Compliance Transformation: How to Implement External Standards Successfully
Lessons learned from Deepwater Horizon 🧩 What is Compliance Transformation 🧩 What is my Compliance Transformation methodology 🧩 Busting the top 10 compliance myths
Is compliance holding you back or propelling you forward?
For companies ready to grow, compliance isn’t just a necessity; it’s a competitive edge. When integrated from the start, it boosts efficiency, builds client trust, and safeguards against costly surprises. But wait too long, and you risk severe fines, damage to your reputation, and operational disruptions.
Smart companies begin early - and here's how you can do it, too.
Read on 👇
⛽️ Deepwater Horizon Oil Spill
In 2010, BP faced a crisis that would change its future forever. The Deepwater Horizon drilling rig exploded in the Gulf of Mexico. It caused the largest marine oil spill in history. The disaster unleashed millions of barrels of oil into the ocean. It devastated local ecosystems and harmed fishing and tourism along the Gulf Coast.
After the incident, BP faced intense pressure from U.S. regulators and the public. This resulted in record fines and costs of over $65 billion. To manage the crisis, BP had to pay for the cleanup and legal settlements. It also had to overhaul its safety and environmental practices.
BP had to put in place new operational protocols. They covered everything from better blowout preventers to improved emergency response measures. This overhaul included independent safety audits and strict new environmental rules. BP made a large investment in training and technology. They had to meet higher standards and regain the trust of regulators and the public.
The compliance burden was monumental. Regulatory costs and safety audits raised expenses. The new protocols slowed operations, making them less flexible and more costly. To meet the higher standards and fund them, BP had to sell major assets. This helped BP stabilize its finances but also reduced its market share. It made it harder to compete with other big oil companies.
BP emerged from the crisis with a commitment to safety and the environment. Yet, the transformation came at a significant cost. BP's shift to renewable energy hurt its long-term profits and growth. It showed the high costs of prioritizing safety and compliance only after a crisis. Instead, safety and compliance should have been daily priorities from the start.
♻️ Compliance Transformation
What is compliance?
Compliance means following the laws, regulations, and best practices that apply to organizations in specific industries (global rules) and geographies (local rules). These rules set a certain standard for quality, which companies must meet at all times. As the rules change, companies need to stay aware and adapt to them, even as they themselves evolve and scale up or down.
What is Compliance Transformation?
Compliance Transformation is how organizations implement these external laws, regulations, standards, frameworks, or methodologies. The aim of such a transformation is twofold:
to enhance operational efficiency (internal goal = same as in Business Process Management), and
to build trust with customers, partners, and other stakeholders (external goal).
Without compliance, businesses risk facing hefty fines, reputational damage, and operational disruptions. But even more importantly, there can be irreparable damage to property, the environment, animal and human lives, etc., as seen in the above example with Deepwater Horizon.
What exactly does compliance transform?
In short: our processes. Compliance is about making small changes to how we do things. And when we make these changes, we’re always driven by two key questions:
Are we doing the right thing? This focuses on effectiveness. It’s about ensuring we’re achieving the goals that we need to achieve.
Are we doing the thing right? This focuses on efficiency. It’s about achieving our goals optimally. “Optimal” means delivering the highest quality with the least amount of resources. Of course, quality and resources pull in opposite directions, so finding that middle ground - our balance point - defines what’s optimal for us.
Together, effectiveness and efficiency form our performance. And our performance is the result of our operations, i.e. of our internal ways of working.
Both effectiveness and efficiency are crucial. We cannot have one without the other - that will not make any business sense. For example, we can have a product-market fit and plenty of customers, but we'll be draining ourselves dry if we don't operate efficiently - and it will be very hard to reach our profit targets. Similarly, we can be extremely good at what we do, running like a well-oiled machine, and it won’t matter at all if we don’t deliver the right product to the right customers.
When should we do a Compliance Transformation?
Compliance should be part of daily operations from the start. This will ensure that regulations are consistently met, reducing the risk of costly fines, legal issues, and reputational harm. Early integration embeds compliance naturally into workflows. It avoids disruptive changes later and supports smoother, more efficient operations as the company grows. Also, this approach builds a culture of responsibility and trust that strengthens the relationship with clients, partners, and regulators.
If compliance isn’t addressed from the start, a Compliance Transformation will inevitably be needed later on. However, fixing compliance later is costly, time-intensive, and disruptive to the business. It requires overhauling ingrained processes and culture, implementing new technologies, and retraining staff. Delaying compliance also risks regulatory fines, reputational damage, and operational setbacks. That's why early compliance is the safer and more efficient choice.
✅ Compliance Transformation Methodology
Here’s an overview of my 5P methodology, which I’ve developed and refined over the years:
From the very beginning, before we even start the transformation, I focus on Purpose. During the transformation, I also ensure we keep each cycle of this methodology as short as possible, following the Agile principles. And we cannot end the transformation - or even consider it a success - without closing this loop at least once.
Let’s take a closer look at each pillar:
🟠 Purpose
The Purpose is the foundation; everyone involved must understand what we’re trying to achieve and why. We need to get to the root cause of why a full transformation is needed, as this insight will drive every aspect of the program. This will be our North Star. Without it, we cannot proceed.
The Purpose pillar answers the questions:
Where do we want to be? What is the problem we want to solve?
Why is this a problem to begin with?
What is the impact of this problem?
How urgent is this problem?
What would it look like when this problem is fixed?
What happens if we don’t fix this problem?
🔵 Present
Present focuses on understanding our current situation compared to our goal. In a Compliance Transformation, this involves a Process Audit (aka Gap Analysis), repeated at regular intervals. The analysis done in Present sets the framework for our solution and keeps it relevant.
The Present pillar answers the questions:
Where are we now?
What are the gaps to where we want to be? How did we conclude that?
What is the full scope of what we need to address? What is out of scope?
What are our available budget, time, and other resources?
What are our assumptions?
What are our constraints?
🟢 Path
Path is about defining the solution, explaining how we arrived at it, and planning its implementation. With each cycle of 5P, we refine the solution, but we ensure we keep records of our past versions. This helps not only to measure the efficiency of our program but also to avoid solutions that we already proved are not working.
The Path pillar answers the questions:
What is the solution to the problem?
Why is this the optimal solution? What other solutions have we considered? Why did we reject them?
How are we going to implement this solution (within the time, budget, resources, and other constraints we have)? What processes, tools, etc. are we going to use?
What are the solution interfaces and dependencies?
What are the risks we anticipate?
What are the currently known issues?
🟡 People
People includes everyone involved, affected, or interested in the program. We assess and assign roles based on skills, provide training, and communicate frequently. In addition to these management tasks, we also use leadership skills to guide everybody through the change. I won’t focus on it now, but if you’re interested in Change Leadership, check out PROSCI.
The People pillar answers the questions:
Who are the parties driving the program: sponsor, lead, team?
Who are the additional stakeholders: teams to work with, affected teams, interested parties, others?
Who is doing what, when, and how? And who is making sure each of these gets done? (See here for more details on Responsibilities and Accountabilities.)
What kind of authorities does each party need? How are those ensured? (See here for more details on Authorities.)
What is our skills assessment? What are the gaps to the desired skills and our training plan?
What is our program’s communication plan?
⚫️ Progress
Progress is about tracking our journey and ensuring we stay on the right path. We define measurements to monitor our progress, troubleshoot when issues arise, and then go back to Purpose in an Agile loop.
The Progress pillar answers the questions:
How will we know we have arrived at where we want to be? How will we know we have solved the initial problem?
Even before that, how will we know we’re on the right path to there?
What kind of manual checks will we need along the way?
What are the automatic checks we already have in place?
Where and how do we report progress?
Where and how can someone receive information on the progress?
🪁 Top 10 Compliance Myths
Common myths and misconceptions can slow down or even block a Compliance Transformation. That’s why it’s essential to tackle these early on to shift the company’s culture and set the stage for success.
Here are the top 10 myths I’ve encountered in my career:
Myth 1: “External standards are very bureaucratic and add no real value.”
At first glance, standards might seem like an administrative nightmare. But their real purpose is to increase efficiency, quality, and customer satisfaction. Standards are based on industry-proven best practices and, when implemented effectively, they improve operations, reduce risks, and build trust.
That said, implementing standards and frameworks only halfway will never work - even if they’re the best ones out there. Standards are designed with so many interdependencies that literally everything connects to everything else. We can and should adjust the best practices to fit our operations. But we cannot completely skip a part unless we fully understand what it’s meant to achieve and we’re already achieving it in another way.
How to address this myth:
To begin with, and as mentioned earlier, we must close the 5P Methodology loop at least once. The 5P Methodology is built on top of the PDCA/PDSA/3E logic of Continuous Process Improvement. Therefore, the first and most important rule is not to end the Compliance Transformation prematurely.
In addition, we must always communicate the purpose behind everything: why we’re doing a transformation program, why we need compliance, why we need a certain process, why a process step looks like it does, etc. Read more about purpose here:
Myth 2: “Compliance is just an extra cost with no return on investment.”
As with every other long-term investment, compliance comes with a significant cost. But we make long-term investments in the first place because we know they bring us higher returns down the line. Compliance prevents costly fines, reduces operational inefficiencies, improves trust from our clients, partners, and the public, and opens new revenue streams in regulated markets. So, while there is a big initial investment, the long-term savings and growth potential outweigh the costs.
How to address this myth:
We use metrics to highlight the importance of compliance. Two types of metrics come in handy:
High-level, strategic metrics: The ratio of Cost of Quality vs. Cost of Poor Quality must remain smaller than 1.
Low-level, process metrics: Processes must include KPIs which show that, with compliance in place, we now have fewer security incidents, faster onboarding of regulated clients, improved customer retention, etc.
Myth 3: “Only big companies need to worry about compliance.”
Big companies operate on a larger scope, which is why they often have to step into regulated industries. Smaller companies (startups or scale-ups) can focus on a single product in a specific market niche and, thus, stay away from regulators. However, that will also prevent them from scaling up and expanding into new markets.
Additionally, compliance requires structure and processes. Even though small companies are notorious for the creative chaos they operate in, they need order as they grow because scaling up chaos leads to even more chaos. This is crucial when seeking funding, as investors often favor structured, risk-aware management.
Lastly, smaller companies are more vulnerable to compliance risks due to the limited resources that accompany the fast pace of their growth. Taking care of compliance early on protects them from unexpected issues down the road and avoids the pressure of retrofitting compliance under a tight deadline.
How to address this myth:
This is down to the Leadership Team: If they believe in early compliance measures, they will advocate for them from the start. And if they don’t believe in them, they’ll unfortunately have to learn the hard way (as BP did in the above example with Deepwater Horizon).
Myth 4: “Compliance is just an IT or Security team issue.”
Processes have one very distinct feature: everything relates to everything. The same goes for external standards and process frameworks. While it might seem that they have a target scope, e.g. IT Security, in reality, they touch on aspects of quality, safety, customer service, data management, and so on, which affect every department. That’s why compliance is a company-wide responsibility and requires collaboration across all teams to be effective.
How to address this myth:
Compliance must be embedded in the company processes and not be seen as something separate. There shouldn't be compliance processes vs. company processes. There is only one set of processes and that’s the company processes. All of them must be alive and well. If any one of them is not used, it must be archived.
Myth 5: “External standards are rigid and don’t fit our business model.”
Many standards are designed to be flexible and adaptable to different industries, company sizes, and business models. Their goal is not to dictate a rigid process but to offer a framework that we can tailor to our specific needs. Even though standards refer to their requirements as “best practices”, “process areas”, or even “processes”, they're still just frameworks. And frameworks need to be customized, not followed word for word without considering the business's unique situation.
How to address this myth:
We first have to understand the intent behind each requirement - what it’s meant to accomplish, why it exists, and why it’s recognized as a best practice. Once we understand the purpose, we can figure out how to achieve it within the constraints and goals of our environment. We can think of the best practice as a strong recommendation, not an absolute rule.
And don’t worry about the auditors! As a Process Auditor myself, I can tell you this: If you meet the intent and purpose of the requirement and ensure no process connections are broken, no auditor will flag it as a gap. Remember, auditors have to follow rules and regulations too, and our work is audited as well - we have to prove we’re doing a good job! 😉
This is exactly where an external consultant can be a huge asset, whether they’re leading or supporting the Compliance Transformation. Consultants have extensive experience tailoring standards to fit real-world scenarios. They’ve seen countless solutions that work (and that don’t 🙄), so there’s no need for companies to reinvent the wheel - this knowledge is already out there.
Myth 6: “External standards limit innovation and flexibility.”
Out of all the compliance myths, this is probably the one I hear the most. As already covered in Myth 5, external standards are suggestions that we customize to fit our business needs. If we end up stifling our innovation and flexibility, then that’s on us - we've clearly failed to design company processes that address all our operational and stakeholder needs.
How to address this myth:
Same as with Myth 5. And I'll emphasize again how beneficial an external consultant can be - not only because we’ll tap into a vast knowledge of possible process solutions, but also because an organizational transformation will drain all our resources. We need all the help we can get.
Myth 7: “Compliance just means more and unnecessary paperwork.”
Documentation is indeed a part of compliance, but it should already be a part of our daily operations too. Documentation serves a critical purpose: When done properly, it clarifies responsibilities, reduces ambiguity, standardizes processes, and provides a basis for ongoing improvements. This in turn improves efficiency, transparency, and accountability.
Every professional should want to document their work thoroughly. We know that documentation accompanies everything. We cannot expect, for example, the client to read our software code to understand how the app works, or the newcomer to the team to magically know what to do and who to contact for what. Besides, when we know we’ve done a good job, we want to let everyone know it. We want to explain in the simplest way possible what a great thing we brought into existence. We want to share our art with the world - because art that’s not shared doesn’t serve any purpose.
How to address this myth:
To justify the need for anything, not only documentation, we have to show why it’s important, what purpose it serves, and what happens when we don’t have it. In the case of documentation, we need to show teams (with real-life examples, where possible) how it drives consistent results, enables them to replicate successful processes while avoiding known issues, provides clear guidance during audits, helps onboard new employees, etc. - ultimately saving time and effort in the long run.
Additionally, we can simplify documentation by focusing only on what’s necessary and providing useful templates and tools. To keep this true as our processes evolve, we can, for example, hold an annual organizational retreat dedicated to streamlining - spend a few days each year removing unnecessary complexity from our processes, systems, and related documentation.
Myth 8: “We’re starting from scratch; we have zero compliance in place.”
I can guarantee you that every company out there already has some degree of compliant practices in place. When we are operational in the market, delivering products and services to our customers, we certainly have repeatable methods of working, security protocols, quality checks, client communication, and so on. And the majority of these are part of external standards.
Moreover, each standard is a set of global best practices. Meaning, a lot of international experts came together, exchanged their ways of working in a specific area, and created a standard out of them. That’s why external standards are not theoretical - they come from real life by design.
How to address this myth:
Every Compliance Transformation program starts with a Gap Analysis against the given standard that will be implemented. The Gap Analysis reveals the existing compliance elements and identifies the areas for improvement. This serves two purposes:
enables us to plan the Compliance Transformation program better, and
helps teams see compliance as an extension of what they already do, not an overwhelming new project.
Furthermore, as with any other big program, it’s important to break it down into smaller chunks, set realistic goals within realistic timelines, make progress transparent, and celebrate small wins. This shows teams that achieving compliance isn’t as daunting and helps maintain momentum and morale.
Myth 9: “We just need to implement the processes and templates exactly as outlined in the standard.”
While standard processes and templates provide a foundation, they need to be customized to fit the specific operational environment of each organization. I'll say it again: Blindly following any standard by the book without aligning it to our business leads to ineffective, impractical, or utterly meaningless processes - and that doesn’t meet the actual compliance requirements. Besides, force-fitting every team into the same shoe size is simply not feasible. What we need to implement is the spirit of the standard, not the letter.
How to address this myth:
The teams have to own their solution, i.e. their customized and improved team processes, and for that they have to be involved and in the driver’s seat from the start. That means we need to:
educate relevant team members from the beginning on what the standard aims to achieve, as well as coach them throughout the Compliance Transformation program, and
guide them in customizing their processes to ensure they align with both the standard’s requirements (the part we know) and the organization’s ways of working (the part they know).
Additionally, we must define a level of standardization for the whole company and Tailoring Guidelines for when a team has to branch out and follow a slightly different process. This doesn’t have to be anything complicated, but it needs to be there to provide clarity to all on what “compliance” and “standardization” actually mean.
Myth 10: “Once we’re compliant, we don’t have to think about it again.”
The goal of any compliance is to ensure a sustainable level of product or service quality. And sustainable quality means Continuous Process Improvement. When we want to, for example, engage with a client or a partner long-term, we can praise our products and services all we want, but what the client/partner is actually interested in is:
what our level of product/service quality is, and
how we can prove that it’s sustainable.
The answer to these questions lies in our processes. We have to plan them, execute them as planned, monitor and measure them, and constantly improve them. Also, we have to keep ourselves updated and aligned with the evolving external standards and regulatory requirements.
Therefore, maintenance is key. Treating compliance as a one-time project not only puts the organization at risk but also brings operational costs up because every time a client/partner asks for proof that we’re compliant, we have to start implementing standards all over again. That’s why, once we implement any standard, this is only the beginning - from there on, we have to ensure we stay compliant at all times.
Some external standards, such as ISO 9001, address the lack of compliance maintenance head-on by enforcing a yearly certification schedule: Once we receive our certification, we can expect auditors to come and audit us each year. And if in any given year they find out we have too many major non-conformities, our certification is at risk.
How to address this myth:
Continuous Improvement has to be baked into everything we do - not as a separate item but as part of each team process. We’re playing the long game and we have to equip ourselves accordingly. Every decision, every process step, everything we come up with, we have to ask ourselves: “How does this serve the company in the long run?” Moreover, we have to ensure we have people within our teams with available resources to ask this question and take the necessary corrective actions. Quality cannot be an afterthought or an outsourced responsibility - it has to become the essence of what each of us does daily.
And that’s how we steer our organization toward long-term success. By seeing compliance as a driver of growth and security, rather than a burden, we not only cultivate a culture of quality and continuous improvement but also position our business as a reliable provider and partner.
Happy World Quality Week 2024!
Next, see how to manage the human side of a transformation:
Thank you for reading 💝
Till next time,
Irina
Whenever you’re ready, contact me so I can help you:
Implement global standards, frameworks, and methodologies and get your IT or Software Development organization certified.
Improve your management practices.
Navigate freelancing / solopreneurship if you’re new to it.