Commonwealth Bank of Australia ensures regulatory compliance with Jira and Confluence DevOps ecosystem

Derek du Preez, April 14, 2022
The Commonwealth Bank of Australia is using Atlassian Jira and Confluence tooling to ensure its development work is compliant with financial regulations.

The Commonwealth Bank of Australia (CBA) has created a Software Development Life Cycle (SDLC) hub, built using Atlassian Jira and Confluence platforms, which automates compliance checks for teams. The hub is allowing the financial organization to scale DevOps for 7,000 users, whilst ensuring development happens within the framework of essential financial regulations. 

CBA’s automated management system for development and compliance is the result of a multi-year project to consolidate tooling and streamline the DevOps lifecycle. Andrew Boyagi, Executive Manager at CBA, was speaking at the recent Atlassian Team 22 event, where he explained how the changes have helped improve governance and have led to an overall improvement in the quality of software output.

In years gone by, DevOps teams at CBA were using a variety of tools, which were managed in silos. Boyagi said that this was causing inconsistencies across the bank. He added:

The tool chain was highly fragmented and had inconsistent use across the organization. It's a scenario that I'm sure many large enterprises have found themselves in in the past. To move from the inconsistent fragmented tool chain, to the DevOps ecosystem we have today, we went through a three step process for each phase of the DevOps lifecycle.

The chart below outlines CBA’s Jira journey, which shows how the organization consolidated its Jira instances, moved to Jira Data Center for scale and stability, and created an SDLC Core technology hub. This year CBA plans to move everything to Atlassian Cloud. 

A chart showing Commonwealth Bank Australia’s Jira tooling journey
(Image sourced via Commonwealth Bank of Australia)

Boyagi said that this entire process is about ‘industrializing’ the bank’s toolset and DevOps environments, to ensure high availability, performance and compliance with security requirements. He added:

Focusing on Jira, as an example, Jira was selected as the agile tool of choice in 2017 before we industrialized it in 2018. The uptake of Jira within the Commonwealth Bank was phenomenal, with a 451% increase in users in the first year. 

We then scaled the use of Jira by decommissioning rogue instances and migrating on to the industrialized enterprise instance. Jira became the single most used tool by technology to retain within the Commonwealth Bank. I distinctly remember walking between floors and seeing Jira open on almost every screen in the office, which I must admit was very rewarding for our team.

Beyond industrialization of tooling

As CBA matured in the ‘industrialization’ phase of its tooling ecosystem, the organization as a whole was undergoing a significant shift towards agile ways of working. Boyagi noticed that this shift was resulting in many variations in the way teams were developing, testing and releasing their systems to production. He added:

On one hand, it was awesome for teams to have high levels of autonomy and flexibility, but governance teams began introducing manual gates and checks to try and standardize the input into their control processes.

Being a bank we have several regulatory compliance considerations required in the delivery of technology. We saw velocity start to drop with multiple uncoordinated changes to governance processes taking place. 

As a result, the decision was made to develop a modernized SDLC, using Jira and Confluence at the core of the ecosystem, to bring together people, process and technology. Boyagi said: 

So, how do we bring together people, process and technology? We started with a goal which is very similar to the goal that most organizations would have: to create an environment that enables quality software to be shipped at pace. 

We started by engaging multiple software delivery teams and governance teams to understand their pain points from this requires some principles that we use in designing our ecosystem.

An SDLC ecosystem

CBA’s primary guiding principle was to create a solution that was tailored, automated and easy for both delivery and governance teams to use. On the objectives of the SDLC, Boyagi said: 

We were looking to abstract the complexity for delivery teams in understanding what they had to do for the type of release they had planned. And the solution had to be easy for teams, taking work to them, rather than having something abstract on the site that created additional work.

Next, focusing on what outcomes were required was more important than how something was done. This was critical to providing teams flexibility and allowing for teams of varying maturity to get to the desired outcome without being prescriptive on how they got there. 

Finally, traceability and adaptability throughout the system development process to remove manual governance gates and provide transparency across the organization.

With this established, CBA iterated on a solution that was adopted by 7,000 employees in under 10 months. Using Jira and Confluence, an SDLC was created to simplify the delivery experience for teams.

It consists of: 

  • An SDLC framework - what needs to be done by who. Essentially an instruction manual on how to ship high quality software within CBA. 

  • SDLC Core Technology - using Jira and Confluence to take work to teams, making SDLC work “visible” 

  • Integrated DevOps Tools and Pipelines - leveraging CI/CD and macro/micro automation 

  • Learning and Support - people support including training, playbooks, knowledge base and experts network

Explaining how it works, Boyagi said: 

The user journey starts with a member of the scrum team filling in the SDLC wizard, which asks a few questions about the type of work the team is doing. This form is on our SDLC site that's hosted on Confluence. 

Our solution then uses an applicability matrix to determine which SDLC practices are relevant for the team. This is dependent on a number of factors including the criticality of the system and the type of change. 

The solution then creates an Epic in the team's Jira project and creates all the required SDLC practices as tasks within that Epic. One cool feature of this is that the Jira tasks are automatically assigned to the relevant person in the squad. 

At the same time, an SDLC hub is created within the team's existing Confluence space. The Hub provides a list of all the practices…and also contains any template that may be required to complete the practice. 

So for example, if you need to create a test plan, the latest test plan template is automatically created as a page in the info hub and linked back to the Jira task. The team now have all the information they need injected directly into the place where they work within Jira and Confluence.

Boyagi said that there is no need for teams to look for any required processes or templates, as this is now all automated. Teams can now power on with what they do best, with full confidence there will be no surprises down the track.

Having SDLC practices and templates automatically created in Jira and Confluence means that CBA can also use metadata with these to automate reporting. The bank can now see the progress each delivery squad is making against each of the SDLC practices.

Governance teams are able to view an enterprise wide report on compliance with their controls in place, and lean into support to intervene where required. Boyagi added: 

Our reporting is also a key input into our continuous improvement process where we're able to identify practices and processes that are taking the longest to complete. We use trend data to inform our automation process and optimization prior authorization process, which enables scaled improvements to velocity. Finally, teams are able to ship their software to production with no surprises or manual compliance reporting required.
