How to Maintain Continuous Compliance


Summary

Continuous compliance refers to the proactive, ongoing management of an organization’s regulatory and operational standards to ensure they meet legal, ethical, and industry-specific requirements at all times. Here's how to maintain it:

  • Prioritize employee engagement: Build a culture of accountability by ensuring teams understand the importance of compliance and their role in maintaining it.
  • Streamline processes with automation: Use tools to monitor, document, and assess compliance regularly, minimizing manual errors and improving consistency.
  • Adapt through ongoing training: Keep your team updated on evolving regulations and best practices to ensure they can uphold compliance effectively in their roles.
Summarized by AI based on LinkedIn member posts
  • View profile for Patrick Sullivan

    VP of Strategy and Innovation at A-LIGN | TEDx Speaker | Forbes Technology Council | AI Ethicist | ISO/IEC JTC1/SC42 Member

    10,051 followers

    ⏰ AI Governance – A Time for Change ⏰

    Implementing and maintaining compliance with an Artificial Intelligence Management System (#AIMS) is transformative. It reshapes workflows, accountability, and decision-making, but challenges can extend beyond deployment. Sustaining compliance requires consistent employee engagement, skill development, and adaptation to evolving standards. The #ADKAR model (Awareness, Desire, Knowledge, Ability, Reinforcement) is a proven framework for managing individual transitions. Combined with #ISO10020, which provides structured change management practices, these tools guide organizations through both building and sustaining adherence to an AIMS.

    ➡️ Challenges in AIMS Implementation and Compliance
    🧱 Employee Resistance: Teams may distrust AI systems or resist workflow changes required for compliance.
    🛑 Skill Gaps: Maintaining compliance demands ongoing proficiency in monitoring and improving AIMS operations.
    ⚙️ Process Overhaul: Adherence often requires rethinking workflows and embedding accountability structures.
    ⚖️ Accountability and Ethics: Sustained compliance requires transparency and alignment with organizational values.
    These issues necessitate strategies addressing both human and operational challenges.

    ➡️ How ADKAR and ISO10020 Facilitate Compliance
    1️⃣ Awareness: Establishing the Why
    ISO10020 highlights the importance of clear communication, while ADKAR ensures individuals understand the need for change.
    ⚠️ Challenge: Employees may question the effort required for AIMS compliance.
    🏆 Solution: Communicate how compliance is both a safeguard and a foundation for ethical AI.
    2️⃣ Desire: Encouraging Engagement
    Long-term compliance requires sustained commitment.
    ⚠️ Challenge: Employees may disengage if they see compliance as burdensome.
    🏆 Solution: Highlight how compliance simplifies workflows, builds trust, and safeguards integrity. Share success stories to inspire buy-in.
    3️⃣ Knowledge: Building Competency
    ISO10020 emphasizes training plans, while ADKAR focuses on equipping individuals with role-specific skills.
    ⚠️ Challenge: Teams may lack expertise to manage compliance or respond to audits.
    🏆 Solution: Offer ongoing training tailored to roles, covering regulatory updates and compliance practices.
    4️⃣ Ability: Supporting Skill Application
    ADKAR emphasizes practice, and ISO10020 focuses on interventions to remove barriers.
    ⚠️ Challenge: Teams may struggle with consistent application of compliance requirements.
    🏆 Solution: Establish actionable workflows and assign compliance champions to provide guidance.
    5️⃣ Reinforcement: Sustaining Compliance
    Both frameworks stress the importance of monitoring and iterative improvement.
    ⚠️ Challenge: Without follow-up, teams may lapse in compliance adherence.
    🏆 Solution: Use tools like dashboards and change matrices to track progress. Celebrate successes and refine processes based on feedback.

    A-LIGN Prosci Tim Creasey #TheBusinessofCompliance Harm Ellens

  • View profile for Troy Fugate

    CCO @ Compliance Insight, Inc. | Regulatory Compliance Expert

    10,914 followers

    FDA Warning Letter snippet: Facility has areas not maintained and in a state of decay. QMR identified significant gaps in training which were not addressed effectively. Sterile operations were not maintained with basic requirements being ignored and willfully violated.

    What can you do about these issues: The GxP compliance process of Align, Apply, and Adapt is a structured approach to ensuring that GxP standards are effectively integrated into an organization’s operations. Here’s how this framework works:

    1. ALIGN – Establishing Compliance Foundations
    This phase ensures that the company’s policies, procedures, and systems are aligned with regulatory expectations and industry best practices.
    Key Activities:
    ✔ Regulatory Landscape Assessment – Identify applicable FDA guidelines.
    ✔ Gap Analysis – Assess current systems against regulatory requirements and industry benchmarks.
    ✔ Quality & Compliance Framework Development – Establish or refine SOPs, policies, and quality systems.
    ✔ Stakeholder Buy-In – Ensure leadership and teams understand compliance priorities and objectives.
    📌 Outcome: A clear compliance roadmap that aligns business operations with regulatory expectations.

    2. APPLY – Implementation & Execution
    Focuses on applying compliance principles to daily operations to ensure processes are followed consistently and effectively.
    Key Activities:
    ✔ Training & Competency Development – Conduct role-specific GMP training for employees.
    ✔ Process Integration – Embed compliance into manufacturing, quality control, and clinical operations.
    ✔ Data Integrity & Documentation – Ensure ALCOA+ principles are met.
    ✔ Routine Monitoring & Self-Inspections – Conduct internal audits and quality reviews to identify gaps before regulatory inspections.
    📌 Outcome: Compliance becomes part of the company’s operational culture, not just a checkbox activity.

    3. ADAPT – Continuous Improvement & Risk Management
    Since regulations and business environments evolve, organizations must continuously adapt their compliance approach to remain inspection-ready and competitive.
    Key Activities:
    ✔ Regulatory Change Management – Monitor FDA updates and enhance policies accordingly.
    ✔ Process Optimization – Leverage insights from deviations, CAPAs, and audit findings to improve compliance efficiency.
    ✔ Technology & Automation – Implement digital compliance tools to enhance data integrity and reduce human error.
    ✔ Culture of Compliance – Foster a mindset where compliance is proactive rather than reactive.
    📌 Outcome: A resilient, future-proof compliance program that evolves with regulatory changes and business needs.

    Why This Approach Matters
    🔹 Prevents last-minute compliance scrambles before inspections.
    🔹 Reduces regulatory risk and ensures inspection readiness at all times.
    🔹 Increases operational efficiency by integrating compliance into day-to-day processes.
    🔹 Supports scalability, ensuring compliance remains strong as the company grows.

  • View profile for Roxanne Bras Petraeus

    CEO @ Ethena | Helping Fortune 500 companies build ethical & inclusive teams | Army vet & mom

    21,544 followers

    The DOJ consistently says that compliance programs should be effective, data-driven, and focused on whether employees are actually learning. Yet... The standard training "data" is literally just completion data!

    Imagine if I asked a revenue leader how their sales team was doing and the leader said, "100% of our sales reps came to work today." I'd be furious! How can I assess effectiveness if all I have is an attendance list?

    Compliance leaders I chat with want to move to a data-driven approach but change management is hard, especially with clunky tech. Plus, it's tricky to know where to start – you often can't go from 0 to 60 in a quarter. In case this serves as inspiration, here are a few things Ethena customers are doing to make their compliance programs data-driven and learning-focused:

    1. Employee-driven learning: One customer is asking, at the beginning of their code of conduct training, "Which topic do you want to learn more about?" and then offering a list. Employees get different training based on their selection... and no, "No training pls!" is not an option. The compliance team gets to see what issues are top of mind and then they can focus on those topics throughout the year.
    2. Targeted training: Another customer is asking, "How confident are you raising bribery concerns in your team," and then analyzing the data based on department and country. They've identified the top 10 teams they are focusing their ABAC training and communications on, because prioritization is key.

    You don't need to move from the traditional, completion-focused model to a data-driven program all at once. But take incremental steps to layer on data that surfaces risks and lets you prioritize your efforts. And your vendor should be your thought partner, not the obstacle, in this journey! I've seen Ethena's team work magic in terms of navigating concerns like PII and LMS limitations – it can be done!

  • View profile for Rudy Malle, PCC

    Top 1% Clinical Research Career Coach | Helped 100+ Pros Land CRC/CRA Roles in ~10 Weeks (Even Without Experience) | 15+ yrs Pro | ClinOps Trainer for Sites • CROs • Biotech & Pharma Teams

    34,520 followers

    The monitor walked into our site and found 3 GCP violations in 10 minutes. My stomach dropped. Not because we were careless. But because we thought we were compliant.

    Here's what I learned that day: Good intentions aren't enough in clinical research. You need systems. After 10+ years in this industry, I've seen the same violations destroy careers and compromise trials. Let me break down the 7 most common GCP violations—and how to avoid them:

    1️⃣ Inadequate Informed Consent
    ↳ The risk: Invalid subject data & regulatory penalties
    ✅ The fix: Always use the latest IRB-approved form & document consent properly
    2️⃣ Protocol Deviations
    ↳ The risk: Compromised data integrity
    ✅ The fix: Train staff thoroughly & document all deviations immediately
    3️⃣ Incomplete Source Documentation
    ↳ The risk: Audit findings & data loss
    ✅ The fix: Record data in real-time & maintain source-to-CRF consistency
    4️⃣ Poor Investigational Product (IP) Accountability
    ↳ The risk: Patient safety issues & protocol noncompliance
    ✅ The fix: Log all IP receipts, dispensation, and returns accurately
    5️⃣ Failure to Report Adverse Events (AEs)
    ↳ The risk: Regulatory noncompliance & patient risk
    ✅ The fix: Train team on AE reporting timelines and definitions
    6️⃣ Inadequate Delegation of Duties
    ↳ The risk: Tasks performed by unqualified staff
    ✅ The fix: Maintain a current Delegation Log & verify credentials
    7️⃣ Missing or Expired Regulatory Documents
    ↳ The risk: Site noncompliance
    ✅ The fix: Set calendar reminders & use a document tracker

    The truth is: these violations aren't about being perfect. They're about being prepared. Every single one is preventable with the right systems and training. But here's what most sites miss:
    ➡️ Preventing GCP violations starts with training, checklists, and a compliance-first culture. Not fear. Not perfection. Just consistency.

    If you're running trials without these systems—you're not protecting patients. You're hoping nothing goes wrong. And hope isn't a compliance strategy.

    What's the most common GCP violation you've seen at sites? Drop it below. Let's learn from each other. Follow Rudy for more real-world clinical research insights. #clinicalresearch #GCP #compliance #clinicaltrials #patientSafety #regulatoryaffairs #CRA #CRC

  • View profile for Nathan Roman 📈

    I help life science leaders reduce risk and increase confidence through proven CQV, calibration & asset management strategies - turning compliance headaches into operational wins with Ellab’s end-to-end solutions.

    19,289 followers

    I see you juggling validation, monitoring, and calibration—trying to keep everything aligned, staying compliant, and making sure no detail is missed. It’s a lot. Here’s something that might help: The ISPE Baseline Guide Volume 5 is clear—these aren’t separate tasks. Particularly in the context of Commissioning and Qualification (C&Q). Integration is key. By weaving these activities into a single lifecycle strategy, you simplify workflows, reduce redundancies, and build a system that’s proactively compliant.

    💡 Here’s what you need to know:
    ✅ Validation → The guide emphasizes a science and risk-based approach to validation, ensuring that facilities, utilities, and equipment meet regulatory requirements and function as intended. It integrates qualification as a key component of validation, focusing on documented evidence that systems perform reliably.
    ✅ Monitoring → Continuous monitoring is highlighted as an essential part of maintaining compliance and product quality. The guide discusses strategies for periodic review and data-driven decision-making to ensure that systems remain in a validated state.
    ✅ Calibration → Proper calibration of instruments and equipment is necessary to maintain accuracy and reliability. The guide outlines best practices for calibration management, ensuring that critical parameters are consistently measured and controlled.

    When you integrate Commissioning & Qualification (C&Q) with Quality Risk Management (QRM) and Good Engineering Practices (GEP), you’re not just following a process—you’re building a system that works smarter, not harder. 🚀 This means:
    ✔️ Less firefighting, more confidence.
    ✔️ Smoother audits, fewer headaches.
    ✔️ A proactive approach to patient safety and product quality.

    You’ve got this. And if you ever need a hand, we're here to help. #Validation #Monitoring #Calibration #ISPE #Compliance #LifeSciences #Ellab

  • View profile for Darren Mott, FBI Special Agent (Ret.), "The CyBUr Guy"

    Co-founder/Director of Cyber Operations @ FiveEyesLtd | Cybersecurity Expert

    6,442 followers

    ❗ As many of you probably know, before I was an FBI Special Agent, I was a teacher. Because of this background, I am focused on blending the concepts of cybersecurity and education together to help businesses and individuals stay safe so they can reduce the chance of becoming a cyber victim. I think the current method most companies take in offering cyber training once or twice a year is ineffective.

    In today's evolving cyber landscape, small and medium-sized businesses (SMBs) face unprecedented challenges when it comes to cybersecurity. There is a fallacy out there that cybersecurity attacks mainly target large corporations, but the reality is far different. In fact, according to a recent report, nearly 43% of all cyber-attacks are aimed at SMBs, often because attackers expect less sophisticated defense mechanisms. Training and education is an area that is often also lacking in the SMB world.

    🔑 Why One-Time Training Isn't Enough
    Initial training sessions on cybersecurity might give your team a foundational understanding, but cybersecurity is not a one-and-done endeavor. The threat landscape is constantly evolving, and what was secure yesterday might not be secure today. Here's why continual training is crucial:
    1️⃣ New Threats Emerge Daily: Cybercriminals are innovating faster than ever. Your team needs to keep up.
    2️⃣ Technology Evolves: As your business adopts new technologies, new vulnerabilities may emerge that your team needs to be aware of.
    3️⃣ Human Error: The most common cause of breaches is still human error. Regular training helps keep best practices at the top of mind.

    🎯 Benefits of Continual Cybersecurity Education
    1️⃣ Proactive Defense: Ongoing training helps employees recognize threats before they become incidents.
    2️⃣ Compliance: Many industries require regular cybersecurity training for compliance purposes.
    3️⃣ Employee Confidence: A well-educated staff is more confident in their daily operations, reducing stress and increasing productivity.

    💡 Action Steps for SMBs
    1️⃣ Annual Assessments: Conduct cybersecurity risk assessments annually, if not bi-annually.
    2️⃣ Quarterly Training: Implement quarterly cybersecurity training and frequent drills.
    3️⃣ Stay Updated: Keep abreast of the latest in cybersecurity news and update your training materials accordingly.

    Remember, cybersecurity is a journey, not a destination. As a business owner or leader, you need to prioritize the safety of your businesses, employees, and customers by investing in ongoing cybersecurity education. Stay safe and secure! 🔒 #Cybersecurity #SMBs #DataProtection #ContinualTraining #DigitalSafety #BusinessSecurity #knowledgeisprotection (image source - cyberpilot dot com)

  • View profile for George Perezdiaz

    USAF-Vet | MSIT | Lead CCA | CISA | CRISC | CCSK - Helping organizations protect their brand, sensitive data, and high-value assets.

    3,128 followers

    DIB: Are we getting attached to the Class Deviation Memo?

    As we continue to engage with organizations trying to understand if they should implement NIST 800-171 Rev 3 or if they will be subject to CMMC Level 3 requirements, the need to harmonize cyber risk management with compliance management is more apparent than ever. And let’s be honest, that might just mean future-proofing your CUI program.

    The Class Deviation 2024-O0013 modifies DFARS 252.204-7012, pushing the Defense Supply Chain (DSC) to continue aligning with NIST 800-171 Rev 2, instead of Rev 3. But, this bad boy is temporary. It will be rescinded as 32 and 48 CFRs evolve. Class deviation memos aren’t exactly new. They’ve long been a handy tool for the federal government, used as temporary modifiers.

    Are you solving yesterday’s problems? Likely. While today’s compliance efforts are laser-focused on NIST 800-171 Rev 2, real security risks have pushed NIST to work as effectively as many of us have seen the federal government deliver a quality product, leading to the quick release of the NIST 800-171 Rev 3, which promises more dynamic security controls and recommendations. Investing to only meet Rev 2 might seem like a smart move today, but without a strategy to adapt to Rev 3, you will be playing catch-up, again. The key is to build a program that’s adaptable; one that can evolve as the regulatory landscape matures, and of course, to improve security by at least frustrating the adversaries, as Dr. Ross would say.

    Let’s Build Adaptable CUI Programs. Here are some key points to consider:
    1. Invest in Scalable Solutions: Design security controls that align with 171 Rev 3 or that, at the very least, can grow/adapt as new requirements emerge. Some cloud-based solutions, for example, offer the flexibility to adjust to new standards without requiring a complete overhaul. Often, this might just mean adding a new module or feature rather than implementing and learning an entirely new product.
    2. Develop a “Continuous” X Culture: This could be “monitoring,” “compliance,” or “improvement,” but whatever it is, make sure it’s continuous. Regularly assess and update your security controls in response to emerging business and operational risks as well as regulatory changes. This isn’t just about compliance; it’s about conducting business securely and making risk-informed decisions.
    3. Invest in Risk Management: Conduct meaningful and periodic risk assessments at the enterprise level, unit level, and system level. Task your GRC team to determine and anticipate the changes that Rev 3 and other updates will bring. Regular risk assessments can help you identify gaps or measure performance against regulatory and legal requirements.

    Keep a close eye on regulatory developments, attend relevant conferences, or follow a few good folks here on LinkedIn. Do you think we will see a class deviation memo for NIST 800-172? #ProtectCUI #ProtectHVA #cui #cmmc #c3pao #rpo

  • View profile for Ashley Pearce

    GRC, but explain it like I’m five | Builder of the GRC Playground - Hands-On Labs for Future GRC Engineers | cATO & RMF Wizard

    3,656 followers

    You know how it feels when you lock your doors at night, then go back three times just to double-check? That’s what traditional authorization can be like—except it’s worse because you only get to check once a year. 😅 Enter cATO, where security and compliance are happening all the time, so you can finally relax (sort of).

    So, how do you actually implement cATO? Here’s the play-by-play:
    1️⃣ Culture First: cATO is more than just shiny tools—it’s a whole vibe. Get everyone from execs to developers in sync, understanding that cybersecurity isn’t a one-and-done deal. It’s a day-in, day-out commitment.
    2️⃣ Automate Everything: You wouldn’t manually water your lawn, right? Use automated security tools for continuous monitoring, real-time alerts, and dashboards to make sure you’re catching issues before they break your system (or your spirit).
    3️⃣ DevSecOps for the Win: Security isn’t something you tack on at the end. With DevSecOps, you can build security into the process from the very start, like adding chocolate chips into cookie dough—baked in. 🍪 Oh, and use Infrastructure as Code (IaC) to manage secure setups in a repeatable way.
    4️⃣ Tailor Risk Management: Every organization is a little different (like snowflakes, but less poetic). Customize your control baselines and leverage ongoing risk assessments to keep your systems secure, not just once, but always.
    5️⃣ Risk-Based Authorization: Give your Authorizing Officials (AO) real-time dashboards so they can make decisions based on the current risk—not the risk from six months ago. Stay flexible and keep moving with the times (but not too fast, we’re still security professionals after all).
    6️⃣ Continuous Feedback Loops: Security issues? Handle them like you’d handle a fire drill—quick, decisive, and maybe with a little extra coffee. ☕ Automate your compliance reports and keep the feedback coming between teams.
    7️⃣ Update Your Policies: Your organization’s policies should be as fresh as your cATO implementation. Update them to reflect real-time monitoring, automation, and everything in between. And yes, your vendors need to get on board with this too. 👈 Being a GRC Policy Lead, this is a big one for me.

    🔄 Final Thought: Think of cATO as a security marathon, not a sprint. You’ve got to keep going, keep improving, and maybe throw in a few stretch breaks. Let’s keep our systems safe and compliant, 24/7! #cybersecurity #DevSecOps #cATO #automation #compliance #riskmanagement #infosec #innovation

  • View profile for Allison Giddens

    President, Operations (SMB Manufacturing) | Community Volunteer | Humorist

    5,732 followers

    Each Monday in July, I’m going to throw out an idea to small businesses in the #DIB who may feel like although CMMC is on the horizon, it’s still overwhelming. I hope these Mondays in July help to reframe things in manageable, realistic bites that are value-added to your cybersecurity and compliance efforts.

    🧠 Bite 3 of 4: Set Reminders Without Buying More Software
    Use what you’ve got! Get organized and set reminders for periodic CMMC tasks. You don’t need a fancy GRC tool to start building a security habit. Use your existing software to set recurring reminders for these essential CMMC-related tasks: Use Outlook, Google Calendar, Teams, or something like Unipoint/Quality Toolkit or software your shop uses to issue tickets and reminders for calibrations and maintenance. (If you have something you already use and like, feel free to share in the comments. GRC tools for the sake of GRC tools will be deleted.)

    Do you ever wake up in the middle of the night with things going through your head, and you need to write them down in order to get back to sleep? Consider this kind of like that. If you can get organized and automate certain tasks, you can focus on prioritizing what's next.

    🔁 Weekly / Biweekly
    · Review security logs and alerts
    · Run antivirus scans / verify endpoint protections are up-to-date
    · Confirm backups completed successfully and are restorable
    📅 Monthly
    · Conduct internal account reviews (disable stale accounts)
    · Validate software patching status across devices
    · Check if your asset inventory (hardware/software) needs updating
    🧾 Quarterly
    · Check/update data flow diagrams
    · Review incident response procedures with your team
    · Run a phishing test or basic cybersecurity awareness check
    · Assess vendor access or software/service compliance (FCI/CUI exposure)
    🧠 Annually
    · Review and update policies and procedures
    · Conduct a mock incident response tabletop exercise
    · Perform a risk assessment or gap analysis
    · Review training logs and retrain as needed
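The cadence checklist in the post above is easy to track without a GRC product once it is written down as data. The script below is an added example, not code from the post or from any tool it names: it models each recurring task with a cadence and a last-completed date, computes the next due date, and reports items as on track, due soon, or overdue, with never-completed tasks surfacing as overdue immediately. The cadence lengths (a month approximated as 30 days, a quarter as 91) and every task record and date are constructed assumptions.

```python
"""Recurring compliance-task tracker (added example, not from the post).

Models the weekly/monthly/quarterly/annual checklist as data and reports which
tasks are on track, due soon or overdue on a given date.  Cadence lengths and
all task records below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed cadence lengths in days; "monthly" is approximated as 30 days.
CADENCE_DAYS = {
    "weekly": 7,
    "biweekly": 14,
    "monthly": 30,
    "quarterly": 91,
    "annually": 365,
}


@dataclass(frozen=True)
class Task:
    name: str
    cadence: str                 # one of the CADENCE_DAYS keys
    last_done: Optional[date]    # None means the task has never been completed


@dataclass(frozen=True)
class Status:
    task: str
    state: str                   # "ok", "due_soon" or "overdue"
    next_due: Optional[date]     # None when the task has never been done
    days_overdue: int


def assess(task: Task, today: date, warn_days: int = 3) -> Status:
    """Classify one task relative to `today`.

    A task that has never been completed is reported as overdue immediately,
    so a brand-new checklist surfaces every unstarted item on day one.
    """
    if task.cadence not in CADENCE_DAYS:
        raise ValueError(f"unknown cadence {task.cadence!r} for {task.name!r}")
    if task.last_done is None:
        return Status(task.name, "overdue", None, 0)
    next_due = task.last_done + timedelta(days=CADENCE_DAYS[task.cadence])
    if today > next_due:
        return Status(task.name, "overdue", next_due, (today - next_due).days)
    if (next_due - today).days <= warn_days:
        return Status(task.name, "due_soon", next_due, 0)
    return Status(task.name, "ok", next_due, 0)


def report(tasks: list[Task], today: date, warn_days: int = 3) -> list[Status]:
    """Assess every task and sort: overdue first (longest overdue at the top),
    then due-soon, then on-track items; ties broken by task name."""
    rank = {"overdue": 0, "due_soon": 1, "ok": 2}
    statuses = [assess(t, today, warn_days) for t in tasks]
    return sorted(statuses, key=lambda s: (rank[s.state], -s.days_overdue, s.task))


# Constructed sample checklist drawn from the post's cadence list; dates are made up.
SAMPLE_TASKS = [
    Task("Review security logs and alerts", "weekly", date(2025, 7, 16)),
    Task("Confirm backups completed and are restorable", "weekly", date(2025, 7, 10)),
    Task("Conduct internal account reviews (disable stale accounts)", "monthly", date(2025, 7, 1)),
    Task("Validate software patching status across devices", "monthly", None),
    Task("Run a phishing test or awareness check", "quarterly", date(2025, 5, 1)),
    Task("Perform a risk assessment or gap analysis", "annually", date(2024, 7, 1)),
]
REFERENCE_DATE = date(2025, 7, 21)   # constructed "today" for the sample run


def main() -> None:
    """Print the sorted status table for the constructed checklist."""
    for s in report(SAMPLE_TASKS, REFERENCE_DATE):
        due = s.next_due.isoformat() if s.next_due else "never done"
        extra = f" ({s.days_overdue} days overdue)" if s.days_overdue else ""
        print(f"{s.state:<9} {due:<11} {s.task}{extra}")


if __name__ == "__main__":
    main()
```

Running it with the constructed data lists the annual risk assessment first (20 days overdue), then the backup check (4 days), then the never-run patch validation, followed by the log review that falls due within the 3-day warning window; the two on-track items come last. Replacing `SAMPLE_TASKS` with a real checklist and `REFERENCE_DATE` with `date.today()` turns the script into a Monday-morning report that can be pasted into whatever ticketing or calendar tool the shop already uses.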

  • View profile for Whitney B.

    Medical Practice & Compliance Expert | Revenue Cycle Guru | Champion of Efficient Medical Billing

    1,945 followers

    Since becoming certified as a compliance officer, it has me thinking what things I would do to impact organizational change and promote compliance. Here are the first things I would do:
    1. Start with a risk assessment – get to know what the organization’s risks are. Identify vulnerable areas: billing, coding, HIPAA, employee training, security/privacy, Medicare/Medicaid rules, etc.
    2. Develop a Compliance Framework – based on the risk assessment, I would begin building a plan using the OIG Compliance Program Guidance. The outline would contain the core elements: policies and procedures, training and education, auditing and monitoring, reporting and disciplinary actions.
    3. Leadership Buy-In – presentation of findings and proposals to leadership, emphasizing the importance of compliance and the ramifications for noncompliance and reputational risk.
    4. Create/Update Policies and Procedures – begin drafting and revising compliance-related policies, code of conduct, billing practices, reporting mechanisms, etc.
    5. Establish Training and Education – compliance awareness starts with proper training!
