
Golden Thread of Assurance for Compliance


An important role of compliance is keeping organizations operating between the lines and ahead of risk. And when it comes to risk, many will provide a long list of risks you might consider. Some of these will indeed require attention and careful deliberation.

However, there will always be uncertainty when pursuing mission success. There will always be a list of risks to handle.

What’s better is knowing how to meet obligations and deliver stakeholder commitments in the presence of uncertainty. This is why compliance should consider operational aspects when planning its compliance efforts. These are the capabilities necessary for compliance to be successful in the presence of uncertainty.

A measure of compliance success is when compliance is fit for purpose, capable of meeting all obligations, and perhaps most importantly, capable of realizing the benefits that come from being in compliance: better safety, security, sustainability, quality, regulatory outcomes, and ultimately stakeholder trust.

The following are essential compliance capabilities as viewed through an operational lens. These define the operational requirements for an effective compliance program:

  1. Obligation Management

  2. Promise Fulfillment

  3. Value Chain Integration

  4. Organizational Alignment

  5. Compliance Operability

When operating together these form a golden thread of assurance to provide the necessary confidence for compliance success.

Let's take a look at each one, starting with obligations.

1. Obligation Management

Compliance must manage obligations

Many organizations have compliance management systems. However, very few manage obligations.

You may have a management system for quality, environmental, safety, security and so on. These manage the “practice” of compliance but do not necessarily manage the obligations themselves. For that you need a compliance program.

ISO 37301 is a recent standard that provides the basics for such a program. It elevates compliance by providing a system to manage compliance performance.

ISO 37301 includes a concept of operations diagram that illustrates the various functions, behaviours, and interactions that need to be considered and continuously improved over time.

This is a good start for organizations beyond the basics of what common management systems provide.

We need to remember that we don't need compliance management; we need managed obligations.

2. Promise Fulfillment

Compliance must operationalize obligations.

Organizations may track their obligations, but seldom do they keep track of their promises, which makes those promises difficult to keep.

Promises are the operational side of obligations. In fact, promises are operationalized obligations. They define the commitments we make to meet our obligations. Promises describe the how while obligations describe the what.

Obligation and Promises

If obligations are the requirements, promises are the specifications that tell us what we need to do to achieve compliance.

While managing obligations is a level up for many organizations, managing promises is what makes them effective at it.

To meet obligations, organizations need to learn and practice how to keep their promises.

3. Value Chain Integration

Compliance must be an integral part of the value chain

For compliance to be successful, obligations must be operationalized, which means compliance must be an integral part of the value chain. The following adaptation of Michael Porter's value chain helps illustrate why this is important:

Total Value Chain

At the basic level, companies desire to advance profit and better margins. However, organizations will also have other outcomes promised to their stakeholders. Ensuring these outcomes requires programs to operationalize obligations.

These programs (or what we call certainty programs) translate obligations into value chain commitments (or promises) that contribute to meeting targets or advancing outcomes associated with safety, security, sustainability, quality, and so on.

This kind of integration is known as internal regulation – regulating towards better outcomes, not only better margins.

This is not a project that is done once and forgotten. Value Chain Integration is a continuous process that aligns organizational values with operational objectives.

4. Organizational Alignment

Compliance must bridge the gap between what's above and what's below

There is a line that runs through an organization separating upper management from lower management.

Organizational Barrier

This organizational barrier creates a gap between:

  • those who are accountable and those that are responsible

  • programs that change state, and systems that resist change to maintain state

  • obligations that define compliance requirements and promises that specify our commitments

  • the ends and the means

  • the benefits and the cost

  • our long term vision and our short term mission

Now, there used to be something called middle management to translate between what is above and what is below, because the two speak different languages.

This layer has been mostly gutted in recent years to flatten organizational structures.

What does this mean for compliance?

If you want an effective compliance program, that program must now include managing change and negotiating this barrier. Failure to do this will result in compliance failure.

You could say that operationalizing obligations depends on how well you negotiate this barrier.

Compliance must find a way to align these two worlds.

5. Compliance Operability

Compliance must be operational

For compliance to be successful, it must be operational. It must be fit for purpose, able to meet obligations, and capable of realizing the benefits of compliance.

To understand this better we developed the following compliance operational model:

Compliance Operational Model

This model comprises what's needed to continuously deliver on promises to maintain a state of compliance:

  • Operational Governance - sets the destination - the desired outcomes, the goals that we want to achieve.

  • Operational Programs - what governance uses to steer towards outcomes (the controller of the subsystems)

  • Operational Subsystems - implement controls (which are processes) to ensure that objectives are consistently met

  • Operational Processes - do the work of compliance

  • Feedback and feed-forward processes, along with improvement loops for conformance, performance, and effectiveness.

These are all continuous functions, behaviours, and interactions, not yearly activities or tasks. When operational, they will achieve what we call Minimal Viable Compliance (MVC): the minimum performance necessary to start realizing benefits.

MVC is not achieved at the end of a 5-step maturity model, but right at the start.

Why is that important?

Because compliance failure means mission failure.

Operational Compliance - Primer

"For Compliance to be Effective,

It First Must be Operational."
