Compliance Project Management Best Practices

Published January 12, 2017. 5 min read.

“You can get a great deal done from almost any position in an organization if you focus on small wins and you don’t mind others getting the credit.” – Roger Saillant

How do you eat an elephant? One bite at a time.

We’ve all heard the project management advice to eat an elephant one bite at a time.  People react in a number of ways when they first receive the news that they’ve landed a big, high-profile compliance project.  First, you have the project manager who revels in the accolades they’re sure to receive upon its successful completion.  Others fret about the number of ways the project could go awry, spelling sure professional doom.  Most of us are probably somewhere in the middle.  However, whatever your initial reaction, the goal remains the same.  Deliver the project.  Eat the elephant.

Surely, the number of possible sizes and scopes of the compliance projects you’ll face in your career will rival the number of ways you could approach them.  But, whether it’s a revamp to your PCI compliance program, a new technology added to your AML transaction screening procedures, or some other compliance related task, a technique that’s worked well for me, in coaching new hires, is to visualize each project as having three main phases.

You plan. You do. You deliver.

For each project a director faces, there will be a planning phase, an execution phase, and a delivery phase.  If you start with this in mind, it’s much easier to divide your project into more digestible, delegable parts and to set up your project plan for some small wins along the way.  Small wins communicate the success of your project and encourage others to lend a hand, or even time and money.  In the land of cost centers like compliance, project progress updates and interim deliverables can be nearly as effective a corporate currency as project completions and implementations.

Where to start

Planning is a tough sell.  It’s not flashy.  It requires concentration and thought, which are tough investments to make in our multi-tasking lives, and, no matter how colorful or detailed your compliance project plan is, it won’t scan your transactions for red flags or update your training manuals.  It won’t even get that elephant onto a dinner dish for you.

Planning can be sort of invisible.  But, like the foundation supporting your house, plan your project poorly, and your house will collapse, or, worse, never even get built.  Plan your project well, and the execution and reporting phases will run much more smoothly.  In the most successful departments where I’ve worked, planning budgets comprised anywhere from 35% to even more than 50% of the project’s total time commitments.  An investment up front pays dividends down the road.  For example, if you know that you will need transaction scanning procedures to monitor an SBU’s activity for potential non-compliance, the planning stage is the best time to consider where those data will come from, which fields they will include, and who will be the best business contact to provide them.

Common themes

In planning any compliance project, you’ll see common themes emerge:

  •      RESOURCES:  What Subject Matter Experts (SMEs) will you need?  What sort of time commitment will the compliance project require?  Will you need approvals so that the SMEs can participate on the project?  Will you need to secure authorizations for special access for your project team so that they can work with potentially sensitive compliance data?
  •      CONTACT PROJECT STAKEHOLDERS:  Early on in planning, you’ll want to contact the stakeholders who own the processes that will be affected by your project.  If there are blackout periods, conflicting initiatives (like impending acquisitions, or worse, emerging potential compliance concerns elsewhere), or if Joe the VP is planning a week off in February, you’ll want to know that.
  •      PROJECT SCOPING:  You can’t conquer Rome in a day, but maybe you’ll want to pick out a task or two where you can focus your efforts.  After you’ve had some initial discussions with management in lining up resources and determining stakeholder availability for your compliance project, you’ll have a better sense of just how deep and wide your project can be.  Sure, there are must-haves in every compliance project, but maybe this isn’t the best time to roll out the color-coordinated trouble tickets or the e-book version of the AML procedures manual.
  •      PRIORITIZING THE PROJECT:  Once your project scope is determined, prioritize the project’s moving parts, so that you’ll be able to focus on the highest priorities.  There are resources that your compliance project can’t go live without.  Make sure you have those identified early on in project planning.  For many compliance projects, this list almost always includes establishing the correct tone at the top, or getting buy-in from CISOs and other executives.  As we all know, executives have schedules that fill up quickly.  Be proactive in identifying and communicating precisely when and how much executive time you’ll need to make your compliance project successful.
  •      INITIAL DATA REQUESTS:  What data do you need for your project?  Which data fields will you require?  What time frame will these data represent? Who can deliver the data?  How long will the report take to prepare?  How will you ensure that you’ve received complete and accurate data?  These are all considerations that, when left to chance, can lead to delays and confusion later.

Even though these themes might otherwise remain invisible in project planning, identify them as planning deliverables in your project plan.  As you accomplish each of these tasks, they become small wins: deliverable to management in project status updates, and an indication that your project is launching successfully.  With compliance projects, any indication that the project is progressing as expected, and likely to meet its goals, will help the project team, and everyone else, sleep better at night.

Planning, In Conclusion

There are so many analogies that are tempting to insert here.  I could add one related to well-built foundations leading to sturdy houses.  I could also point out that 90% of an iceberg (like your planning) is underwater and invisible to the casual observer, but without that 90%, the entire iceberg (and your project) would be invisible.  But, I think the point is made.  Planning is paramount to the success of any compliance project, and should not be under-budgeted.  Done right, planning itself can provide deliverables, and help your project sponsors rest easier that, in the end, your project will produce its deliverables and everyone will eat well.

Check back soon for the next installment in the Project Management series, when we will discuss strategies for a successful project launch and execution.