Frequently Asked Questions
What is the difference between a program audit and a program evaluation?
A program audit reviews documents (e.g. policies, processes, and procedures) to identify gaps against applicable regulations and standards. This helps identify procedural deficiencies in work as imagined or work as prescribed. Audits are best suited to prescriptive obligations, where compliance is determined by the existence of documentation and records.
A program evaluation assesses system capabilities against the performance targets set to achieve goals and objectives. This helps identify deficiencies in conformance, performance, and effectiveness. Evaluations are best suited to systems designed to meet performance- and outcome-based obligations, where compliance is measured by progress toward targeted goals such as zero incidents, zero fatalities, zero violations, etc.
Lean Compliance does not perform audits, as we believe that advisory and audit functions should be at arm's length. However, we do conduct program evaluations to help companies improve and advance compliance outcomes.
How do you define compliance?
We use the ISO 19600 Compliance Management System definition which defines compliance as the outcome of meeting obligations.
How do you define risk?
We use the ISO 31000 Risk Management definition, which defines risk as the "effect of uncertainty on objectives." However, "objective" can be replaced with anything that you care about or are trying to achieve.
Risk never stands alone. Risk is always connected to two things: what we want to achieve or protect, and uncertainty.
What is an obligation?
Obligations are defined in ISO 19600 as either mandatory requirements or voluntary commitments. These can be categorized further by the nature of the obligation: conformance obligation, performance obligation, achievement obligation, or outcome obligation.
Obligations are promises made to stakeholders that companies intend to keep.
Lean Compliance focuses on obligations specific to meeting quality, safety, environmental, and regulatory objectives.
What is the difference between a compliance program and a compliance system?
Programs and systems have different purposes.
A system maintains state. Systems use feedback processes to regulate outputs and maintain the set points established by a governing program. Systems focus on performance.
A program changes the state of a system. Programs act as a feed-forward process to establish new set points (goals) which a system needs to achieve and then maintain. Programs focus on effectiveness.
Which performance indicators should I use?
Performance indicators are:
• Factors that influence/determine performance.
• Leading when they predict level of performance.
• Lagging when they report level of performance.
• Derived from the systems model used to create performance.
When it comes to compliance performance indicators, they are often connected to the effectiveness of risk controls. Failure of risk controls is a significant contributor to a lack of compliance.
How do you define proactivity?
Proactivity is a process that can be applied to any set of actions through anticipating, planning, and striving to have an impact.
How do you address resistance to being more proactive with respect to compliance risk?
One of the reasons for not being proactive is that many organizations believe that with greater visibility comes greater culpability.
Not knowing is seen as an adequate defense against undesirable behaviours and outcomes. Plausible deniability is treated as the "best practice" for compliance.
However, organizations are culpable for the lack of effective governance and for not having adequate assurance measures. Ignorance of the law or of one's obligations will not protect an organization. Ignorance is no defense against culpability, and closing your eyes will not help.
Improving the visibility of one's obligations and risks allows you to face the future with your eyes open, so you can improve the probability of achieving the outcomes you want and avoiding the ones you don't.
How do you leverage an internal audit function to drive organizational change in the new risk management landscape?
It is common to hear of audit functions wanting to extend their roles by adding risk management, as well as advisory functions with respect to how to improve. This practice is evidence of a company's overall lack of ownership and accountability for obligations.
The audit function should be looking at what has happened and is part of a reactive process to correct abnormal behaviors and outputs.
However, the risk management function anticipates what might happen and is part of a proactive process to address the effects of uncertainty.
Therefore, audit and risk are fundamentally on different sides of the temporal line and of management accountability.
In practice, the audit and advisory functions should be at arm's length for either to be effective.
The audit function should not have ownership for ensuring that obligations are met. Management should own their obligations and actively manage the risks associated with them.
What would be the one area of an organization to start the focus on transitioning from reactive to proactive compliance?
Short answer: the area where the obligations are most at risk.
Longer answer: organizational designs based on "Taylorism" structure themselves around the specialization of work. Each level of work will have a different time horizon. The first level of work is concerned with the here and now; what will I do today, this hour, this moment. The next layer of work focuses on what needs to be done this week and so on up the organization.
The level of reactivity will be the highest at the bottom of the organization and should become more proactive as you move up the organization.
What we have observed is that the transition between reactive and proactive occurs most at the director level of the organization (those who direct managers). They are concerned about effectiveness more than efficiency. They have a time horizon (1-3 years) that requires them to set goals, identify strategies, and anticipate and contend with risk, which are all proactive activities.
However, in many organizations directors do not function as directors and instead manage managers rather than direct them. So I would begin with the directors of quality, safety, environmental, and regulatory programs. If they are not proactive, the company can never be.
Lean Compliance has a program to help directors become more proactive with their compliance.
How do you define a hazard?
A hazard from a safety perspective is a potential source of harm or adverse health effect on a person or persons. However, in general terms, a hazard is a source of uncertainty (possibilities) that creates the opportunity for risk.
A hazard is only a hazard when it is connected with an objective or outcome. For example, if we have a goal to walk from the parking lot to the office building and there is a hole in the path along the way, then this hole is a hazard: a potential source of harm which in turn affects our ability to reach the goal of getting to the office.
The effects of uncertainty are also uncertain and include cuts and bruises, broken bones, and even the possibility of a fatality. However, not all holes in the ground are hazards; only the ones that have an effect on targeted outcomes.
The identification of hazards is a first step in dealing with safety. In the same way, since risk is defined as the effect of uncertainty on outcomes, it becomes important that we first identify the sources of uncertainty. This precedes the identification of their effects on outcomes (i.e. risk). A bow-tie analysis is helpful to visualize the propagation from uncertainty to risk.