Change Management For Compliance Initiatives


  • Roxanne Bras Petraeus

    CEO @ Ethena | Helping Fortune 500 companies build ethical & inclusive teams | Army vet & mom

    21,728 followers

    The DOJ consistently says that compliance programs should be effective, data-driven, and focused on whether employees are actually learning. Yet... The standard training "data" is literally just completion data!

    Imagine if I asked a revenue leader how their sales team was doing and the leader said, "100% of our sales reps came to work today." I'd be furious! How can I assess effectiveness if all I have is an attendance list?

    Compliance leaders I chat with want to move to a data-driven approach but change management is hard, especially with clunky tech. Plus, it's tricky to know where to start – you often can't go from 0 to 60 in a quarter.

    In case this serves as inspiration, here are a few things Ethena customers are doing to make their compliance programs data-driven and learning-focused:

    1. Employee-driven learning: One customer is asking, at the beginning of their code of conduct training, "Which topic do you want to learn more about?" and then offering a list. Employees get different training based on their selection...and no, "No training pls!" is not an option. The compliance team gets to see what issues are top of mind and then they can focus on those topics throughout the year.

    2. Targeted training: Another customer is asking, "How confident are you raising bribery concerns in your team," and then analyzing the data based on department and country. They've identified the top 10 teams they are focusing their ABAC training and communications on, because prioritization is key.

    You don't need to move from the traditional, completion-focused model to a data-driven program all at once. But take incremental steps to layer on data that surfaces risks and lets you prioritize your efforts.

    And your vendor should be your thought partner, not the obstacle, in this journey! I've seen Ethena's team work magic in terms of navigating concerns like PII and LMS limitations – it can be done!

  • Michael Lopez

    Transformation Consultant to the Fortune 500 | Ex Big Four Managing Director | Former US Intelligence Officer | Host of the Top Voice Tuesday Podcast | Author - CHANGE.

    4,528 followers

    Most companies think stakeholder management is about getting buy-in. It's actually about changing predictions.

    Years ago, I was helping a technology company with their organizational transformation. They had grown from a startup to several thousand people but were still operating like a startup. No real processes. No decision-making structures. Just running from one urgent need to another.

    When I recommended new forms of governance, the resistance was immediate. And here's what made it complicated: each senior leader was resisting against a different, negative outcome as a result of the change.

    For example, some believed that structure would slow them down and make them less nimble versus competitors. Others thought it would kill innovation. Some thought it would create bureaucracy by adding layers and layers of approvals to workflows. Many thought it meant they would lose the autonomy to run their business unit.

    Here's what was really happening. Each person's brain was making different predictions based on their unique experience. These leaders could only predict problems because unstructured processes and systems were all they'd ever known. Their brains couldn't envision the benefits because they had no (or at least limited) experience with good structure.

    Traditional stakeholder management would have grouped them as "senior leaders" and designed one strategy for them all. But their concerns were entirely individual.

    Changing predictions requires three things. First, understanding that each person's concerns are unique. No two brains make the same predictions. Second, getting people to try new approaches without perfect information. This takes direct, one-on-one conversations. Third, recognizing that predictions don't change overnight. It takes experience and repetition.

    If the stakeholders in your company are resisting change, understand that their brains are doing what brains do. They're predicting outcomes based on what they know.

    The next time you build your stakeholder management approach, remember it's not about treating everyone with the same title the same.

    It's about engaging everyone, individually, where they are.

    Michael J Lopez Consulting #change #stakeholdermanagement

  • Girish Redekar

    Co-Founder at Sprinto | 2x Founder | GRC | Infosec | Breeze through security compliances

    14,249 followers

    Find your GRC teams always in a fix-it mode? That’s where the real risk begins.

    Instead of proactively managing risks, most GRC teams are:

    🔁 Chasing people
    📥 Collecting evidence
    🧯 Putting out fires that should’ve never started

    Cue in security threats, audit delays, data leaks, and a company stuck firefighting instead of thinking strategically.

    It needn’t be this way. Build a culture where risk is not just acknowledged—it’s actively measured, scored, and communicated. That means:

    ✅ Creating a shared risk language
    ✅ Scoring risks and mapping them to systems, owners, and impact
    ✅ Escalating cross-functional risks in formats executives can act on

    Proactive compliance starts with structure:

    📁 Evidence collection is just the beginning: Templatize it. Version it. Make it auditor-ready by default.
    🎯 Audit interaction needs clarity: Don’t just upload files—create walkthroughs, narratives, and preview environments.
    📊 Dashboards should highlight gaps: Understand the gaps before the audit season begins.
    🚫 Risk can’t stay siloed: Identify, assess, and map all potential risks across assets, departments, and people.

    Stop surviving audits. Start operationalizing compliance.

  • Katharina Koerner

    AI Governance & Security I Trace3 : All Possibilities Live in Technology: Innovating with risk-managed AI: Strategies to Advance Business Goals through AI Governance, Privacy & Security

    44,343 followers

    Auditing is proposed in laws, regulations, and industry guidelines to mitigate AI risks, but there's a lack of established norms and standardized practices for compliance and assurance audits. Despite varied approaches like adversarial pressure testing and quantitative assessments, consensus on norms and practices is still evolving.

    The term 'audit' is used broadly to encompass diverse evaluations of algorithmic tools, including pressure-testing by external entities, internal pre-deployment assessments, collaborative audits, and external audits ensuring compliance with legislative or standardized framework requirements.

    External audits differ from risk or impact assessments in two main aspects. Firstly, algorithmic impact or risk assessments primarily focus on internal evaluations. Secondly, external audits require a conclusive outcome for stakeholders to act upon, while risk or impact assessments usually provide open-ended outputs, such as prioritized lists of risks or impacts.

    This paper below specifically focuses on 'external audits,' also known as 'compliance audits,' which aim to ensure adherence to specified requirements.

    This paper introduces the 'criterion audit' as a practical way to do external audits, inspired by how financial audits work. It is defined as: "A criteria-based independent external evaluation E of an algorithmic system S conducted by an auditor A to determine whether the given system S meets the requirements set by a normative framework."

    The criterion audit is characterized by 4 key features:

    1. Standardized Criteria: Transparent evaluation against publicly accessible criteria.
    2. Normative Framework: Measuring compliance against a specific normative framework.
    3. Auditor Training: Standardized training and accreditation for auditors.
    4. Public Disclosure: Results disclosed, ensuring transparency while addressing security concerns.

    The standard process for a criterion audit includes target scoping, documentation submission, evidence verification, publication of the audit report, and certification of the audited algorithmic system based on the evaluation against normative framework requirements.

    The paper demonstrates the application of the proposed approach to comply with NYC Local Law 144.

    The paper stresses that auditors for the criterion audit, like financial auditors, need professional values, subject matter expertise, and rigorous audit processes. It advocates for standardized audit training and suggests combining this with responsible AI education for a comprehensive understanding of complex considerations in algorithm audits.

    Title: "A Framework for Assurance Audits of Algorithmic Systems"
    Authors: BABL AI research team, led by Khoa Lam, Dr. Benjamin Lange, and Borhane Blili-Hamelin, PhD. Contributions from Shea Brown, Jovana Davidovic, and Ali Hasan.

  • Patrick Sullivan

    VP of Strategy and Innovation at A-LIGN | TEDx Speaker | Forbes Technology Council | AI Ethicist | ISO/IEC JTC1/SC42 Member

    10,202 followers

    ⏰ AI Governance – A Time for Change ⏰

    Implementing and maintaining compliance with an Artificial Intelligence Management System (#AIMS) is transformative. It reshapes workflows, accountability, and decision-making, but challenges can extend beyond deployment. Sustaining compliance requires consistent employee engagement, skill development, and adaptation to evolving standards.

    The #ADKAR model (Awareness, Desire, Knowledge, Ability, Reinforcement) is a proven framework for managing individual transitions. Combined with #ISO10020, which provides structured change management practices, these tools guide organizations through both building and sustaining adherence to an AIMS.

    ➡️ Challenges in AIMS Implementation and Compliance

    🧱 Employee Resistance: Teams may distrust AI systems or resist workflow changes required for compliance.
    🛑 Skill Gaps: Maintaining compliance demands ongoing proficiency in monitoring and improving AIMS operations.
    ⚙️ Process Overhaul: Adherence often requires rethinking workflows and embedding accountability structures.
    ⚖️ Accountability and Ethics: Sustained compliance requires transparency and alignment with organizational values.

    These issues necessitate strategies addressing both human and operational challenges.

    ➡️ How ADKAR and ISO10020 Facilitate Compliance

    1️⃣ Awareness: Establishing the Why
    ISO10020 highlights the importance of clear communication, while ADKAR ensures individuals understand the need for change.
    ⚠️ Challenge: Employees may question the effort required for AIMS compliance.
    🏆 Solution: Communicate how compliance is both a safeguard and a foundation for ethical AI.

    2️⃣ Desire: Encouraging Engagement
    Long-term compliance requires sustained commitment.
    ⚠️ Challenge: Employees may disengage if they see compliance as burdensome.
    🏆 Solution: Highlight how compliance simplifies workflows, builds trust, and safeguards integrity. Share success stories to inspire buy-in.

    3️⃣ Knowledge: Building Competency
    ISO10020 emphasizes training plans, while ADKAR focuses on equipping individuals with role-specific skills.
    ⚠️ Challenge: Teams may lack expertise to manage compliance or respond to audits.
    🏆 Solution: Offer ongoing training tailored to roles, covering regulatory updates and compliance practices.

    4️⃣ Ability: Supporting Skill Application
    ADKAR emphasizes practice, and ISO10020 focuses on interventions to remove barriers.
    ⚠️ Challenge: Teams may struggle with consistent application of compliance requirements.
    🏆 Solution: Establish actionable workflows and assign compliance champions to provide guidance.

    5️⃣ Reinforcement: Sustaining Compliance
    Both frameworks stress the importance of monitoring and iterative improvement.
    ⚠️ Challenge: Without follow-up, teams may lapse in compliance adherence.
    🏆 Solution: Use tools like dashboards and change matrices to track progress. Celebrate successes and refine processes based on feedback.

    A-LIGN Prosci Tim Creasey #TheBusinessofCompliance Harm Ellens

  • Nathaniel Alagbe CISA CISM CISSP CRISC CCAK AAIA CFE CCEP MBA MSc

    IT Audit Leader | AI & Cloud Security Auditor | Technology Risk & Control Specialist | Mentor | Helping Organizations Build Trust Through Assurance

    13,625 followers

    Dear Auditors,

    Auditing CI/CD Change Controls

    Continuous Integration and Continuous Deployment (CI/CD) pipelines have become the backbone of modern IT operations. Teams push code daily, sometimes multiple times a day, with the help of automation. While this accelerates delivery, it creates a new challenge. How do you audit change controls in an environment where traditional ticket-based approvals no longer apply? This can be done by adapting the audit approach without slowing down the business.

    📌 Code Review as Approval: In pipelines like GitHub Actions, GitLab, or Azure DevOps, peer review is the new approval process. An auditor should test whether all production changes require pull requests, with at least one independent reviewer before merging.

    📌 Segregation of Duties: The person who develops code should not be the one approving their own pull request or deploying directly to production. Look at repository permissions, branch protection rules, and pipeline access rights.

    📌 Automated Testing: Unit, integration, and security tests are often embedded in the pipeline. An audit should confirm these steps exist and that the pipeline blocks deployments when tests fail. Evidence comes from pipeline logs, not just screenshots.

    📌 Rollback and Recovery: Speed without safety is dangerous. Review whether the team can roll back a failed deployment. Blue-green or canary deployments should leave an evidence trail showing when and how a rollback was triggered.

    📌 Audit Trail: Every pipeline run generates metadata: who triggered it, what code was deployed, and whether it passed controls. Auditors should confirm that this metadata is retained, tamper-proof, and available for review during compliance checks.

    📌 Culture of Shared Accountability: The shift to DevOps means developers, security, and operations share responsibility for controls. Auditors must approach with the mindset of validating what’s working, not just enforcing outdated processes.

    If your audits still ask for manual change tickets, you’re missing the point. CI/CD pipelines are not the enemy of control; they’re the new evidence source. The future of assurance lies in understanding automation, not resisting it.

    #ITAudit #ChangeManagement #CI/CD #DevOps #CloudSecurity #InternalAudit #RiskManagement #ITGC #Automation #CyberAudit #GRC #CyberVerge #CyberYard
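
The checks listed in the post above (independent pull-request review, segregation of duties, test gating, and a tamper-evident run trail), as an added example that is not part of the original post. It runs over constructed pipeline-run records; the field names, the SHA-256 hash chain and the sample data are assumptions, not any CI platform's real export format.

```python
import hashlib
import json

# Assumed metadata every pipeline run must retain for the audit trail.
REQUIRED_FIELDS = ("run_id", "commit", "author", "pr", "approvers",
                   "triggered_by", "tests_passed", "deployed")
GENESIS = "0" * 64  # assumed starting value for the hash chain


def record_digest(record, prev_digest):
    """Hash a run record together with the previous digest (hash chain)."""
    body = {k: v for k, v in record.items() if k != "digest"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_digest.encode() + payload).hexdigest()


def audit_runs(runs):
    """Return (run_id, finding) pairs for every control exception."""
    findings = []
    prev = GENESIS
    for run in runs:
        rid = run.get("run_id", "?")
        missing = [f for f in REQUIRED_FIELDS if f not in run]
        if missing:
            findings.append((rid, "incomplete metadata: " + ",".join(missing)))
        # Audit trail: a record edited after the fact no longer matches.
        if run.get("digest") != record_digest(run, prev):
            findings.append((rid, "audit trail digest mismatch"))
        prev = run.get("digest") or prev
        if not run.get("deployed"):
            continue  # only production deployments are in scope below
        # Code review as approval: approvers other than the author.
        independent = set(run.get("approvers", [])) - {run.get("author")}
        if run.get("pr") is None:
            findings.append((rid, "deployed without pull request"))
        elif not independent:
            findings.append((rid, "no independent reviewer"))
        # Segregation of duties: the author must not deploy the change.
        if run.get("triggered_by") == run.get("author"):
            findings.append((rid, "author deployed own change"))
        # Automated testing: the pipeline must block on failed tests.
        if not run.get("tests_passed"):
            findings.append((rid, "deployed with failing tests"))
    return findings


def build_sample():
    """Constructed sample runs; every name and value is invented."""
    raw = [
        {"run_id": "r1", "commit": "c1", "author": "dev1", "pr": 101,
         "approvers": ["dev2"], "triggered_by": "release-bot",
         "tests_passed": True, "deployed": True},
        {"run_id": "r2", "commit": "c2", "author": "dev2", "pr": 102,
         "approvers": ["dev2"], "triggered_by": "dev2",
         "tests_passed": True, "deployed": True},
        {"run_id": "r3", "commit": "c3", "author": "dev3", "pr": None,
         "approvers": [], "triggered_by": "release-bot",
         "tests_passed": False, "deployed": True},
        {"run_id": "r4", "commit": "c4", "author": "dev1", "pr": 104,
         "approvers": ["dev3"], "triggered_by": "release-bot",
         "tests_passed": False, "deployed": False},  # blocked by the pipeline
    ]
    prev = GENESIS
    for record in raw:
        record["digest"] = prev = record_digest(record, prev)
    return raw


if __name__ == "__main__":
    for run_id, finding in audit_runs(build_sample()):
        print(run_id, finding)
```
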

  • Adam Balfour

    Legal, Compliance & Data Privacy Leader | Board Member | Speaker | Author of Ethics & Compliance For Humans

    7,750 followers

    Three Tips For Policies & Change Management

    Compliance (and other) policies often require changes in human behavior, but a policy alone is not likely to change behaviors. Policies therefore need to be preceded and accompanied by a proportionate amount of well thought and effective change management to help people understand what the changes are and why, and to ensure the change is lasting. Whether the change required is incremental or transformational, the change process should not be overlooked.

    Here are three tips for managing the change management process when it comes to policies:

    1. Understand The Status Quo: In order to know how much change management is required, you need to understand how the desired behaviors compare to the status quo. This includes understanding current behaviors, asking why those behaviors exist and looking at the context that supports/expects the current behaviors (e.g., incentives).

    2. Stakeholder Engagement Before The Policy Is Final: Training and awareness/communications are needed once the policy has been finalized, but that should not be the first point of stakeholder engagement. Engage different stakeholders (including those who will be impacted by the policy, leaders and managers, and anyone who will play a governance/oversight role for the policy requirements) early in the policy development process - ask them questions, hear their perspectives, and get them to help identify potential change management challenges you might not have considered. While time consuming, this can help start the change management process before the policy is even written, and engaged and informed stakeholders who helped to develop the policy might be more inclined to advocate for the policy once it is rolled out and help others with any necessary change management too.

    3. Policies Are Products: You won’t see the Sales & Marketing Department launch a new product and think that sending an email or two to target audiences is enough. They will engage in a whole communication and awareness campaign to connect with and educate the target audiences, speak to them in terms of their interests, identify spokespeople or influential voices who can help engage and persuade others, and do so multiple times knowing that this type of change management will help the product’s success. Policies are essentially our products - if you want the policy to be successful, don’t think a single reference on an intranet site or email is going to support the necessary change management.

    What other tactics or approaches have others used to help support effective change management when it comes to policies?

    _____

    #SundayMorningComplianceTip #EthicsAndComplianceForHumans

    📚 Want to get more compliance ideas and suggestions like this? Connect with me here on LinkedIn or get your copy of my book called Ethics & Compliance For Humans (published by CCI Press and available in print and kindle format on Amazon and various other online book stores)

  • Tom O'Reilly

    Building the Internal Audit Collective

    36,440 followers

    Internal Audit does have a role ensuring audit issues are remediated. It is not acceptable to communicate an issue in an audit report and then "check back in" to see if management has corrected the issue.

    By using change management best practices, Internal Audit can help drive remediation efforts when audit issues:

    - Are tied to company goals
    - Are mapped to transformation initiatives
    - Have buy-in from front-line workers to senior management
    - Deadlines are based on work needed to be done, vs 30/60/90 day dates
    - Action plans broken down to incremental steps to achieve short-term wins
    - Implemented actions are celebrated with audit report recipients
    - Identified actually have a negative impact on corporate objectives, as opposed to internal audit just “writing them up”

    Managing an issue remediation strategy with intent can result in faster corrective actions and help maintain the strong reputation of internal audit.

    AuditBoard #internalaudit #enablingpositivechange

  • Krysta Johnson

    Legal Ops Evangelist @ Docusign | Legal AI Thought Leader | Legal Ops Mentor | Mother of 3 | Actually Autistic and ADHD | Neurodiversity and Mental Health Advocate | Ex-AWS

    16,468 followers

    Not going to lie - I have a handful of failed legal tech implementations and legal tech projects under my belt. If you're in legal ops and you haven't had the same happen to you, you likely haven't been doing it long enough.

    My biggest lesson? Don't overlook the importance of change management. Whether you're tackling a CLM implementation or shifting the way legal services are delivered at your company, change management is going to be key to the success of any legal operations initiative.

    Here are a few change management specific tips I've learned along the way:

    - Focus on the people
      We all know it at this point - legal professionals are resistant to change. You have to make sure you're not only explaining the why but also proactively addressing concerns before they arise.

    - Know how you're going to measure success
      You can't show quantifiable impact without knowing what success looks like. Ensure you have a clear definition of what success looks like - including what KPIs and KRIs you'll track, how you'll track them, and where the data is going to come from.

    - Don't skip UAT and Training
      It's easy to assume that because you understand something it's going to be easy and intuitive for everyone else. Being neurodivergent, I know that's rarely the case. Even for smaller initiatives, ensure you run a UAT group and build training materials that are right sized for the project (and support folks of all different learning types)

    - Take feedback as a gift and use it to iterate
      Legal ops is not set it and forget it. Don't wait until you've hit your KRI(s) for success - you should be leveraging feedback loops during the change management process to actively identify friction points and refine the change strategy as you go.

    Fellow legal ops pros - what else would you add?

    #legaloperations #legalops #legalinnovation #legaltech

  • Tom Lasswell, EMBA

    CIO-Level Leader | Turning Complexity into Clarity

    9,911 followers

    😅 Ever build an awesome new process, then realize you forgot to tell anyone about it? Yeah, me too. (Oops.)

    It's tempting to just flip the switch and say, "Ta-da! Go forth and use!" But we know how that ends... usually with confusion and some creative excuses. 🥴

    The truth is: building it is the easy part. Bringing people along—that's where the real leadership magic kicks in. ✨

    Here's what actually works (learned the hard way!):

    👉 Admit you’re late to the party. A simple, “Hey, we built this, and honestly should’ve talked to you earlier—can we talk now?” goes a looooong way toward trust. (Transparency wins!)

    👉 Swap "any feedback?" for real talk:
       "How would your team break this?" (Yes, seriously.)
       "If you could tweak one thing to make life easier, what would it be?"
       "Does this feel like it'll actually help, or did we just invent more busywork?"

    👉 Context, not commandments. People resist "because I said so." They embrace "here's why this helps, and what we're trying to achieve." (Clarity unlocks buy-in faster than authority ever could.)

    👉 Tiny moments of teamwork. Pilots, feedback loops, quick huddles, group chats—give stakeholders a chance to shape the outcome, even if it’s small. Ownership is a powerful motivator.

    👉 Prepare for adoption (for real!). No documentation, training, or support? Congrats, you've built a shiny new paperweight! 🥳

    At the end of the day, people don't resist change—they resist change done TO them instead of WITH them.

    I'd love to hear your stories! 👇 Ever rolled out something great (or not-so-great) and learned these lessons firsthand? Share your wisdom (or hilarious fails!) in the comments.

    #Leadership #RealTalk #ProcessAdoption #Collaboration #StakeholderEngagement #ChangeManagement #LaughAndLearn #PeopleFirst
