Skip to main content
BlogDigital Transformation & Product Strategy

From Waterfall to Agile: A Practitioner's Guide for Regulated Industries

Digital Transformation Practice2 min read

The waterfall to agile transition is one of the most discussed shifts in technology delivery, and one of the most badly executed. Especially in regulated sectors. Water utilities running an AMP cycle, energy networks inside a RIIO settlement, banks living under operational resilience policy, all face delivery constraints that look nothing like a consumer software shop.

There are reasons waterfall took hold here. Capital programmes are approved on five-year regulatory windows. Ofwat sets totex allowances and performance commitments at PR24 for the 2025 to 2030 AMP8 period [2]. Ofgem's RIIO-2 framework runs on a similar multi-year shape with output delivery incentives and uncertainty mechanisms [1]. UK banks operate under the joint Bank of England, PRA and FCA operational resilience regime, which from March 2025 expects firms to stay within impact tolerances for important business services [3]. The EU has gone further with DORA, in application since 17 January 2025, on ICT risk and resilience testing [5]. None of that is incompatible with iterative delivery. It is, however, incompatible with pretending that governance does not exist.

The mistake we see most often is treating the move to agile as a methodology swap. Teams are sent on Scrum training. A Spotify-style poster goes up. Sprints start. Around them, very little changes. Funding is still annual capex. Governance still wants a fixed scope plan in month one. Procurement still issues fixed-price tenders against a hundred-page specification. The result is what Steve Denning labelled fake agile, and what practitioners on the ground call agile theatre [14]. Standups inside a waterfall organisation.

We treat the transition as an organisational change programme, not a methodology adoption. In our practitioner experience, four pillars have to move together, and the order matters less than the fact that none of them get to lag.

The first pillar is governance reform. Iterative delivery needs governance that reviews working software rather than RAG status decks, and that decides in days rather than monthly steering committees. Regulators do not require Gantt charts. They require evidence of control, traceability, and tested resilience. RIIO-2 even has uncertainty mechanisms that allow within-period reopeners [1]. PR24 includes Outcome Delivery Incentives that reward measured performance, not plan adherence [2]. Governance can be redesigned to fit, if the organisation is willing.

The second pillar is funding. Annual capital cycles cannot service quarterly reprioritisation. Scaled Agile's Lean Portfolio Management offers a workable pattern: fund persistent value streams instead of projects, set guardrails, and reallocate at quarterly increments [6][7]. Disciplined Agile from PMI sets out a goal-driven version of the same idea [9]. LeSS comes at it from the descaling angle, with feature teams as the unit [8]. The framework label matters less than the funding mechanic underneath it.

The third pillar is procurement. Most regulated estates run on large fixed-price systems integrator contracts written for a different delivery world. Outcome-based, time-and-materials, or hybrid commercial models are needed instead. That requires retraining commercial teams and rewriting templates, which takes longer than anyone budgets for.

The fourth pillar is capability and culture. This is where Scrum training fits, but it is one element. The published cases worth studying include ING's tribe and squad reorganisation in retail banking, covered in HBR and McKinsey [10][11], Capital One's parallel cloud and product-team rebuild [16], and the UK Government Digital Service's discovery, alpha, beta and live model now codified in the GOV.UK Service Manual [12]. None of those moved through a single training programme.

A grounding note. The Standish Group CHAOS data is often quoted to argue agile beats waterfall by a wide margin [13]. The headline ratios are striking. The methodology behind them is also proprietary and contested, so we cite it as directional, not definitive.

What does this look like for a board sponsor in a UK water company entering AMP8, or a treasury bank scoping its DORA programme? Less new vocabulary, more honest conversations about who controls money, who signs off scope, and how the supplier panel actually works. The teams will learn Scrum. The harder change sits above them.

Coderex advises boards, transformation sponsors, and finance functions in regulated industries on the operational shape of these decisions: governance redesign that satisfies the regulator without slowing decisions, funding reform that moves money to value streams without breaching the totex envelope, supplier reform that takes longer than anyone budgets for, and capability investment that compounds over years rather than through a single training wave.

Expect AMP8 to surface several published cases of UK water companies running outcome-based PMOs against Performance Commitments before 2028. Expect DORA's first wave of supervisory findings during 2026 to put pressure on EU financial firms still treating operational resilience as a point-in-time compliance project rather than a continuous-evidence regime. Expect at least one UK central government department to publish a structured retrospective on a high-profile fake-agile transition before the next spending review.

Methodology note: This piece draws on UK and EU regulator publications (Ofwat, Ofgem, BoE/PRA/FCA, EBA, Official Journal), official framework documentation (SAFe, LeSS, PMI Disciplined Agile, GDS Service Manual), and published case literature (HBR and McKinsey on ING, Capital One Tech, Forbes on fake agile). It reflects what we observe in practitioner work in regulated UK and EU contexts. Standish CHAOS figures are cited as directional given known methodological debate.

References

16 sources, all verified at the time of writing

  1. [1]Ofgem, 2022. RIIO-2 Network Price Controls: Decision. Office of Gas and Electricity Markets. https://www.ofgem.gov.uk/energy-policy-and-regulation/policy-and-regulatory-programmes/network-price-controls-riio.
  2. [2]Ofwat, 2024. PR24 Final Determinations: Our final determinations for the 2025-2030 price review. Water Services Regulation Authority. https://www.ofwat.gov.uk/regulated-companies/price-review/2024-price-review/.
  3. [3]Bank of England et al., 2021. Operational resilience: Impact tolerances for important business services (PS6/21, PS21/3, SS1/21). Bank of England. https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-policy.
  4. [4]European Banking Authority, 2019. EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). European Banking Authority. https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management.
  5. [5]European Parliament and Council of the European Union, 2022. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2022/2554/oj.
  6. [6]Scaled Agile, Inc., 2024. Lean Portfolio Management. Scaled Agile Framework. https://framework.scaledagile.com/lean-portfolio-management/.
  7. [7]Scaled Agile, Inc., 2024. Operational Value Streams and Development Value Streams. Scaled Agile Framework. https://framework.scaledagile.com/value-streams/.
  8. [8]Larman, Craig and Vodde, Bas, 2024. Less is More: An introduction to LeSS. The LeSS Company. https://less.works/less/framework.
  9. [9]Project Management Institute, 2024. Disciplined Agile: The Tool Kit. PMI Disciplined Agile. https://www.pmi.org/disciplined-agile.
  10. [10]Barton, Dominic et al., 2018. One Bank's Agile Team Experiment. Harvard Business Review. https://hbr.org/2018/03/one-banks-agile-team-experiment.
  11. [11]Mahadevan, Deepak and Schaal, Pamela, 2017. ING's agile transformation. McKinsey Quarterly. https://www.mckinsey.com/industries/financial-services/our-insights/ings-agile-transformation.
  12. [12]UK Government Digital Service, 2024. Service Manual: Agile delivery. GOV.UK. https://www.gov.uk/service-manual/agile-delivery.
  13. [13]Standish Group, 2020. CHAOS 2020: Beyond Infinity. The Standish Group International. https://www.standishgroup.com/sample_research_files/CHAOS%20Report%202020-FINAL.pdf.
  14. [14]Denning, Steve, 2018. Understanding Fake Agile. Forbes. https://www.forbes.com/sites/stevedenning/2018/05/23/understanding-fake-agile/.
  15. [15]Bossert, Oliver et al., 2018. Unleashing the power of small, independent teams. McKinsey Digital. https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/unleashing-the-power-of-small-independent-teams.
  16. [16]Capital One, 2020. Capital One's journey to the cloud. Capital One Tech. https://www.capitalone.com/tech/cloud/all-in-on-aws/.