The risk and compliance problem:
Companies are too reactive.
Prescriptive policies, standards and regulations do not adequately protect against loss or ensure value creation.
High consequence risk rarely occur due to a failure of a single activity but instead occur because of an alignment of vulnerabilities across multiple activities (i.e. systemic risk).
The capabilities needed to manage systems is different than managing individual processes where results are limited to the sum of the parts.
To keep up at the speed that risk becomes a reality companies cannot wait for audit findings to make improvements.
The solution:
Companies must be more proactive.
Policies, standards and regulations need to and are transitioning to performance and outcome-based designs (e.g. vision zero)
Meeting performance and outcome-based obligations will require a holistic and integrative approach that goes beyond process improvement to focus on system effectiveness.
Capabilities must include managing interdependencies between and across functions to unleash performance where results are the product of the interactions.
Continuous improvement will be driven by the presence of uncertainty not only the presence of problems.
When companies adopt a proactive approach to risk & compliance they will have a competitive advantage because most others will not. And if they become good at it they will be unstoppable.