Project Manager
24 PM NETWORK JULY 2015 WWW.PMI.ORG
Jesse Fewell, CST, PMI-ACP, PMP, participated
on the core team of the Software Extension
to the PMBOK® Guide. He can be reached at
email@jessefewell.com.
AGILE COMPLIANCE
To navigate strict regulatory compliance
while using agile methods, project
managers must find a middle ground.
BY JESSE FEWELL, CST, PMI-ACP, PMP, CONTRIBUTING EDITOR
If you’ve ever heard that “agile means no docu- mentation” then, like me, you probably rolled your eyes and moved on. That kind of management approach does not work in regulated industries uch as finance, defense or healthcare. However, if we’re honest, delivery is often slowed by the extra reports, audits and authorizations that
come with regulatory or corporate oversight. That
leaves us with a problem: How do we complete all
the compliance paperwork while implementing
agile methods?
Here are some practical tips to do just that:
Find a Compromise
In one corner, security auditors argue that documents
and gate reviews are the only way to ensure quality is
achieved and regulations are met. In the opposite corner, agile experts insist that documents add no value.
Both are wrong.
A strong project manager finds a balance
between too much and too little and makes the
case to implement changes on both sides.
Engage Auditors Early
The best way to craft a custom strategy for managing regulations is to work with the auditors directly.
Many times, they won’t have the availability to do
a full audit, so set up quick and regular collabora-
tion meetings to keep everyone aligned on what’s
been done—and what’s still needed. Show the audi-
tors how to achieve “lightweight compliance” with
nontraditional documentation, such as whiteboard
photos and rolling wave plans. The auditors may
even grant you a few process waivers, so you have
less compliance work to do. The sooner you have
these conversations, the better. Otherwise, you
might get an unpleasant surprise during your secu-
rity audit.
Define ‘Done’
One agile technique is to establish a “definition of
done.” This is a simple checklist spelling out what
a high-quality product needs to be “shippable,”
meaning ready for consumer use. But there’s also
a separate checklist of additional work spelling
out how to “ship” the product into operations—or
get it into the consumer’s hands. This distinction
between “shippable” versus “shipped” can also apply
to compliance.
For example, for a project to be “auditable,” we
use a checklist that helps us store copies of all artifacts, peer review minutes and customer feedback.
However, we wait until much later to collate and
send those materials to be “audited.” You can save
a lot of overhead if you avoid doing all the compliance work all the time and instead do just enough
for right now.
Sacrifice Scope (If Necessary)
Sometimes, a competitor’s newly announced
medical device has our business sponsor scrambling to go to market immediately. However, we
still have to go through government review. If
that review takes two months, it makes sense to
bite the bullet, do the review and ship. Of course,
that translates to some hard trade-offs on some
unfinished device features, but that is simply the
nature of the game. Alternatively, we can absorb
the risk of deferred compliance work and build
momentum with customer demos, prototypes
and early previews.
All projects encounter trade-offs, and our job as
a leader is to know how to strike the right balance.
Be intentional, engage your auditors, put in the
effort and you may well become the project manager who can be agile with compliance. PM
