Skip to main content

Compliance by design

The way we ‘do’ compliance traditionally is a disaster. Not only is it painful, but it also doesn’t work particularly well. Neither does it support business needs nor does it make compliance itself efficient or massively effective. But there is a better way: compliance by design / continuous compliance.

Core Tools Playbook

Compliance by design / Continuous compliance

The word ‘compliance’ alone fills many product teams with fear and loathing: they way compliance is traditionally implemented is simply not suitable to cater for the today’s demands of fast paced product development, global supply chains, aggressive competition and increasingly complex compliance requirements. But there is a better way: compliance by design, or, continuous compliance.

Compliance by design booklet cover

Compliance by design booklet

This (first draft) free booklet outlines ideas on how we can make compliance not only less painful, but actually valuable (and more robust) by heavily drawing on methodologies, value and principles we know work across other disciplines, such as lean, agile, user centricity, DevOps, system thinking etc. and apply them to compliance.

What does it cover?

  • What compliance is
  • Why we need to care
  • The state of compliance and why the traditional approach does not work
  • A proposed new approach to compliance covering culture and process and how to ‘get’ there

Why bother?

Compliance is getting more complex
Compliance is here to stay
Compliance is valuable
Compliance is more than just adherence to laws and regulations

Traditional compliance processes cannot cater for demands of fast paced, reliable, high quality product delivery in an environment of constant product and compliance requirement change.

What and why?

Continuous compliance / Compliance by design enables delivery of desirable business outcomes at lower cost, increased compliance quality and increased resilience (if we fuck up).

We need to consider compliance as part of the product design and implementation process as well as subsequent operation of the product. So we need to think of compliance implementation and compliance operation.

We need a shift from assuring compliance to enabling compliant value delivery.

We achieve this by shifting culture and process

  • Culture from reactive, prescriptive compliance assurance to proactive, value focussed achievement of organisational goals.
  • Process from siloed, one-off, end-of-process, gate-keeping to integrated, continuous, enablement that support rather than impedes lean and agile delivery.

Seamless compliance, upstream and throughout. As we work with ‘any’ other discipline.


Shifting culture

  1. Define stance on ethics and risks
  2. Define desirable outcomes / goals
  3. Identify compliance concerns and priorities
  4. Identify compliance stakeholders
  5. Align with compliance stakeholders (as-is goals, concerns and process, where you need them to shift). Address concerns.

Adapting process

Adopt agile (iterative!) delivery lifecycle standard best practices, but specifically

  • in discovery define identify compliance concerns and potential risks and impact
  • in the subsequent inception identify top-level compliance requirements and compliance stakeholders
  • during analysis and design activities to refine requirements and define solutions
  • during delivery and quality assurance deliver compliance features and assure compliance
  • as part of deployment and release conduct any final compliance assurance required (note that ideally you bring all activities forwards to prevent potentially blocking late gates)
  • during operation monitor compliance performance and status, react to change in the compliance requirements, and manage incidents and at hoc audit or compliance assessment

Apply lean principles
Shift blocking concerns upwards, and make them continuous. Keep development cycles as short as possible. (Allow, where necessary for specific larger assurance cycles or ad hoc compliance activities).

Build on a foundation agile best practices
Apply these practices to delivery and operation, then transfer to / include compliance.
Continuously design, develop, integrate, test and assure, deploy, release (if you must release on demand as and when ready).

Draw what you can from DevOps / automate everything
Underpin compliance with infrastructure (tooling / process) to enable continuous verification, validation and assurance. This includes a heavy focus on process automation, capabilities to trace needs-requirements-risk-features-tests-certification and automatically create required artefacts, as well as system observability so teams can monitor system performance (compliance and other) and act accordingly.

One-size does not fit all. The approach to continuous compliance will need to be tailored to fit organisation and initiative.

Transform step by step
Avoid radical change. Take a step by step approach to moving towards continuous compliance.

Inception Playbook cover

Inception Playbook

A detailed description of how to design, plan and run inceptions, covering the overall flow, collaboration&visualisation tools&techniques and facilitation methods.
Lean inception blueprint

Lean Inception Toolkit

A toolkit for the planning, design and facilitation of Lean Inceptions. We use this toolkit as starting point whenever we have to run an inception.

Inception Introduction

Conference Talk + Presentation Deck

This is where you might want to start, an introduction with case-study examples of what inceptions are, how they unfold, and how to do them…
Watch conference talkDownload Deck
Download presentation with speakernotes.
Contact us

Get in touch

We’d love to hear from you if you want to chat about an opportunity or challenge we might be able to help you with, if you want to work with or for us, or if you fancy chat to exchange thoughts.
Contact us