Core Tools Playbook
Compliance by design / Continuous compliance
The word ‘compliance’ alone fills many product teams with fear and loathing: the way compliance is traditionally implemented is simply not suited to today’s demands of fast-paced product development, global supply chains, aggressive competition and increasingly complex compliance requirements. But there is a better way: compliance by design, or continuous compliance.

Compliance by design booklet
This free booklet (a first draft) outlines ideas on how we can make compliance not only less painful but actually valuable (and more robust) by drawing heavily on methodologies, values and principles we know work in other disciplines, such as lean, agile, user centricity, DevOps and systems thinking, and applying them to compliance.
What does it cover?
- What compliance is
- Why we need to care
- The state of compliance and why the traditional approach does not work
- A proposed new approach to compliance covering culture and process and how to ‘get’ there
Why bother?
Compliance is getting more complex
Compliance is here to stay
Compliance is valuable
Compliance is more than just adherence to laws and regulations
Traditional compliance processes cannot cater for the demands of fast-paced, reliable, high-quality product delivery in an environment where both the product and the compliance requirements change constantly.
What and why?
Continuous compliance / compliance by design enables delivery of desirable business outcomes at lower cost, with higher compliance quality and greater resilience when things go wrong.
We need to treat compliance as part of product design and implementation as well as the subsequent operation of the product. So we need to think in terms of both compliance implementation and compliance operation.
We need a shift from assuring compliance to enabling compliant value delivery.
We achieve this by shifting culture and process
- Culture from reactive, prescriptive compliance assurance to proactive, value focussed achievement of organisational goals.
- Process from siloed, one-off, end-of-process gate-keeping to integrated, continuous enablement that supports rather than impedes lean and agile delivery.
Seamless compliance, upstream and throughout, as we work with any other discipline.
How
Shifting culture
- Define stance on ethics and risks
- Define desirable outcomes / goals
- Identify compliance concerns and priorities
- Identify compliance stakeholders
- Align with compliance stakeholders (as-is goals, concerns and process, where you need them to shift). Address concerns.
Adapting process
Adopt standard agile (iterative!) delivery lifecycle best practices, and specifically:
- in discovery, identify compliance concerns and their potential risks and impact
- in the subsequent inception, identify top-level compliance requirements and compliance stakeholders
- during analysis and design, refine the requirements and define solutions
- during delivery and quality assurance, deliver compliance features and assure compliance
- as part of deployment and release, conduct any final compliance assurance still required (ideally bring all such activities forward so that late gates cannot block a release)
- during operation, monitor compliance performance and status, react to changes in compliance requirements, and manage incidents and ad hoc audits or compliance assessments
Apply lean principles
Shift blocking concerns upstream and make them continuous. Keep development cycles as short as possible (allowing, where necessary, for specific larger assurance cycles or ad hoc compliance activities).
Build on a foundation of agile best practices
Apply these practices to delivery and operation first, then extend them to compliance.
Continuously design, develop, integrate, test and assure, deploy, and release on demand as and when ready.
Draw what you can from DevOps / automate everything
Underpin compliance with infrastructure (tooling and process) that enables continuous verification, validation and assurance. This means a heavy focus on process automation, the ability to trace needs to requirements, risks, features, tests and certification and to generate the required artefacts automatically, and system observability so that teams can monitor system performance (compliance and otherwise) and act accordingly.
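As an added illustration of what that tooling looks like in practice (this is example code written for this page, not anything from the booklet or a real product), the script below holds a small traceability matrix, checks that every requirement chains to a risk, a feature and at least one passing test, and emits a sealed evidence artefact that a CI pipeline can gate on. All requirement, risk, feature and test identifiers and the test results are constructed.

```python
"""Continuous compliance check: trace requirements to risks, features and tests,
then emit a tamper-evident evidence artefact. Example code for this page; every
identifier and result below is constructed, not taken from any real system."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class Requirement:
    id: str
    need: str        # the business or legal need this requirement serves
    risks: list      # risk IDs this requirement mitigates
    features: list   # feature IDs that implement it
    tests: list      # test IDs that verify it


# Constructed traceability matrix (hypothetical identifiers).
REQUIREMENTS = [
    Requirement("REQ-001", "Data retention limit", ["RISK-01"], ["FEAT-12"],
                ["test_purge_after_90_days"]),
    Requirement("REQ-002", "Audit log immutability", ["RISK-02"], ["FEAT-14"],
                ["test_audit_log_append_only", "test_audit_log_hash_chain"]),
    Requirement("REQ-003", "Access review", ["RISK-03"], [], []),  # gap: nothing built or tested
]

# Constructed results from the latest CI run (test ID -> passed?).
TEST_RESULTS = {
    "test_purge_after_90_days": True,
    "test_audit_log_append_only": True,
    "test_audit_log_hash_chain": False,
}


def check_requirement(req, results):
    """Return the list of findings for one requirement; empty means it is covered."""
    findings = []
    if not req.risks:
        findings.append("no risk linked")
    if not req.features:
        findings.append("no feature linked")
    if not req.tests:
        findings.append("no test linked")
    for test_id in req.tests:
        if test_id not in results:
            findings.append(f"test not run: {test_id}")
        elif not results[test_id]:
            findings.append(f"test failed: {test_id}")
    return findings


def evaluate(requirements, results):
    """Map each requirement ID to its findings."""
    return {r.id: check_requirement(r, results) for r in requirements}


def _canonical(obj):
    # Deterministic serialisation so the digest is reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(requirements, results, generated_at=None):
    """Assemble the evidence artefact and seal it with a SHA-256 digest so a
    later reviewer can detect edits to the stored file."""
    findings = evaluate(requirements, results)
    body = {
        "generated_at": generated_at or datetime.now(timezone.utc).isoformat(),
        "requirements": [asdict(r) for r in requirements],
        "test_results": results,
        "findings": findings,
        "compliant": all(not f for f in findings.values()),
    }
    return {"evidence": body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_evidence(artefact):
    """True if the artefact body still matches its recorded digest."""
    return hashlib.sha256(_canonical(artefact["evidence"])).hexdigest() == artefact["sha256"]


if __name__ == "__main__":
    artefact = build_evidence(REQUIREMENTS, TEST_RESULTS)
    print(json.dumps(artefact["evidence"]["findings"], indent=2))
    print("compliant:", artefact["evidence"]["compliant"])
    # Non-zero exit lets a pipeline stage fail on traceability gaps.
    raise SystemExit(0 if artefact["evidence"]["compliant"] else 1)
```

The digest only makes tampering detectable, not impossible; in a real pipeline the artefact would be signed with a key the build system controls and stored where the delivery team cannot rewrite it.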
Contextualise
One-size does not fit all. The approach to continuous compliance will need to be tailored to fit organisation and initiative.
Transform step by step
Avoid radical change. Take a step by step approach to moving towards continuous compliance.