When it comes to performance-based compliance you need to manage both compliance and obligation risk.

• Compliance risk are the effects of uncertainty of non-conformance. These impede outcomes.

• Obligation risk (i.e. opportunities) are the effects of uncertainty of conformance. These advance outcomes.

To manage both the following are helpful tools, and systems:

• Bow-Tie Analysis - evaluate risk and controls to optimize risk buy-down and opportunity invest-up plans
  

• ISO 31000 Risk Management System - provides a framework to manage risks and opportunities across their life-cycle. Don't create an opportunity for threats to penetrate your defenses or opportunities to be missed by missing a step.
  

• ISO 19600 Compliance Management System - provides a framework to manage all your obligations under one governance system. It does this by establishing processes to identify, implement, evaluate, and maintain all mandatory and voluntary obligations covering: quality, safety, environment, security, regulatory, and other risk-based obligations. The goal of ISO 19600 is to ensure effectiveness.

When obligation risk is addressed ahead of time it reduces the probability of compliance risk. Not only will you protect against loss but you also advance outcomes at the same time.

It pays to be proactive.