Project Management Institute

Agile compliance

To navigate strict regulatory compliance while using agile methods, project managers must find a middle ground.

BY JESSE FEWELL, CST, PMI-ACP, PMP, CONTRIBUTING EDITOR

If you've ever heard that “agile means no documentation” then, like me, you probably rolled your eyes and moved on. That kind of management approach does not work in regulated industries such as finance, defense or healthcare.

However, if we're honest, delivery is often slowed by the extra reports, audits and authorizations that come with regulatory or corporate oversight. That leaves us with a problem: How do we complete all the compliance paperwork while implementing agile methods?

Here are some practical tips to do just that:

In one corner, security auditors argue that documents and gate reviews are the only way to ensure quality is achieved and regulations are met. In the opposite corner, agile experts insist that documents add no value. Both are wrong.

A strong project manager finds a balance between too much and too little and makes the case to implement changes on both sides.

Engage Auditors Early

The best way to craft a custom strategy for managing regulations is to work with the auditors directly. Many times, they won't have the availability to do a full audit, so set up quick and regular collaboration meetings to keep everyone aligned on what's been done—and what's still needed. Show the auditors how to achieve “lightweight compliance” with nontraditional documentation, such as whiteboard photos and rolling wave plans. The auditors may even grant you a few process waivers, so you have less compliance work to do. The sooner you have these conversations, the better. Otherwise, you might get an unpleasant surprise during your security audit.

Define ‘Done’

One agile technique is to establish a “definition of done.” This is a simple checklist spelling out what a high-quality product needs to be “shippable,” meaning ready for consumer use. But there's also a separate checklist of additional work spelling out how to “ship” the product into operations—or get it into the consumer's hands. This distinction between “shippable” and “shipped” can also apply to compliance.

For example, for a project to be “auditable,” we use a checklist that helps us store copies of all artifacts, peer review minutes and customer feedback. However, we wait until much later to collate and send those materials to be “audited.” You can save a lot of overhead if you avoid doing all the compliance work all the time and instead do just enough for right now.

Sacrifice Scope (If Necessary)

Sometimes, a competitor's newly announced medical device has our business sponsor scrambling to go to market immediately. However, we still have to go through government review. If that review takes two months, it makes sense to bite the bullet, do the review and ship. Of course, that translates to some hard trade-offs on some unfinished device features, but that is simply the nature of the game. Alternatively, we can absorb the risk of deferred compliance work and build momentum with customer demos, prototypes and early previews.

All projects encounter trade-offs, and our job as leaders is to know how to strike the right balance.

Be intentional, engage your auditors, put in the effort and you may well become the project manager who can be agile with compliance.

Jesse Fewell, CST, PMI-ACP, PMP, participated on the core team of the Software Extension to the PMBOK® Guide. He can be reached at [email protected].

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI.

PM NETWORK JULY 2015 WWW.PMI.ORG
