Updated: Nov 3
Companies often consider compliance as a "necessary evil" rather than a "necessary good."
They sometimes feel they are forced to comply with arbitrary rules that have little correlation with the outcomes they are trying to achieve.
This is not hard to imagine when excessive audits and controls are put in place as a reaction to a serious incident or serious audit findings. This reactive approach makes compliance look more like a tyrant than a leader.
Instead of functioning like a GPS that leads a driver to their destination, compliance has become, for these companies, a tyrant – pulling the strings to compel the behaviours it wants.
Why is compliance necessary?
Compliance, at its fundamental level, is about keeping promises to obligations that we have made. These obligations may be in the form of agreements to follow such things as: engineering standards, building codes, traffic laws, quality standards, or internal policies and procedures.
Regulations and standards set a benchmark for normative behaviour. Without them we would all be doing our own thing. While this may have some benefits, it breaks down when we try to work and live together.
As an engineer, I have always had to follow rules (i.e. requirements) of all kinds such as: laws of physics, mathematical theorems, laws of cybernetics, engineering standards, time and budget constraints, and the list goes on. Professional engineers in Canada (and other parts of the world) are also constrained by law to protect public safety which adds additional obligations.
All of these are a form of constraint, and to an engineer these are seen as challenges and not problems. Engineering at its core is about creating solutions within constraints, allowing for contingencies to make certain that system objectives are met. Constraints are not hindrances to innovation, but rather the source of creativity.
Compliance with regulations in many ways is no different than an engineer designing a system to meet product or customer requirements. However, what is different is the way in which these are done and therein lies the rub.
We know that it is best to design safety and quality into our products, services, and manufacturing. This produces better results than inspecting and auditing for conformance afterwards. The former makes compliance an engineering problem, while the latter makes it a policing and enforcement problem.
Compliance when seen as enforcement contributes to why many consider it as a "necessary evil".
When is compliance evil?
We know that too much order (or control) removes autonomy from both individuals and organizations. At some point this loss of autonomy creates resentment that results in companies only doing the minimum of what is asked of them. This unfortunately has been the case for many who are under significant government regulation.
Companies may also not differentiate between conformance to a standard and compliance to a regulatory statute. For example, many view compliance as a tax on productivity and so they want to do the minimum just like with their taxes. This same perspective is often used to address other kinds of obligations. Minimizing taxes is one thing; however, taking this same minimalist approach to safety and quality is another matter and perhaps even unethical.
Sometimes, regulations and standards are not well designed, which further contributes to a negative view of compliance. This can be seen with earlier versions of the quality management standard ISO 9001. Early versions were very prescriptive and subject to much interpretation. Recent changes to the standard have attempted to address some of this by moving to a management-based approach. This affords organizations a greater degree of autonomy. However, this comes with the requirement that organizations develop their own means (their own rules) by which they will meet their obligations.
With greater autonomy there is also greater responsibility. This is a realization that those who have implemented 9001:2015 risk-based thinking are discovering. Auditors can no longer tell them what to do and neither should they. Each company must figure out for themselves how best to manage risk to prevent defects as well as achieve their quality outcomes.
How compliance can be a leader rather than a tyrant
Organizations should not give up ownership for meeting obligations by blindly following standards and regulations as if these were tyrants. Instead, they should take back responsibility and own their commitment. This involves deciding what strategies are best for their company to meet all their obligations and stay ahead of risk.
And when it comes to safety, security, sustainability, quality or the environment, it will require more than just following rules. It requires leading the organization towards better outcomes.
Finding the right balance that creates enough order without sacrificing too much autonomy is difficult. However, this is precisely the role that those accountable for obligations must take for compliance to fulfill its purpose of protecting and ensuring value creation.