📖 Types of Compliance Requirements

🇺🇸 English

Compliance requirements come from multiple sources and all must be satisfied:

  • Legal compliance: Laws and regulations in the jurisdictions where the project operates. Non-compliance = legal liability.
  • Regulatory compliance: Industry-specific rules from regulatory bodies (financial regulators, data protection authorities)
  • Organizational compliance: Internal policies, governance standards, security policies, brand guidelines
  • Contractual compliance: Obligations in contracts with customers, partners, vendors
  • Ethical compliance: Professional and ethical standards — aligned with PMI Code of Ethics

PM's role: Identify all requirements early, include them in project scope, monitor compliance continuously, and escalate violations immediately.

Key principle: When compliance conflicts with schedule or budget, compliance wins. A PM who skips compliance to meet a deadline creates organizational risk that far outweighs the project impact.

Reference: PMI Code of Ethics and Professional Conduct

🇻🇳 Vietnamese

Compliance requirements come from many sources, and all of them must be satisfied:

  • Legal compliance: The laws in the jurisdictions where the project operates
  • Regulatory compliance: Industry-specific rules from regulatory bodies (financial, data protection)
  • Organizational compliance: Internal policies, governance standards, security policies
  • Contractual compliance: Obligations in contracts with customers, partners, suppliers
  • Ethical compliance: Professional and ethical standards, aligned with the PMI Code of Ethics

Key principle: When compliance conflicts with schedule or budget, compliance wins.

🌏 Compliance in Fintech Context

Compliance Area | Requirement | Impact on Project | PM Action
Data Privacy (GDPR/Local) | PII must be encrypted, consent required, right to deletion | All data models, APIs, logging must handle PII correctly | Include data privacy review in DoD; engage DPO early
Financial Regulation | Lending processes must meet BSP/OJK/BNM requirements | Credit decision logic must be auditable and documented | Engage compliance officer as stakeholder from Sprint 1
Security Standards | PCI-DSS for card data; SOC2 for data security | Architecture must meet security controls; annual audit | Security review in architectural decision gate
Partner Contracts | API SLAs, data sharing agreements, exclusivity clauses | Technical implementation must reflect contractual terms | Legal review of partner agreements before technical spec
Employment Law | Labor laws in VN and PH for team management | Overtime, remote work policies, contractor obligations | HR review of resourcing plans

🔧 Compliance Management Approach

Compliance Requirements Tracking
ID   | Requirement            | Source       | Impact | Owner | Evidence Required    | Status
C-01 | PII encryption at rest | Data Privacy | HIGH   | Arch  | Pentest report       | ✅ Done
C-02 | Audit log all credit   | BSP Reg §4.2 | HIGH   | Dev   | Audit trail review   | In Progress
C-03 | Data retention 7 years | Tax Law      | MED    | DBA   | Retention policy doc | Planned
C-04 | Partner DPA signed     | GDPR Art.28  | HIGH   | Legal | Signed DPA copy      | ✅ Done
C-05 | API rate limiting      | Partner SLA  | MED    | Dev   | Load test results    | Planned

── COMPLIANCE RISK ──────────────────────────────────────
Non-compliance consequences:
  • Regulatory fines (up to % of revenue)
  • License revocation
  • Reputational damage
  • Contract breach penalties
  • Criminal liability (in some cases)

RULE: Compliance requirements are NEVER negotiable for schedule.
If schedule conflict → scope-reduce other features, not compliance.
🎯 Exam Tips — Compliance
  • Compliance is non-negotiable — on exam, if asked to choose between meeting deadline and compliance, choose compliance
  • PMI Code of Ethics: Honesty, Responsibility, Respect, Fairness. PM must demonstrate all four.
  • When a team member violates compliance, PM must address immediately, not ignore or cover up
  • Legal compliance in one jurisdiction ≠ compliance in another. International projects must consider all applicable laws.
  • PM has ethical obligation to report compliance violations through proper channels, even if it risks the project
  • Privacy impact assessments (PIA) should be part of project planning for data-handling projects

💼 Hands-on / Scenario

🏢 FinTech Company X — Compliance vs Deadline Conflict

Situation: 1 week before go-live. Compliance team raises a blocking issue: the loan application system logs user PII (National ID numbers) in plain text in application logs — a clear data privacy regulation violation in both VN and PH markets.

Business pressure: Marketing has launched campaigns. Partner Bank A has prepared. Hundreds of signups. PM is asked: "Can we go live anyway and fix it in the next sprint?"

PM's position: "No. Going live with this compliance violation would expose FinTech Company X to regulatory fines, potential license suspension, and breach of our data processing agreement with Bank Partner A. A 1-week delay to fix this properly is mandatory."

Resolution: Dev team masks PII in logs (National ID → first 3 + last 3 digits). Compliance officer reviews and signs off. Partner Bank A notified of 1-week delay with reason. Go-live proceeds 7 days later, fully compliant.

PMP lesson: Compliance problems never get cheaper if deferred. The PM who pushes back on this is protecting the company — and demonstrating PMP-level professional responsibility. Saying "yes" to going live in violation would be a career-defining mistake.
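The log-masking fix from the resolution above, as an added Python example (not code from the page or from FinTech Company X's system). It assumes, which the page does not state, that a national ID appears in log text as a run of nine or more digits, and it uses the standard logging module so the masking applies to every handler:

```python
import io
import logging
import re

# Assumption, not from the page: a national ID shows up in log text as a run of
# nine or more digits. Over-matching (a long order number, say) is accepted:
# masking a non-PII number costs far less than leaking a real ID.
NATIONAL_ID_RE = re.compile(r"(?<!\d)(\d{3})(\d{3,})(\d{3})(?!\d)")


def mask_national_id(text: str) -> str:
    """Keep the first 3 and last 3 digits and mask the middle: the scenario's fix."""
    return NATIONAL_ID_RE.sub(
        lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), text
    )


class PiiMaskingFilter(logging.Filter):
    """Masks IDs in the rendered message before any handler writes it.
    Attached to the logger, not one handler, so every sink gets masked text."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_national_id(record.getMessage())
        record.args = ()  # already rendered; stop handlers formatting it again
        return True


def build_logger(stream: io.StringIO, name: str = "loan-app") -> logging.Logger:
    """Constructed logger writing to an in-memory stream so the example runs offline."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addFilter(PiiMaskingFilter())
    logger.addHandler(logging.StreamHandler(stream))
    return logger


def log_and_capture(message: str, *args) -> str:
    """Logs one line through the masking filter and returns what was written."""
    buf = io.StringIO()
    build_logger(buf).info(message, *args)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample line with a made-up ID, not real data.
    print(log_and_capture("loan application national_id=%s submitted", "012345678912"))
```

The compliance officer's sign-off in the scenario would then check that the masked form, and never the full ID, is what reaches the log files and any log shipper.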

✏️ Practice Questions

Question 1
The project is 2 days from launch. A developer discovers the system does not meet a mandatory data privacy regulation. Fixing it will delay launch by 1 week. The sponsor asks the PM to launch anyway and fix it post-launch. What should the PM do?
  • A. Follow the sponsor's direction — they have the authority
  • B. Launch with a disclaimer noting the compliance issue
  • C. Refuse to launch in non-compliant state; present the legal and reputational risks to the sponsor and recommend delaying 1 week to fix
  • D. Let the team decide since it's a technical matter
✅ Answer: C — PMs have professional and ethical responsibility to ensure compliance. Even when the sponsor directs otherwise, the PM must present risks clearly and recommend the compliant course of action. The sponsor has organizational authority, but the PM has professional responsibility — they should make the risks explicit so the sponsor can make an informed decision. A PM who knowingly launches a non-compliant system has failed their professional duty under the PMI Code of Ethics.
Question 2
A project team member discovers that a subcontractor is using pirated software to deliver project work. What should the PM do?
  • A. Ignore it as long as the work quality is acceptable
  • B. Address it immediately — require the subcontractor to use licensed software, document the issue and corrective action, as this is both a legal compliance and ethical responsibility
  • C. Inform the team but not the subcontractor
  • D. Replace the subcontractor without explanation
✅ Answer: B — Under the PMI Code of Ethics, PMs have responsibilities around honesty, responsibility, fairness, and respect — which extend to ensuring the project operates legally. Using pirated software exposes the organization to legal liability (copyright infringement), regardless of work quality. The PM must address it directly with the subcontractor, document the issue and the corrective action taken, and verify compliance. Ignoring it (A) makes the PM complicit. Replacing without explanation (D) fails the transparency principle.
Question 3
A new government regulation requires additional security features that were not in the original project scope. The implementation will cost $40,000. Who should make the final decision on how to proceed?
  • A. The PM, using the project contingency reserve
  • B. The development team, since it's a technical requirement
  • C. The Project Sponsor or CCB, after the PM presents the impact analysis and options
  • D. The legal team
✅ Answer: C — A regulatory change that adds $40,000 to project cost is a significant scope and budget decision that exceeds what the PM can authorize unilaterally. The PM's role is to assess the impact (scope, schedule, cost, risk), identify options (e.g., fast-track implementation, phased approach, delay launch until compliant), and present the analysis to the sponsor or CCB for decision. Drawing on the contingency reserve without authorization (A) exceeds the PM's authority. The legal team (D) advises on requirements but does not make project decisions.

🤖 AI Tools for PMs

🤖 How AI Augments This Process

AI helps PMs identify compliance requirements, analyze regulatory impact on projects, generate compliance checklists, and track compliance posture across project phases.

Sample Claude Prompts

Compliance requirement identification

Help me identify compliance requirements for my project.
Industry: [fintech / healthcare / logistics / government]
Geography: [countries where the project operates — e.g., Vietnam, Philippines, Singapore]
Data handled: [personal data / financial data / health data / government data]
Project type: [customer-facing app / internal system / data platform / payment processing]
Regulations I'm already aware of: [list]
Regulations I'm unsure about: [list areas of uncertainty]

Identify compliance requirements across:
1. Data privacy: [GDPR / PDPA / local equivalents — what applies]
2. Financial regulations: [central bank requirements, AML/KYC, consumer protection]
3. Information security: [ISO 27001, SOC2, PCI-DSS — which apply]
4. Accessibility: [WCAG requirements if customer-facing]
5. Industry-specific: [any sector regulations]

For each requirement:
- What it mandates
- Penalty for non-compliance
- How to demonstrate compliance (audit trail / certifications / documentation)
- Who owns it in the project (legal, security team, PM)
- Timeline to achieve compliance before go-live
Compliance gap analysis

I need to run a compliance gap analysis for my project before go-live.
Project: [name and description]
Applicable regulations: [list regulations that apply]
Current compliance status per area:
  [Regulation 1]: [what we've done / what's missing]
  [Regulation 2]: [what we've done / what's missing]
  [continue]
Go-live date: [YYYY-MM-DD]
Days remaining: [count]
Legal/compliance team available: [yes — who / limited / none]

Perform a gap analysis:
1. For each regulation: current status (Green/Amber/Red), specific gaps, remediation actions needed
2. Priority order for closing gaps (by risk level and time-to-close)
3. Items that could block go-live vs. items that can be closed in parallel with operations
4. Estimated effort to close each gap
5. Recommendation: is this project ready to go live? What's the minimum compliance bar?
6. Ongoing compliance monitoring plan post-launch
Compliance-related change request analysis

A regulatory change has been announced that affects my project. Help me analyze the impact.
Regulation change: [what changed — new law / amended regulation / new central bank circular]
Effective date: [when it takes effect]
Project context: [current phase, days to planned go-live]
What the regulation requires: [specific technical or process changes needed]
Current architecture/process: [what we have now]
Gap: [what we need to add or change]

Analyze:
1. Is this a hard deadline (cannot go live without it) or a transitional requirement?
2. Technical impact: what specifically must change in the system?
3. Process impact: what workflows or procedures must change?
4. Effort estimate and timeline feasibility
5. Change request type: emergency regulatory change (fast-track CCB)
6. Draft the change request documentation
7. Communication plan: regulator, partner banks, operations team

Jira / Confluence Template

Confluence — Compliance Tracking Dashboard
── CONFLUENCE: COMPLIANCE TRACKING DASHBOARD ────────────
Project: [Project Alpha] | Markets: [VN / PH] | Last updated: [YYYY-MM-DD]
Go-live: [YYYY-MM-DD] | Days remaining: [count]

── COMPLIANCE STATUS BY REGULATION ──────────────────────
Regulation       | Status | Owner      | Gap                         | Action Due
─────────────────|────────|────────────|─────────────────────────────|──────────
PCI-DSS Level 2  | 🟡     | Security   | Penetration test needed     | Sprint 10
BSP Circular XXX | 🔴     | Legal+PM   | Cooling-off feature missing | Sprint 9
PDPA (PH)        | 🟢     | Legal      | All controls in place       | Ongoing
AML/KYC          | 🟢     | Compliance | Processes documented        | Ongoing
WCAG 2.1 AA      | 🟡     | Frontend   | Color contrast issues       | Sprint 10

── GO-LIVE BLOCKERS ──────────────────────────────────────
Hard blocks: [Regulations that MUST be green before go-live]
Soft items: [Items that can be remediated post-launch with plan]

── AUDIT TRAIL ───────────────────────────────────────────
Evidence folder: [Confluence link] | Legal sign-off: [ ] Obtained [ ] Pending