Many organizations implement their compliance systems in a phased approach by working through each element of a regulation or standard. They often start by implementing "shall statements" which tend to be more prescriptive and somewhat easier to establish.
While this element-first approach might achieve a certification or pass an audit quicker it seldom delivers a system that is effective or even operational.
In this article we compare this approach with a systems-first approach based on the work by Eric Ries (Lean Startup).
The element-first approach starts at the bottom by identifying the components of the system that may already exist:
Understand the elements of the regulation or standard.
Map existing practices to the elements.
Identify where current practices do not meet the standard.
Engage these deficiencies in a Plan-Do-Check-Act (PDCA) cycle.
Target these deficiencies for compliance with the standard.
This process captures where existing practices might support a given element. This provides a measure of conformance at least at some level.
However, what this approach overlooks is that existing practices were established in another context and perhaps for a different purpose. They most likely have not been designed to work together within the context of the desired compliance management system.
What organizations have done is essentially taken a bunch of existing parts and put them into another box labelled, "New Compliance Management System."
They still need to adapt them to work together to fulfill the purpose of the new compliance system. Until that happens the system cannot be considered as operational.
Unfortunately, organizations usually run out time, money, and motivation to move beyond the parts of a system to implementing the interactions which are essential for a system is to be considered operational.
To support modern regulations designed with performance and outcome-based obligations another strategy is needed that:
Achieves operational status sooner,
Focuses on system behaviours
Improves effectiveness over time right from the start
To achieve operational status sooner the Lean Startup approach developed by Eric Ries (Lean Startup) can be used. This systems-first approach emphasizes system interactions so that a measure of effectiveness is achieved right away.
Instead of a bottom up approach the focus is on a vertical slice of the management system so that all system behaviours are present at the start and can be applied to each vertical slice. System behaviours create the opportunity for compliance to be achieved.
In a manner of speaking we start with a minimal viable compliance system; one that has all essential parts working together as a whole. Not only is the system operational it is already demonstrating a measure of effectiveness. It also provides a better platform on which the system can be improved over time.