Someone once asked the question, "why do cars have brakes?" The answer given was, "so they can go fast!" What brakes do for cars is what compliance does for companies. They allow companies to go fast by helping them stay within the lines.
In recent years, many companies have invested significant effort in ways to help them go faster. Several strategies have been used including Agile and LEAN techniques and methods. These approaches have functioned as an accelerator for business processes and have in many cases produced remarkable results.
While a faster engine may help you to go fast, you also need a braking system that is just as capable. The faster you go the better the brakes need to be. However, brakes are only one part of what makes a car effective and safe. A car also needs (among other things):
A driver to choose the destination and pilot the vehicle
A guidance system to identify optimal routes
Limits (speed, traffic lights, etc.) to keep everyone safe
Guard rails to minimize injury
Lines that tell us when we are off-side
Newer vehicles have the ability to tell drivers when they have crossed the line, when it is safe to make a lane change, and when they are no longer on course. Intelligent braking systems also keep cars from losing traction so they can safely slow down. However, getting to your destination safely requires more than these, it also depends on the skills and actions of the driver.
When I first learned to drive we were taught what is still called, "defensive driving skills." These were skills defined as, "driving to save lives, time, and money, in spite of the conditions around you and the actions of others." Its aim was to reduce the risk of collision by anticipating dangerous situations. We practiced these skills until they became second nature. I have continued to use these skills ever since and by doing so kept me and my family safe for over 30 years. This is what it means to be a good driver. Not that you never have an accident but rather that you have the skills and mindset to reach your destination safely.
Just as we need drivers to be good we also need companies to be the same. Similar strategies as "defensive driving" can be learned and applied to meeting and maintaining compliance. Unfortunately, many companies have only the equivalent of guard rails to let them know when they are off-side. They need to crash into a rail before they realize they crossed the line and lost control. This is what happens to those that only use audits to manage compliance. Audits are necessary but ineffective at protecting our businesses and keeping everyone safe.
Drivers that practice defensive driving skills plan and act in such a way to arrive at there destination on time and safely. It is not a choice between one or the other. Companies must also meet multiple goals with regards to compliance whether they include: safety, security, quality, environmental, financial or otherwise. They do not need to sacrifice one for the other and neither should they. This is what it means to take ownership of all your compliance obligations which is necessary for companies to be ethical.
The cybernetic law of Inevitable Ethical Inadequacy (introduced in a previous blog) states, “If you don’t specify that you require a secure ethical system, what you get is an insecure unethical system." Without including ethical goals in your systems they will regulate away from being ethical towards other goals predominately being financial and short term.
We know that most companies want to be ethical as stated in their mission and value statements where words such as: integrity, respect, safety, quality, and social responsibilities are often used. Unfortunately, many of these same companies use a reactive compliance model that was developed only to verify the integrity of financial statements and protect against fraud. However, the dynamics of the systems needed to achieve non-financial goals are different and require proactive strategies that anticipate conditions in the same way that we use defensive driving skills to anticipate dangerous situations.
Next to audits, training is the predominate method used by companies to achieve compliance. This training tends to be technical in nature similar to learning how to drive a car and rarely includes "defensive skills." There are areas such as safety where defensive skills are taught and reinforced. However, for the most part, compliance for many is about checking off boxes to meet prescriptive standards. Companies can improve their compliance by teaching their workers defensive skills rather than only focusing on compliance actions.
In addition to defensive skills, we can also consider greater degrees of automation and embedded compliance in our work processes. Current advancements in autonomous driving provide helpful insights into how automated compliance can work. Understanding that we may never want full automation as compliance decisions are ethical in nature since they involve risk trade-offs and that is something that cybernetics does not address.
For example, safety involves making decisions that involve risk. Risk-based decisions due to their inherent uncertainty are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard then rule-based decisions (the kinds that computers can do) might be appropriate. However, should the hazard remain and uncertainty persist then the decision to proceed becomes an ethical choice which is only something humans can do.
In 2014, SAE International published their standard for driving automation (J3016) that defines six levels of autonomous driving:
This chart provides a means to compare against similar automation in compliance systems and processes. What we find is that many companies are only operating at a level 0 as they provide little to no automation to assist workers in meeting compliance obligations. In fact, many do not even provide the equivalent of defensive skills training and only teach workers to follow prescribed steps. No wonder the effort applied to audits is so high and increasing.
Levels 3 and above do not have a human monitoring the environment and in the case of Level 4 and 5 do not have a human to fall back on should highly ethical decisions need to be made. Therefore, these levels may not be suitable for compliance support and arguably not desirable for autonomous vehicles either. Nevertheless, partial automation and compliance assist systems are helpful in providing workers with greater visibility of compliance obligations either in terms of objectives that need to be met along with limits that need to be observed.
Looking forward, companies that want to see more of their ethical values realized in their organizations will benefit from applying proactive strategies such as defensive skills to help workers better meet compliance obligations. In addition, increasing the level of automation while maintaining human accountability will provide greater and immediate certainty of compliance and reduce the spiraling increase and dependence on audits.
It is better to know that you might cross a line so you have the opportunity to make course corrections. The alternative, is hitting the guard rail and reading a police report that states the obvious. The first is proactive and the latter is reactive compliance which is preventable.