The smartest organisations are now managing risk through an adaptive governance model that’s appropriate for each scenario, and balances innovation with compliance, says Gordon Van Huizen of Mendix
Sometimes in software development, things can sit on your to-do list for years – and it’s a technology-based disruption that pushes them to the top of your priorities. Remember the move to mobile 15 years ago? All of a sudden, people were rushing to address things they should have already thought about in the web app age. User experience, robust testing, programs that are truly fit for purpose and not just functional – the emergence of mobile highlighted many gaps that organisations had to fill.
In 2025, AI and low code are the innovations having a profound impact on software development. And one, perhaps under-acknowledged, consequence is a shift in how organisations approach risk management and regulatory compliance.
The decentralisation of development
How enterprises develop and deliver technology – for both internal and external use – is changing. Where once technology development was a process led centrally by IT, today, low code and AI are driving a shift to development teams spread across the organisation.
This is incredibly exciting in many ways, as developers can be more responsive to business needs, collaborating directly with the people most aware of what customers, employees and partners require. But at the same time, it changes the business’s relationship with risk.
In the old world, the IT professionals driving development had a holistic perspective of the security concerns, risk profiles and compliance requirements of the organisation as a whole. But now, distributed developers work on smaller pieces of the puzzle, each of which presents a range of risk management and governance questions. Enterprises now face managing the risk, as well as embracing the opportunity, of this democratisation.
The age of adaptive governance
Risk is a complex question in the time of distributed development. Governance and risk mean different things, depending on where the technology sits in the business. Issues such as whether applications are customer-facing, how sensitive the data is and how it’s stored, and privacy considerations will each vary from case to case.
Delivering a mobile banking feature could raise all kinds of questions. How and where is customer data stored? Who has access? What will be in the hands of the customers, and what will be in the hands of employees? With so many interconnected issues, it could be easy to miss something crucial from a privacy, security or regulatory perspective.
It’s more important than ever that individual developer teams get to grips with the risk and compliance implications of their activities. This creates a new role for risk managers and compliance officers. Rather than simply sitting centrally, these specialists need to be embedded in multidisciplinary technology delivery teams across the organisation, sometimes referred to as “fusion teams”. There, they act as a front line for risk management, empowering development teams with the right guidance and oversight of their activities.
The smartest organisations are moving to a model of adaptive governance: risk management that’s appropriate for each scenario, and balances innovation with compliance. It’s here that fusion teams will really deliver. With a blend of experts from the business, software developers and UX specialists, teams can better understand the risk and compliance implications of their work – and proactively protect the organisation.
The invisible shift
The shift to decentralised technology is nothing new. But low code and AI are catalysing the parallel shift to a new risk management and compliance model. It may be less visible – but the consequences will be significant. It’s important that everyone gets to grips with the age of adaptive governance, to ensure that distributed development can deliver on its promise, without compromising the business.
About the author
Gordon Van Huizen is SVP Strategy at Mendix.

This article was first published in issue 2 of Business 4.0.

