Task 32: Plan and Manage Project Compliance
Every project operates within a web of obligations — regulatory mandates, contractual requirements, organizational policies, industry standards, and ethical commitments. Failure to meet any of these can trigger fines, lawsuits, reputational damage, or project cancellation. ECO Task 32 — Plan and Manage Project Compliance — addresses this reality by requiring the project manager to systematically identify, classify, and manage compliance requirements throughout the project lifecycle. This task sits in the Business Environment domain because compliance is fundamentally about how the project interacts with the external and organizational environment in which it operates.
Compliance is not merely a checklist to be completed at the end of the project. It is an ongoing discipline that shapes planning decisions, risk management, procurement, quality assurance, and stakeholder communication. PMI emphasizes that project managers must be proactive about compliance — anticipating requirements, building them into the project plan, and continuously verifying adherence — rather than reacting to violations after they occur. This study guide covers the full scope of Task 32, including the ECO enablers, practical frameworks for classifying and managing compliance, and how compliance scenarios appear on the PMP exam.
ECO Enablers for Task 32
The PMP Exam Content Outline defines the specific capabilities a project manager must demonstrate when planning and managing compliance. These enablers move from identification through classification, analysis, response planning, and ongoing measurement:
- Confirm project compliance requirements. The PM must identify all applicable compliance obligations — regulatory (government-mandated), legal (contractual), organizational (internal policies), and industry (standards and certifications). This requires engaging legal counsel, compliance officers, procurement specialists, and subject matter experts who understand the regulatory landscape.
- Classify compliance categories. Once requirements are identified, the PM must organize them into meaningful categories (e.g., security, health and safety, environmental, data privacy, financial reporting, accessibility) to ensure nothing is overlooked and that appropriate expertise is applied to each category.
- Determine potential threats to compliance. The PM must assess what could cause the project to fall out of compliance — changes in regulations, supplier nonconformance, team turnover, scope creep that introduces new compliance dimensions, or failure to document adherence properly.
- Use methods to support compliance. This enabler covers the tools, processes, and frameworks the PM deploys to maintain compliance: audits, inspections, compliance checklists, training programs, quality control procedures, and automated monitoring systems.
- Analyze the consequences of noncompliance. The PM must understand what is at stake — financial penalties, criminal liability, contract termination, loss of certifications, reputational harm, or project shutdown — and communicate these consequences to stakeholders who may be tempted to cut corners.
- Determine the necessary approach and action to address compliance needs. Based on the analysis, the PM selects the appropriate strategy: risk-based approaches that prioritize the highest-impact requirements, legal review processes for ambiguous regulations, or preventive measures such as design reviews and third-party certifications.
- Measure the extent to which the project is in compliance. Compliance is not a binary state achieved once. The PM must establish ongoing metrics, conduct periodic audits, track corrective actions, and report compliance status to governance bodies and regulators as required.
These enablers map to PMBOK 7's Stewardship principle — "Be a diligent, respectful, and caring steward" — which explicitly includes compliance with legal and regulatory requirements. They also connect to the Delivery and Measurement performance domains, which emphasize quality and performance tracking.
The PMP exam draws an important distinction between compliance and quality. Compliance is about meeting externally imposed requirements — laws, regulations, contracts, standards — that the project must satisfy regardless of whether stakeholders consider them valuable. Quality is about meeting stakeholder expectations and fitness for use — it is internally driven. A building can be high-quality (beautiful, functional, well-constructed) but noncompliant (missing fire safety certifications). Conversely, a project can be fully compliant but low-quality. The PM must manage both dimensions, and on the exam, look for answer choices that treat compliance as non-negotiable while quality involves trade-off decisions.
Classifying Compliance Categories
The second enabler — classifying compliance categories — is foundational because different categories demand different expertise, processes, and urgency. The project manager cannot treat all compliance requirements identically. Below is a classification framework that the PMP exam expects you to understand:
| Compliance Category | Examples | Typical Owner / SME | Consequence of Failure |
|---|---|---|---|
| Security / Data Privacy | GDPR, HIPAA, CCPA, PCI-DSS, ISO 27001, organizational data classification policies | CISO, Data Protection Officer, Legal | Fines up to 4% of global revenue (GDPR), breach notification costs, loss of customer trust, criminal liability |
| Health & Safety | OSHA (US), HSE (UK), workplace safety regulations, hazardous materials handling | Safety Officer, HR, Facilities | Workplace injuries/fatalities, criminal charges, project shutdown, OSHA fines up to $156K per violation |
| Environmental | EPA regulations, emissions standards, waste disposal laws, sustainability commitments | Environmental Manager, Legal, Operations | Cleanup costs, fines, permit revocation, reputational damage, shareholder lawsuits |
| Financial / Anti-Corruption | SOX, FCPA, UK Bribery Act, anti-money laundering, procurement integrity rules | Finance, Legal, Compliance Officer | Criminal prosecution, debarment from government contracts, executive liability, massive fines |
| Industry-Specific | FDA (pharma/medical devices), FAA (aviation), FCC (telecom), building codes, accessibility (ADA, WCAG) | Regulatory Affairs, Quality Assurance, Engineering | Product recalls, market withdrawal, loss of license to operate, civil penalties |
| Contractual | Service Level Agreements (SLAs), deliverable acceptance criteria, insurance requirements, subcontractor compliance | Procurement, Legal, Project Manager | Contract termination, damages, loss of payment, performance bond forfeiture |
| Organizational Policy | Code of conduct, diversity requirements, procurement policies, document retention, internal audit standards | PMO, HR, Internal Audit | Internal disciplinary action, project cancellation, loss of PMO support, audit findings |
An effective PM builds a compliance register — similar to a risk register — that catalogs each requirement, its category, owner, the method of verification, and the consequence of noncompliance. This register becomes a living document updated throughout the project.
Determining Threats to Compliance
The third enabler requires the PM to think adversarially: what could cause the project to fall out of compliance? Threat identification is essentially risk management applied specifically to compliance obligations. Common compliance threats include:
- Regulatory change during the project. A law or regulation is amended, repealed, or newly enacted after the project begins. The PM must monitor the regulatory environment and have a process for assessing the impact of changes. This is especially critical in long-duration projects in heavily regulated industries.
- Supply chain noncompliance. A subcontractor or vendor fails to meet their compliance obligations, exposing the prime contractor to liability. The PM must flow down compliance requirements contractually and verify vendor adherence through audits or certifications.
- Scope creep introducing new compliance domains. A seemingly modest scope change — adding a payment processing feature, expanding into a new country, collecting additional user data — can introduce entirely new regulatory regimes. The PM must assess every change request for compliance implications before approving it.
- Documentation gaps. Compliance often requires documented evidence of adherence. If the team fails to maintain audit trails, test records, or approval signatures, the project may be found noncompliant even if the work was technically correct.
- Team turnover and knowledge loss. When the compliance expert leaves the team, their knowledge of specific requirements may leave with them. Cross-training and documented compliance procedures mitigate this threat.
A classic PMP exam scenario: the project is behind schedule, and a stakeholder suggests skipping a compliance review or certification step to catch up. The correct answer is never to bypass compliance, even temporarily. Compliance requirements are mandatory constraints, not discretionary activities. The PM should instead explore crashing or fast-tracking other activities, negotiating the schedule baseline, or reallocating resources — but compliance gates remain in place. If the exam asks what the PM should do when compliance and schedule conflict, look for the answer that protects compliance while proposing legitimate schedule recovery techniques.
Methods to Support Compliance
The fourth enabler addresses the practical tools and techniques the PM uses to maintain compliance throughout the project. These methods form a compliance assurance system:
- Compliance audits — Independent reviews (internal or external) that assess whether project activities conform to requirements. Audits may be scheduled (e.g., quarterly) or triggered by events (e.g., a significant change). The PM's role is to facilitate audits, not to obstruct them.
- Compliance checklists — Structured verification tools that ensure each requirement is addressed at the appropriate project phase. Checklists are especially valuable during phase gate reviews and deliverable acceptance.
- Training and awareness programs — Ensuring the team understands their compliance obligations. A developer who doesn't know about data privacy requirements cannot comply with them.
- Automated monitoring and tooling — Using software to continuously verify compliance (e.g., static code analysis for security standards, automated accessibility testing, CI/CD pipeline gating on compliance checks). Automation reduces human error and provides real-time compliance visibility.
- Third-party certifications — Engaging external bodies to certify that the project's outputs meet required standards (e.g., UL certification for electrical products, SOC 2 for software platforms). Certification provides independent assurance to stakeholders and regulators.
Analyzing Consequences of Noncompliance
The fifth enabler demands that the PM understand — and communicate — the true cost of noncompliance. This analysis drives prioritization: not all compliance requirements carry equal consequences, and the PM must allocate attention and resources accordingly. Consequences fall into several categories:
| Consequence Type | Description | Example |
|---|---|---|
| Financial Penalties | Fines, penalties, damages, loss of revenue | GDPR fines up to €20M or 4% of global turnover; OSHA penalties; liquidated damages for contractual noncompliance |
| Legal / Criminal Liability | Civil lawsuits, criminal charges against individuals or the organization | FCPA violations leading to prosecution of executives; wrongful death suits from safety violations |
| Operational Disruption | Project suspension, permit revocation, product recall, facility shutdown | FDA ordering a clinical trial halt; FAA grounding aircraft; building inspector ordering construction to stop |
| Reputational Damage | Loss of customer trust, negative media coverage, brand devaluation | Data breach eroding customer confidence; environmental violation triggering boycotts |
| Loss of Business Opportunity | Debarment from government contracts, loss of certifications needed to operate | Company barred from federal contracting; ISO certification revoked, blocking access to markets |
The PM should conduct a compliance impact assessment early in planning, quantifying consequences where possible and qualifying them where not. This assessment informs the compliance approach: high-consequence requirements demand rigorous preventive controls, while lower-consequence requirements may be managed through periodic monitoring.
Determining the Compliance Approach
The sixth enabler — determining the necessary approach and action — is where the PM translates analysis into strategy. There are several proven compliance approaches, and the PM selects the appropriate one (or combination) based on the requirement and its consequences:
- Risk-based approach. Prioritize compliance activities based on the likelihood and impact of noncompliance. High-risk requirements receive intensive controls; low-risk requirements receive lighter monitoring. This approach maximizes limited compliance resources.
- Legal review approach. For ambiguous or novel regulatory requirements, engage legal counsel to interpret the obligation and define the specific actions needed for compliance. This is common in emerging regulatory areas like AI governance or cryptocurrency.
- Preventive design approach. Build compliance into the product or process from the start rather than inspecting for it after the fact. This includes design reviews, compliance-focused architecture decisions, and embedding compliance checks into the definition of done.
- Corrective action approach. When noncompliance is detected, implement a structured corrective action process: identify the root cause, implement a fix, verify the fix worked, and update processes to prevent recurrence. This is the Plan-Do-Check-Act cycle applied to compliance.
Measuring Ongoing Compliance
The final enabler — measuring the extent of compliance — ensures that compliance is not treated as a one-time gate but as an ongoing dimension of project performance. Effective compliance measurement includes:
- Compliance KPIs. Define metrics such as percentage of compliance requirements verified, number of open compliance findings, average time to resolve findings, and audit pass rate. These KPIs should be reported in regular status reviews.
- Periodic self-assessments. The project team should regularly evaluate its own compliance posture, identifying gaps before an external auditor does.
- Compliance dashboards. Visual tools that provide at-a-glance status of compliance across all categories. A green/yellow/red system helps governance bodies quickly assess whether the project is on track.
- External validation. Where required, engage third-party auditors or certifying bodies to independently verify compliance status.
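As an added illustration that is not part of the study guide, the following Python sketch ties together the compliance register described earlier, the risk-based prioritization approach, and the compliance KPIs and green/yellow/red dashboard above. The requirement rows, finding dates, the 1-5 likelihood/impact scales and the RAG thresholds are constructed assumptions, not PMI-defined values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical compliance register (constructed sample data, not from any real project).
@dataclass
class Requirement:
    req_id: str
    category: str       # e.g. "Security / Data Privacy"
    owner: str          # accountable SME
    verification: str   # how adherence is evidenced
    likelihood: int     # assumed 1-5 chance of falling out of compliance
    impact: int         # assumed 1-5 severity of noncompliance
    verified: bool = False

@dataclass
class Finding:
    req_id: str
    opened: date
    resolved: Optional[date] = None   # None means the finding is still open

REGISTER = [
    Requirement("R1", "Security / Data Privacy", "DPO", "annual audit", 3, 5, verified=True),
    Requirement("R2", "Health & Safety", "Safety Officer", "site inspection", 2, 5, verified=True),
    Requirement("R3", "Contractual", "Procurement", "monthly SLA report", 4, 3),
    Requirement("R4", "Organizational Policy", "PMO", "phase-gate checklist", 2, 2, verified=True),
]

FINDINGS = [
    Finding("R1", date(2024, 1, 10), date(2024, 1, 20)),
    Finding("R3", date(2024, 2, 1), date(2024, 2, 5)),
    Finding("R3", date(2024, 3, 1)),   # open finding against an unverified requirement
]

def percent_verified(register):
    """KPI: share of register entries with evidence of adherence."""
    return 100.0 * sum(r.verified for r in register) / len(register)

def open_findings(findings):
    """KPI: findings that have not yet been closed."""
    return [f for f in findings if f.resolved is None]

def mean_days_to_resolve(findings):
    """KPI: average open-to-closed time for resolved findings."""
    days = [(f.resolved - f.opened).days for f in findings if f.resolved]
    return sum(days) / len(days) if days else 0.0

def prioritize(register):
    """Risk-based approach: rank by likelihood x impact, highest first."""
    return sorted(register, key=lambda r: r.likelihood * r.impact, reverse=True)

def rag_status(register, findings):
    """Dashboard colour (assumed thresholds): RED if a high-impact (>=4) requirement
    is unverified or has an open finding; YELLOW if anything is unverified or open."""
    open_ids = {f.req_id for f in open_findings(findings)}
    at_risk = [r for r in register if not r.verified or r.req_id in open_ids]
    if any(r.impact >= 4 for r in at_risk):
        return "RED"
    return "YELLOW" if at_risk else "GREEN"
```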
How Task 32 Appears on the PMP Exam
Pattern 1: "A regulation changed mid-project. What should the PM do?"
Assess the impact of the regulatory change on the project, update the compliance register and project management plan, and communicate the implications to stakeholders — including any necessary scope, schedule, or budget changes. The PM should not ignore the change or assume it doesn't apply.
Pattern 2: "A team member suggests skipping a compliance review to meet a deadline."
The PM must not skip compliance activities. Instead, explore legitimate schedule acceleration techniques, engage the sponsor to discuss the schedule constraint, or adjust the project baseline. Compliance is not optional.
Pattern 3: "A subcontractor is found to be noncompliant. What should the PM do?"
Address the noncompliance with the subcontractor immediately. Review the contract for remedies, require a corrective action plan, and if the subcontractor cannot or will not comply, initiate contract termination procedures and find a compliant replacement. The PM cannot simply accept the noncompliance.
Pattern 4: "Stakeholders are unaware of the consequences of noncompliance."
The PM should educate stakeholders by presenting the compliance impact assessment, explaining the specific consequences of noncompliance (financial, legal, operational, reputational), and reinforcing that compliance is a project constraint, not a preference. Use data and concrete examples.
Study Checklist for Task 32
- ✅ Can you name at least five compliance categories and provide an example of each?
- ✅ Do you understand the difference between compliance and quality — and why both must be managed?
- ✅ Can you describe the seven ECO enablers and how they form a complete compliance lifecycle?
- ✅ Can you identify common threats to compliance and how to mitigate each?
- ✅ Do you know the four compliance approaches (risk-based, legal review, preventive design, corrective action) and when each is appropriate?
- ✅ Are you prepared for exam scenarios where schedule pressure conflicts with compliance requirements?
- ✅ Can you explain how compliance connects to PMBOK 7's Stewardship principle?
Compliance is the guardrail that keeps the project on the road. Ignore it, and the project may crash — no matter how well it performs on schedule and budget. Continue to the ECO Study Guide Index for the remaining Business Environment tasks, including benefits realization and organizational change.