Updated: Jan 14, 2019
It is common for companies these days to have several programs to manage both mandatory requirements and voluntary commitments in response to regulatory and industry standards. These programs are often created to match each compliance element or area:
Implementing these programs as isolated initiatives can lead to significant duplication and inconsistent practices. There are two primary causes of duplication that, if addressed, will eliminate excessive waste and improve overall process consistency. These are:
Overlapping Compliance Demand (requirements and commitments)
Overlapping Compliance Capabilities (resources)
Managing Compliance Demand
Overlapping compliance demand can be addressed by managing the compliance obligation separately from the requirement or commitment. The ISO 19600 guidelines provide a straightforward approach to effectively managing compliance obligations covering both internal and external demands.
An obligation documents (among other things) the decisions a company makes on: how the particular regulation or standard is interpreted, what defines evidence of compliance, and the controls and measures needed to address the associated risks.
In essence, the obligation defines "what" the company complies with, leaving the "how" to the program and system levels. This alleviates the need for each program to determine the level of obligation on its own, which can often lead to differences in priority and a lack of overall alignment with company strategy and objectives.
Combining similar demands into a single obligation can provide further benefits. For example, each of the following compliance demands can be addressed by a single obligation:
Commitment - ISO 9001:2015 (9.2) - Internal Auditing
Requirement - OSHA 29 CFR 1910.119 (o) - Compliance Audits
Commitment - OHSAS 18001 (4.5.2) - Evaluation of Compliance
Commitment - ISO 14001:2015 (9.1.2) - Evaluation of Compliance
Managing overlapping obligations in this way allows organizations to apply a consistent level of rigor (structure, process, resources, etc.) based on the level of risk.
A compliance management system can be used to assist with managing these obligations. This helps ensure appropriate compliance coverage and provides a central place where compliance changes can be managed and coordinated.
The ISO 19600 approach embeds the Plan-Do-Check-Act continuous improvement cycle directly into the overall process. This is more intentional than the audit-fix cycle which, as I have commented in a previous blog, is by itself not effective at advancing compliance objectives.
The ISO guideline can be easily combined with existing management systems to provide an overall governance model, particularly when combined with the quality (ISO 9001) and risk management (ISO 31000) standards.
Managing Compliance Capabilities
Each compliance program will have some capabilities that are the same as those needed by other programs.
For example, most programs will require risk management. Instead of having each program maintain its own risk management capabilities, a central risk function can be used to provide consistent tools, skills training, and practice improvement.
Common compliance capabilities include:
Documentation and Record Keeping
Measurement and Monitoring
In my previous blog, "Do You Need A Different System for Each Regulation", I explore this topic of managing common capabilities in more detail.
Managing compliance obligations is critical to effectively managing overlapping compliance demand and reducing duplication and inconsistencies at the program and system levels. Following the ISO 19600 compliance system guidelines can help provide the framework by which to manage these obligations, ensure coverage, and manage changes to compliance.
To learn more about how to take proactive steps towards a sustainable compliance platform, visit our site at www.leancompliance.ca