top of page

Compliance and the Problem of Evil

Raimund Laqua, P.Eng., PMP



When we speak of safety failures, quality defects, security breaches, or sustainability shortfalls, we are always speaking of absences. Something that should have been present was not. A capability that ought to have existed was missing. A promise that was made went unkept.


But an absence only makes sense in relation to a presence. You cannot miss what was never defined. You cannot fall short of a standard that was never articulated. And here lies the fundamental error at the heart of most compliance frameworks: they begin with what has gone wrong and attempt to work backwards to what should be.


This gets the order of reality exactly backwards.


Two Kinds of Absence


Not all absences are equal. Negation is simple logical denial — the contradictory of a thing. A product meets quality standards or it does not. A workplace is safe or not-safe. This binary framing is clean, auditable, and almost entirely useless for building real capability.


Privation is richer. It is the absence of something that ought to be present given the nature and purpose of the thing in question. A bridge that cannot bear its rated load does not merely "lack safety" in some abstract logical sense — it is deprived of a quality proper to its function as a bridge. The privation tells us not only that something is wrong, but what is missing and why it matters.


Both negation and privation are real and consequential. But here is the crucial point: neither is intelligible without first defining the positive reality from which they depart.


You cannot know what is unsafe without first defining what safe means. You cannot identify a quality defect without first defining what quality is for this product, in this context. You cannot declare a security breach without first establishing what a secured state looks like. The negative has no content of its own — it borrows all of its meaning from the positive it denies or falls short of. Define the good, and the nature of its absence becomes clear. Skip that step, and you are left cataloguing symptoms with no diagnosis.


The Problem of Evil


This is, in essence, the ancient question of good and evil restated in operational terms. The word evil may seem out of place in business discourse — we prefer the antiseptic language of "risk events," "non-conformances," and "control failures." But if that language makes us comfortable while people are harmed by the absence of what ought to have been present, then the comfortable language is part of the problem. The moral structure does not change because we have found softer words for it.


In the classical tradition, evil is not a thing in itself — it is the privation of good. Blindness is not a substance; it is the absence of sight in a being that ought to see. Cruelty is not a positive force; it is the absence of the justice and compassion that ought to govern human action. Evil is parasitic on good. It can only be understood — can only exist — as a deficiency in something that should otherwise be whole.


The question is not whether organisations that fail at safety are evil. The question is whether the structure of that failure — the absence of a good that ought to be present — is any different from what the classical tradition calls evil. If the structure is the same, perhaps the moral weight deserves more attention than we have been giving it.


The Hard Problem of Positive Definition


This logic applies across every compliance domain — quality, safety, security, sustainability, ethics, AI safety. But the moment we try to apply it, we encounter a discomforting discovery: the positive definitions do not exist. Not in any rigorous sense. What we have instead are glossary entries that are themselves negations dressed up as definitions.


Consider safety. ISO 45001 defines it as "freedom from unacceptable risk." That is a negation — safety is defined as the absence of something else. But what is safety positively? What is present when safety is present?


The instinct is to reach for mechanisms: controls, redundancies, protective barriers, safe behaviours. But these are means by which safety is achieved or maintained, not safety itself. A beam bears its load. It is whole, doing what it was made to do. It is safe — not because something was added to it, but because safety is what it is when it is intact. A worker stands on solid ground. No harness, no procedure, no signage. She is safe — not because of controls, but because there is nothing she has been deprived of. Safety is the default condition from which danger is the departure.


The Latin salvus — from which we derive "safe," "salvation," and "salvage" — means whole, intact, uninjured. Safety, at its root, is wholeness: the condition of a thing being as it ought to be, undiminished, undamaged, complete in its nature and purpose. A bridge is safe when it is whole — when it possesses the structural integrity proper to a bridge. A person is safe when they are whole — unharmed, unthreatened, able to be what they are. Safety is not something added on top. It is the baseline condition of things being as they should be.


Even here, wholeness must be partly described by what it is not — undiminished, undamaged, uninjured. The positive and the negative are genuinely intertwined. But the wholeness comes first. We only know what "undamaged" means because we already know what the intact thing looks like.


And there is a further difficulty. To define safety as wholeness, we had to invoke "as it ought to be" — which demands a prior understanding of a thing's nature and purpose. We are doing philosophy whether we intended to or not. This is genuinely hard. And the same difficulty awaits every domain:


  • What is quality? Not the absence of defects — but what is present when quality exists? Is it conformance to purpose, excellence of execution, coherence of design?

  • What is security? Not the absence of breaches — but what exists when something is truly secure? Is it trustworthiness, integrity of boundaries, inviolability of what has been entrusted?

  • What is sustainability? Not the avoidance of depletion — but what is present when an operation is sustainable? Is it stewardship, regenerative capacity, fidelity to obligations that extend beyond the present?

  • What is ethics? Not the avoidance of wrongdoing — but what is present when action is ethical? Is it integrity, justice, care, accountability?

  • What is AI safety? Not the absence of misalignment or harm — but what is present when artificial intelligence is safe? Is it alignment, transparency, bounded purpose, controllability? And who defines these qualities — and on what grounds?


These are not rhetorical questions. They are the questions that every compliance framework implicitly answers but rarely confronts. And the difficulty of answering them does not excuse the failure to ask. Without a positive definition — however hard-won — negation tells us nothing and privation has no reference point. We are left managing the absence of things we have never defined.


The Practical Consequence


When organisations begin with hazard registers, threat models, risk matrices, and failure modes, they are starting with evil and trying to infer good. The result is compliance that is inherently reactive — catalogues of bad things that might happen, with no coherent vision of the good state they are trying to achieve or sustain.


This leads to familiar pathologies: risk registers that grow without limit because there is no defined "enough"; controls that address symptoms rather than root capabilities; audit regimes that verify the presence of paperwork rather than the presence of capability; and a pervasive sense that compliance is burden rather than benefit.


The corrective is simple in principle, though demanding in practice: define the positive first. Once defined, negation and privation become powerful diagnostic tools. Negation gives you the binary check: is the quality present or not? Privation gives you the gap analysis: what specific qualities are missing, relative to what should be there?


Compliance as the Pursuit of the Good


If the argument of this piece holds, then compliance is not fundamentally about avoiding bad outcomes. It is about defining and pursuing good ones — about doing the hard work of establishing what quality, safety, security, sustainability, ethics, and AI safety actually are before attempting to manage their absence.


The positive definitions resist easy formulation. They demand engagement with purpose, nature, obligation — questions that most compliance frameworks are not designed to ask. But the difficulty does not change the logical order. The good is still prior to its privation. Wholeness is still prior to damage. The intact thing is still prior to the defect.


The promise an organisation makes — whether to regulators, to customers, to the public, or to future generations — is not "we will avoid harm." It is "we will be this." We will possess these qualities. We will sustain these commitments. We will deliver these outcomes. Harm avoidance follows from that positive commitment. It is a consequence, not a substitute.


This is why compliance, properly understood, is not overhead. It is the operational pursuit of the good — the ongoing work of defining what wholeness looks like for this organisation, in this context, and then building and sustaining the qualities to achieve it. When that work is neglected, what follows is not merely a regulatory gap. It is a privation — the absence of something that ought to have been present. And the moral weight of that absence does not diminish because we have learned to call it something else.


Evil is the privation of good. Risk is the privation of certainty. Non-compliance is the privation of commitment.


In every case, you must define what something is before you know what is missing.


Raimund Laqua is the founder of Lean Compliance Consulting and co-founder of ProfessionalEngineers.AI. His work focuses on transforming compliance from procedural overhead into operational capability through the principles of Promise Theory and cybernetic governance.

 
 
bottom of page