Creating a regulatroy-ready mindset by David Staley

 

I  dread questions beginning with, “Did you remember . . .?” Because chances are I didn’t! 

My youngest daughter has rowed competitively since she was a freshman in high school. Before she could drive herself, I was the designated chauffeur to and from rowing practice. One morning, while juggling work commitments and prioritizing the day’s list of logistics, she asked if I’d put her rowing bag in the car before she left for school. She couldn’t carry it along with everything else she had to carry. “Of course,” I said confidently — assuring her I’d take care of the task, meaning it fully, and believing I’d follow through. 

Hours later, as the sun began to set behind Lake Sammamish, we pulled up to the boathouse. My daughter turned to me and asked the question I hadn’t been anticipating: “Did you remember to grab my rowing bag?” I glanced in the rearview mirror — the back seat was empty. In disbelief, I turned around to look again: no rowing bag, no water bottle, nothing. 

Instantly, my daughter’s face went from eagerness to pale, and my heart sank. That moment of unpreparedness triggered instant panic in my daughter; I could almost hear her pulse quicken as my own thoughts scrambled. So, I did what any reasonable, rational parent would do; I completely freaked out! My freakout lasted all of thirty seconds before I barked at myself, “Get it together, David!” 

Then came action. I drove like a Formula 1 driver to the nearest Target, devising a plan along the way: first, navigate the aisles with precision; second, find anything that even remotely resembles rowing gear (I’d dash for socks — she’d handle the rest); and third, get my daughter back to rowing practice before the crew launched onto the water. 

While she changed in the car, I broke nearly every traffic law driving on the way back to practice. Somehow, we made it to the boathouse just in time, both of us laughing as she ran out of the car wearing the army-green sandals she insisted were essential. I grinned, thinking that although it wasn’t the typical rowing drop-off, we managed to avoid a total catastrophe. 

Later that evening, as calm replaced the adrenaline, I reflected on what had actually happened. I hadn’t simply forgotten a rowing bag; I’d failed to anticipate the possibility of forgetting and didn’t plan accordingly. Sure, we had a process that worked well — until it didn’t. And when it didn’t, our only option was to scramble. That’s when the real lesson from that frantic afternoon struck me: scrambling to solve a problem isn’t a strategy. From that day forward, we made one simple, lasting change: we packed an extra set of rowing gear and kept it in the trunk. It wasn’t so much about having backup gear in the car; it was more about being prepared for the unexpected. The insight was deceptively simple but enduring: scrambling might save the day once, but preparedness saves it every time. 

It occurred to me that the same lesson applies to the research world. We build systems that perform beautifully under routine conditions but often forget to anticipate disruptions — for misplaced documentation, missing signatures, incomplete data, unanticipated audits, inspections, or safety events. And when the unforeseen happens, we scramble. But scrambling isn’t a strategy. 

Since that afternoon, I’ve come to see preparedness not as an act of remembering, but as a way of thinking and behaving; a mindset of anticipating, designing, and reinforcing reliability before systems are tested. In both parenting and compliance, the goal remains the same: to be so ready that when the unexpected happens, we don’t panic; we adapt, because we’re prepared. 

The preparedness proposition 

Much of our research worlds can sometimes look and feel precarious — especially when we’re operating in unstable, unpredictable, and worrisome circumstances that push our programs, processes, and systems to their limits. Imagine a city built in haste: foundations poured too quickly, walls leaning, bridges half-constructed. From afar, the skyline may look impressive, but draw nearer and the scaffolding gives an entirely different impression — one of imbalance and strain. 

Yet, we shouldn’t view that imbalance as failure; it’s a sign of people behind the system, working tirelessly to keep it standing. As compliance professionals, many of us are building as we go, doing our best to reinforce the structure amid shifting expectations, scarce resources, and constant scrutiny. It isn’t surprising that when the pace of risk in compliance outstrips the strength of our structures, even the most well-intentioned systems begin to falter. The familiar sense of control gives way to uncertainty; confidence gives way to reaction. Even relentless dedication has limits. When determination substitutes for design, fatigue replaces foresight, and even the most devoted teams begin to feel the strain. It’s haunting: a fragile, vulnerable research infrastructure on the verge of collapse. No clear systems. No reliable structures. No focus. No sight of potential futures because of present realities, just scrambling for survival. 

And isn’t that exactly what happens when research operates reactively? When complexity overwhelms us, when processes break down, when oversight becomes inconsistent? In those moments, our focus narrows to survival rather than strategy, and the capacity for opportunity gives way to the urgency of correction. But as Donella Meadows observed, “We can’t control systems or figure them out. But we can dance with them.”1 Readiness, then, becomes less about command and more about composition — something closer to jazz: structured yet improvisational, grounded in rhythm but alive to variation. It’s about anticipating change and adapting with intention when the rhythm shifts. When we stop listening for those shifts — when our systems lose adaptability and foresight — the rhythm of readiness falters. The ensemble drifts out of sync; what once sounded beautifully orchestrated turns discordant, and what once carried energy and momentum begins to unravel. And when the music stops altogether, we’re left reacting instead of creating. 

When the last note fades, what remains is uncertainty. And here’s what’s at stake: an environment without readiness. It isn’t just inefficient; it’s unsustainable. It’s dangerous. W. Edwards Deming cautioned, “A bad system will beat a good person every time.”2 In compliance, that truth resonates deeply: even the most principled professionals cannot overcome the weight of a system unprepared for variation and complexity. Without readiness, good intent alone cannot stand against structural fragility. That’s why regulatory readiness must evolve from a compliance goal into an organizational mindset. It requires us to move beyond defense and toward design, beyond reaction and toward preparedness. 

Preparedness by design 

But mindsets don’t transform by accident; they’re forged through intention and experience. Readiness can’t grow from individual effort or goodwill alone; it requires a regulatory framework robust enough to sustain both. The regulatory framework provides a deliberate structure to recognize complexity, organize for clarity, and prioritize the acts of preparedness that anchor compliance work. Together, they reinforce the path forward toward lasting readiness. 

Recognize 

Preparedness begins with recognition, with the discipline to see complexity rather than oversimplify or distort it. In research compliance, recognition means identifying the areas of strain: the volume of studies, the variability of oversight, and the human and procedural gaps that threaten reliability. When we recognize these pressure points, we move from assumption to visibility, mapping both the regulations that ground our work and the vulnerabilities that expose it. Recognition is the first act of readiness; it transforms uncertainty into insight. 

Organize 

Once complexity is recognized, preparedness depends on coherence — and coherence begins with organization. To organize is about scoring readiness, tracking patterns, and establishing indicators that reveal how programs, processes, and systems truly perform under pressure. 

When I was in high school, I played basketball and was determined to master free throws. My plan was simple: shoot a hundred free throws a day. My dad — who had a key to a local gym — listened patiently as I explained my plan, and then he asked two questions that stopped me in my tracks: “How will you measure your progress?” and “How will you simulate game-like conditions?” I didn’t have any answers. He smiled and quoted Vince Lombardi: “If you’re not keeping score, you’re just practicing.”3 

That advice became my lifelong approach to quality and compliance. In compliance work, activity without measurement is motion without progress. We can’t know how prepared we are unless we measure it. Readiness scoring elevates compliance from static reporting to active diagnosis, turning oversight into design. When teams see their readiness quantified, they can align their cadence, strengthen weak points, and adjust before pressure mounts. In this way, the organization transforms compliance from a reactive exercise into a proactive mindset: regulatory-ready by design. 

Keeping score: Turning indicators into a scoreboard 

Every aspect of research — eligibility verification, informed consent documentation, reportable event management, and data integrity — can be measured and evaluated on a preparedness spectrum. Measuring readiness isn’t about shaming; it’s about making progress visible. The question is simple: Where are we today, and what would preparedness look like if every team operated with a regulatory-ready mindset? 

Using a Preparedness Scoring Rubric (see Figure 1 on page 35) structures a way to answer that question. It’s a five-point framework for evaluating regulatory preparedness in clinical research settings, ranging from 
low preparedness to notable preparedness. At the lowest levels, organizations demonstrate frequent compliance failures, weak investigator oversight, and systemic breakdowns that compromise participant safety and study integrity — conditions that demand intensive preparedness action. Midrange scores reflect partial progress: systems exist but are inconsistently applied, signaling a need for refinement and targeted improvements. At the highest levels, organizations consistently demonstrate oversight, maintain strong operations, and embed compliance practices so thoroughly that regulatory readiness becomes second nature. The rubric not only highlights areas of risk but also offers a clear roadmap for developing sustainable excellence in quality and compliance. 
When research organizations score preparedness, they replace assumptions with evidence. The rubric doesn’t judge people; it fine-tunes systems. Over time, the results tell a story of progress, moving from reaction to design, from compliance as punishment to compliance as insight and direction. When preparedness is measurable, readiness becomes achievable. But keeping score only advances the work so far. Readiness requires deciding where to focus our actions; that’s where prioritization comes into play. 

 

Preparedness Scoring Rubic

 
Prioritize 

Even with recognition and organization, preparedness falters without focus. To prioritize means deciding what matters most based on preparedness measurements. Every research enterprise faces finite time, attention, and resources, and not every area carries equal weight or risk — especially when variation or pressure hits. Prioritization ensures that the essentials — participant safety, data reliability, and ethical oversight — remain nonnegotiable. It channels commitment toward actions that uphold integrity with efficiency. When teams have clear insight into what matters, they act with clarity and purpose rather than urgency without direction. In this way, prioritizing turns compliance from a checklist into a compass, guiding decisions, aligning actions, and sustaining readiness under pressure. 

From errors to insights: What, so what, now what 

Even the most sophisticated systems experience disruption. Mistakes happen, timelines slip, and oversight occasionally dwindles. Yet in a regulatory-ready culture, these disruptions don’t represent failure; they’re signals: messages from processes and systems that reveal where they’re strained, misaligned, or — worse — unprepared. Readiness isn’t about perfection; it’s about perception — seeing deviation as data and learning to interpret what the system is trying to tell us. 
When something goes wrong in our processes or systems, we first, instinctively, stop at fixing the what — the mishap, the error, the broken step. But preparedness pushes us beyond the what: so what — why does it matter? And finally, now what: what will we change next? This structured approach, known as the What, So What, Now What framework, was developed by John Driscoll and builds on the reflective model first proposed by Terry Borton in 1970.4 The framework offers a practical path from reaction to reflection to redesign (see Figure 2 on page 36). 

What, so what, now what framework

Used consistently, this approach transforms compliance corrections into learning rather than blaming. Teams stop asking, “Who caused the problem?” and start asking, “What does this teach us about our system?” It’s how reflection becomes the quiet driver of preparedness. In other words, when teams pause to learn, they intentionally discover ways to prevent the same patterns from repeating. Transparency replaces tension; curiosity replaces fear. Every after-action review, every debrief, every lesson logged becomes a rehearsal for future resilience. 

Applying the framework — A readiness case study: Informed consent 

Few research processes test readiness more visibly than informed consent. It sits at the intersection of ethics, stewardship, and participant trust — and its breakdowns often reveal where processes and systems themselves are unprepared. When we apply the recognize–organize–prioritize framework, the informed consent process serves as both a diagnostic lens and a measure of regulatory preparedness. 

The process begins with recognizing variability. Across research teams, informed consent procedures often differ in tracking versions, obtaining and documenting consent, or assessing understanding of the research study. The key, then, is pinpointing the inconsistency causing unpreparedness — whether in process design, documentation systems, or role clarity. 

Once variability is recognized, the next step is to measure it. Using the preparedness scoring rubric, the organization scores its consent process across the five readiness levels — from low inconsistently managed, frequent missing pages, unclear delegation) to notable preparedness (e.g., reliable workflows, version control verified, systematic quality checks embedded). These scores become preparedness indicators: the consent process’s scoreboard. They reveal whether the process and system perform reliably under audit or inspection pressure or still depend on manual oversight. 

The results prioritize focus. A some preparedness score, for example, might reveal that teams use proper consent forms but that consenting responsibilities aren’t consistently performed within the appropriate scope of practice or expertise. Prioritization turns that insight into targeted action: updating policies/standard operating procedures, redesigning consenting workflows based on roles and responsibilities, clarifying delegation of authority, integrating eConsent platforms with role-specific permissions, or implementing risk-based quality management activities. By focusing effort where it matters most, the team strengthens its readiness long before a regulatory inspection ever occurs. 

The regulatory why 

When a deviation or finding surfaces — a missing signature, an outdated consent version, a lapse in proper documentation — the goal isn’t simply to fix the problem; it’s to understand why it matters. This is what I call finding the regulatory why: the purpose behind the process and the principle behind the rule. 
The What, So What, Now What framework still guides the inquiry, but through a lens of meaning rather than mere mechanics: 

  • What happened? A participant consented using the wrong version of the informed consent document.
  • So what? The version-control system failed to flag the change. 
  • Now what? Update the procedural prompts, revise workflows to lock previous versions, and add an automated alert for newly approved consent documents. 


But then comes the deeper question: the regulatory why: Why does this matter to participant protection, data integrity, or institutional trust? That question transforms correction into understanding. It shifts compliance from a checklist response to a deliberate act of stewardship. 

Each discovery, each deviation, becomes an opportunity to reconnect process with purpose — proof that regulatory readiness is sustained not just by systems that work, but by people who understand why they work and the regulations that sustain them. 

Conclusion: Readiness as mindset, method, and measure 

Readiness isn’t a single act of compliance; it’s a way of thinking, a way of building, and a way of measuring what matters. A regulatory-ready mindset begins with how we see complexity: not as chaos to control, but as systems and processes to understand. It matures through a reliable method, the deliberate design of structures that anticipate variation and strengthen alignment. And it sustains itself through measurement, the discipline of keeping score so we can see our progress, confront our shortcomings, and learn from our signals. 

The real work of regulatory readiness happens long before an audit or inspection ever occurs. It happens in conversations where teams ask the right questions, in daily practices and processes that turn lessons into learning, and in leadership moments when someone chooses action over reaction. Each act of preparation — choosing to build and prepare systems instead of scrambling to salvage them — moves an organization closer to a regulatory-ready mindset. 

A regulatory-ready organization doesn’t fear oversight; it welcomes it. Its strength lies not in perfection, but in preparedness, knowing that when disruption comes, the systems will hold steady, the people will adapt, and the work will persist. 

In the end, regulatory readiness is less about enduring audits and more about earning trust; trust in the systems that support the work, in the roles and responsibilities that define it, and in the people who fulfill them. When readiness becomes a mindset, compliance becomes second nature — because preparedness is woven into every role, every process, and every system. 
 

Takeaways 

  • Readiness begins with recognition. Seeing complexity clearly — before it becomes crisis — turns compliance from reactive scrambling into proactive design.
  • Organization builds coherence. Scoring readiness through structured rubrics reveals how systems truly perform under pressure and where they must improve. 
  • Prioritization focuses direction. Focusing effort where it matters most safeguards participant safety, data reliability, and ethical trust long before audits begin. 
  • Finding the regulatory why sustains learning and adaptability. Asking why something matters transforms correction into comprehension and compliance into stewardship. 
  • Readiness is a mindset made visible. When teams practice reflection, measure progress, and act with foresight, compliance ceases to be a series of events; it becomes a way of acting. 

 

 

 

View all articles   Read the next article

 

Earn CEUs for this article. Log in with your username and password to take the quiz.
Copyright © 2025 Health Care Compliance Association (HCCA). All rights reserved. All information provided through this site, including without limitation all information such as the "look and feel" of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms of Use and Privacy Statement.