I have spent most of my career building information and management systems in support of engineering, compliance, and mission critical processes for highly regulated, high risk companies. In many cases, these systems were deployed following a process which would roughly follow these steps:
Create a project team
Disband project team
After these steps were done, the system would move into "maintenance mode," as is typical for other equipment in the organization. For that is how management and information systems were considered: as equipment.
The thought of improving the capabilities of a system after it had been installed did not cross anyone's mind. The only concern was to make sure the system remained operational and continued to perform according to how it was originally designed. When the system could no longer do that, it would be replaced.
In some circles this is called "run to fail," and fail they always did, for all kinds of reasons that included the effects of:
Changes in compliance requirements
Lack of training
Lack of support
Changes in technology
Changes in leadership priorities
Changes in organizational structure
Business process changes
Changes in culture
Improvements were few and far between and were seldom able to keep up. You might patch the software, upgrade the hardware, or even move to the cloud but eventually the system would need to be replaced. Improvement of the system might then be entertained.
However, what I have observed is that even then improvement did not always come for the following reasons:
The people who knew how things worked no longer worked for the company
The constraints of the old technology would become "requirements" for the new technology, which would mostly negate any improvement
Moving to the "cloud" and cost reduction would be a higher priority than improving system effectiveness
Different leadership would have different priorities
Run to fail created an urgent response instead of a planned one with sufficient time to consider options
Resistance to change (what we did in the past is good enough for the future)
And many other reasons ...
When it comes to quality, safety, environmental, and regulatory systems, where the goal is to reach a certain level of performance over time, it is no wonder that one of the contributors to the lack of overall progress is the "run to fail" or "set and forget" mode of system operations.
The phrase "two steps forward, three steps back" comes to mind and aptly describes the current state of many systems in place today. Continuous improvement and maturity of capabilities are extremely difficult when a system is thrown out and replaced every 3-5 years and the organization is always starting over.
As compliance is now heading towards performance- and outcome-based standards, the way in which systems operate must change to a new mode of operation. This new way of managing systems requires the ability to improve on a continuous basis and, just as importantly, the ability to steer, which is what compliance governance is responsible for and is the function of a compliance program.
The steering function must continually adjust system capabilities to achieve increasing and changing standards from either mandatory or voluntary obligations. Governance is what proactively drives this continuous improvement.
It is important to note that this differs from continuous improvement at the process level, which tends to focus on cost reduction by eliminating waste and improving efficiencies. While this is better than reactively addressing non-conformance, its purpose is still to improve consistency against current standards.
Improvement at the system level directed by a compliance program, by contrast, focuses on advancing capabilities to advance overall outcomes.
A compliance program is fundamentally a system in its own right, consisting of proactive processes that anticipate, plan, and act to improve compliance outcomes. An effective compliance program will steer the continuous improvement of processes, technology, and people so as to increase the probability that outcomes will be advanced. This is very different from the "run to fail" and "set and forget" modes of operation, which assume that compliance obligations are mostly prescriptive and never change.
In a world measured by the continuous increase in value, compliance must also be continuous and advancing in capabilities to keep up. This changes the role of governance away from "run to fail" and "set and forget" to one that proactively steers towards better outcomes. Instead of two steps forward, three steps back, compliance governance needs to always be steps forward.