Updated: Nov 16
Compliance. Even the word sounds heavy. It’s a chore, something that must be done. My point in this post is to introduce a different way of thinking that makes the subject of compliance more compelling.
Tom Sawyer, a classic novel by Mark Twain, is the tale of a trickster who lives with his Aunt Polly. One of the more memorable stories in this book is when Aunt Polly tells Tom that he must whitewash her fence. Of course, this mandate is not something that Tom wants to do. However, being a smart young man, he decides to treat the mandate as an opportunity. He sells the idea of whitewashing to his friends as something that they want to do by changing their perspectives so the task appears more important or entertaining.
Soon, of course, Tom has many of the town kids doing the work while believing they are doing something for themselves. Tom is free to make sure it all comes together correctly and ends up not doing any of the work at all.
The story is a favorite of many and illustrates a key principle behind the concept of Dynamic Compliance Management. Regulations have historically been a chore for most organizations, done only because “they have to”.
Dynamic Compliance Management flips this paradigm. By breaking a mandate down into requirements, architects and business analysts can make them much more digestible. Organizations are constantly changing and commissioning projects to deliver incremental improvements, so why not just incorporate requirements as part of each change? When done effectively, project stakeholders are helping to paint the fence by thinking of effective and efficient ways to satisfy compliance requirements.
I have been involved in several elicitation sessions where stakeholders use the compliance requirement as a tool to “get an edge” in a competitive marketplace. The project sponsor will involve marketing resources as consulted stakeholders. These folks are fantastic at repackaging what “has to be done” into “what makes us better”, a skill that Tom Sawyer would undoubtedly have been quite good at.
What is the “Dynamic” Part?
Breaking down mandates into requirements might help manage compliance initially, but unlike a fence that occasionally needs a good whitewash, the worldwide regulatory environment is constantly changing. For example, Europe has different privacy mandates than we have in the United States.
As of now, California has just passed a new law requiring very detailed carbon reporting for any organization with revenues over 1 billion USD. I used “as of now” intentionally because the laws I just described are likely to change significantly in the coming months, adding to the problem.
Current compliance management approaches are static in the sense that they measure “lagging indicators”. What I mean by this is that the process typically runs as follows:
The organization decides it must comply with a law
Some kind of Governance Regulation Compliance [GRC] tool is bought
A policy is issued to direct how the organization will comply
Different parts of the organization try to implement the policy
The GRC tool captures performance effects associated with compliance
Policy makers adjust the policy, trying for a better balance between organizational effectiveness and legal compliance
GRC tools are great platforms for measurement, but the process itself relies on lagging indicators because the focus is on what has already occurred. To use another metaphor, it is like taking aim at where something was rather than where it is today. By treating regulations as requirements, they can be managed like any other requirement. This is important because:
Requirements are traceable – Analysts and architects regularly trace requirements to the source. In this case, the source is the law. With traceability in place, policy leaders know exactly where compliance occurs as business changes are being made.
Requirements are reusable – A mandate often affects the rules by which an organization delivers outcomes – business activities, key decisions, information needed, etc. These rules need to be reused as much as possible to preserve organizational agility. “Tuning” these rules for compliance with one or more mandates adjusts the way the business operates immediately. Operational decisions can be made at a detailed level to balance performance against compliance, and recommendations from the most knowledgeable sources (those who do the work) drive how compliance can be sustained.
Requirements are meant to be analyzed – The focus of business analysis is to apply analytical techniques as tools to improve requirement quality before a solution is delivered.
Requirement impacts can be modeled – Architects use methodologies like Architecture-Based Analysis to provide context around requirements by modeling impacts to affected people, processes, technologies, and organizations. Performance risk analysis is conducted proactively so that the performance / compliance balance can be adjusted beforehand. Modeling also helps uncover innovative ideas that allow the organization to take advantage of market disruptions which might be caused by the mandate and adjust strategies (strategic requirements) accordingly.
Managing compliance requirements dynamically assumes that the mandate will change, shifting the focus to leading indicators – measures that help policy makers understand the future impacts of policy implementation.
It should be noted that Dynamic Compliance Management [DCM] complements your current compliance management approach. You can use the same GRC dashboards, just with better quality source data.
What Does It Take to Implement DCM?
Making compliance management dynamic is not as difficult as it might seem. Most likely, your organization has most of the resources and tools to sustain a DCM approach. The most difficult component is in the area of organizational change management – shifting the way your organization manages compliance and incorporating methods that not only improve compliance implementation, but also improve project outcomes in general.
2md provides advisory engagements which are designed to assist with the transition. Our goal is to demonstrate the improvements of DCM, optimize the approach to fit your operating model and culture, then transfer that knowledge to your team. Once in place, you will be able to whitewash your own fence without our guidance.