To navigate strict regulatory compliance while using agile methods, project managers must find a middle ground.
If you've ever heard that “agile means no documentation” then, like me, you probably rolled your eyes and moved on. That kind of management approach does not work in regulated industries such as finance, defense or healthcare.
However, if we're honest, delivery is often slowed by the extra reports, audits and authorizations that come with regulatory or corporate oversight. That leaves us with a problem: How do we complete all the compliance paperwork while implementing agile methods?
Here are some practical tips to do just that:
In one corner, security auditors argue that documents and gate reviews are the only way to ensure quality is achieved and regulations are met. In the opposite corner, agile experts insist that documents add no value. Both are wrong.
A strong project manager finds a balance between too much and too little and makes the case to implement changes on both sides.
Engage Auditors Early
The best way to craft a custom strategy for managing regulations is to work with the auditors directly. Often they won't have time for a full audit, so set up short, regular collaboration meetings to keep everyone aligned on what's been done and what's still needed. Show the auditors how to achieve "lightweight compliance" with nontraditional documentation, such as whiteboard photos and rolling wave plans. They may even grant a few process waivers, leaving you less compliance work to do. The sooner you have these conversations, the better; otherwise, you may get an unpleasant surprise during your security audit.
One agile technique is to establish a "definition of done": a simple checklist spelling out what a high-quality product needs in order to be "shippable," meaning ready for consumer use. Many teams keep a separate checklist of the additional work required to actually "ship" the product into operations, or get it into the consumer's hands. This distinction between "shippable" and "shipped" applies to compliance as well.
For example, for a project to be "auditable," we use a checklist that ensures we retain copies of every artifact, peer-review minutes and customer feedback as the work happens. We wait until much later to collate those materials and submit them to be "audited." Capturing the evidence as you go is cheap; reconstructing it after the fact is not. You save a lot of overhead if, instead of doing all the compliance work all the time, you do just enough for now.
Sacrifice Scope (If Necessary)
Sometimes a competitor's newly announced medical device has our business sponsor scrambling to go to market immediately. We still have to go through government review, however. If that review takes two months, it makes sense to bite the bullet, do the review and then ship. That translates into some hard trade-offs on unfinished device features, but that is simply the nature of the game. Alternatively, we can accept the risk of deferring some compliance work and build momentum in the meantime with customer demos, prototypes and early previews, none of which release the product to market before the review is complete.
All projects encounter trade-offs, and our job as a leader is to know how to strike the right balance.
Be intentional, engage your auditors, put in the effort and you may well become the project manager who can be agile with compliance.
Jesse Fewell, CST, PMI-ACP, PMP, participated on the core team of the Software Extension to the PMBOK® Guide. He can be reached at [email protected].
PM NETWORK JULY 2015 WWW.PMI.ORG