
Managing Compliance Demands: When to Pull, When to Push


The Dual Nature of Compliance


Over the years working with companies in highly-regulated industries, I've observed that organizations often struggle with compliance because they fail to distinguish between two fundamentally different types of work. They treat everything as equally urgent, pushing all work through the system regardless of actual need. This creates inefficiency and waste while failing to prevent the risks that matter most.


The solution lies in recognizing that compliance involves two distinct flows requiring opposite strategies—pull for promises, push for risk.


The Push of Obligations


Let's start with what we cannot control. Obligations are pushed onto organizations from the outside world. Regulators don't wait for organizational readiness before issuing new requirements. Legislators pass laws on political timelines. Industry standards evolve. Customers demand certifications according to their procurement schedules. This external push is inevitable—organizations are demand-receivers in the compliance landscape.


However, not all obligations come from outside. Organizations regularly push obligations onto themselves through voluntary commitments—sustainability pledges, ethical sourcing standards, diversity targets, voluntary certifications. While theoretically discretionary, competitive pressure and stakeholder expectations often make them feel just as mandatory as regulatory requirements.


The critical difference: pull systems can reveal when voluntary obligations create unsustainable bottlenecks, providing data-driven insight to modify or discontinue them—a strategic flexibility that doesn't exist with mandated requirements.


Pull for Promises: Making Bottlenecks Visible


Obligations and Promises

Once obligations exist—whether mandated or voluntary—organizations can use pull principles to fulfill them efficiently. Instead of immediately mobilizing resources when a new requirement appears, compliance work is pulled through the system based on level of commitment and applicability to the organization.


A regulatory change announced with a two-year implementation window doesn't need immediate action—it needs a clearly defined trigger point that pulls appropriate resources when action becomes necessary.


Pull systems excel at revealing where promise-keeping breaks down. When documentation requests accumulate before audits, when certifications expire before renewals complete, when regulatory deadlines are consistently missed—these visible accumulations pinpoint where capacity is insufficient.


Pull systems reveal more than just delays. They also expose excess work from over-commitment, such as redundant reporting requirements that consume resources without adding value. They reveal duplicate delivery on promises due to lack of coordination—different departments doing similar work, preparing parallel compliance reports, or responding independently to the same stakeholder requirement.


A compliance kanban board that shows work backing up, the visual management system that highlights both delays and redundancies—these are diagnostic tools that make constraints and waste obvious and actionable.


This visibility enables continuous improvement. You're not guessing where to add resources or improve processes; the pull system shows you precisely where promises are falling behind on the path from obligation to fulfillment.


Push for Risk: Prevention Requires Forecasting


Risk management operates on entirely different logic. You cannot wait for a data breach to occur before implementing security controls. You cannot pull a response to a compliance violation after it has created regulatory liability. Prevention requires pushing controls, safeguards, and capabilities into place before they're needed—often for events that may never occur.


This is fundamentally forecasting-based work. What regulatory changes are on the horizon? What emerging technologies might create new compliance challenges? What systemic vulnerabilities could cascade into organizational crises? Risk management demands horizon scanning, scenario modelling, and proactive deployment of countermeasures.


The push approach accepts what appears to be inefficiency or waste as the necessary price of resilience. You build redundant capacity, invest in monitoring systems that may never detect an incident, and create response capabilities that might go unused.


These are insurance premiums paid in organizational resources rather than money.

Integrative Systems: Using Each Approach for What It Does Best


The sophistication lies in connecting these two approaches. Pull-based promise-keeping generates valuable data about where compliance obligations concentrate and where failures occur most frequently. This historical pattern data should inform push-based risk investments.


If pull systems consistently reveal bottlenecks in privacy compliance, that's a signal to push additional preventive controls into data governance. If promise-keeping regularly fails during regulatory transitions, that indicates a need to push more change management capability into the organization.


The pull system provides the diagnosis; the push system delivers the prevention.

From Reactive Chaos to Proactive Capability


Organizations that lack this distinction scramble reactively when obligations arrive, pushing emergency work through systems where every new requirement feels like a crisis. There's no differentiation between what needs immediate execution and what requires long-term preparation.


Organizations that understand this dual nature use push to build capability ahead of demand, then use pull to execute efficiently when obligations require action. The balance isn't about choosing between push and pull—it's about using each approach for what it does best.


Pull for the promises you must keep today. Push for the risks you must prevent tomorrow.

When external obligations are pushed at you—and they will be—you'll have pushed sufficient capability into place that you can pull work through efficiently. That's not just effective compliance.


It's organizational resilience built on systems thinking.


Raimund Laqua is founder and Chief Compliance Engineer at Lean Compliance Consulting, Inc. His focus is helping ethical, ambitious companies in highly-regulated, high-risk industries improve the effectiveness of their compliance programs.

 
 