Aspects of Compliance



When applying prescriptions (norms) or assessing them on conformance, several aspects or dimensions of compliance should be taken into account (Foorthuis and Bos, 2011):

A prescription should be applied correctly. Its use, or lack of it, should also be justified (relevant) in the respective situation. Another issue is whether related prescriptions are applied consistently. A final concern is whether the complete set of (mandatory) norms is applied, as opposed to merely a convenient subset.

Click here to see other aspects of compliance.


Comments:
When assessing compliance, the aspects above can be seen as compliance checks or aspects to assess (Foorthuis et al., 2009, 2012):

           Correctness check: verifies whether a given prescription (norm) is applied by the regulatee in a way that is in accordance with its intended meaning, rationale and usage. In other words, this check verifies whether the application of the prescription deviates from the prescription as it was intended by the policy maker.


           Justification check: verifies whether the (lack of) application of a given prescription (norm) is justified, depending on its relevance in the specific situation. The justification check's actual execution is dependent upon certain conditions. First, if the application of a prescription deviates from its intended application (which is determined by the correctness check), it needs to be ascertained whether the alteration is justified. Second, if a prescription is not applied, it needs to be ascertained whether it is justified not to apply it. Third, if a prescription is applied correctly, it needs to be checked whether it is indeed justified to apply it. This last sub-check aims to avoid 'blind' conformance that could harm the goals of the enterprise or the regulatee (e.g. a unit, project or individual employee) in the specific situation. In short, the justification check verifies whether the regulatee has made the appropriate choice when deciding to apply, alter or not to apply a given prescription.


           Consistency check: verifies whether, if a given prescription (norm) is applied, required related prescriptions are also applied. Some prescriptions, especially those at lower abstraction levels, might need to be implemented as a package. For example, so-called counterpart prescriptions are interdependent. Another focus of the check is to verify whether the prescriptions' applications do not contradict each other, but instead culminate in a consistent and balanced result.


           Completeness check: verifies whether all the prescriptions (norms) are applied. Minimally, the prescriptions that have been marked as mandatory (perhaps dependent on specific situations) need to be applied.



Such checks are relevant for compliance testing. Survey research (n=293) found the use of compliance assessments to be the most important determinant of conformance of projects to enterprise architecture prescriptions, probably due to assessments emphasizing the importance of compliance and to actors' desire to avoid confrontation (Foorthuis et al., 2010).




Sources:


           Foorthuis, R.M., Steenbergen, M. van, Brinkkemper, S., Bruls, W. (2015). A Theory Building Study of Enterprise Architecture Practices and Benefits. Information Systems Frontiers. DOI: 10.1007/s10796-014-9542-1.
Download paper: A theory building study of EA practices and benefits - Foorthuis et al.pdf


           Foorthuis, R.M., Hofman, F., Brinkkemper, S., Bos, R. (2012). Compliance Assessments of Projects Adhering to Enterprise Architecture. Journal of Database Management, Vol. 23, No. 2, pp. 44-71.
Download paper: Compliance Assessments of Projects Adhering to EA - Foorthuis et al.pdf


           Foorthuis, R.M., Bos, R. (2011). A Framework for Organizational Compliance Management Tactics. In: C. Salinesi and O. Pastor (Eds.), CAiSE 2011 Workshops (GRCIS 2011), LNBIP 83, pp. 259268. Berlin: Springer-Verlag.


           Foorthuis, R.M., Steenbergen, M. van, Mushkudiani, N., Bruls, W., Brinkkemper, S., Bos, R. (2010). On Course, But Not There Yet: Enterprise Architecture Conformance and Benefits in Systems Development. In: Proceedings of the Thirty First International Conference on Information Systems (ICIS 2010), St. Louis, Missouri, USA.


           Foorthuis, R.M., Hofman, F., Brinkkemper, S., Bos, R. (2009). Assessing Business and IT Projects on Compliance with Enterprise Architecture. In: Proceedings of GRCIS 2009, CAiSE Workshop on Governance, Risk and Compliance of Information Systems.





Created: February 7th 2015
Ralph Foorthuis