One of the nice things about living on a golf course is that there’s plenty of well-maintained scenery. Since we don’t play golf, we’re able to take nice, long walks unencumbered by clubs, balls, bags, and the need to keep score. While on our walk this morning, we passed by a car that had apparently encountered an inattentive driver. Bumpers are legally required here in Nevada, so the owner removed the outer portions of the smashed rear bumper and used a hank of clothesline to support the inner plastic core, now in two pieces. I’m not sure whether the Metro Police Department will object to his handiwork or simply chuckle and drive on, but it plainly isn’t going to absorb the impact of his next collision.
Most of my projects over the last thirty years or so required compliance with some regulation, standard, or guidelines published by some external authority. In many cases, it was administrative rules interpreting some legislation; in others, it was standards like GAAP. In all cases, compliance was one of our critical success factors. In many cases, we were self-auditing; in others, we had inspectors or auditors review our work. But compliance testing was a part of every plan. To that end, we tried to understand the nature of the regulation – what is it trying to accomplish, or prevent? It isn’t enough to just go through the motions of compliance. Your subject matter expert has to think like the inspector, and ensure that you are truly in compliance with both the letter and the spirit of the regulation.
Mitigating Bad Outcomes
The impact of a finding of non-compliance in an inspection or audit is a business risk in itself. In some cases, the bad outcomes that the regulations were designed to prevent or mitigate are also an operational risk. This is especially true when safety or privacy is at issue: the organization has a stake in preventing bad outcomes during the project and in operation. Consequently, compliance should be part of your project risk analysis. Think of the regulation or standard as a proven risk response; your goal should be to make it effective, so the organization doesn’t have to assume additional risk.
Like risk management, compliance management is part of a practicing IT project manager’s professional tool kit. You don’t have to be the subject matter expert on the regulations; you simply have to manage the efforts taken to comply, and ensure that compliance is effective, rather than merely cosmetic. Like that trussed-up bumper, for example.