A common problem facing organizations in highly regulated, high-risk environments is how to properly govern their operations to ensure they meet all their obligations and keep all their stakeholder commitments. This problem in many ways is about aligning the ends with the means, or better, bridging the gap between organizational outcomes and operational objectives. In fact, it’s a problem of managing compliance in the middle.
When one considers the combinatorial explosion of obligations and associated risks connected with safety, security, sustainability, quality, regulatory along with ethical conduct the problem is almost intractable. This is evidenced by a large number of end points, connections, and interactions to control particularly when addressing the problem through a reactive and reductive model centred on controls, tasks, issues, and corrective actions.
Technology offers some relief by enabling certain processes and making some more efficient. However, automation can all too often result in baking in processes, or what we used to call, “paving the cowpath” resulting in greater fragility rather than agility to contend with uncertainty and complexity.
To reduce complexity and improve overall compliance effectiveness organizations will adopt different strategies some of which are compelled by regulation, others are voluntarily chosen. These can be categorized by their primary focus: standardizing practices, integrating controls, or operationilzing systems.
Standardize Practices - example: management system standards and frameworks (ISO, ICH, NIST, CSA, FDA, OSHA, etc.)
Integrate Processes - example: GRC (Governance, Risk and Compliance )
Operationalize Systems - example: Lean TCM (Total Compliance Management)
These approaches overlap to various degrees but differ in how they work, and where they operate within an organization. In this article we explore each of them and compare their advantages and disadvantages.
Standardize Practices
ISO management systems standards such as ISO 37301 (CMS) are examples of this approach.
ISO standards are a set of internationally recognized guidelines designed to assist organizations in achieving operational excellence, ensuring quality, and promoting continual improvement. These standards are developed by the International Organization for Standardization (ISO), a non-governmental organization that brings together experts from various industries to create consensus-based specifications. The primary objective of ISO management standards is to establish a common framework that organizations can implement to enhance efficiency, reduce risks, and meet the expectations of stakeholders. These standards cover a wide range of disciplines, including quality management, environmental management, information security, and occupational health and safety.
Implementation of ISO management standards typically involves a systematic approach, starting with a thorough understanding of the organization's processes and objectives. Organizations seeking certification adhere to the specific requirements outlined in the relevant ISO standard. The implementation process often includes the development of documented policies, procedures, and guidelines, as well as the establishment of key performance indicators to measure progress. Certification, which is usually assessed by independent third-party auditors, serves as a formal recognition that the organization's management system conforms to the specified ISO standard. Achieving and maintaining ISO certification demonstrates a commitment to excellence and can enhance an organization's reputation, fostering trust among customers, partners, and regulatory authorities.
One of the fundamental principles of ISO management standards is the concept of continual improvement. Organizations are encouraged to regularly review and refine their management systems to adapt to changes in the internal and external environment. Continuous monitoring, measurement, and evaluation of performance metrics help identify areas for enhancement and ensure that the organization remains responsive to evolving circumstances. This iterative process not only drives efficiency but also cultivates a culture of innovation and adaptability within the organization. In essence, ISO management standards provide a dynamic and flexible framework that empowers organizations to navigate the complexities of today's business landscape while fostering a commitment to ongoing improvement and customer satisfaction.
Potential Weaknesses
While ISO standards provide valuable guidelines for organizations seeking to enhance their processes and ensure quality, there are some key weaknesses associated with their implementation:
Rigidity and Formality: ISO standards can be perceived as rigid and overly formal, leading to a potential disconnect between the prescribed requirements and the dynamic needs of certain organizations. This formality may hinder innovation and creativity within some contexts, especially in rapidly evolving industries where flexibility is crucial.
Resource Intensiveness: Achieving and maintaining ISO certification can be resource-intensive, particularly for small and medium-sized enterprises (SMEs). The documentation, training, and audit processes involved can be time-consuming and costly, posing a challenge for organizations with limited budgets or manpower.
Focus on Documentation: ISO standards often emphasize extensive documentation to demonstrate compliance. While documentation is essential for clarity and accountability, an excessive focus on paperwork can lead to a "box-ticking" mentality, where organizations prioritize meeting documentation requirements over genuine process improvement and effectiveness.
Limited Adaptability: ISO standards may not always adapt quickly enough to emerging trends, technologies, or industry-specific nuances. This limitation can make it challenging for organizations in cutting-edge or highly specialized fields to fully align their management systems with the most current best practices.
Lack of Strategic Guidance: ISO standards provide a framework for establishing management systems but may not offer specific strategic guidance tailored to individual organizations. This can result in organizations achieving ISO certification without necessarily aligning their management systems with their strategic goals.
Perceived Bureaucracy: The implementation of ISO standards can sometimes be viewed as bureaucratic, especially by employees who may feel burdened by additional administrative tasks. This perception may hinder employee engagement and commitment to the principles of the ISO management system.
Overemphasis on Documentation Compliance: In some cases, organizations may prioritize demonstrating compliance with documentation requirements rather than focusing on the underlying principles and effectiveness of the management system. This can lead to a superficial adherence to ISO standards without realizing the intended benefits.
It's important to note that these weaknesses do not negate the overall value of ISO standards. Organizations should carefully consider their specific needs, industry context, and strategic objectives when deciding to adopt and implement ISO management standards.
Integrate Processes
Governance, Risk, and Compliance (GRC) frameworks are an example of this approach.
GRC is a holistic framework that integrates three critical components of organizational management: governance, which involves the establishment of structures and processes for decision-making and accountability; risk management, which focuses on identifying, assessing, and mitigating potential threats to an organization's objectives; and compliance, which ensures adherence to relevant laws, regulations, and internal policies. The GRC framework aims to harmonize these elements to promote effective decision-making, mitigate risks, and ensure compliance with legal and regulatory requirements.
Within a GRC framework, governance sets the tone for the organization by defining its strategic objectives and establishing the framework for decision-making. It involves the allocation of responsibilities, creation of policies, and development of communication structures to guide the organization toward its goals. Risk management within GRC involves the identification, assessment, and prioritization of potential threats to the achievement of objectives. This proactive approach enables organizations to implement strategies to mitigate risks and capitalize on opportunities effectively. Compliance, the third pillar of GRC, ensures that an organization operates within the bounds of relevant laws, regulations, and internal policies. It involves monitoring, reporting, and taking corrective actions to address any non-compliance issues.
The GRC framework operates synergistically, providing a structured approach to managing the complex interplay between governance, risk, and compliance. Implementation often involves the use of technology and specialized software solutions to streamline processes, enhance visibility, and facilitate real-time monitoring. GRC frameworks not only help organizations avoid legal and financial pitfalls but also contribute to overall business resilience and sustainability. By embedding a culture of accountability and transparency, GRC facilitates the establishment of robust internal controls, ultimately leading to improved decision-making, stakeholder trust, and long-term organizational success.
Potential Weaknesses
While Governance, Risk, and Compliance (GRC) frameworks offer valuable tools for managing and aligning organizational processes, they are not without potential weaknesses. Here are some common weaknesses associated with GRC frameworks:
Complexity: GRC frameworks can be intricate and complex, particularly in large organizations. The complexity may lead to confusion among employees and make it challenging to implement and maintain the framework effectively.
One-Size-Fits-All Approach: Some GRC frameworks may adopt a generic or standardized approach that might not suit the specific needs and nuances of an organization. This can result in inefficiencies and may not adequately address the unique risks and compliance requirements of the organization.
Lack of Integration: Integration is the by-word of GRC and issues may arise if the GRC framework is not well-integrated with existing business processes and systems. Siloed information and disconnected processes can hinder the effectiveness of risk management and compliance efforts.
Overemphasis on Conformance: In some cases, organizations may focus too heavily on adherence to procedures, neglecting the broader aspects of governance and risk management. This can lead to a reactive approach rather than a proactive one.
Resistance to Change: Implementing a GRC framework often requires significant changes in organizational culture, processes, and structures. Resistance from employees and stakeholders can impede successful adoption and implementation.
Resource Intensive: Developing, implementing, and maintaining a GRC framework can be resource-intensive. Small and medium-sized enterprises may find it challenging to allocate the necessary resources for a comprehensive GRC program.
Technology Dependence: Some organizations heavily rely on technology solutions for GRC management. While technology is essential, over-dependence on tools without a solid understanding of underlying principles and processes can be a weakness.
Inadequate Communication: Effective communication is crucial for the success of any GRC framework. Weaknesses may emerge if there is a lack of clear communication regarding roles, responsibilities, and expectations related to governance, risk, and compliance.
Insufficient Training and Awareness: Employees may not fully understand the importance of GRC or their roles in the framework. Lack of training and awareness can result in non-compliance and ineffective risk management practices.
Despite these weaknesses, a well-designed and effectively implemented GRC framework can provide substantial benefits to organizations. It's crucial for organizations to carefully tailor GRC practices to their specific needs, regularly assess their effectiveness, and continuously improve their approach to governance, risk management, and compliance.
Operationalize Systems
Lean TCM (developed by Lean Compliance) is an example of this strategy.
Lean TCM takes a different approach from other methodologies by considering a different set of questions:
What would compliance look like if it was already an integral part of the value chain?
How could effectiveness be realized right from the start?
What is necessary to meet all obligations and keep promises?
How would it need to operate and what is essential for operability?
Instead of standardizing and integrating all the pieces of a “broken” system at the task or process level, Lean TCM endeavours to establish an integrative operating model that works at the point where obligations become promises. Lean TCM operates in the middle of an organization, bridging the gap between outcomes and objectives which is essential to achieve effectiveness (i.e. the realization of benefits).
Unlike traditional compliance approaches, Lean TCM does not replace existing management standards; instead, it elevates them to a higher level, providing essential capabilities that extend beyond mere certification. It addresses both Compliance 1 (rules and practices) and Compliance 2 (targets and outcomes), encompassing legal and social licenses to operate. This framework serves as a guiding navigator for organizations, ensuring the right balance between reactive and proactive behaviors and practices.
Drawing inspiration from various management disciplines such as Total Quality Management, Continuous Improvement, Lean Startup, Hoshin Kanri, ISO standards (e.g., ISO 37301 for CMS and ISO 31000 for RM), Performance Management, Promise Theory, and Cybernetics, Lean TCM is designed to tackle modern-day compliance challenges. It enables organizations to not only achieve more benefits than certification alone but also handle regulatory and stakeholder obligations efficiently. The framework emphasizes sustainability, trust-building, and the fulfillment of obligations, equipped with strategies for improvement, alignment, and accountability at every organizational level.
The Lean TCM Framework provides organizations with a holistic, proactive, and integrative approach to operate in highly regulated and high-risk environments. It serves as more than just a means to an end, defining an operational approach for sustainable mission success. The Operational Compliance Model within Lean TCM ensures that compliance is not just a set of rules but an operational function, achieving Minimal Viable Compliance (MVC) by incorporating regulatory design principles derived from systems theory and cybernetics. Additionally, Lean Compliance offers advanced programs such as The Proactive Certainty Program™ and The Elevate Compliance Program, both designed to facilitate compliance transformation, strengthen defenses, and address modern compliance challenges with assurance.
Lean TCM emphasizes the following:
You start with something that is already operational, simpler, and capable of delivering benefits.
The point of intervention happens where obligations align with promises, outcomes align with objectives, and the ends align with the means.
Adds the function of management programs missing from management system standards, including GRC frameworks.
Implemented using Lean Startup to accelerate learning and improvement
Focuses on outcomes and operational risk.
Harnesses lean principles to reduce waste to create the opportunity for proactive improvements.
You learn to drive towards compliance outcomes by driving right from the start.
Weaknesses:
While Lean Total Compliance Management (Lean TCM) offers a robust framework for organizations to enhance their compliance efforts, there are certain weaknesses associated with this approach:
Novel Implementation (lean startup): Lean TCM utilizes the Lean Startup approach which may not be as familiar to those who have followed traditional bottom-up approaches.
Resource Intensiveness: Similar to other comprehensive compliance frameworks, Lean TCM may demand significant resources, both in terms of time and financial investment. Smaller organizations or those with tight budgets may find it challenging to allocate the necessary resources for successful implementation.
Resistance to Change: The introduction of a holistic and integrative compliance approach may face resistance from employees accustomed to traditional compliance methods. The shift towards a proactive and operational compliance culture might encounter pushback, requiring effective change management strategies to ensure successful adoption.
Limited Experience: While Lean TCM incorporates well known principles and practices from different domains, its overall approach may not be as familiar. This could pose a challenge for organizations looking for traditional methods.
Not Elevating Minimal Viable Compliance: While the concept of achieving Minimal Viable Compliance (MVC) is integral to Lean TCM, there is a risk of organizations focusing solely on meeting the minimum requirements rather than striving for continuous improvement and excellence in compliance practices.
Dependency on Existing Capabilities: Lean TCM emphasizes elevating existing resources for compliance benefits. However, organizations with inadequate existing capabilities or those lacking a strong foundation in relevant management principles may struggle to realize the full potential of Lean TCM.
Limited Industry-Specific Guidance: Lean TCM provides a broad framework applicable across various industries and compliance domains, but it may lack specific guidance tailored to certain sectors with unique compliance challenges. Organizations in highly specialized fields may need to supplement Lean TCM with industry-specific expertise.
Potential Overemphasis on Effectiveness: The focus on outcomes may lead to an overemphasis on outcomes potentially neglecting the importance of efficiency.
Despite these weaknesses, organizations can mitigate challenges by carefully assessing their specific needs, participate in educational programs, and develop a tailored roadmap for their organization.
An Aside From the Past
For those working in the IT industry in the 90’s may remember using CORBA (www.corba.org). The CORBA approach is based on the concept of a middleware infrastructure, known as the Object Request Broker (ORB), which facilitates communication and interaction between distributed objects.
Back then we attempted to create business objects written in Java for every object of interest to the business which would then be integrated together using a CORBA broker. Sounds great! It also sounds very familiar and similar to the approaches taken by GRC frameworks and to a lessor degree management system standards.
As you can imagine, there was not enough time, energy or funding to define and integrate everything, so CORBA implementations usually failed. This is an important lesson for any holistic approach particular those that depend on tight coupling of objects and the need for everything to be perfect. This is something that Lean TCM attempts to address by operating in the middle, above the task and procedure level, and using concept of minimal viable programs (MVPs), which can elevated over time.
Implementing CORBA also taught me that just because you integrate everything together doesn’t mean you will end up with more than you started with apart from now having to manage all the integration touch points. When you connect reactive processes together you still end up with a reactive system. Integration only makes sense when used to build a system that is capable of delivering benefits which is something that many organizations fail to understand.
Summary
In this article we explored three key strategies for achieving success in compliance within highly regulated, high-risk environments. The common challenge faced by organizations in these environments is effectively governing their operations to meet obligations and stakeholder commitments while bridging the gap between organizational outcomes and operational objectives. The strategies discussed include standardizing practices, integrating processes through Governance, Risk, and Compliance (GRC), and operationalizing systems with Lean Total Compliance Management (Lean TCM).
The first strategy involves standardizing practices using management standards, which provide recognized guidelines to enhance efficiency, reduce risks, and meet stakeholder expectations. While management system standards offer valuable guidance, potential weaknesses include rigidity, resource intensiveness, and a potential overemphasis on documentation compliance.
The second strategy focuses on integrating processes through GRC frameworks, harmonizing governance, risk management, and compliance. Despite its advantages, GRC frameworks have potential weaknesses, such as complexity, a one-size-fits-all approach, and the challenge of integration with existing business processes.
The third strategy introduces Lean TCM, a unique approach developed by Lean Compliance that operationalizes obligations by integrating compliance into the value chain. Lean TCM addresses Compliance 1 and Compliance 2 requirements, offering a holistic, proactive, and integrative approach. However, potential weaknesses include its novel implementation using Lean Startup, limited industry-specific guidance, and potential resistance to something different.
In essence, each strategy has its strengths and weaknesses, and organizations must carefully consider their specific needs, industry context, and strategic objectives when choosing a compliance approach. While ISO standards, GRC frameworks, and Lean TCM offer valuable insights, successful implementation requires a tailored approach, ongoing assessment, and a commitment to continuous improvement.
