An important role of compliance is keeping organizations operating between the lines and ahead of risk. And when it comes to risk many will provide a long list that you might consider. Some of these will indeed require attention and careful deliberation.
However, there will always be uncertainty when pursuing mission success. There will always be a list of risks to handle.
What’s better is knowing how to meet obligations and deliver stakeholder commitments in the presence of uncertainty. This is why compliance should consider operational aspects when planning their compliance efforts.These are the capabilities necessary for compliance to be successful in the presence of uncertainty.
A measure of compliance success is when compliance is fit for purpose, capable of meeting all obligations, and perhaps most importantly, capable of realizing the benefits that come from being in compliance: better safety, security, sustainability, quality, regulatory, and ultimately stakeholder trust.
The following are essential compliance capabilities as viewed through an operational lens. These define the operational requirements for an effective compliance program:
Obligation Management
Promise Fulfillment
Value Chain Integration
Organizational Alignment
Compliance Operability
When operating together these form a golden thread of assurance to provide the necessary confidence for compliance success.
Let's take a look at each one, starting with obligations.
1. Obligation Management
Compliance must manage obligations
Many organizations have compliance management systems. However, very few manage obligations.
You may have a management system for quality, environmental, safety, security and so on. These manage the “practice” of compliance but do not necessarily obligations themselves. For that you need a compliance program.
ISO 37301 is a recent standard you can use that has the basics for such program. It elevates compliance by providing a system to manage compliance performance.
ISO 37301 includes a concept of operations diagram that illustrates the various functions, behaviours, and interactions that need to be considered and continuously improved over time.
This is a good start for organizations beyond the basics of what common management systems provide.
We need to remember that we don't need compliance management we need managed obligations.
2. Promise Fulfillment
Compliance must operationalize obligations.
Organizations may track their obligations but seldom do they keep track of their promises which makes them difficult to keep.
Promises are the operational side of obligations. In fact, promises are operationalized obligations. They define the commitments we make to meet our obligations. Promises describe the how while obligations describe the what.
If obligations are the requirements, promises are the specifications that tell us what we need to achieve compliance.
While managing obligations is a level up for many organizations, managing promises is what makes them effective at it.
To meet obligations, organizations need to learn and practice how to keep their promises.
3. Value Chain Integration
Compliance must be an integral part of the value chain
For compliance to be successful obligations must be operationalized which means compliance must be an integral to the value chain. The following adaptation of Michael Porter's value chain helps illustrate why this is important:
At the basic level companies desire to advance profit and better margins. However, organizations will also have other outcomes promised to their stakeholders. Ensuring these outcomes requires programs to operational obligations.
These programs (or what we call certainty programs) translate obligations into value chain commitments (or promises) that contribute to meeting targets or advancing outcome associated with safety, security, sustainability, quality, and so on.
This kind of integration is known as internal regulation – regulating towards better outcomes, not only better margins.
This is not a project that is done once and forgotten. Value Chain Integration is a continuous process that aligns organizational values with operational objectives.
4. Organizational Alignment
Compliance must bridge the gap between what's above and what's below
There is a line that runs through an organization that separates the difference between:
upper management and lower management.
This organizational barrier creates a gap between:
those who are accountable and those that are responsible
programs that change state, and systems that resist change to maintain state
obligations that define compliance requirements and promises that specify our commitments
the ends and the means
the benefits and the cost
our long term vision and our short term mission
Now, there used to be something called middle management to do the translation between what is above and what is below because they all speak different languages.
This layer has been mostly gutted in recent years to flatten organizational structures.
What does this mean for compliance?
If you want an effective compliance program, that program must now include managing change, and negotiation of this barrier. Failure to do this will result in compliance failure.
You could say that operationalizing obligations depends on how well you negotiate this barrier.
Compliance must find a way to align these two worlds.
5. Compliance Operability
Compliance must be operational
For compliance to be successful it must be operational. It must be fit for purpose, able to meet obligations, and capable of realizing the benefits of compliance.
To understand this better we developed the following compliance operational model:
This model comprises what's needed to continuously deliver on promises to maintain a state of compliance:
Operational Governance - sets the destination - the desired outcomes, the goals that we want to achieve.
Operational Programs - what governance uses to steer towards outcomes (the controller of the subsystems)
Operational Subsystems - implement controls (which are processes) to ensure that objectives are consistently met
Operational Processes - do the work of compliance
Feed-back and Feed-forward processes along with improvement loops for conformance, performance, and effectiveness.
These are all continuous functions, behaviours, and interactions not yearly activities or tasks. When operational they will achieve what we call Minimal Viable Compliance (MVC) - the minimum performance necessary to start realizing benefits.
MVC is not achieved at the end of a 5-step maturity model, but right at the start.
Why is that important?
Because, compliance failure means mission failure.
