Updated: Jun 9
According to Albert Einstein:
Insanity is doing the same thing over and over again and expecting different results.
And yet, that is exactly how some organizations approach compliance. Consistency and conformance are king, and hoping for better outcomes is the primary article of faith. Any improvements that are made have more to do with form as prescribed than with function as intended. Even so, companies rarely know the status of their compliance with respect to form, and with respect to function it is not measured at all. The phrase "blind faith" comes to mind. Just follow the rules and everything will be just fine.
This posture, as common and prevailing as it may be, is however changing. Slowly, yes; but changing nonetheless.
In order to better protect public and environmental safety, stakeholder value, reputation, quality, and other value outcomes, a sea-change is happening to the risk and compliance landscape.
Compliance obligations now have more to do with making progress towards vision zero targets such as zero emissions, zero fatalities, zero harm, zero fines, zero violations, and so on, than with meeting prescriptive requirements. The latter is still necessary, but only as a part of an overall compliance framework. Why? Because regulators, standards bodies, and stakeholders recognize that to address more complex and systemic risk, organizations need more latitude in terms of the means by which risk is addressed.
This is a huge paradigm shift for those who work in risk and compliance. Previous one-size-fits-all prescriptive approaches to prevent loss and mitigate harms are too expensive when aggregated across an industry or even an organization. But more importantly, they are ineffective at dealing with the challenges that must now be faced.
The bad news is that after decades under the tutelage of prescriptive regulations and industry standards, making the necessary changes has not been and will not be easy. Substituting audit regimes with performance and risk-based compliance services has been slow, although there are signs that things are speeding up.
At the same time, continuing to use reactive and siloed functions to meet obligations will not be enough and probably never was. Compliance must now be goal-oriented, proactive and integrated into overall governance and managerial accountability. Advancing outcomes is now the new king, and risk-based approaches focused on continuous improvement over time are the new standard. Instead of hoping for better outcomes, companies must now put in place measures to make certain that they are better – informed faith rather than blind faith.
The good news is this will make compliance more effective at protecting overall value and lighter weight in the process (think risk-based and lean). Compliance will be in a better position to contend with uncertainty and improve the probability that what we value is not lost and new value is advanced.
If this only means preventing risks before they become a reality and avoiding a recall, a security breach, an oil spill, or excessive emissions, then this will be a huge win for everyone. Compliance will no longer be seen as a necessary evil and something to avoid, but will be looked at as a necessary good and something to be good at.
Of course, some will continue with the same approaches they have followed for years and hope for the best. But we know this leads to the same outcomes that we have always had: passing audits but not advancing compliance outcomes or reducing risk.