Standard: Policy enforcement is automated across environments

Purpose and Strategic Importance

This standard ensures that policy enforcement (covering security, compliance, and quality) is automated across all environments. It enables consistent governance without slowing down delivery or relying on manual checks.

Aligned to our "Inclusive & Diverse Engineering Culture" and "Resilience Over Uptime" policies, this standard promotes fairness, reduces human error, and strengthens organisational trust. Without it, enforcement is patchy, reactive, and hard to scale.

Strategic Impact

Meeting this standard delivers improved delivery flow, reduced risk, higher system resilience, and better alignment to business needs. Over time, teams will see reduced rework, faster time to value, and stronger system integrity.

Risks of Not Having This Standard

  • Reduced ability to respond to change or failure
  • Accumulation of technical debt or friction
  • Poor developer experience and morale
  • Decreased confidence in releases and features
  • Misalignment between technical implementation and business priorities

CMMI Maturity Model

  • Level 1 – Initial: Policy enforcement is manual or reactive.

  • Level 2 – Managed: Teams use basic static checks, inconsistently applied.

  • Level 3 – Defined: Policies are codified and embedded in pipelines.

  • Level 4 – Quantitatively Managed: Policy adherence is measured and reported.

  • Level 5 – Optimising: Policies evolve continuously, and feedback from violations informs proactive governance.

Security, compliance, and quality policies are expressed as code and applied consistently through automated checks.

Key Measures

  • Adoption metrics relevant to the standard (to be defined)
  • Quality, throughput, and system health metrics aligned to capability
  • Maturity scores based on structured assessment

Associated Policies

  • Automate everything possible
  • Infrastructure as Code (IaC) & Policy as Code

Associated Practices

  • Compliance-as-Code
  • Configuration as Code
  • Dependency Management Policies
  • Infrastructure as Code (IaC)
  • Linting and Static Code Analysis
  • Secure Code Training
  • Security as Code
  • Continuous Delivery (CD)
  • Continuous Deployment
  • Continuous Integration (CI)
  • GitOps
  • Security Testing in CI/CD
  • Service Mesh Implementation
  • Drift Detection & Correction
  • Health Checks & Readiness Probes
  • Automated Incident Response
  • Automated Rollbacks
  • Deployment Pipelines
  • Container Security Scanning
  • Data Encryption-in-Transit & at-Rest
  • Secure API Gateways
  • Threat Intelligence Feeds
  • Threat Modelling Workshops
  • Vulnerability Management Dashboards