Overcoming Compliance Silos
It seems more and more that standards and regulatory bodies are promoting a holistic approach to compliance. However, many companies still implement them using an element-by-element plan of action that unfortunately reinforces silo-ed behaviors and practices. This disconnect, left to itself, greatly diminishes the benefits of what the new compliance landscape offers.
In this blog post, I will look at: why silos are still used, what the new compliance standards and regulations need, and how you can overcome the effects of compliance silos in your organization.
Organizational Structures
In many asset intensive companies accountability tends to be aligned to mirror the structure of the assets themselves. Many companies adopt a hierarchical management structure centered around operations and maintenance functions. This organization provides a single point of accountability for the performance of the process along with providing effective resourcing of specialist skills to keep the plant or facility operational.
A challenge for these kinds of organizations is how best to organize the management of systems and processes that are cross-functional. Compliance programs tend to be distributed across functional groups such as: quality, process safety, occupational safety, regulatory compliance, environment, and so on. Managers for these processes tend not to report to the same director or vice president.
It is no wonder that given this situation that companies find it difficult to find a single point of accountability that has a scope large enough to oversee the entire breadth that new regulations and standards require. This is perhaps one of the greatest obstacles to adopting system-based compliance.
Evolution of Compliance Strategies
Regulations and standards have evolved over the years to respond to new challenges and learn from prior approaches. However, these changes have not always been adopted to the degree that many had hoped. This has left companies lagging behind often resorting to using old behaviors to address new requirements.
In the book entitled, "Guidelines for Risk Based Process Safety" published by the Center for Chemical Process Safety, Chapter 2 provides an excellent overview of how strategies have changed over the decades. While this is in the context of process safety, much of the history is shared with other compliance regulations and standards.
The following diagram (my annotations in RED) from this book presents the progression beginning with the focus on standards:
Standards and compliance based approaches tended towards prescriptive specifications which afforded consistency and could be verified easily by checklists.
However, the new compliance strategies are performance based requiring cross-functional processes. In order to apply continuous improvement and risk based thinking companies need to go beyond simple compliance towards the use of systems so that overall outcomes can be achieved and risks can be managed.
In recent years, this systems focus has increased the scope of several regulations and standards extending them beyond what is done by existing functional groups. Many companies are struggling to find a place in the organization to own not only the various elements of these systems but also the system itself.
It is not uncommon to find many companies using existing behaviors in an attempt to meet new demands while keeping existing management structures mostly intact. However, this results in companies falling further behind when it comes to the adopting the practices that are needed to achieve overall system objectives.
Why This Matters – It's all about risk
A systems-based approach will allow companies to take advantage of: synergies across processes, common practices, and the reduction of unwanted duplication. However, this is not the only reason why systems are used.
A systems approach does provides a method of achieving outcomes. However, they also provide a way to address risk. In fact, that is the purpose behind compliance programs.
James Reason introduced the Swiss Cheese model to illustrate how even small holes in safety barriers can lead to adverse effects. This model, adapted below for ISO 9000:2015, shows each component as layers that have their own processes and practices. These layers all work together to produce the overall outcomes for the quality system.
As shown in the next diagram, latent or active failures even small can allow threats to materialize. It is by understanding how these breaches connect with each other that the overall system can be adequately protected.
To further this idea, the API Recommended Practice 1173 for Pipeline Safety Management System introduced in 2015, rightly states in their introduction:
"Major accidents with high consequences rarely occur due to a safety breakdown of a single activity but instead occur because of an alignment of weaknesses across multiple activities. While safety efforts may be applied individually to each activity more effective safety performance is achieved when viewing the linked activities as processes"
This holds true not only for safety but for compliance programs in general.The lesson to be learned is that it is necessary to look at the entire system to effectively manage risk. This is difficult to do when implementing processes in isolation within functional silos and when there is no clear accountability for the entire system.
Overcoming Compliance Silos
This brings us back to the question of what can companies do to benefit from the new compliance strategies when they are predominately organized in hierarchies.
A common approach used to support cross-functional processes is the matrix structure. This is used for projectized work which while different than management systems can offer some insights into similar issues and approaches.
With regards to projects, asset based organizations tend to have a "weak" matrix organization as defined in the PMBOK®. Functional managers have stronger authority relative to project managers which makes sense given that the ultimate accountability for such things as quality, safety and risk lies with those that own the assets.
In a previous blog, I introduced the concept of programs and systems. The role of the program is similar to the use of programs to manage related projects. Programs ensure system-wide outcomes and introduce changes to ensure alignment with program priorities and objectives.
Introducing a program role to oversee a compliance system would help in the same way that programs help co-ordinate related projects. However, to fully benefit from doing this it is important to give that role greater accountability than that typically found in "weak" matrix organizations. The program role has to be given accountability at the same level as functional managers to ensure program outcomes. This would create the need for a "strong" matrix organization at least with regards to compliance programs.
A program role would be accountable for:
The outcomes of the compliance system and related processes
Aligning corporate strategies and initiatives to program goals and objectives
Providing resources to operate, manage, and improve the system
Identifying and managing program risks
Co-coordinating cross-functional responsibilities to deliver system outcomes
To find out more on how to implement system-based compliance, visit us at www.leancompliance.ca
#holisticcompliance #layersofdefense #systemsbasedcompliance #riskedbasedcompliance #SwissCheeseModel