Dimensions of Compliance



Compliance has several dimensions (Foorthuis, 2012, p. 207, see also chapter 6). These dimensions represent the different aspects that should be taken into account when the aim is to achieve or to measure compliance with norms (i.e. prescriptions).

           Correctness: A norm should be applied in accordance with its intended meaning, rationale and usage.


           Justification: The application of a given norm - or the lack thereof - should be justified, depending on its relevance and priority in the specific situation.


           Consistency: Certain norms may be related and dependent on each other's application. In this case a group of norms needs to be applied as a package, since applying only one norm would not be sufficient. Furthermore, such related norms should be applied in a coherent way.


           Completeness: All (mandatory) norms should be adhered to, as opposed to adhering only to a convenient subset.




In other words, when applying norms (prescriptions) or assessing conformance to them, several dimensions of compliance should be taken into account (Foorthuis and Bos, 2011):

A norm should be applied correctly. Its use, or lack of it, should also be justified (relevant) in the respective situation. Another issue is whether related norms are applied consistently. A final concern is whether the complete set of (mandatory) norms is applied, as opposed to merely a convenient subset.



Comments:
When assessing compliance, the aspects above can be seen as compliance checks or aspects to assess (Foorthuis et al., 2009, 2012):

           Correctness check: Verifies whether a given norm (prescription) is applied by the regulatee in a way that is in accordance with its intended meaning, rationale and usage. In other words, this check verifies whether the application of the norm deviates from the norm as it was intended by the policy maker.


           Justification check: Verifies whether the (lack of) application of a given norm (prescription) is justified, depending on its relevance in the specific situation. The justification check's actual execution is dependent upon certain conditions. First, if the application of a norm deviates from its intended application (which is determined by the correctness check), it needs to be ascertained whether the alteration is justified. Second, if a norm is not applied, it needs to be ascertained whether it is justified not to apply it. Third, if a norm is applied correctly, it needs to be checked whether it is indeed justified to apply it. This last sub-check aims to avoid 'blind' conformance that could harm the goals of the enterprise or the regulatee (e.g. a unit, project or individual employee) in the specific situation. In short, the justification check verifies whether the regulatee has made the appropriate choice when deciding to apply, alter or not to apply a given norm.


           Consistency check: Verifies whether, if a given norm is applied, required related norms are also applied. Some norms, especially those at lower abstraction levels, might need to be implemented as a package. For example, so-called counterpart norms are interdependent. Another focus of the check is to verify whether the norms' applications do not contradict each other, but instead culminate in a consistent and balanced result.


           Completeness check: Verifies whether all the norms are applied. Minimally, the norms that have been marked as mandatory (perhaps dependent on specific situations) need to be applied.



Such checks are relevant for compliance testing. Survey research (n=293) found the use of compliance assessments to be the most important determinant of conformance of projects to enterprise architecture prescriptions, probably due to assessments emphasizing the importance of compliance and to actors' desire to avoid confrontation (Foorthuis et al., 2010).




Sources:


           Foorthuis, R.M., Steenbergen, M. van, Brinkkemper, S., Bruls, W. (2015). A Theory Building Study of Enterprise Architecture Practices and Benefits. Information Systems Frontiers. DOI: 10.1007/s10796-014-9542-1.


           Foorthuis, R.M. (2012). Project Compliance with Enterprise Architecture. Doctoral dissertation (PhD thesis). Utrecht University, Department of Information and Computing Sciences, Organization and Information. ISBN: 978-90-393-5834-4.


           Foorthuis, R.M., Hofman, F., Brinkkemper, S., Bos, R. (2012). Compliance Assessments of Projects Adhering to Enterprise Architecture. Journal of Database Management, Vol. 23, No. 2, pp. 44-71.


           Foorthuis, R.M., Bos, R. (2011). A Framework for Organizational Compliance Management Tactics. In: C. Salinesi and O. Pastor (Eds.), CAiSE 2011 Workshops (GRCIS 2011), LNBIP 83, pp. 259-268. Berlin: Springer-Verlag.


           Foorthuis, R.M., Steenbergen, M. van, Mushkudiani, N., Bruls, W., Brinkkemper, S., Bos, R. (2010). On Course, But Not There Yet: Enterprise Architecture Conformance and Benefits in Systems Development. In: Proceedings of the Thirty First International Conference on Information Systems (ICIS 2010), St. Louis, Missouri, USA.


           Foorthuis, R.M., Hofman, F., Brinkkemper, S., Bos, R. (2009). Assessing Business and IT Projects on Compliance with Enterprise Architecture. In: Proceedings of GRCIS 2009, CAiSE Workshop on Governance, Risk and Compliance of Information Systems.





Updated: February 7th 2015
Ralph Foorthuis