
Mastering Compliance - What Do You Need To Know


We've curated a comprehensive list of 100 essential concepts and skills (divided into 25 groups of 4) that can help you navigate the compliance landscape and mitigate risks more effectively. By developing a strong grasp of these and applying them judiciously, you can significantly improve your compliance efforts to better stay between the lines and ahead of risk:

  1. Four Properties of Effective Compliance

  2. Four Types of Regulatory Designs

  3. Four Categories of Obligations

  4. Four Types of Obligations

  5. Four Types of Promises

  6. Four Types of Commitments

  7. Four Capabilities of Operational Compliance

  8. Four Properties of Positive Compliance Culture

  9. Four Stages of Compliance Team Formation

  10. Four Key Properties of Compliance Systems

  11. Four Types of Work Specifications

  12. Four Types of Compliance Measures

  13. Four Types of Indicators

  14. Four Types of Responsibilities

  15. Four Key Compliance Roles

  16. Four Types of Internal Controls

  17. Four Types of Risk

  18. Four Methods of Risk Assessment

  19. Four Types of Responses for Negative Risk

  20. Four Types of Responses for Positive Risk

  21. Four Methods for Root Cause Analysis

  22. Four Types of Problem Solving

  23. Four Methodologies for Improvement

  24. Four Steps of Improvement

  25. Four Key Benefits When Compliance is Effective

Details for each follow.


100 Things You Need To Know to Master Compliance

1. Four Properties of Effective Compliance:

  1. Proactive: Effective compliance programs are proactive in their approach to identifying and mitigating risks. This means that compliance professionals are actively looking for potential risks, rather than waiting for problems to arise. They take steps to prevent violations before they occur, through regular risk assessments, monitoring and testing, and training programs.

  2. Integrative: Effective compliance programs are integrative in nature, meaning that they are fully integrated into the organization's overall strategy and operations. Compliance professionals work closely with other departments within the organization, such as legal, finance, and operations, to ensure that compliance is integrated into their daily activities. This approach helps to ensure that compliance risks are identified and addressed in a timely and effective manner.

  3. Risk-based: Effective compliance programs are risk-based, meaning that they prioritize risks based on their likelihood and potential impact. Compliance professionals use a risk-based approach to design compliance controls and procedures, and to allocate resources to areas where the greatest risks exist. By focusing on the most significant risks, compliance programs can be more effective and efficient in preventing violations.

  4. Operational: Effective compliance programs are operational in nature, meaning that they are designed to be practical and effective in real-world situations. Compliance professionals work to design and implement compliance controls and procedures that are tailored to the specific needs of the organization, taking into account its size, complexity, and industry. They also ensure that compliance controls and procedures are implemented and enforced in a consistent and effective manner across the organization.

2. Four Types of Regulatory Designs:

  1. Macro-Ends (Outcome-Based): This regulatory design sets broad outcome-based goals or objectives, but allows regulated entities to determine the best means of achieving those goals. This approach focuses on achieving desired outcomes rather than prescribing specific means of achieving them.

  2. Macro-Means (Performance-Based): This regulatory design sets broad performance standards or goals that regulated entities must meet, but leaves the specific means of achieving those goals up to the entity. This approach provides flexibility to regulated entities to find the most cost-effective means of meeting the regulatory goals.

  3. Micro-Ends (Standards-Based): This regulatory design specifies detailed technical standards or specifications that regulated entities must meet in order to comply with the regulation. This approach is similar to the micro-means approach but is focused on technical specifications rather than specific rules or requirements.

  4. Micro-Means (Rules-Based): This regulatory design specifies detailed rules or requirements that regulated entities must follow in order to comply with the regulation. This approach is highly prescriptive and leaves little room for interpretation or flexibility by regulated entities.

3. Four Categories of Obligations:

  1. Legal obligations: These are obligations that arise from laws and regulations that govern behaviour in a particular jurisdiction. Examples of legal obligations include paying taxes, complying with workplace health and safety regulations, and respecting intellectual property rights.

  2. Contractual obligations: These are obligations that arise from a contractual agreement between two or more parties. Examples of contractual obligations include delivering goods or services within a specified time frame, paying for goods or services received, and maintaining confidentiality.

  3. Moral obligations: These are obligations that arise from ethical principles or personal beliefs about what is right and wrong. Examples of moral obligations include treating others with respect and fairness, being honest and transparent, and not causing harm to others.

  4. Social obligations: These are obligations that arise from a person's membership in a particular community or society. Examples of social obligations include contributing to the welfare of the community, participating in civic activities, and respecting cultural norms and values.

4. Four Types of Obligations:

  1. Persistent Achievement: These obligations require ongoing effort to achieve a specific goal or outcome. The goal may be to maintain a certain level of performance, meet a set of standards or requirements, or achieve a specific objective. These obligations typically require consistent, sustained effort over time.

  2. Persistent Maintenance: These obligations require ongoing effort to maintain a particular state or condition. This may involve maintaining a physical asset, complying with regulatory requirements, or adhering to established procedures or standards. These obligations are focused on maintaining a consistent level of performance or quality over time.

  3. Non-Persistent: These obligations are time-limited and have a specific endpoint. They may involve completing a one-time task or project, meeting a specific deadline, or fulfilling a short-term obligation. Once the obligation is fulfilled, it no longer requires ongoing effort or attention.

  4. Contingent: These obligations are dependent on certain conditions or events. They may require a specific action or response if certain conditions are met, or if a particular event occurs. For example, an employment contract may include contingent obligations related to bonuses or promotions that are dependent on meeting specific performance metrics. Contingent obligations may be time-limited or ongoing, depending on the conditions or events that trigger them.

5. Four Types of Promises:

  1. Express promises: These are promises that are explicitly made in words or writing, such as a verbal agreement or a written contract.

  2. Implied promises: These are promises that are not explicitly made but are implied by the circumstances or conduct of the parties involved. For example, if a restaurant serves you food and you pay for it, there is an implied promise that the food is safe to eat and free from harmful contaminants.

  3. Conditional promises: These are promises that are made subject to certain conditions or contingencies. For example, a contractor may promise to complete a construction project by a certain date, but that promise may be conditioned on receiving timely payments from the client.

  4. Gratuitous promises: These are promises that are made without any expectation of receiving something in return. For example, a friend may promise to help you move to a new apartment without asking for anything in return.

6. Four Types of Commitments:

  1. Best efforts: This is a promise to use one's best efforts to achieve a particular outcome, but without any guarantee of success. For example, a seller may promise to use their best efforts to sell a certain number of products, but there is no guarantee that they will actually reach that target.

  2. Reasonable efforts: This is a promise to use a reasonable level of effort to achieve a particular outcome. This is a lower standard than the best efforts commitment/promise, but still requires a meaningful effort to be made. For example, a service provider may promise to use reasonable efforts to complete the work on time.

  3. Continuous efforts: This is a promise to continue to make efforts over a specified period of time, rather than achieving a particular outcome. For example, a contractor may promise to provide services for a certain period of time, regardless of whether a specific outcome is achieved.

  4. Performance milestone: This is a promise to achieve specific performance milestones, rather than achieving a single overall outcome. For example, a contractor may promise to achieve certain milestones, such as completing the foundation work or finishing the framing, before receiving payment.

7. Four Capabilities of Operational Compliance:

  1. Operational Governance: This capability is the framework of policies, procedures, and standards that governs an organization's compliance operations. It includes establishing roles and responsibilities, setting the context, scope, and risk profiles, developing risk management strategies, and overseeing compliance activities.

  2. Operational Programs: This capability is the set of specific initiatives an organization runs to advance towards its compliance outcomes. It includes the processes used to align operational systems with organizational values and compliance outcomes. Examples include policy deployment, Hoshin Kanri, and accountability frameworks.

  3. Operational Systems: This capability refers to the technology and systems that an organization uses to support operational compliance. It includes the use of automation, data management systems, document/records management, and monitoring and reporting tools along with specific systems for each compliance domain (ex. vulnerability management systems, incident management systems, etc.)

  4. Operational Processes: This capability refers to the processes that an organization uses to manage its operations and ensure compliance. It includes the design and implementation of workflows, the development of procedures and guidelines, and the integration of compliance requirements into business operations.

8. Four Properties of Positive Compliance Culture:

  1. Strong leadership commitment: A culture of compliance starts at the top. Leaders must demonstrate a strong commitment to compliance by setting the tone from the top, providing resources, and communicating expectations.

  2. Open communication: Employees should feel comfortable speaking up about compliance concerns, asking questions, and reporting potential violations without fear of retaliation. This requires an environment of open communication and transparency.

  3. Clear policies and procedures: A culture of compliance requires clear policies and procedures that are easy to understand and follow. These policies should be regularly updated and communicated to all employees.

  4. Ongoing training and education: Compliance training and education should be ongoing and tailored to the needs of the organization. This can include regular training sessions, updates on changes in regulations, and other forms of education to help employees stay informed and engaged.

9. Four Stages of Compliance Team Formation:

  1. Forming: In this stage, team members are introduced to each other and begin to get to know each other. They often feel uncertain about their role in the team and are still figuring out how to work together effectively.

  2. Storming: In this stage, conflicts and tensions may arise as team members begin to work more closely together. They may disagree about goals, procedures, and individual roles, leading to a period of adjustment and negotiation.

  3. Norming: In this stage, the team begins to establish a more cohesive and harmonious working environment. They develop a common understanding of goals and expectations, and individual roles become more clearly defined.

  4. Performing: In this stage, the team is fully functional and working together to achieve common goals. They are focused on achieving success and have a high level of trust and cooperation with each other. This stage requires ongoing effort and attention to maintain the effectiveness of the team.

10. Four Key Properties of Compliance Systems:

  1. Interconnectedness: A system is made up of interconnected parts that work together to achieve a common goal. The behaviour of one part affects the behaviour of the other parts, and the system as a whole.

  2. Interdependence: The parts of a system are interdependent, meaning that they rely on each other to function properly. If one part of the system fails or malfunctions, it can have ripple effects on the entire system.

  3. Feedback: Systems have feedback mechanisms that allow them to monitor their own performance and make adjustments as needed. These feedback loops can be positive, where a system reinforces its own behaviour, or negative, where a system corrects or adjusts its behaviour to achieve a desired outcome.

  4. Emergence: Systems exhibit emergent behaviour, meaning that the behaviour of the system as a whole is greater than the sum of its individual parts. This emergent behaviour can be difficult to predict or understand based solely on the behaviour of the individual parts. Since compliance is an outcome of meeting obligations across the whole system, it is itself an emergent property.

11. Four Types of Work Specifications:

  1. Policy: Policies are high-level statements that outline an organization's commitment/promises, goals, values, and overall approach to meet obligations. They provide a framework for decision-making and guide the development of more detailed work specifications.

  2. Process: Processes are a series of steps or activities that need to be completed in a specific order to achieve the desired result. They define the overall flow of work and provide a road map for achieving a particular outcome.

  3. Procedure: Procedures provide detailed, step-by-step instructions that describe the specific tasks and activities required to complete each stage of the process. They provide guidance for carrying out work consistently and efficiently.

  4. Work instruction: Work instructions provide specific guidance for performing individual tasks within the overall process. They provide detailed, step-by-step instructions for carrying out specific activities, including information on the tools and equipment required, the sequence of steps to be followed, and any safety or quality considerations that need to be taken into account.

12. Four Types of Compliance Measures:

  1. Measures of Effectiveness: These measures are used to assess how well an organization is achieving its goals and objectives. They focus on the outcomes or results of a particular activity or process, and are often tied to key performance indicators (KPIs) that are directly linked to the organization's compliance strategy (ex. progress / advancement towards compliance outcomes).

  2. Measures of Performance: These measures are used to evaluate the efficiency and productivity of an organization or a particular process. They focus on how well resources are being used to achieve specific compliance goals and objectives, and are often expressed as ratios or percentages (ex. rate we are buying down compliance risk, and capacity to keep our promises).

  3. Measures of Conformance: These measures are used to ensure that work adheres to established guidelines, standards and procedures. They focus on conformance to standards, regulatory requirements, and other established norms and expectations (ex. count of evidence of compliance).

  4. Measures of Assurance: These measures are used to provide confidence that work is being carried out in a reliable and trustworthy manner. They focus on the effectiveness of controls and safeguards that are in place to mitigate risks and ensure compliance with established standards and procedures. Measures of assurance may include audits, inspections, and other forms of testing and evaluation to verify that work is being carried out as intended (ex. confidence in our ability to always stay between the lines and ahead of risk).

13. Four Types of Indicators:

  1. Performance indicators: These indicators are used to measure the performance of a business, process, or individual against predefined goals or targets. Examples include sales revenue, customer satisfaction scores, and employee productivity.

  2. Risk indicators: These indicators are used to identify and assess potential risks to a business or project. Examples include safety incident rates, financial risks, and regulatory compliance risks.

  3. Financial indicators: These indicators are used to track the financial performance of a business or project. Examples include revenue growth, profit margins, and return on investment (ROI).

  4. Sustainability indicators: These indicators are used to measure the social, environmental, and economic impact of a business or project. Examples include carbon emissions, energy consumption, and social responsibility ratings.

14. Four Types of Responsibilities:

  1. Accountable: The person who is answerable for meeting an obligation. This person takes ownership of the obligation, task, or decision and is usually the one with the authority to decide on the level of commitment. The accountable person may delegate the work of compliance to responsible persons, but remains accountable for the obligation. There should be exactly one accountable person per obligation; shared accountability is a common way for obligations to fall through the cracks.

  2. Responsible: The person who does the work of compliance. This person is expected to take ownership of the relevant processes, tasks, and objectives and to ensure that promises are kept on time, within budget, and to the required standard.

  3. Consult: The person who is consulted is not responsible for meeting the obligation, but is asked to provide input or advice that informs the decision-making process. This person may have expertise or knowledge relevant to the obligation or to how it might be met, and their input is valued and taken into consideration.

  4. Inform: The person who is informed is not responsible for meeting or doing the work of compliance but is kept up-to-date on the progress and outcome of compliance goals and objectives. This person may need to be informed for various reasons, such as to maintain awareness of important developments or to ensure that they are able to carry out their own responsibilities effectively.

15. Four Key Compliance Roles:

  1. Compliance Officer: The compliance officer is responsible for overseeing the compliance program and ensuring that the organization operates within legal and regulatory guidelines. This person also provides guidance to employees, conducts training and education, and ensures that internal policies and procedures are up to date.

  2. Risk Manager: The risk manager identifies, assesses, and manages risks that could impact the organization's compliance efforts. This person is responsible for developing risk management plans, monitoring the effectiveness of those plans, and communicating any changes in risk to the compliance officer.

  3. Investigator: The investigator is responsible for conducting investigations into potential compliance violations. This person gathers evidence, interviews witnesses, and determines whether a violation has occurred. The investigator then provides a report to the compliance officer, who determines the appropriate course of action.

  4. Auditor: The auditor is responsible for conducting regular audits of the organization's compliance program. This person reviews policies and procedures, conducts interviews with employees, and reviews documentation to ensure that the program is effective and compliant with legal and regulatory requirements. The auditor then provides a report to the compliance officer, who determines whether any changes or improvements are necessary.

16. Four Types of Internal Controls:

  1. Administrative controls: Administrative controls include policies and procedures established by management to direct the activities of the organization. These controls may include segregation of duties, access authorization rules, and management oversight. Note that this list mixes two axes: "administrative" describes how a control is implemented (as opposed to technical or physical), while preventive, detective, and corrective describe when it acts. A single control often belongs to both; an access control is administrative in the policy that mandates it and preventive in the way it operates.

  2. Detective controls: Detective controls are designed to identify errors, omissions, or other problems after they occur. Examples of detective controls include audits, reconciliations, and data analysis.

  3. Preventive controls: Preventive controls are measures put in place to stop problems before they occur. These controls are designed to deter potential risks and reduce the likelihood of errors or fraud. Examples of preventive controls include access controls, physical security measures, and authentication procedures.

  4. Corrective controls: Corrective controls are actions taken to correct errors or mitigate problems after they have occurred. These controls may include reporting systems to track errors, investigations of incidents, and disciplinary actions against employees who violate policies or procedures.

17. Four Types of Risk:

  1. Compliance risk: Compliance risk refers to the potential for an organization to violate laws, regulations, or industry standards that apply to its operations. This includes the risk of financial loss, legal action, and reputational damage that can result from non-compliance.

  2. Operational risk: Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, systems, or human error. In the context of compliance, operational risk can arise from weaknesses in compliance processes, systems, or controls that make it more difficult for an organization to comply with applicable regulations.

  3. Safety/security/sustainability risk: Safety, security, and sustainability risks refer to the potential for an organization to harm people, property, or the environment due to non-compliance. These risks can arise from a failure to comply with regulations that are designed to protect the safety and well-being of employees, customers, and the environment.

  4. Strategic risk: Strategic risk refers to the potential for an organization to fail to achieve its strategic objectives as a result of non-compliance. In the context of compliance, strategic risk can arise when an organization fails to effectively manage compliance risks that are aligned with its overall strategic goals and objectives. Failure to manage strategic compliance risks can result in significant reputational and financial consequences for an organization.

18. Four Methods of Risk Assessment:

  1. Quantitative Risk Assessment: This method uses numerical data and statistical analysis to measure the likelihood and potential impact of a risk event. It involves calculating the probability of a risk occurring, the potential consequences, and the cost associated with managing or mitigating it.

  2. Qualitative Risk Assessment: This method uses subjective judgment and expert opinions to assess risks based on their perceived likelihood and potential impact. It involves identifying and analyzing risks based on factors such as the severity of consequences, the likelihood of occurrence, and the effectiveness of existing controls.

  3. Model-based Risk Assessment: This method uses computer models and simulations to predict the likelihood and potential impact of a risk event. It involves creating a mathematical model of the system being assessed and running simulations to test different scenarios and assess the risk associated with each.

  4. Scenario-based Risk Assessment: This method involves analyzing potential scenarios that could lead to a risk event and assessing the likelihood and impact of each scenario. It involves brainstorming potential scenarios, analyzing each one in detail, and identifying the most likely scenarios to occur.
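The quantitative and model-based methods above can be made concrete with a small simulation. The following Python is an added example and is not part of the original page. It takes a constructed scenario (an assumed annual rate of occurrence, a lognormal single-loss distribution, and an assumed annual control cost, all illustrative numbers chosen for this example) and compares the classic point estimate ALE = ARO x SLE with a Monte Carlo estimate of the mean and 95th-percentile annual loss, then computes a return on the control. The function names and figures are this example's own, not from any standard.

```python
"""Quantitative vs. model-based risk assessment on a constructed scenario.

Illustrative numbers only: the rates, loss sizes and control cost below are
assumptions made for this example, not figures from the page.
"""
import math
import random
import statistics


def annualized_loss_expectancy(aro, sle):
    """Point estimate used in quantitative assessments: ALE = ARO x SLE."""
    return aro * sle


def return_on_control(ale_before, ale_after, annual_control_cost):
    """Return on security investment: (risk bought down - cost) / cost."""
    reduction = ale_before - ale_after
    return (reduction - annual_control_cost) / annual_control_cost


def lognormal_mean(median, sigma):
    """Mean of a lognormal with the given median and log-standard-deviation."""
    return median * math.exp(sigma * sigma / 2.0)


def poisson(rng, lam):
    """Knuth's sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(aro, sle_median, sle_sigma, years=20000, seed=7):
    """Model-based estimate: Monte Carlo over `years` simulated years.

    Event count per year ~ Poisson(aro); each event's loss ~ LogNormal with
    the given median and sigma, so the tail is heavier than a single SLE
    figure suggests. Seeded so the run is reproducible.
    """
    rng = random.Random(seed)
    mu = math.log(sle_median)
    losses = []
    for _ in range(years):
        n = poisson(rng, aro)
        losses.append(sum(rng.lognormvariate(mu, sle_sigma) for _ in range(n)))
    return losses


def percentile(values, q):
    """Empirical q-quantile (0 <= q < 1) of a list of values."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def assess(aro, sle_median, sle_sigma, control_cost, aro_after):
    """Compare point estimate, simulated mean and 95th percentile, then ROSI
    for a control assumed to cut the event rate from `aro` to `aro_after`."""
    before = simulate_annual_losses(aro, sle_median, sle_sigma)
    after = simulate_annual_losses(aro_after, sle_median, sle_sigma, seed=11)
    mean_before = statistics.fmean(before)
    mean_after = statistics.fmean(after)
    return {
        "ale_point": annualized_loss_expectancy(aro, sle_median),
        "ale_sim_mean": mean_before,
        "loss_p95": percentile(before, 0.95),
        "rosi": return_on_control(mean_before, mean_after, control_cost),
    }


if __name__ == "__main__":
    # Assumed scenario: one event every two years, median loss 100k with a
    # wide spread, and a 15k/year control that cuts the rate to 0.1/year.
    result = assess(aro=0.5, sle_median=100_000, sle_sigma=1.0,
                    control_cost=15_000, aro_after=0.1)
    for key, value in result.items():
        print(f"{key:>14}: {value:,.2f}")
```

The point of the comparison is that the single-number ALE understates the risk twice over: the simulated mean is higher because the loss distribution is skewed, and the 95th percentile is higher still, which is the figure a contingency reserve should be sized against.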

19. Four Types of Responses for Negative Risk:

  1. Avoid: This response involves taking steps to eliminate the risk or avoid the situation that creates the risk altogether. This may involve changing the scope of the project, reassigning tasks, or simply avoiding the activity that creates the risk.

  2. Transfer: This response involves shifting the risk to another party, such as an insurance provider, a contractor, or a third-party vendor. This is often done through the use of contractual agreements or insurance policies.

  3. Mitigate: This response involves taking steps to reduce the likelihood or impact of the risk. This may involve implementing additional controls, improving processes, or enhancing resources to better manage the risk.

  4. Accept: This response involves acknowledging the risk without acting to change its likelihood or impact, either passively (doing nothing unless it occurs) or actively by preparing for it. Active acceptance may involve setting aside contingency funds or writing a contingency plan to follow in the event that the risk materializes.

20. Four Types of Responses for Positive Risk:

  1. Enable: This response involves taking steps to enhance the probability or positive impact of the risk. This may involve allocating additional resources or creating a favorable environment to increase the likelihood of the risk occurring.

  2. Exploit: This response involves taking advantage of the opportunity presented by the positive risk. This may involve reallocating resources or modifying plans to maximize the benefits of the risk.

  3. Share: This response involves sharing the benefits of the positive risk with other parties. This may involve partnering with other organizations or stakeholders to jointly benefit from the risk.

  4. Accept: This response involves accepting the positive risk and developing a plan to manage it. This may involve setting aside resources to maximize the benefits of the risk, or developing contingency plans in case the risk does not materialize as expected.

21. Four Methods for Root Cause Analysis:

  1. 5 Whys: A simple but effective method that involves repeatedly asking "Why?" until the root cause is identified.

  2. Fish-bone diagram: Also known as an Ishikawa diagram, this method uses a visual representation of the possible causes and their relationships to help identify the root cause.

  3. Fault tree analysis: A deductive method that uses logic diagrams to identify the combinations of events or conditions that could lead to the problem.

  4. Apollo Root Cause Analysis (ARCA): A structured approach commonly used in high-reliability industries to identify the root cause of an event or problem. It involves defining the problem, assembling a cross-functional team, describing the event, identifying causal factors, determining the root cause using the "Apollo question," developing and implementing corrective actions, and verifying effectiveness.
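Fault tree analysis is the one method above that is mechanical enough to automate. The following Python is an added example and is not from the original page: it encodes a constructed fault tree for a hypothetical data-breach top event (the gate structure, event names and probabilities are illustrative assumptions), derives the minimal cut sets, and computes the top-event probability exactly by inclusion-exclusion over those cut sets. That method stays correct even when one basic event appears under several gates, where simply multiplying gate probabilities up the tree would overstate the result.

```python
"""Fault tree evaluation: minimal cut sets and top-event probability.

Constructed example, not from the page: a data breach occurs when an
attacker reaches the database AND exfiltration is not blocked. Gate
structure, event names and probabilities are illustrative assumptions.
"""
from itertools import combinations, product

# Gate name -> (gate type, children). Names that are not gates are basic events.
TREE = {
    "data_breach":       ("AND", ["db_reached", "exfil_not_blocked"]),
    "db_reached":        ("OR",  ["credential_stuffing", "unpatched_vuln"]),
    "exfil_not_blocked": ("OR",  ["no_dlp", "dlp_misconfigured"]),
}

# Assumed annual probability of each basic event (illustrative numbers).
BASIC_P = {
    "credential_stuffing": 0.05,
    "unpatched_vuln": 0.10,
    "no_dlp": 0.20,
    "dlp_misconfigured": 0.10,
}


def minimize(sets):
    """Drop any cut set that strictly contains another (i.e. is not minimal)."""
    return {s for s in sets if not any(other < s for other in sets)}


def minimal_cut_sets(node, tree=TREE):
    """Minimal cut sets of `node` as a set of frozensets of basic events.

    OR gate:  the union of the children's cut sets.
    AND gate: one cut set from every child, merged.
    """
    if node not in tree:                       # basic event: a cut set of one
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [minimal_cut_sets(c, tree) for c in children]
    if gate == "OR":
        merged = set().union(*child_sets)
    elif gate == "AND":
        merged = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(merged)


def top_event_probability(cut_sets, probs=BASIC_P):
    """Exact P(top event) by inclusion-exclusion over the minimal cut sets.

    Assumes independent basic events. Each cut set is an AND of its events and
    the top event is the OR of all cut sets; the alternating sum over every
    combination of cut sets handles events shared between cut sets correctly.
    """
    cuts = list(cut_sets)
    total = 0.0
    for k in range(1, len(cuts) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(cuts, k):
            p = 1.0
            for event in frozenset().union(*combo):
                p *= probs[event]
            total += sign * p
    return total


def event_importance(cut_sets):
    """Number of minimal cut sets each basic event takes part in.

    A crude structural importance: the event in the most cut sets is the one
    a single corrective control would remove the most failure paths for.
    """
    counts = {}
    for cut in cut_sets:
        for event in cut:
            counts[event] = counts.get(event, 0) + 1
    return counts


if __name__ == "__main__":
    cuts = minimal_cut_sets("data_breach")
    for cut in sorted(cuts, key=sorted):
        print(" AND ".join(sorted(cut)))
    print(f"P(data_breach) = {top_event_probability(cuts):.4f}")
    print(event_importance(cuts))
```

For the tree above every basic event appears exactly once, so the result equals P(db_reached) x P(exfil_not_blocked) = 0.145 x 0.28 = 0.0406; the inclusion-exclusion step matters once the same event (a shared dependency, a single admin account) sits under more than one gate.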

22. Four Types of Problem Solving:

  1. Troubleshooting: This type of problem-solving involves identifying and resolving specific issues or failures that arise in a system or process. Troubleshooting typically involves a step-by-step approach to identify the root cause of a problem and develop a solution to fix it.

  2. Gap from Standards: This type of problem-solving involves identifying areas where current performance or processes fall short of established standards or requirements. The focus is on identifying and closing the gap between current performance and the desired performance or process.

  3. Target State: This type of problem-solving involves defining a specific desired state or outcome and working backwards to identify the steps needed to achieve that outcome. The focus is on developing a clear vision of the desired outcome and then breaking it down into actionable steps.

  4. Open-Ended: This type of problem-solving is used when the problem is not well-defined or the desired outcome is not clear. The focus is on exploring different options and possibilities, generating new ideas, and testing hypotheses to determine the best course of action. This approach is often used in research and development or in situations where the problem is complex and multifaceted.

23. Four Methodologies for Improvement:

  1. Continuous Improvement: Continuous Improvement, also known as Kaizen, is a methodology that focuses on making incremental improvements to processes, products, or services over time. It involves regularly reviewing and analyzing performance metrics, identifying areas for improvement, and implementing changes to increase efficiency, reduce waste, and improve quality.

  2. Lean/Six Sigma: Lean/Six Sigma is a methodology that combines two approaches to process improvement: Lean and Six Sigma. Lean focuses on reducing waste and increasing efficiency, while Six Sigma focuses on reducing defects and improving quality. Together, they provide a comprehensive approach to process improvement that involves identifying and eliminating waste, reducing variation, and improving customer satisfaction.

  3. Lean Startup: Lean Startup is a methodology that focuses on creating new services or products with minimal resources and maximum efficiency. It involves testing ideas and assumptions quickly and using customer feedback to make informed decisions about product development. This approach allows startups to iterate rapidly and avoid investing significant resources in ideas that may not succeed.

  4. Agile: Agile is a methodology that is commonly used in software development but can be applied to any project. It involves breaking down work into small, manageable chunks and prioritizing them based on customer value. Agile teams work in short iterations, regularly reviewing and adapting their approach to ensure they are delivering value to customers efficiently. This approach allows teams to be flexible and responsive to changing requirements or customer needs.

24. Four Steps of Improvement:

  1. Plan: In this step, the team identifies a problem or opportunity for improvement and develops a plan for how to address it. This includes setting objectives, establishing metrics for success, and creating a detailed plan for implementation.

  2. Do: In this step, the team carries out the plan that was developed in the previous step. This may involve making changes to processes, implementing new tools or technologies, or testing new approaches to see if they are effective.

  3. Check: In this step, the team measures the results of the changes made in the previous step to determine if they have been effective in achieving the desired outcomes. This involves gathering data and analyzing it to identify trends, patterns, and areas for further improvement.

  4. Act: In this final step, the team takes action based on the results of the previous step. This may involve implementing further changes, refining the existing approach, or taking corrective action if the results were not as expected. The team then returns to the planning step to continue the cycle of improvement.

25. Four Key Benefits When Compliance Is Effective:

  1. Protection from legal and financial risks: Effective compliance helps companies to identify and mitigate risks that could lead to legal or financial consequences. By adhering to laws and regulations, companies can avoid fines, penalties, lawsuits, and reputational damage.

  2. Improved operational efficiency: Compliance programs require companies to establish processes and procedures that help to streamline operations and reduce inefficiencies. Compliance can also help to identify areas where improvements can be made, leading to increased productivity and profitability.

  3. Increased employee morale: Effective compliance programs promote ethical and responsible behaviour among employees, which can lead to a positive workplace culture. When employees understand the importance of compliance and feel supported by management, they are more likely to be engaged, motivated, and committed to their work.

  4. Enhanced reputation and trust: Companies that prioritize compliance are seen as more trustworthy and reliable by customers, stakeholders, and investors. Effective compliance programs can help to build a positive reputation and improve brand value, which can lead to increased customer loyalty and business growth.