Manage compliance requirements

Enablers

  • Confirm project compliance requirements. (ECO 3.1.1)
  • Classify compliance categories. (ECO 3.1.2)
  • Determine potential threats to compliance. (ECO 3.1.3)
  • Use methods to support compliance. (ECO 3.1.4)
  • Analyze the consequences of noncompliance. (ECO 3.1.5)
  • Determine necessary actions to address compliance needs. (ECO 3.1.6)
  • Measure the extent to which the project is in compliance. (ECO 3.1.7)

Deliverables and Tools

Compliance Requirements

  • Most projects have aspects of their solutions that are subject to legal or regulatory constraints.
  • The requirements for compliance must be identified, tracked, and managed throughout the project.
  • These can include requirements for specific practices, privacy laws, handling of sensitive information, and many other areas.

Risk Register

  • During the project you have tracked and managed risks using a risk register.
  • Each compliance-related risk entry in the register should record:
  • The identified risk
  • Risk owner
  • Impact if the risk is realized
  • Risk responses
  • Testing and validation plans should be created to ensure that the project's deliverables meet compliance requirements.
  • It is recommended to perform a summary check of compliance before the end of the project.
  • When possible, legal and regulatory compliance for deliverables should be validated on an ongoing basis during the project, so that a failed validation can still be remediated within the schedule rather than discovered at handover.

Configuration Management System

  • All of the project's deliverable components should be tracked in a configuration management system, which describes the deliverable, defines its key attributes, and allows for tracking, versioning, and control.
  • This configuration information should be handed over along with project deliverables and will continue to be tracked in the customer’s configuration management system.
  • One of the key attributes you will want to track is compliance information, including proof of validation for each deliverable that it meets the identified compliance requirements.

Compliance Categories Classification

Types of compliance categories vary based on industry and solution scope.

The appropriate categories will vary for each project based on your unique legal and regulatory exposure.

Some of the areas may include:

  • Environmental Risk
  • Workplace Health and Safety
  • Corrupt Practices
  • Social Responsibility
  • Quality
  • Process Risks

Execution Reports

The project manager regularly creates execution reports.

These include information about:

  • Project activities
  • Deliverable status
  • Overall progress

It is important to include the status of risks, including compliance-related risks, together with:

  • Actions to be taken to manage the risks
  • Testing and validation activities
  • Audits
  • Any other actions to verify deliverable compliance

Variance Analysis

Project managers regularly report on any project variances and on any actions taken to control the project and keep it on track.

Variances related to compliance are critical as they could potentially impact the usability of the project’s deliverables.

Variance analysis should detail:

  • The variance identified
  • Plans for bringing the project or deliverable back into compliance
  • Any proposed changes required to meet compliance requirements

Potential Threats to Compliance

There are many potential threats to compliance. These might include:

  • Identification of new vulnerabilities in the deliverables or in the third-party components they depend on.
  • Changes in legal or regulatory requirements.
  • Errors in testing and validation to confirm compliance.
  • Errors or bugs in deliverables.
  • Lack of awareness of compliance requirements.

Successful project managers need to ensure that compliance requirements for the project are continually identified, communicated, and managed, and that as changes to compliance requirements are identified, impact is assessed and the project planning is updated to reflect the changes.

Nonfunctional Requirements

Nonfunctional requirements are used to help stipulate the level of service warranty of the deliverables; in other words, whether you can count on this product or service to be usable. There are many types of nonfunctional requirements.

The project manager may find certain compliance requirements are documented as nonfunctional requirements (for example, encryption of sensitive data, audit logging, or data retention periods), and these need to be tracked and managed to ensure that the solution provides not only the expected functionality but also the needed level of warranty.

Sign-offs and Approvals

Identify the stakeholders authorized to sign off on and approve deliverables.

The solution and its deliverables must meet compliance requirements.

Sign-off and approval can happen throughout the project or at completion.

After testing and validating deliverables, a compliance sign-off provides the following benefits:

  • Early warning of potential threats to compliance.
  • The ability to capture variances and determine a course of action to remediate the issues, avoiding:
  • Negative impact on the project timeline
  • Cost overruns
  • Increased project risks

Tolerances

Tolerance is defined as the quantified description of acceptable variation for a quality requirement.

Tolerance levels enable the project manager to effectively manage certain issues without needing to escalate every issue.

Areas of tolerance might include:

  • Budget
  • Time
  • Quality
  • Nonfunctional requirements

For example, you as the project manager can handle issues with a budget or time variance of less than 5%, and are required to escalate any variance that exceeds that threshold.

Guidelines to Analyze the Consequences of Noncompliance

During the project, the project manager needs to identify and manage legal, regulatory, and other compliance requirements. Guidelines for analysis include:

  • Define the legal, regulatory, and other constraints, and define the business rules based on compliance requirements that will constrain the project solution and improve the likelihood of maintaining compliance.
  • Define parts of the potential solution subject to compliance requirements, the scope of the compliance requirement, and the stakeholders responsible for reviewing, approving, and signing-off on compliance of the component.
  • Track and manage the review and approval activities related to compliance requirements.
  • Track and manage the risks and risk responses related to compliance requirements.

Escalation Procedures

When a noncompliance issue is identified, the next step is to determine whether it is within the tolerance level of the project manager.

  • If it's within permitted tolerances, the project manager can work directly with the team to propose changes to resolve the variance.
  • If the noncompliance issue exceeds the tolerance allocated to the project manager, the issue must be escalated for adjudication.

For any particular compliance requirement, you should identify the stakeholders who will review the noncompliance issue and adjudicate how the team should proceed.

These procedures should be defined during project and risk planning.

Quality Management Plan

The Quality Management Plan describes the resources and activities needed for the project team to achieve the necessary quality objectives, and is an appropriate place to set expectations for the project's quality requirements.

Quality requirements might include:

  • Quality standards to be used.
  • Quality objectives of the project.
  • Quality roles and responsibilities.
  • Project deliverables and processes subject to Quality review.
  • Quality Control and Quality Management activities planned for the project.
  • Quality tools that will be used.
  • Major procedures relevant for dealing with nonconformance, corrective action procedures, and continuous improvement procedures.

Audits

Conducted by a team external to the project, such as an internal audit team or PMO.

Used to verify compliance with organizational policies, processes, and procedures.

Possibly used to verify implementation of change requests.

Designed to accomplish the following:

  • Confirm that good and best practices are being used.
  • Identify any nonconformity, gaps, and shortcomings.
  • Share good practices from other projects in the organization or industry.
  • Proactively offer improvements to productivity.
  • Highlight contributions to lessons learned.

Sampling

  • It may not be viable for quality assurance to inspect every single product or deliverable.
  • Instead, select a sample of the outputs of the processes and procedures and subject that sample to the quality review.
  • A sampling approach can provide similar results in identifying quality issues while reducing the cost of quality.
  • This helps to better align the quality assurance costs with the overall value to the project.

QA Tools

Quality management teams might use a number of tools and practices to identify quality issues.

These types of techniques might include:

  • Data gathering, which often uses checklists and other lists of acceptance criteria.
  • Data analysis, including alternatives analysis, document analysis, process analysis, or formal root cause analysis.
  • Decision making techniques.
  • Data representations such as affinity diagrams, cause and effect diagrams, flowcharts, histograms, matrix diagrams, and scatter diagrams.
  • Audit reports.
  • Design for X to focus on a particular value X and its impact on design quality.
  • Problem solving techniques.
  • Quality management methods such as Six Sigma and Plan-Do-Check-Act.

Guidelines to Measure the Compliance of a Project

  • Use QA outputs to confirm deliverable and process compliance and identify the needs for corrective actions.
  • Establish project tolerances and enable the project manager to either initiate corrective actions within tolerances or to quickly escalate any noncompliance outside of the tolerances.
  • Establish a clear Quality Management Plan and execute it on an ongoing basis to identify any noncompliance issues as early as possible.
  • Establish where external audit teams can confirm and validate use of appropriate processes and procedures and how audit results can enable the team to identify improvements.
  • Leverage effective QA tools and techniques to assess quality deliverables and identify improvements, corrective actions, or defect repairs required.
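The configuration management system described earlier should carry proof of validation for each deliverable, and the measurement guidelines above turn that record into a compliance figure that is compared against the project manager's tolerance. The following is an added example, not code from the original page: it checks a constructed register, treating evidence as valid only when the digest it was taken on matches the artifact currently in the register (a rebuild after sign-off invalidates the sign-off), then computes the noncompliance rate and the escalation decision. The record layout, requirement IDs, approver names and the 5% tolerance are assumptions made for illustration.

```python
"""
Checking compliance evidence in a configuration-management register.

Added example, not from the original page. The record layout (Deliverable,
ValidationRecord), the requirement IDs and the tolerance value are assumptions
made for illustration; the sample register below is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def digest(artifact: bytes) -> str:
    """SHA-256 of a released artifact; binds evidence to one exact version."""
    return hashlib.sha256(artifact).hexdigest()


@dataclass(frozen=True)
class Deliverable:
    name: str
    version: str
    content_digest: str            # digest of the artifact currently in the register
    requirements: Tuple[str, ...]  # compliance requirement IDs that apply to it


@dataclass(frozen=True)
class ValidationRecord:
    deliverable: str
    requirement: str
    validated_digest: str  # digest of the artifact that was actually tested
    approver: str


def check_compliance(deliverables: List[Deliverable],
                     records: List[ValidationRecord]):
    """Return (compliant_names, findings).

    A deliverable counts as compliant only when every requirement that applies
    to it has a validation record whose digest matches the artifact currently
    in the register. Evidence taken on an earlier build is stale, not proof.
    """
    by_key = {(r.deliverable, r.requirement): r for r in records}
    compliant, findings = [], []
    for d in deliverables:
        ok = True
        for req in d.requirements:
            rec = by_key.get((d.name, req))
            if rec is None:
                findings.append((d.name, req, "no validation evidence"))
                ok = False
            elif rec.validated_digest != d.content_digest:
                findings.append((d.name, req, "evidence is for a different version"))
                ok = False
        if ok:
            compliant.append(d.name)
    return compliant, findings


def noncompliance_rate(deliverables, records) -> float:
    """Fraction of deliverables lacking complete, current evidence (the measure)."""
    compliant, _ = check_compliance(deliverables, records)
    return 1.0 - len(compliant) / len(deliverables) if deliverables else 0.0


def needs_escalation(deliverables, records, tolerance: float) -> bool:
    """True when the noncompliance rate exceeds the project manager's tolerance."""
    return noncompliance_rate(deliverables, records) > tolerance


# Constructed sample register: one deliverable fully validated, one rebuilt
# after its validation (stale evidence), one never validated.
DELIVERABLES = [
    Deliverable("api-gateway", "2.1", digest(b"api-gateway 2.1 build"), ("PRIV-01", "SEC-03")),
    Deliverable("billing-service", "1.4", digest(b"billing-service 1.4 rebuild"), ("PRIV-01",)),
    Deliverable("reporting-ui", "3.0", digest(b"reporting-ui 3.0 build"), ("ACC-02",)),
]
RECORDS = [
    ValidationRecord("api-gateway", "PRIV-01", digest(b"api-gateway 2.1 build"), "privacy.officer"),
    ValidationRecord("api-gateway", "SEC-03", digest(b"api-gateway 2.1 build"), "security.lead"),
    # signed off on the original 1.4 build; the register now holds a rebuild
    ValidationRecord("billing-service", "PRIV-01", digest(b"billing-service 1.4 build"), "privacy.officer"),
]

if __name__ == "__main__":
    ok, issues = check_compliance(DELIVERABLES, RECORDS)
    print("compliant:", ok)
    for name, req, reason in issues:
        print(f"finding: {name} / {req}: {reason}")
    rate = noncompliance_rate(DELIVERABLES, RECORDS)
    print(f"noncompliance rate {rate:.0%}, escalate: {needs_escalation(DELIVERABLES, RECORDS, 0.05)}")
```

Binding each validation record to the digest of the build that was tested is the point of the example: a sign-off that names only "billing-service 1.4" would still look valid after the component was rebuilt, whereas the digest comparison surfaces it as a finding that the project manager must either re-validate within tolerance or escalate.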