Updated: Nov 13, 2020
ISO 19600 defines compliance as the outcome of meeting a company's obligations. These obligations arise from such things as regulations, standards, policies, guidelines, permits, contracts, codes of conduct and many other sources.
A subset of these will be legal obligations, which tend to be prescriptive in nature, for example, "Companies must report all tier one releases within 24 hours." Industry standards and guidelines, by contrast, tend to be more risk- and performance-based, where companies are expected to make progress towards reducing such things as emissions, violations, fatalities, breaches, and so on. Intermediate targets for these obligations may be dictated by regulatory bodies, making them mandatory; however, the means by which these are achieved is usually left to each organization based on its level of risk.
Independent of the source of the obligations, or whether they are mandatory or voluntary, we can categorize them into four different types, each with its own specific demands on the organization, as shown in the following diagram:
Obligations will in turn give rise to compliance objectives in order to meet each obligation demand.
Companies will put in place compliance systems of processes to efficiently manage and ensure these objectives are met, taking advantage of shared capabilities and resources to keep costs within sustainable levels commensurate with a tolerated level of obligation risk across categories that include safety, regulatory, reputation, environmental and other areas of concern.
To better understand the nature of compliance objectives, we need to understand the dynamics of systems, specifically purposeful systems that are goal-seeking, as is the case for compliance, where systems are used to ensure that targeted objectives are met.
Dr. Russell Ackoff defined a system as:
"a whole which is defined by its function in a larger system of which it's a part. For a system to perform its function it has essential parts:
Essential parts are necessary for the system to perform its function but not sufficient
Implies that an essential property of a system is that it can not be divided into independent parts.
Its properties derive out of the interaction of its parts and not the actions of its parts taken separately."
The last point is what we will focus on in this article. The properties of a compliance system derive from the interactions of its parts and not the actions of the parts taken separately. As others have said, outcomes are an emergent property of these interactions. The parts of a system and their interactions are derived from the purpose of the compliance system and, to a large degree, from its objectives.
Outcomes vs. Objectives:
There tends to be much confusion around the notions of outcomes, objectives, goals, results, and even initiatives. For now we will define and consider the difference between outcomes and objectives, since they are the primary components of a compliance system (cf. ISO 19600).
Outcomes: these are the ends that we do not expect to attain within the period planned for but towards which progress is expected through achievement of planned objectives. Examples of these include: zero incidents, zero harm, zero breaches, zero emissions, zero defects, and many others. These are often described in qualitative terms and may also have defined measures of effectiveness to indicate progress towards the targeted outcome.
Objectives: these are the ends that we expect to attain within the period covered by planning. These results contribute to making progress towards the targeted compliance outcome. An outcome may require several objectives done in parallel, sequentially, continuously, and some contingent on others.
Some form of causation model (deterministic, probabilistic, linear, non-linear, etc.) is used to estimate the confidence level of achieving the desired outcomes by means of objectives. In cases of greater uncertainty these models will be adjusted over time as more information is gathered and the correlations between objectives and outcomes are better known.
Objective Criteria and Evaluation
Objective Criteria: these are attributes that describe an objective. These may consist of measures of performance, conformance, risk, or other attributes that are used to evaluate whether an objective has or is being met.
Objective Scorecard: a qualitative and/or quantitative evaluation of the attributes that define an objective. These are often aggregated to form a single score used to rank the overall status of each objective.
A point worth mentioning is that measures of effectiveness are usually associated with outcomes rather than objectives as they are indicators of progress towards a given outcome. However, in some cases where objectives require obtaining a specified result over a period of time, the objective may also have a measure of progress. An example would be reducing a level of risk to an acceptable level associated with an objective itself. A measure of progress or effectiveness might be a confidence level based on the level of uncertainty.
Those familiar with performance-based systems will notice that evaluation is a form of performance assessment rather than an audit. Assessments are usually conducted more frequently to manage compliance performance as opposed to audits which are conducted to validate outcomes or the existence of evidentiary material related to measures of prescriptive conformance. This differentiation is important particularly when trying to maintain a status of compliance during the period between when audits are conducted.
An Example From Occupational Safety
In this example we will look at making progress towards zero safety incidents, which is a goal that many organizations have. For our purposes we will use zero incidents as the outcome of our safety compliance system.
To make progress towards zero incidents (the ultimate or terminal goal) there will be a number of objectives to be managed by a safety compliance system. Here is a list of examples:
Increase the number of documented near misses
Create a safe work culture as evaluated by an organizational culture survey
Ensure effective safeguards on machinery and equipment
Provide effective safety training for all workers and contractors
Ensure workers use PPE appropriate for the level of risk
Maintain and train against up-to-date safe-work procedures and practices
Establish and maintain an effective joint health and safety committee
Establish an effective emergency response system
Conduct a yearly risk and hazard assessment
Reduce the level of safety risk by 10% year over year
Each of these objectives will have its own set of criteria relative to current conditions, the planning time frame, and targeted results.
Let's take a look at one of these objectives in more detail, "Establish an effective emergency response system." This objective would include attribute criteria such as:
Activation of emergency response plan occurs within X hours of a reported incident.
Affected stakeholders notified within X hours.
Response plan is updated after risk and hazard assessments.
Performance of emergency response plan is tested once per year.
Local authorities are notified within X hours.
Response teams receive refresher training once per year.
Some of these criteria come directly from regulations while others may come from internal policies and other sources.
Objectives and their attributes will have dependencies on other objectives, which will also need to be managed. In addition, each objective will require a set of capabilities (some shared) to meet all its criteria. And finally, objectives may be connected with other safety obligations.
Ensuring that companies meet all their obligations requires effectively managing the objectives connected with them. Objectives are more than gaps identified by audit findings; they define what is needed to ensure that obligations are met continuously, so there are no gaps in the first place.