ISO 19600 defines compliance as the outcome of meeting a company's obligations. These obligations arise from such things as regulations, standards, policies, guidelines, permits, contracts, codes of conduct and many other sources.
A subset of these will be legal obligations, which tend to be prescriptive in nature, for example, "Companies must report all tier one releases within 24 hours." Industry standards and guidelines, by contrast, tend to be more risk- and performance-based: companies are expected to make progress towards reducing such things as emissions, violations, fatalities, breaches, and so on. Intermediate targets for these obligations may be dictated by regulatory bodies, making them mandatory; however, the means by which they are achieved is usually left to each organization based on its level of risk.
Independent of the source of the obligations, or whether they are mandatory or voluntary, we can categorize them into four different types, each with its own specific demands on the organization, as shown in the following diagram:
Each type of obligation will in turn give rise to compliance objectives in order to meet the obligation's demands. Companies put in place compliance systems of processes to efficiently manage these objectives and ensure they are met, taking advantage of shared capabilities and resources to keep costs at sustainable levels commensurate with a tolerated level of obligation risk. The risk categories include safety, regulatory, reputation, environmental and other areas of concern.
To understand how best to meet each compliance objective we need to understand the dynamics of systems, and specifically of purposeful, goal-seeking systems, since compliance is a case where systems are used to ensure that targeted objectives are met.
Dr. Russell Ackoff defined a system as:
"a whole which is defined by its function in a larger system of which it's a part. For a system to perform its function it has essential parts:
Essential parts are necessary for the system to perform its function but not sufficient
Implies that an essential property of a system is that it cannot be divided into independent parts.
Its properties derive out of the interaction of its parts and not the actions of its parts taken separately."
It is this last part which is often overlooked that I want to focus our attention on.
Outcomes vs. Objectives:
Making progress towards compliance outcomes is a primary measure of effectiveness for compliance programs. Since outcomes are an emergent property of compliance systems, it is important that we understand how the parts interact with each other to create the outcome of compliance.
To help with this we need to clear up confusion around the notions of outcomes, objectives, goals, results, and even initiatives. For now we will define and consider the difference between outcomes and objectives since they are the primary components of a compliance system (c.f. ISO 19600, ISO 37301:2021).
Outcomes: these are the ends that we expect to attain over time and where progress is expected through the achievement of planned objectives. Examples of these include: zero incidents, zero harm, zero breaches, zero emissions, zero defects, and many others. These are often described in qualitative terms but may also have defined measures of effectiveness to indicate progress towards the targeted outcome.
Objectives: these are the ends that we expect to attain within the period covered by planning. These results contribute to making progress towards the targeted compliance outcome. An outcome may require several objectives done in parallel, sequentially, continuously, and some contingent on others.
Some form of causation model (deterministic, probabilistic, linear, non-linear, etc.) is used to estimate the confidence level of achieving the desired outcomes by means of objectives. In cases of greater uncertainty these models will be adjusted over time as more information is gathered and the correlation between objectives and outcomes is better known.
Objective Criteria and Evaluation
Objective Criteria: these are attributes that describe an objective. These may consist of measures of performance, conformance, risk, or other attributes that are used to evaluate whether an objective has or is being met.
Objective Scorecard: a qualitative and/or quantitative evaluation of the attributes that define an objective. These are often aggregated to form a single score used to rank the overall status of each objective.
A point worth mentioning is that measures of effectiveness are usually associated with outcomes and often measured as progress towards these outcomes. However, in some cases where objectives require obtaining a specified result over a period of time, the objective may also have a measure of progress. An example would be reducing the level of risk to an acceptable level for a given objective over time.
Those familiar with performance-based systems will notice that evaluation of outcomes is a form of performance assessment rather than an audit. Assessments are usually conducted more frequently, to measure the ability to achieve outcomes, whereas audits are conducted to validate that outcomes have been achieved or that evidentiary material related to prescriptive conformance exists. This differentiation is important, particularly when trying to maintain a status of compliance during the period between audits.
An Example From Occupational Safety
In this example we will look at making progress towards zero safety incidents, a goal that many organizations have. For our purposes we will define the outcome of our safety compliance system as zero incidents.
To make progress towards zero incidents (the ultimate or terminal goal) there will be a number of objectives to be managed by a safety compliance system. Here is a list of examples:
Increase the number of documented near misses
Create a safe work culture as evaluated by an organizational culture survey
Ensure effective safeguards on machinery and equipment
Provide effective safety training for all workers and contractors
Ensure workers use PPE appropriate for the level of risk
Maintain and train against up-to-date safe-work procedures and practices
Establish and maintain an effective joint health and safety committee
Establish an effective emergency response system
Conduct a yearly risk and hazard assessment
Reduce the level of safety risk by 10% year over year
Each of these objectives will have their own set of criteria relative to current conditions, the planning time frame, and targeted results.
Let's take a look at one of these objectives in more detail, "Establish an effective emergency response system." This objective would include attribute criteria such as:
Activation of emergency response plan occurs within X hours of a reported incident.
Affected stakeholders notified within X hours.
Response plan is updated after risk and hazard assessments.
Performance of emergency response plan is tested once per year.
Local authorities are notified within X hours.
Response teams receive refresher training once per year.
Some of these criteria come directly from regulations while others may come from internal policies and other sources.
Objectives and their attributes will have dependencies on other objectives, which will also need to be managed. In addition, each objective will require a set of capabilities (some shared) to meet all its criteria. And finally, objectives may be connected with other safety obligations.
What does this all mean?
For compliance to be effective, organizations must be clear about the outcomes they are trying to achieve and the objectives that need to be met to get there. Objectives are more than gaps identified by audit findings. Objectives define what is needed to ensure that obligations are met continuously, so there are no gaps in the first place. They also define what is needed to realize compliance outcomes (the benefits of being in compliance).