

“Yes. An MRIA is no joke,” Susan explained. 

“If I recall correctly, isn’t the next step some type of formal action by the regulators?” asked Rich. 

“Yes, it is. Something like that would have a devastating impact on IUI and everyone who works there. No doubt it could end Bernard’s time as chairman, end my career, and stain me for the rest of my working life. If it gets to that point, there are many companies looking to purchase our assets in a fire sale,” Susan responded.

“You’ll figure it out. They didn’t make you CEO for nothing,” Rich smiled. He clicked the button on the remote and started the show.

Susan’s mind wandered. She reflected back on how IUI had started fifteen years ago as a small company in a crowded industry clamoring for business. Like those nearby research centers, they sought to discover new ways to deliver investment and banking value to the world. She remembered the lean years where they struggled to get by. 

In just the past twelve years, this small but big-hearted company had managed to not only survive but also thrive with its winning strategy of focusing on socially responsible investing. This differentiator resonated in the market and soon began to pay off. Three years later, the 100-person firm had expanded to 1,000 employees and just topped $400 million in revenue. Things were looking pretty good.

They had also recently begun a digital transformation utilizing the business-accelerating principles of Agile and DevOps. Jason was hired to help with this. He was given the charter to take their digital products to the next level. He had a bold vision. He wanted to completely redesign the user experience, making complex financial transactions and products approachable, easy, safe, and reliable. He was doing all of this while helping the team adopt more modern and agile ways of working. The first releases of these intuitive tools proved to be way better than expected. Feedback from customers was astounding and conversion rates for new accounts were growing faster than ever. It felt like the next voyage of IUI was just about to set sail!

But now things were looking a little more like a sinking ship.

Susan wasn’t sure how she had found herself in such an uncomfortable position. She had assembled a great team to lead IUI into the future. Her CIO, Jennifer Limus, was brilliant. As a developer turned leader, Jennifer always seemed to have her finger on the pulse of technological innovation. Her adoption of DevOps practices and modern tools had allowed IUI’s products to be developed ahead of the competition. 

How did we miss this? Susan thought to herself. Surely Tim Jones, the CISO I hand-picked for the job, would have known this was coming. Why weren’t we prepared?

Susan wondered if she would be able to sleep. Her mind was spinning, searching for answers. Eventually she was able to drift off, dreaming of boardroom meetings, messy kitchens, and sinking ships.

Susan arrived in the company board room ahead of everyone else. Her admin had preceded her. She set up the virtual teleconference, placed the MRIA documents on the table, and adjusted the lighting. Susan took her seat and looked out of the window. Clouds were gathering. An apt metaphor, she thought to herself.

Jennifer, IUI’s CIO; Tim, the CISO; Bill Lucas, VP of Product; and Jada King, the Chief Risk and Compliance Officer (CRCO), arrived a few minutes later and took their seats around the table. It was clear that everyone was anxious and tensions were high

“Well, you all know why we’re here today,” Susan began. “I need answers, and fast. But first, I’d like to announce to everyone that effective today, Jada will act as Chief Risk and Compliance Officer, heading both Audit as well as Risk.” Murmurings began to fly around the room. Susan quickly held her hand up, a clear sign for everyone to quiet down. “I want to make this clear. No one has been fired. Fredrick has been looking to retire, and he has taken this as an opportunity to finally spend more time at that cabin of his and teach his grandkids to fish. I wish him the very best. I’ll be looking to fill this void, but it will take awhile. I have every confidence in Jada’s abilities until then.”

Despite Susan’s attempts to quell fear in the room, it was clear that everyone was tense. She understood. It had been a hard discussion with Fredrick early this morning. Despite her best attempts to assure Fredrick that she didn’t pass blame to him, he had made it clear that he didn’t feel he was up to the task anymore and that he had full confidence in Jada taking over.

“Okay, everyone. Now that that is out of the way. Let’s get down to business. I’ve heard what Fredrick had to say, but now I want to hear from all of you. How did we get to the point where the OCC has hit us with an MRIA?”   

Immediately, Jada spoke up. Jada had been with IUI at least as long as Susan, and she was always quick to offer her opinions. Her passion had made her a great CRCO, and hopefully a great CRCO. But that same strength also made her come across as rigid and abrasive at times.

“I’ve been warning everyone about this for the past year,” Jada answered. She added, “Yet consistently I was told that product release deadlines were a higher priority.”

“Come on, Jada. You know we had no choice,” Bill said. As VP of Product, Bill was obsessed with shipping features and products that would delight clients and drive revenue. He was always pushing to get things done and could always be counted on to defend his team. He had been with IUI longer than anyone else in the room and knew the customer well. His tenure sometimes meant he was slower to accept new mindsets and ways of working, but his intentions were right. “Without these new features and updates, the apps would be deemed unusable and our customers would vote us off the island. It’s like the Risk team doesn’t even know we’re running a competitive business here.”

“Of course we know that, Bill. We’re trying to help protect IUI and its competitiveness,” Jada responded. “We can’t be competitive if our applications and customer data aren’t secure. I’ve been cautioning you guys that in the name of DevOps and digital transformation, we’ve let our delivery teams do whatever they want—we have no control. For heaven’s sake, we are a bank!”

Susan leaned back in her chair. She wasn’t pleased by the blame that was being thrown around the room.

“Jada’s right,” Tim began in his typical firm yet calm voice, obviously trying to reign in a discussion that was quickly taking a bad turn. “We’re all looking out for IUI.” 

Tim had a commanding and official presence about him that fit his role as CISO. When he entered the room, people paid attention. His resume included a long list of leading financial cyber groups, as well as some large IT audit firms. “To be fair,” he continued, “we have all of these MRAs listed in the product backlog. Why hasn’t the Dev team been delivering on them?”

Bill rolled his eyes. “Honestly, it seems to take forever to just get features out,” Bill said. “I don’t know what our Dev teams do all day. They clearly can’t keep up.”

“Keep up?!” Jennifer looked perplexed. She was probably one of the youngest executive leaders at a company the size of IUI, but her knowledge and skill far outweighed many of her peers at other institutions. “I think everyone understands that we attack whatever is in our multiple backlogs with the engineers we have available. But each product’s backlog is growing on a daily basis with new features and demands.” Jennifer looked over at Bill and continued, “The problem is that we never get enough time to address the technical debt, much less the frequent ‘urgent new feature’ fire drills that the Product team keeps hitting us with.”

“So hire more people!” Bill shot back.

“You think it’s that easy? It’s just not that simple. The demand for quality engineers is extremely competitive, and then we still have to onboard those we do hire. We have many open spots right now, and the new engineers we just hired are still coming up to speed. I don’t think any of us saw the tsunami of new feature work that would be hitting us.” Jennifer seemed to calm down, suddenly realizing that none of this would help IUI. She looked over at Susan. 

Susan sat at the head of the table, quietly watching and listening as her team bickered like teenagers. 

Susan had expected some finger-pointing, but this was worse than she thought. Most of all, she was just confused. She had been receiving enthusiastic reports from all of her VPs about the great progress they had made with DevOps over the past few years. And after IUI had brought Jason in a year ago as SVP of Digital Transformation, the progress had only increased. However, now it seemed like the left hand didn’t know what the right had been doing.

“Look, this isn’t productive,” Susan said, standing up. “I need some real answers. What is the current situation with the MRAs and what are we going to do about it? I need to show the board that we have a clear plan of action.” She was exasperated. “The regulators have informed us that we have just three months to address all of their concerns and show we have a plan to move forward. Three months before IUI gets hit with a formal enforcement action from the regulators. Three months before every one of you and every person who works for you is suddenly out of job or IUI is taken over by the government. Three months before everything we have built comes crashing down around us.

“Now, I don’t think anyone in this room wants to have to tell their entire team that their leaders failed them.” Susan paused and looked at each person around the table. She was pleased to see some of them squirm slightly under her gaze.

“We get it,” Jada said, breaking the silence. She took a breath. “The MRAs deal with a lot of issues related to our IT governance—the way we develop, run, and manage software. We’ll get a summary list for you.”

“Thank you,” Susan said, sitting back down in her chair and looking at Tim, who was sitting next to Jada. 

Tim looked at Jennifer, then back to Susan. “I’ll work with Jennifer to put together our action plan to get these addressed. But it isn’t going to be easy. We have a lot of work going on right now…”

“There’s always a lot of work going on,” Susan interrupted Tim. “And I don’t need to be told that this will be hard. What I need are solutions. IUI’s survival could be in jeopardy, with serious consequences to our thousands of employees and their families. This must be our top priority.”

Susan looked around the room and worked up a grim smile. “I know we can get through this. There’s plenty of talent in this room and on your teams. We have just months to fix this mess or it’s game over. It’s as simple as that.” 

Susan stood again. “Now, I have to go and meet with the board, who will likely want us to bring in an external auditor to review and sign off on our closure package with regulators. But I want regular updates on your progress. My assistant will be putting a weekly huddle on all of your calendars. I expect great things from you all. Let’s figure this out. Let’s make this happen.” 

Heads nodded. Susan grabbed her tablet and exited the room.

Read more in the upcoming book Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age by Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Tapabrata Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis. Coming to a book store near you September 13, 2022.

- About The Authors
Avatar photo

IT Revolution

Trusted by technology leaders worldwide. Since publishing The Phoenix Project in 2013, and launching DevOps Enterprise Summit in 2014, we’ve been assembling guidance from industry experts and top practitioners.

Follow IT on Social Media

No comments found

Leave a Comment

Your email address will not be published.

Jump to Section

    More Like This

    Map Camp: Weird Mapping – How to Create a Revolution
    By David Anderson

    A version of this post was originally published at Dave Anderson, author of…

    Serverless Myths
    By David Anderson , Michael O’Reilly , Mark McCann

    The term “serverless myths” could also be “modern cloud myths.” The myths highlighted here…

    What is the Modern Cloud/Serverless?
    By David Anderson , Michael O’Reilly , Mark McCann

    What is the Modern Cloud? What is Serverless? This post, adapted from The Value…

    Using Wardley Mapping with the Value Flywheel
    By David Anderson , Michael O’Reilly , Mark McCann

    Now that we have our flywheel turning (see our posts What is the Value…