Updated: Aug 6
In this post we will look at the topic of compliance governance, which is the act of steering to keep organizations between the lines and heading in the right direction.
A compass will help you find your way when the landscape is flat or otherwise two dimensional. With a compass you will know where you are relative to where you want to go no matter how lost you become. It has saved the lives of countless people for many years and still does today, although modern-day equivalents are now available.
Most of us now use what is called a GPS or Global Positioning System. This works much the same way as a compass does and, when combined with a real-time map, has significantly improved getting to one's destination, with the occasional misstep when the map is not accurate or complete.
Compliance Navigational System
Organizations that decide to keep all their promises will also need a navigational system. In the past, audits functioned in a similar way as a compass did. They worked when the terrain was mostly known and flat, and when conditions did not change very often. However, this is no longer (or perhaps never was) the case.
Compliance now needs a modern-day navigational system equivalent to a GPS, a real-time map, and a steering mechanism to stay between the lines and stay on course. This is the function of compliance governance combined with programs. They are the navigational system for compliance.
Compliance governance begins with knowing where you are and where you want to go in order to plot your course.
The destination for compliance is determined by a company's regulatory license to operate along with its social license. These are tempered by its appetite and tolerance for risk.
Where you are is determined by the capabilities of your existing compliance systems and processes.
The Hoshin Kanri method is a popular LEAN approach used to steer organizations by aligning strategy with outcomes. It uses what is called an X-Matrix that functions as a compass to ensure that all planned effort is working towards long-term priorities and compliance standards. The X-Matrix is oriented in the following way:
North: guiding standards, priorities or goals
South: long term outcomes, results, or breakthrough objectives
West: short term objectives, initiatives, or actions
East: processes or metrics to improve and track progress
The corners are used to map the correlation or contribution between each component of the matrix, starting at the bottom and working your way around clockwise.
From a compliance standpoint a digital thread is more than just a collection of metrics. It defines measures necessary to maintain the integrity of an organization and keep it heading towards its goals without crashing – it is a measure of assurance (i.e. a golden thread).
Compliance Steering (feed-forward)
Compliance programs are the means by which compliance steers towards greater effectiveness in order to meet all of its obligations. While systems focus on consistency (staying on course), the role of a program is to advance outcomes by steering towards them.
A compliance program takes specified outcomes (i.e. destinations) and maps them to systems and processes to ensure that resources and capabilities are available to meet them. When gaps are identified, initiatives are created to close them.
Each compliance program will have its own set of outcomes that it is trying to improve, such as reducing safety incidents, reducing risk, reducing costs, increasing reporting of near misses, and so on. As targets change to align with higher standards, each program directs underlying systems by adjusting capabilities, capacity, processes, and system controls.
Programs operate as a feed-forward process to regulate outcomes.
Course Corrections (feed-back)
It is well understood that you can have compliance systems that are operational and yet fail to achieve the intended outcomes.
Validating that systems are actually advancing towards targeted outcomes is an essential program-level process and is very different from verifying system performance or conformance.
Projects and initiatives are also used by programs to close gaps to improve the level of effectiveness.
Compliance Radar (avoiding danger)
Today compliance needs the means to know where it is in real time relative to where it is heading. Compliance must also have the means to look ahead to see and anticipate obstacles.
The risk management function operates as radar to keep organizations out of danger. Measures are put in place to prevent risk events from occurring, similar to warning indicators, and to reduce their effects should they happen, similar to the role that air bags play.
Compliance radars can take many forms including the bow-tie analysis above which can help plot courses that are more likely to be safe and certain. This is more effective when data, both leading (before the risk event) and lagging (after the risk event), is available in real time.
Cruise Control (not as good as it sounds)
Compliance without governance often ends up operating in what is known as maintenance mode or cruise control. When this happens, steering essentially stops. Systems end up operating with just enough resources to perform each process but none for improvements or raising standards.
This will lead to compliance drift or, if you like, a "run" to failure.
Compliance needs to move beyond using audits as the primary means to steer compliance. Looking through the rear view window only ever made sense when the danger being avoided is chasing you from behind.
Setting compliance to cruise control is also not an option if you intend on reaching your destination.
As compliance's focus now includes the advancement of regulatory and voluntary outcomes, a better navigational system is needed, one that can negotiate today's compliance landscape and uncertainty.
This system must be proactive and support feed-forward and real-time processes that can continually steer compliance towards greater effectiveness over time.