Project compliance means conforming to the laws, rules, policies, standards, and recommendations that apply to the project. It ensures that the project is executed in accordance with the organisation’s policies and processes, as well as any applicable laws and regulations.
Compliance is a non-negotiable aspect of the project and must be prioritized as mandatory.
Project compliance can involve various aspects:
- Financial compliance,
- Legal or regulatory compliance, such as requirements for specific practices, standards, privacy laws, or the handling of sensitive information,
- Environmental compliance,
- Ethical compliance.
The PM is in charge of ensuring that project activities and outcomes remain aligned with legal or regulatory standards, as necessary, because non-compliance can lead to financial penalties, legal action, negative impacts on the environment, and damage to an organization’s reputation.
Steps Taken to Ensure Project Compliance
- Identify all applicable regulations and standards needed for the project
- Establish compliance requirements which a project must meet
- Ensure that compliance requirements are incorporated into project planning
- Assign compliance responsibility to a specific team member
- Monitor compliance
- Document all compliance-related activities
- Conduct periodic compliance reviews to ensure that the project remains compliant
Compliance Categories
Compliance categories are types or areas of compliance that organisations may be required to address to satisfy regulatory and legal requirements. The particular compliance categories will vary according to the organisation’s sector, solution scope and region, but some examples include:
- Financial Compliance, such as the Sarbanes-Oxley Act (SOX),
- Data privacy and security compliance, such as the General Data Protection Regulation (GDPR)
- Environmental compliance
- Occupational health and safety compliance, such as the Occupational Safety and Health Administration (OSHA)
- Security Compliance, such as the Payment Card Industry Data Security Standard (PCI DSS) or the ISO/IEC 27001 standard.
- Software development compliance, such as the Capability Maturity Model Integration (CMMI) or the International Organization for Standardization (ISO) 12207 standard
- Anti-corruption compliance, such as the International Organization for Standardization (ISO) 37001 standard
- Social responsibility compliance, such as Corporate Social Responsibility (CSR), UN Global Compact or ISO 26000
Threats to compliance
- Lack of awareness or understanding: If employees, contractors, or partners are not aware of compliance requirements, or do not fully understand them, they may inadvertently violate them.
- Inadequate training: Even if employees are aware of compliance requirements, if they have not been trained on how to comply, they may still unintentionally violate them.
- Pressure to meet targets or deadlines: When there is pressure to meet business targets or deadlines, some individuals may be tempted to cut corners or bend the rules in order to achieve their goals.
- Cultural differences: When doing business across borders, cultural differences can create misunderstandings about compliance requirements or acceptable business practices.
- Rapidly changing regulations: As regulations and laws change, organizations may struggle to keep up and ensure that they are still in compliance.
- Cybersecurity threats: With the increasing reliance on technology and digital systems, organizations are at risk of cyber attacks that can compromise data security and lead to violations of data privacy and protection regulations.
Requirements versus Compliance
A requirement is defined as “a condition or capability that must be met or possessed by a system, product, service, result, or component to satisfy a contract, standard, specification, or other formally imposed document. Requirements include the quantified and documented needs, wants, and expectations of the sponsor, customer, and other stakeholders.” (Project Management Institute, 2008, p. 445)
Versus
Compliance is the act of conforming to rules, regulations, standards, or laws that are relevant to a particular activity, industry, or organization. It involves meeting legal or ethical requirements, as well as adhering to internal policies and procedures. Compliance is often associated with risk management, as it helps organizations avoid legal and financial penalties, reputational damage, and other negative consequences that may arise from noncompliance.
The International Organization for Standardization (ISO) defines compliance as the “fulfillment of a requirement” and “the ability to demonstrate that a requirement has been fulfilled.”
The European Union Agency for Cybersecurity (ENISA) defines compliance as “the ability of an organization to adhere to legal, regulatory, and contractual requirements related to security and data protection.”
According to Merriam-Webster dictionary, compliance is “the act or process of complying to a desire, demand, proposal, or regimen or to coercion.” It also refers to “conformity in fulfilling official requirements” and “the act or process of doing what you have been asked or ordered to do.”
Compliance as part of WBS or Product Backlog
Compliance is incorporated into the WBS or Product Backlog once the compliance requirements have been identified. They should be built into the project plan by adding specific tasks or user stories that address each compliance requirement. These tasks or user stories should be added to the WBS or Product Backlog and given appropriate priority and effort estimates. A team member should also be assigned responsibility for completing each of them. This helps ensure that the compliance requirements are met as part of the project.
Compliance as part of the Project Lifecycle
When it comes to project management, compliance should be considered throughout the project lifecycle, from planning to closure. Compliance requirements should be identified and incorporated into the project plan, including the project scope, schedule, budget, and resources. Compliance-related risks should be identified and mitigated throughout the project.
During the project execution phase, the project team should monitor and document compliance-related activities, including testing, reporting, and remediation.
In the project closure phase, compliance documentation should be reviewed and archived for future reference.
Impact of EEFs and OPAs of the Organization
Compliance in Predictive, Adaptive and Hybrid approaches
In a predictive approach, the Quality Management Plan (QMP) is used to define compliance expectations as part of non-functional requirements. The QMP is a document that outlines how quality will be managed throughout the project, including quality control and quality assurance activities. Compliance requirements are incorporated into the QMP to ensure that the project meets all necessary legal and regulatory requirements. The QMP also defines the specific activities, owners, roles, and responsibilities related to compliance, as well as the tools that will be used to manage compliance.
On the other hand, Agile projects do not have a specific quality process as part of the Agile life cycle. However, each resource is responsible for ensuring that their own delivery meets compliance requirements. This is done by incorporating compliance requirements into the Definition of Ready (DoR) and Definition of Done (DoD), user stories, acceptance criteria, and non-functional requirements. Additionally, dedicated compliance activities may be used throughout the Agile life cycle to ensure that all necessary compliance requirements are being met.
Documents that may have Compliance related Information
- Business Need and Need Assessment
- Project Charter
- Risk Register or dedicated Compliance Registers
- Quality Management Plan
Compliance Register
Sample of a compliance register:
| Compliance Requirement | Relevant Laws/Regulations | Compliance Status | Compliance Owner | Compliance Due Date |
|---|---|---|---|---|
| Data privacy and protection | General Data Protection Regulation (GDPR) | Compliant | Project Manager | June 30, 2023 |
| Health and Safety | Occupational Safety and Health Administration (OSHA) | Non-compliant | Safety Officer | July 15, 2023 |
| Environmental regulations | Environmental Protection Agency (EPA) | Compliant | Project Manager | Ongoing |
| Anti-corruption | Foreign Corrupt Practices Act (FCPA) | Compliant | Compliance Officer | Ongoing |
This compliance register lists the compliance requirements, relevant laws and regulations, compliance status, compliance owner, and compliance due date for each requirement. The compliance owner is the person or team responsible for ensuring compliance with the requirement, and the compliance due date is the date by which compliance must be achieved. This compliance register provides a simple overview of the compliance status of the project.
PMI’s PMP Exam Content Outline Coverage
Domain III: Business Environment
Task 1: Plan and Manage Project Compliance
- Confirm project compliance requirements (e.g., security, health and safety, regulatory compliance)
- Classify compliance categories
- Determine potential threats to compliance
- Use methods to support compliance
- Analyze the consequences of non-compliance
- Determine necessary approach and action to address compliance needs (e.g., risk, legal)
- Measure the extent to which the project is in compliance
Overall, incorporating compliance into project management requires collaboration between the project team, compliance officer, and other stakeholders to ensure that compliance requirements are met and the organization’s risk of non-compliance is minimized.