Faux Compliance

[Photo: Crappy Bumper]

One of the nice things about living on a golf course is that there’s plenty of well-maintained scenery. Since we don’t play golf, we’re able to take nice, long walks unencumbered by clubs, balls, bags, and the need to keep score. While on our walk this morning, we passed by a car that had apparently encountered an inattentive driver. Bumpers are legally required here in Nevada, so the owner removed the outer portions of the smashed rear bumper and used a hank of clothesline to support the inner plastic core, now in two pieces. I’m not sure whether the Metro Police Department will object to his handiwork or simply chuckle and drive on, but it plainly isn’t going to absorb the impact of his next collision.

True Compliance

Most of my projects over the last thirty years or so required compliance with some regulation, standard, or guidelines published by some external authority. In many cases, it was administrative rules interpreting some legislation; in others, it was standards like GAAP. In all cases, compliance was one of our critical success factors. In many cases, we were self-auditing; in others, we had inspectors or auditors review our work. But compliance testing was a part of every plan. To that end, we tried to understand the nature of the regulation – what is it trying to accomplish, or prevent? It isn’t enough to just go through the motions of compliance. Your subject matter expert has to think like the inspector, and ensure that you are truly in compliance with both the letter and the spirit of the regulation.

Mitigating Bad Outcomes

The impact of a finding of non-compliance in an inspection or audit is a business risk in itself. In some cases, the bad outcomes that the regulations were designed to prevent or mitigate are also an operational risk. This is especially true when safety or privacy is at issue: the organization has a stake in preventing bad outcomes during the project and in operation. Consequently, compliance should be part of your project risk analysis. Think of the regulation or standard as a proven risk response; your goal should be to make it effective, so the organization doesn’t have to assume additional risk.

Like risk management, compliance management is part of a practicing IT project manager’s professional tool kit. You don’t have to be the subject matter expert on the regulations; you simply have to manage the efforts taken to comply, and ensure that compliance is effective rather than merely cosmetic, like that trussed-up bumper.

This entry was posted in Quality Management by Dave Gordon.

About Dave Gordon

Dave Gordon is a project manager with over twenty five years of experience in implementing human capital management and payroll systems, including SaaS solutions like Workday and premises-based ERP solutions like PeopleSoft and ADP Enterprise. He has an MS in IT with a concentration in project management, and a BS in Business. In addition to his articles and blog posts, he curates a weekly roundup of articles on project management, and he has authored or contributed to several books on project management.

2 thoughts on “Faux Compliance”

  1. Dave, I appreciate your pragmatic take on compliance.

    This is a key insight: “To that end, we tried to understand the nature of the regulation – what is it trying to accomplish, or prevent? It isn’t enough to just go through the motions of compliance.”

    I have seen too many compliance efforts collapse into “tickbox efforts.”

  2. Thanks, Bruce. I wonder how many of these retail chains would have been saved a lot of public embarrassment and liability if their project managers had taken PCI compliance seriously? Every time I hear about a breach, I wonder what shortcuts were taken, and whether anyone learned from the experience. It’s the little things that cause all of the damage.
