Regulatory Compliance Can Make Your Work Easier and Happier, Thanks to NAPE
The case for Compliance Autonomy
Watts S. Humphrey, the father of quality in software and CMMI, said two decades ago: “Every business is a software business.” The same is true of the various departments within a company. There's a reason we're very unlikely to send a handwritten note by post any more: technology has improved our lives, made us more efficient and given us access to more information than we could process in a lifetime. This applies to our work regardless of whether we're a Software Architect or starting out as an Internal Auditor.
Working in a regulated company often presents challenges when it comes to interacting with complex policies. These policies are typically codified in documents that are difficult to change without a long series of meetings and high-level stakeholders. They're often complex and challenging to understand in a single reading. While these policies provide essential guidelines, their execution by humans can become costly and time-consuming, particularly when procedures need to be repeated frequently. Computers excel at repeating themselves, whereas it's natural for human performance to fluctuate when procedures are infrequently performed or overly repetitive. For each of these actions (learning, assurance, and execution), the company incurs labor costs instead of leveraging the lower cost of automation. While many risks are being mitigated with fewer resources and the company is maintaining regulatory compliance, it's equally important to consider that previously unmitigated risks and unexplored uncertainties are more likely to be mitigated.
Automation is the best possible outcome
Despite the anticipated challenges of updating policies, our company wrote these policies, procedures and assurances, and that means we, as employees, can change them when we find the collective willpower. When we align this collective willpower around automation, we set ourselves up to repeat these processes on demand, even continuously, with low or zero marginal cost. We need to embrace this challenging yet rewarding process of implementing change to give our company strong market advantages. You can learn more about how to effect these changes in Kalvex's Founder's presentation at DevOps Enterprise 2023. The advantages to be found are numerous and highly significant:
- Faster time to market. As people in the technology departments have more evidence of compliance collected automatically, the requirement for them to be in audit meetings and to spend time answering questions for audit preparations shrinks. The evidence collection goes from days or weeks to minutes. This gives them more time to work on what they were hired for: making the product that helps your company win in the market, and increasing the pace of development.
- Happier employees who are less burdened by their regulatory requirements. Richard Branson once said "Clients do not come first. Employees come first. If you take care of your employees, they will take care of the clients." Audits can be very stressful moments for employees, particularly if they're not feeling confident beforehand or the auditor starts highlighting serious findings during the audit meeting. Automating the audit process with tooling like NAPE will allow for fewer findings over multiple audits, because the evidence will be more structured and the execution has been performed identically before. When tools like NAPE show that all risks have been mitigated, employees can confidently attend audit meetings and go home happy.
- A more robust policy development approach. When audit findings occur, it's common to update the process being audited to prevent similar failures. Often, this is due to gaps in the policy or assurance, and by addressing these gaps, we reduce risk. However, continually adding complexity can make procedures harder to follow. Complicated processes often introduce more steps, exceptions, and requirements that are harder to consistently manage or execute, which can lead to errors, inefficiencies, and increased difficulty in maintaining compliance. When procedures become overly complicated, the chances of human error rise, and the ability to consistently ensure quality or follow all details decreases. This complication can unintentionally introduce new vulnerabilities or gaps in governance. Automation ensures these details are handled precisely, simplifying the execution of policies. When we implement automation to handle policy execution, we ensure that all details are consistently accounted for, making processes more robust and repeatable.
Introducing NAPE: A Strong Solution to Compliance Automation
NAPE is a tool developed by Bill Bensing, a well-known figure in DevOps and Compliance Automation. NAPE addresses a critical pain point: the challenge of providing timely and accurate evidence for risk-based compliance activities. NAPE seeks to tighten the intervals for gathering assurances so that it becomes a part of daily business operations, as opposed to simply part of the fieldwork of infrequent audits.
NAPE is designed to show the clear mapping of how business activities are proven to be performed according to the risk control objectives, as long as the risk control and NAPE's definitions are maintained. Risks are mitigated by validating the requirements. The specifications of the requirements are assured via NAPE's assurance actions to ensure that each requirement is correctly implemented. It seeks to go beyond simple one-time automation to become an autonomous process, where business events can trigger updates to the compliance appraisal. Removing the human input that triggers the start of the evaluation removes subjectivity from the process on each execution, though biases introduced during development of the autonomy may still influence the outcomes.
NAPE’s goal is to serve both the development teams embedded in a company’s compliance processes and the broader compliance apparatus, including internal auditors and risk management teams. By automating assurance tasks, NAPE allows you to define risk controls and assurance activities, and to execute those assurance activities in a way that is not only repeatable but proactive.
NAPE exists to solve a common problem: the inefficiencies in how different teams (development, IT operations, compliance, and audit) coordinate assurance activities. Each team may be aligned on the end goal, but they often find themselves mired in redundant communication, manual processes, and endless back-and-forths, which drain resources and slow progress.
NAPE automates the assurance process by continuously collecting, evaluating, and validating compliance evidence. This reduces the need for manual intervention and removes subjectivity in triggering evaluations, though biases from development may still influence outcomes. It enables compliance processes to operate proactively and autonomously, ensuring that organizations maintain audit readiness with minimal effort.
NAPE’s Key Features and Benefits
By adopting NAPE, you’re moving from reactive, manual assurance to an automated, proactive approach. This reduces the friction between teams, increases operational capacity, and empowers everyone to focus on high-value work. It’s not just about automating tasks—it’s about making compliance efficient, seamless, and truly integrated into the fabric of your organization’s processes.
As a tool, NAPE seeks to empower those who straddle technology and compliance departments by encouraging them to adopt technology practices, such as basic programming skills. By giving these individuals those skills, we allow them to apply their expertise to ensuring that the risk controls and assurances are implemented as well as possible. This also allows them to better explain what NAPE is doing for their organization.
As previously mentioned, NAPE comes from the brilliant mind of Bill Bensing, who frequently networks with audit and compliance professionals. He understands how they want to change their careers to be more proactive and ancillary instead of being seen as enforcers and roadblocks. We can expect that their needs will be addressed, and we can be sure that this tool will be supported for a long time to come.
NAPE is the first tool of its kind that focusses on being open source from the start. This both allows the internals of the tool to be audited for full transparency and will foster the creation of a community around compliance. It will also mean that we can leverage the contributions of other compliance automation professionals to, for example, implement our own ISO 9001 Quality Management system by simply adapting their work to our organization.
Conversely, if you're looking for deep integrations with popular technology toolchains, like Sonar for code quality analyses or other popular developer tooling, then you may want to consider other offerings. Similarly, as NAPE is still quite early in its journey, its capabilities may not be as mature as those of other offerings.
Contact Kalvex to see what's possible with Compliance Autonomy.
Coming soon, I hope to share with you how to create your first assurance actions with NAPE, how to integrate it with an HR system to demonstrate some aspects of IST85 (Icelandic equal pay certification), how to handle reporting, and hopefully even whether we can have the results audited.
About the Author
Jaimie Fryer
Expert in compliance automation and DevOps practices.