Updated: Jul 25
To contend with compliance, operational, and technical uncertainty, organizations often adopt management systems standards such as ISO 37301 (Corporate Compliance), ISO 14001 (Environment), ISO 31000 (Risk), ISO 9001 (Quality), ISO 55000 (Assets), and so on.
The concept of operations (CONOPS) for these management system standards varies but each follows a similar model illustrated below:
Successfully implementing these systems requires understanding their concept of operations, starting with the following key concepts.
Compliance is a system of systems
In many cases "program" is used synonymously with "system", which conflates the different purposes that each serves. Compliance management is a system of systems comprising governance, program, management (system), work, and control-and-measure processes.
Here is an overview of the purpose for each functional component:
Governance Processes set the parameters (outcomes, risk appetite, mandate, etc.) within which programs operate.
Program Processes set goals, targets, and objectives that introduce change to the underlying systems. They regulate systems towards better outcomes.
Management Processes set standards to achieve consistency of outputs by resisting change (variation) through standard work practices and process control.
Work Processes coordinate work to meet management objectives by following safe, risk-adjusted, and compliance-driven procedures.
Controls and Measures provide feedback processes to correct and prevent deviation from standard (Conformance Controls) and feedforward processes to prevent and mitigate the effects of uncertainty on compliance objectives (Risk Controls).
Compliance is more than the sum of its parts
No single part of a compliance system can effectively contend with risk on its own. Instead, all the parts must work as a whole to provide effective layers of defence against the effects of uncertainty, so as to avoid or minimize the number of incidents, injuries, lost time, claims, emissions, spills, violations, and so on.
Partial implementation results in sub-optimal performance that weakens the ability of a compliance system to be effective. Systems without programs sub-optimize for efficiency. Programs without systems seldom achieve consistent performance. Processes without systems suffer from a lack of consistency and of conformance to standards and regulations.
A minimum level of essential capabilities must be operational to create the outcome of compliance.
Compliance needs to be integrated
While management system standards can improve compliance performance, research shows that decoupling them from business processes reduces their internal legitimacy and institutionalizes misconduct and non-conformance. It is therefore important that adopted system standards are integrated across the organization rather than treated as the responsibility of a particular business or program function.
A compliance system will therefore necessarily interact with other systems and processes within the organization that are under regulation. To ensure that promises are kept, it is important to know which parts of the organization contribute to meeting compliance obligations, how they contribute and, more importantly, which of them are critical to doing so (i.e. what is critical-to-compliance).
The following criticality ranking is often used to prioritize compliance effort:
Critical – discontinuing or substantially changing this service, system or process would very likely result in failure to meet compliance obligations.
Significant – discontinuing or substantially changing this service, system or process would likely result in failure to meet compliance obligations.
Moderate – discontinuing or substantially changing this service, system or process would moderately affect the ability to meet compliance obligations.
Not Significant – discontinuing or substantially changing this service, system or process would not significantly affect the ability to meet compliance obligations.
Knowing which parts of the business are critical-to-compliance helps identify who is responsible, and who needs to be accountable, for compliance. It also helps manage change by ensuring that what is critical is taken into account before a service, system or process is changed or discontinued.
Compliance needs to be fit for purpose
Compliance needs to be fit for purpose: able to achieve compliance and to realize the benefits of being in compliance. This requires operational rigour commensurate with what is at risk and with what is needed to contend with uncertainty. Management system standards can help, but only when their concept of operations is understood and properly implemented. Evidence of this can be demonstrated by having credible answers to these questions:
How well are essential compliance functions working together as a whole?
To what extent is compliance integrated into our business?
To what degree are we considering what is critical-to-compliance in our decisions?
To what extent is our compliance fit for purpose?
Download our Lean Operational Compliance Model:
(Version 4) – Operational Compliance is a state of operability when all essential compliance functions, behaviours, and interactions exist and perform at levels necessary to realize compliance outcomes. This operational compliance model will help you achieve and sustain operational readiness so that you always stay between the lines and ahead of risk.
This model now includes the 5 immutable principles of program success: