When it comes to compliance there is a boundary that exists between what is inside an organization and what is outside. This compliance boundary is so important that the ISO standard on Compliance Management Systems (CMS) - ISO 19600, calls out twelve (12) places where it should be considered:
Section 4. Context of the Organization
Internal / external issues
Internal / external aspects
Internal / external obligations
Section 5. Leadership
Internal / external stakeholders
Section 6. Support
Internal / external policies
Internal / external communications
Internal / external reporting
Section 7. Performance Evaluation
Internal / external inspections
Internal / external reporting
Internal / external issues
Internal / external audit
Section 8. Improvement
Internal / external notification and escalation
Taking external and internal factors into account helps to ensure that compliance is comprehensive and exhaustive across all of its roles and activities. The compliance boundary also helps to identify important factors with respect to where obligations might be found, who is accountable to meet them, and who is responsible to ensure that they are.
The internal / external line also signals that different approaches and practices may be necessary depending on which side of the line a particular aspect resides. For example, how one identifies and incorporates internal / external stakeholder expectations might be different as external obligations tend to have regulatory and legal implications whereas internal obligations tend to be more voluntary and require different forms of incentives to achieve.
The compliance boundary is a line that should be monitored regularly and not only once as if it was something that is entrenched or static as the physical parts of a business might be. The compliance boundary is more fluid and subject to change with new regulations and when companies take on more or less ownership of their obligations within their organization and across their supply chain.
It is often that what is considered as internal or external will have more to do with who is accountable for the risk than who is responsible for providing the service or function. An example of when ownership of obligations is a driving force is when contractors are used and where accountability for safety remains with the company that’s procuring the service. The fact that an external party is responsible for the work doesn't necessarily result in the transfer of accountability for safety obligations. In this case, the line used to separate work packages is not the same as the line used to separate compliance obligations.
For compliance to be effective, organizations must pay close attention to the compliance boundary which requires that they:
Define the line between what is internal and external with respect to meeting compliance obligations.
Identify the role that internal / external factors have on meeting compliance objectives.
Ensure that internal / external account-abilities and responsibilities are clearly defined and there are no gaps in coverage.
Establish a process that anticipates and contends with impacts arising from changes to internal / external factors.
Continually monitor the internal / external boundary.
Lean Compliance helps companies adopt and improve compliance programs to better meet performance and outcome-based obligations. Schedule a call with us today to find out more. You can book your appointment here.
