I have been working in the B2B SaaS space for nearly a decade, and throughout that time my goal has been to perpetually grow revenue. There are many different ways to achieve this goal but the consistent factor across them all, which is crucial to success, is good project management.
Over the past two years I’ve been speaking with seasoned experts at large enterprises and consultancy agencies, such as Everbridge and Mirai Security, to learn more about this niche industry called GRC, or Governance, Risk, and Compliance. If you’ve landed here, you’ve probably heard about it and may even be looking to learn how to implement a compliance program for your company or client.
I wrote this short guide to help highlight key project management knowledge areas and best practices that the experts say are crucial to successfully implementing compliance programs in practically any organization.
- What Is A Compliance Program?
- Manual Methods vs GRC Tools
- What Are Project Management Knowledge Areas?
What Is a Compliance Program?
While it can be defined a variety of different ways, a compliance program is essentially a “system of processes, policies and procedures, and controls that are developed to ensure compliance with all applicable rules, regulations, contracts and policies governing the actions of the organization.”
Manual Methods vs GRC Tools
One of the first decisions a project manager will need to make is whether to leverage GRC tools or use manual methods. Implementing compliance programs with manual methods (spreadsheets, Word documents, emails, etc.) has the benefits of low up-front costs, customization to your company’s needs, and potentially being completed faster than using an automated system.
The downside to using manual methods is that they are not scalable and can quickly become unmanageable as the company’s compliance needs grow. The more compliance frameworks you need to adhere to, the more team members and stakeholders will be required to support them.
This means you will need to grow your compliance team, which carries the biggest cost in managing compliance manually: salaries. A whitepaper on the cost of compliance for mid-size banks revealed that personnel account for more than 70% of compliance costs.
Scalability is often the reason that project managers opt for GRC solutions when implementing and managing compliance programs. In addition to cost savings, other benefits include an increased overall performance due to process automation, reduced non-compliance, and more organization-wide visibility.
Whether you choose to implement compliance programs with a manual approach or a GRC tool, the following knowledge areas and best practices will be applied equally.
What Are Project Management Knowledge Areas?
You may already be pretty familiar with these concepts as project managers already use them in their daily work life, but I'll do a quick refresher.
As with any successful project, implementing a compliance program needs careful planning, organizing, and execution from start to finish. The Project Management Institute (PMI) created a framework called the Project Management Body of Knowledge (PMBOK). It standardizes all the terminologies, guides, best practices, and processes that project managers follow.
Within the PMBOK (now in its 7th edition) you’ll find concepts called process groups and knowledge areas. Process groups are the general stages of a project and knowledge areas are groups of individual processes that can be followed.
Essentially, these guides break down the project into digestible stages and steps so your compliance implementation can be executed successfully.
The Key Knowledge Areas for Implementing a Compliance Program
Integration is fundamental to compliance programs. There’s a lot of information that needs to get to the right stakeholders at the right time to ensure visibility and accountability. Integration pulls together the ongoing individual processes and tasks needed to meet compliance regulations.
Lack of communication, lack of understanding, and lack of planning are all leading causes of non-compliance. Integration can be the toughest to keep efficient and timely, especially as compliance programs scale.
To reduce duplication, error, lost work, and lost time spent connecting the dots, it’s best to create a centralized system. A GRC tool provides organization members with a centralized, accessible compliance program. These are easier to manage and fully integrate throughout the company. Distribute tasks accordingly and delegate them to their respective owners.
When defining your scope statement for a compliance implementation, it’s best to focus on objectives needed to comply with your specific certification. Take note of all the applicable regulatory compliance requirements that are relevant to your industry and country, and align your organization’s objectives, stakeholder expectations, and available resources.
Quality management is not about perfection; it’s about delivering consistency across your projects. In the scope knowledge area, we talked about understanding your stakeholders’ expectations. The other half of this is setting reasonable agreements between the stakeholders and your implementation team.
There are bound to be gaps when first building a compliance program. Performing gap assessments and internal and external audits will help you identify:
- the effectiveness of controls and policies
- how your controls and policies align with your scope
- what’s missing or not making sense
Asking a third party to carry out an unbiased assessment is also recommended.
Risk management is all about identifying, categorizing, and prioritizing risks so that you can make plans on how to mitigate them. When implementing compliance programs, your focus should be on assessing the risks that are relevant to that specific implementation.
This means looking at controls, policies, and procedures and documenting what is being done by whom, for which purpose, whether it has been done, and how it should be done with step-by-step instructions. Some frameworks provide a structured checklist to define controls for compliance programs to mitigate risks.
After defining controls, policies, and procedures, you need to assign owners and stakeholders to the controls and policies, as well as give team members responsibility for that process and hold them accountable to manage it.
One of the big advantages of using a GRC tool is the ability to automate the monitoring and management of controls, especially at scale. This is where manual methods can really bog down workflows and could create gaps and non-conformity.
Your team is your most important resource, and resource management is more than simply assigning tasks. It is key that you understand the abilities of your team, work within their bounds, identify knowledge gaps, provide them with opportunities to grow, and track their progress.
Either through training or tools, it is your responsibility to support your team and allot the necessary resources to do so. GRC systems can assign ownership of controls so you know exactly which resources you would need for that part of the implementation.
Communication management is paramount among the knowledge areas. Project managers can spend roughly 90% of their time communicating, since communication keeps everyone involved informed of every aspect of the project, or in this case, the implementation.
Your communication management plan is crucial in determining how changes and updates are communicated, identifying who needs to know what, and when, before implementation begins. Depending on the frameworks you wish to comply with, you will need to generate reports to demonstrate compliance and for stakeholders.
It Doesn’t End with Implementation: Plan for Non-Conformities
This is a general guide of project management knowledge areas and process groups that tend to have the biggest impact on the success of implementing a compliance program. But in some ways, implementation is only the beginning.
For example, you’ll need to create corrective actions and remediation plans for when non-conformities do occur. These plans outline the tasks that should be performed in order to make the required fixes.
After performing the corrective actions from the remediation plan, what’s left is the process of continuous and ongoing monitoring. Controls should be tested regularly, and setting up automated recurring tasks helps to ensure the maturity of your compliance program.