
Engineered Compliance: Mapping Obligations to Outcomes in Regulated Industries

By Raimund Laqua, PMP, P.Eng., Founder and Chief Compliance Engineer at Lean Compliance


I've spent 30 years in the trenches of compliance, and one question keeps coming up:


"Are all compliance obligations implemented as controls?"

This isn't just a theoretical question. It has real consequences for safety, operations, and organizational success.


I've walked through facilities where managers proudly showed me comprehensive compliance documentation, yet their controls weren't effectively addressing the risks they were designed to manage.


Many organizations treat compliance as a simple equation: identify requirements → implement controls → document everything → pass audits.

But when I look at what actually happens in practice, I see something different.


Organizations can check all the right boxes and still fail to achieve what matters most: the outcomes that regulations were intended to achieve.

In this article, I'm sharing what I've learned from three decades helping companies move beyond procedural to operational compliance.


This shift isn't just about better compliance—it's about safer operations, improved efficiency, and sustainable success in regulated industries.


The Problem with Controls


Early in my career, I worked with a pipeline company that was dealing with issues across several areas: their management systems had gaps, they were experiencing worker safety incidents, pipe handling problems were occurring, and there were environmental protection concerns.


They had implemented control systems with procedures covering these areas, but the controls weren't effectively preventing these issues from recurring. This illustrated a pattern I would see repeatedly—having controls in place doesn't automatically translate to the protection those controls were intended to provide.


The same pattern shows up across industries: oil & gas, healthcare, manufacturing, you name it. Companies invest in comprehensive control systems, create detailed procedures, and maintain voluminous records. Then they're shocked when incidents occur or when regulators issue findings.


The reality is that traditional control-based approaches often emphasize implementation over effectiveness. They're built around passing audits rather than achieving outcomes. And they typically react to problems rather than preventing them.


I've seen this reactive cycle play out hundreds of times:


  1. A finding or incident occurs

  2. The organization implements more controls and documentation

  3. Things look better on paper

  4. Another issue occurs in a different area

  5. Rinse and repeat


This approach isn't just ineffective; it's exhausting. It burns out compliance professionals across all domains, frustrates operations teams, and wastes resources. Worst of all, it doesn't adequately protect what matters: it doesn't actually work.


Companies that break this cycle take a fundamentally different approach. They focus on what actually works in the field, not just what controls are documented in the office. They build systems that detect problems before they manifest. Most importantly, they design their programs around the outcomes they need to achieve, not just the controls they need to implement.


When companies make this shift, something remarkable happens. They create an upward momentum where better outcomes lead to increased stakeholder trust, which supports more effective compliance, which delivers even better outcomes—a virtuous cycle that creates real value.


What Regulators Actually Want


Working alongside regulatory professionals for decades has given me an interesting perspective. While many people have a narrow view of regulators, the reality is much more nuanced.


Modern regulatory frameworks contain four distinct types of obligations which are often overlooked:


  1. Rules-based requirements tell you exactly what to do. When a regulation states "pressure vessels must be inspected every 36 months," there's no ambiguity. You either did the inspection on schedule or you didn't.

  2. Practice standards define approaches you need to follow. Requirements to "implement management of change procedures" don't prescribe exact steps, but they do require specific processes to be in place and functioning.

  3. Performance-based requirements specify what you need to achieve. When regulations require "99.95% availability of safety systems," they don't specify how you achieve it; what is important is that you do.

  4. Outcome-based obligations focus on the protection you need to provide. Requirements to "prevent releases" or "ensure process safety" focus on the ultimate goal without specifying methods or performance standards.


I've watched this evolution unfold over my career. Twenty years ago, most regulations were prescriptive rules. Today, regulators increasingly focus on performance and outcomes, giving organizations flexibility in how they achieve compliance while holding them accountable for results.


Here's the thing: the approach that works for rules-based requirements fails miserably for outcome-based ones.


This disconnect explains something I've observed repeatedly: organizations can be simultaneously "in compliance" according to their documentation but failing to deliver the outcomes regulations were intended to ensure.

Matching Your Approach to Your Obligations


Over time, I've developed a practical framework for matching compliance approaches to the primary types of obligations:


  1. For rules-based requirements: Traditional controls with verification work fine. When regulations specify exact inspection frequencies or precise parameter settings, implementing those specific controls and verifying they happened is appropriate.

    I worked with a medical device manufacturer who needed to document specific quality checks. For these clear requirements, we implemented straightforward controls and verification processes. This worked perfectly for these types of obligations.

  2. For practice standards: You need functioning processes, not just documented ones. For requirements specifying management systems or processes, having documentation isn't enough; those processes must function effectively in practice. At an energy company, we moved beyond just documenting their management of change process to ensuring it actually managed the risks resulting from planned changes. This shift from "having a process" to "having a process that works" made all the difference.

  3. For performance-based requirements: You need monitoring and adaptive approaches. When regulations specify performance targets, you need systems that continuously monitor performance and adapt when targets aren't being met. A refinery implemented real-time monitoring of their safety-critical systems rather than just periodic checks. This allowed them to address potential issues before they affected system reliability, consistently meeting their 99.9% availability requirements for emergency shutdown systems.

  4. For outcome-based obligations: You need integrated programs that address all factors. For requirements focused on outcomes like safety or environmental protection, you need comprehensive programs that address technical, human, and organizational factors.

    With a pipeline operator, we helped develop a holistic approach to process safety management that went beyond inspections to address all factors affecting pipeline safety. This program-based approach delivered much better protection than their previous control-centric system.


This framework isn't just another approach to compliance; it's what's needed to meet all your obligations, not just the ones you are most familiar with.


In addition, the further you move from rules toward outcomes, the more you need to shift from documentation to operational effectiveness.


Four Practical Steps to Transform Your Approach


Based on my experience helping organizations make this transition, I've developed a four-step process at Lean Compliance called The Proactive Certainty Program™. It's designed to help companies move from procedural to operational compliance:


1. ORIENT


Start by understanding which direction you are heading:


This begins with a comprehensive scorecard assessment that evaluates 10 essential aspects of operational compliance. This reveals gaps in your compliance approach and readiness for transformation that typical reviews often miss.


During this activity:


  • Identify your highest-risk areas and greatest improvement opportunities

  • Evaluate your operational compliance across the 10 essential aspects

  • Determine what's preventing you from being more proactive

  • Assess your readiness for transforming your approach


This step is about honest assessment. Many organizations believe their compliance programs are more effective than they actually are. The orientation phase provides clarity on the true starting point.


2. MAP


With a clear understanding of the current situation, develop a practical roadmap:


This 13-week process includes structured learning objectives that teach you what you need to know about operational compliance, combined with hands-on work to create a viable pathway from the current state to where you need to be.


During this phase:


  • Learn essential concepts and principles that drive effective operational compliance

  • Current approaches are evaluated against what actually works in similar organizations

  • A roadmap is designed toward what's called "Minimal Viable Compliance"

  • A clear pathway is created from the current state to operational compliance


This mapping creates the blueprint for transformation. It's not about theory—it's about establishing a practical path forward based on specific situations and resources while building the knowledge foundation needed for success.


3. OPERATIONALIZE


Implementation is where many transformations fail. The focus must be on building what's essential:


This phase is about establishing practices that keep organizations between the lines and ahead of risk in their operations rather than creating more documentation.


During this step:


  • Establish the essential practices required for operational compliance

  • Implement the minimum necessary foundation rather than trying to boil the ocean

  • Create operational mechanisms that make compliance part of regular work

  • Develop monitoring systems that provide early warning of potential issues


This activity ensures you build a foundation that delivers real protection before expanding to address less critical areas. It's about focusing resources where they matter most to stay between the lines and ahead of risk.


4. ELEVATE


With the essentials in place, performance can be elevated and outcomes advanced:

This phase involves implementing continuous improvement cycles that steadily advance capabilities beyond minimum requirements.


During this activity:


  • Systematically raise standards beyond minimal compliance

  • Advance capabilities to achieve better outcomes with less effort

  • Implement improvement cycles based on lean principles

  • Realize the full benefits of proactive compliance


This elevation phase transforms compliance from a cost center into a value creator. Organizations that reach this level consistently outperform their peers in both compliance and operational metrics.


These four steps—ORIENT, MAP, OPERATIONALIZE, ELEVATE—aren't academic.


They've guided dozens of organizations from reactive, procedural-focused compliance to proactive, operational-oriented programs.


The transformation doesn't happen overnight, but each step delivers tangible benefits that make the journey worthwhile.


The Path Forward


So, let's return to our original question:


Are all compliance obligations implemented as controls?

After 30 years in the field, my answer is clear: While controls are essential for rules-based requirements, they're insufficient for performance and outcome-based obligations. Those require operational approaches focused on what actually happens in the field, not just what's documented in the office.


I've seen organizations waste millions on compliance efforts that look good on paper but fail to deliver real value. I've also seen organizations transform their approach and achieve better outcomes with fewer resources.


The difference comes down to recognizing that compliance isn't primarily a procedural challenge—it's an operational one. It's about ensuring that what happens in the field consistently delivers the outcomes regulations were intended to protect.


The organizations that thrive in today's complex regulatory environment are those that:


  1. Take ownership of their obligations rather than just reacting to audits

  2. Establish real-time monitoring systems rather than waiting for periodic checks

  3. Continuously improve their approach based on operational feedback


This transformation isn't just about better compliance—it's about safer operations, improved efficiency, and sustained organizational success. It's about protecting what matters while eliminating activities that don't add value.


In my experience, this isn't a journey you can skip or shortcut. There's no magical tool that will transform your compliance program overnight. But by following a structured approach and focusing on what actually works, you can steadily move from where you are to where you need to be.


The companies I've seen make this journey successfully share one characteristic: they're committed to doing the right thing, not just checking the right boxes. They see compliance not as a burden to be minimized but as a capability to be developed.


If that describes your organization, you're already on the right path. And if you're struggling with compliance that feels heavy on procedures but light on effectiveness, there's a better way forward. I've seen it work repeatedly across industries, and I'm confident it can work for you too.



Raimund Laqua, PMP, P.Eng. is Founder and Chief Compliance Engineer at Lean Compliance Consulting, Inc., which he founded in 2017. With over 30 years of consulting experience across North America, he focuses on helping ethical, ambitious companies in highly-regulated, high-risk industries improve the effectiveness of their compliance programs. His expertise spans safety & security, quality, regulatory and environmental objectives across multiple sectors including oil & gas, energy, pharmaceutical, medical device, financial, technology, and government. He is the author of weekly blog articles, an upcoming book on operational compliance, and regularly speaks on topics of risk, compliance, lean, and responsible and safe AI.

 
 
© 2017-2025 Lean Compliance™ All rights reserved.
