
  • Why IT is Failing Compliance

    In the IT industry, where I spent much of my early career, a significant amount of resources is dedicated to integrating components together. This is needed to build enterprise solutions from capabilities across a variety of existing and new technologies. A common architectural principle for this kind of integration is to minimize coupling, that is, how tightly the solution and its components are connected. That way you can, in theory, replace a component with something else downstream, and you can avoid unintended side effects when code changes. Along with the design goal of loose coupling, it is also standard practice to achieve a high level of encapsulation: hiding the internals of a component from the solution that uses it. Both of these design principles are intended to minimize disruption arising from future changes to either the solution or its components.

    While these design principles make sense for IT solutions, they are not what compliance needs. Instead, compliance needs tighter coupling and greater transparency with the value chain. In technical terms, there is an impedance mismatch between IT and compliance objectives.

    What Compliance Needs from IT

    Compliance needs an integrative approach with the value chain, not just integration with it. This also applies to the tools and technologies used to support compliance. However, IT solutions struggle to realize these principles, particularly SaaS and cloud applications. While they may integrate with your business, they seldom provide the means for compliance to be an integral part of the value chain so that the business always knows whether it is operating between the lines. Negotiating the cultural and architectural differences between compliance and IT is critical for compliance to achieve higher levels of performance and effectiveness. This is more important now with the advent of artificial, or rather machine, intelligence, where we need greater levels of transparency, explainability, and trust.

  • Not All Holes Are Hazards

    Not all holes are hazards; not all risks matter. The risks that matter are the ones between you and your objective.

  • The Greatest AI Risk – AI Agency

    When it comes to Artificial Intelligence, what worries many is not so much how smart it might become but what it might do with the intelligence it learns. The “do” part is a function of its agency and is perhaps the greatest source of risk and concern facing today’s society.

    Agency is the power to act in the world. In its narrow definition, agency is intentional but may lack moral considerations. However, having agency without moral capacity is a serious problem and something where applied ethics (AI Ethics) is needed.

    Before we explore the topic of AI Agency we need to consider the difference between autonomy and agency. Autonomy has more to do with the right to make decisions free from external control or unwarranted interference. Autonomy is the right of self-governance. In this context, autonomous vehicles are better described as driving agents, as they are acting on behalf of the driver’s intention. They do not have the right of self-governance, nor do they act on their own intention. However, when it comes to AI, agency and autonomy are often used interchangeably, often describing the aspirational goals of the creators rather than the AI technology itself.

    Agency is what turns our possibilities into realities, and therein lies the rub. Agency is what turns descriptions of our world into something we experience. Having smart people is important, but it is what is done with this knowledge that we are more concerned about. It is the application of knowledge (engineering) that builds our realities. When it comes to AI, without agency: Intelligence is just advice, Information is just data, and Knowledge is just a database. You could also say that engineering is just technology. Having smarter machines is not the problem. It is a means to an end. The question is: what end?

    For humans, informed by knowledge of our past and future desires, agency turns possibilities into present-day realities. What those realities are depends very much (but not entirely) on one’s intentions. Agency provides the means to transcend a world defined by a future described as unfolding, controlled by the deterministic laws of nature and stochastic uncertainty, to a future that is chosen by the decisions and actions we make. Agency gives us the power to choose our future. That is why agency without good judgment is not desirable, as it creates the opportunity for risk.

    We usually limit the amount of agency based on moral capacity and the level of accountability. Just as with our children, we expect them to behave morally; however, we do not hold them accountable in the same way as we do adults. As such we limit what they can do and the choices they can make. When we are young our foolish choices are tolerated and at times encouraged to provide fodder for learning. However, as adults, foolishness is frowned upon in preference for those who demonstrate wisdom, good judgment, and sound choices.

    To act in the world brings with it the responsibility to decide between bad and good, useless and useful, and what can harm and what can heal. Ethics provides the framework for these decisions to be made. In many ways, applied ethics is the application of wisdom to the domain of agency. If AI is to have agency it must at least have the capacity to make moral decisions. This requires at a minimum ethical subroutines, something that is currently not available. Even if they were available, this would need to be accompanied by accountability. Agency always brings with it a measure of culpability. Agency and accountability are two sides of the same coin. Agentic AI must be answerable for the decisions it makes. This in turn will require more than just an explanation of what it has done.

    As humans are more than an embodiment of intelligence, we need other names to describe artificial intelligence that has agency, has ethical subroutines, and is accountable for its actions. Here are possible names for each type:

      - AI Machines: AI systems without agency (advisory, decision support, analysis, etc.)
      - AI Agents: AI Machines with agency but without moral capacity and with limited culpability
      - AI Ethical Agents: AI Agents with moral capacity and full culpability

    AI Machines can still have agency (self-referencing machines)

    In theory, machines have a measure of agency to the degree they interact with the world. In the classical sense, machines may adapt to their environment based on pre-defined rules. However, when it comes to AI Machines the ability to adapt is enhanced by machine learning. AI Machines of this kind are self-referencing and are not impartial observers in the classical sense. The output they generate interferes with the future they are trying to represent, which forms a feedback loop. AI in this scenario is better described as an observer-participant, which gives it a greater measure of agency than classical machines. This is agency without purpose or intention, manifesting as a vicious or virtuous cycle towards some unknown end. Perhaps this is what is meant by autonomous AI: AI machines that no longer act on behalf of their creator but instead act on their own towards some unknown goal, perhaps even towards themselves. No wonder this is creating significant angst in the population. We have created an open-loop system with the capacity to act in the world and to decide, but lacking moral capabilities.

    Agency is not the only concern

    AI Agency is a source of significant risk. Some of the categories discussed are currently possible and others are still in our future. Nonetheless, guidelines and guardrails can and should be developed to properly regulate AI Agency proportionate to the level of risk. AI has other risks beyond its capacity to act in the world and to decide. However, AI Agency is where the greatest benefits will come and, with it, the greatest risks to society.

  • Golden Thread of Assurance for Compliance

    An important role of compliance is keeping organizations operating between the lines and ahead of risk. When it comes to risk, many will provide a long list that you might consider. Some of these will indeed require attention and careful deliberation. However, there will always be uncertainty when pursuing mission success, and there will always be a list of risks to handle. What is better is knowing how to meet obligations and deliver stakeholder commitments in the presence of uncertainty. This is why compliance should consider operational aspects when planning their compliance efforts. These are the capabilities necessary for compliance to be successful in the presence of uncertainty.

    A measure of compliance success is when compliance is fit for purpose, capable of meeting all obligations, and, perhaps most importantly, capable of realizing the benefits that come from being in compliance: better safety, security, sustainability, quality, regulatory, and ultimately stakeholder trust. The following are essential compliance capabilities as viewed through an operational lens. They define the operational requirements for an effective compliance program:

      - Obligation Management
      - Promise Fulfillment
      - Value Chain Integration
      - Organizational Alignment
      - Compliance Operability

    When operating together these form a golden thread of assurance that provides the confidence necessary for compliance success. Let's take a look at each one, starting with obligations.

    1. Obligation Management: Compliance must manage obligations

    Many organizations have compliance management systems. However, very few manage obligations. You may have a management system for quality, environmental, safety, security and so on. These manage the “practice” of compliance but do not necessarily manage the obligations themselves. For that you need a compliance program. ISO 37301 is a recent standard that has the basics for such a program. It elevates compliance by providing a system to manage compliance performance. ISO 37301 includes a concept of operations diagram that illustrates the various functions, behaviours, and interactions that need to be considered and continuously improved over time. This is a good start for organizations beyond the basics of what common management systems provide. We need to remember that we don't need compliance management, we need managed obligations.

    2. Promise Fulfillment: Compliance must operationalize obligations

    Organizations may track their obligations, but seldom do they keep track of their promises, which makes them difficult to keep. Promises are the operational side of obligations. In fact, promises are operationalized obligations. They define the commitments we make to meet our obligations. Promises describe the how while obligations describe the what. If obligations are the requirements, promises are the specifications that tell us what we need to achieve compliance. While managing obligations is a level up for many organizations, managing promises is what makes them effective at it. To meet obligations, organizations need to learn and practice how to keep their promises.

    3. Value Chain Integration: Compliance must be an integral part of the value chain

    For compliance to be successful, obligations must be operationalized, which means compliance must be integral to the value chain. The following adaptation of Michael Porter's value chain helps illustrate why this is important: at the basic level, companies desire to advance profit and better margins. However, organizations will also have other outcomes promised to their stakeholders. Ensuring these outcomes requires programs to operationalize obligations. These programs (or what we call certainty programs) translate obligations into value chain commitments (or promises) that contribute to meeting targets or advancing outcomes associated with safety, security, sustainability, quality, and so on. This kind of integration is known as internal regulation: regulating towards better outcomes, not only better margins. This is not a project that is done once and forgotten. Value Chain Integration is a continuous process that aligns organizational values with operational objectives.

    4. Organizational Alignment: Compliance must bridge the gap between what's above and what's below

    There is a line that runs through an organization separating upper management from lower management. This organizational barrier creates a gap between:

      - those who are accountable and those who are responsible
      - programs that change state, and systems that resist change to maintain state
      - obligations that define compliance requirements, and promises that specify our commitments
      - the ends and the means
      - the benefits and the cost
      - our long-term vision and our short-term mission

    Now, there used to be something called middle management to do the translation between what is above and what is below, because they all speak different languages. This layer has been mostly gutted in recent years to flatten organizational structures. What does this mean for compliance? If you want an effective compliance program, that program must now include managing change and negotiating this barrier. Failure to do this will result in compliance failure. You could say that operationalizing obligations depends on how well you negotiate this barrier. Compliance must find a way to align these two worlds.

    5. Compliance Operability: Compliance must be operational

    For compliance to be successful it must be operational. It must be fit for purpose, able to meet obligations, and capable of realizing the benefits of compliance. To understand this better we developed the following compliance operational model. This model comprises what's needed to continuously deliver on promises to maintain a state of compliance:

      - Operational Governance: sets the destination, the desired outcomes and the goals that we want to achieve
      - Operational Programs: what governance uses to steer towards outcomes (the controller of the subsystems)
      - Operational Subsystems: implement controls (which are processes) to ensure that objectives are consistently met
      - Operational Processes: do the work of compliance
      - Feed-back and feed-forward processes, along with improvement loops for conformance, performance, and effectiveness

    These are all continuous functions, behaviours, and interactions, not yearly activities or tasks. When operational they will achieve what we call Minimal Viable Compliance (MVC): the minimum performance necessary to start realizing benefits. MVC is not achieved at the end of a 5-step maturity model, but right at the start. Why is that important? Because compliance failure means mission failure.

  • Is Your Compliance Regulating Fast Enough?

    Modern compliance must regulate at faster rates to keep an organization always on-side and operating between acceptable safety, security, sustainability, quality, regulatory and ethical levels.

    In an electrical circuit, voltage regulation (maintaining a consistent voltage level) is achieved using a feedback process that measures the output and adjusts the circuit to remove variation from the output. In modern switch-mode power supplies this happens at a frequency between 20,000 and 2 million cycles per second. In theory, the frequency of regulation is chosen to be fast enough to keep variation in the output within acceptable levels. The greater the variation in input voltage, the higher the regulation frequency needs to be.

    This is not unlike how audit-correction cycles work. In theory, audits and corrections should happen as frequently as necessary to maintain adherence to a standard within acceptable levels. The number of days spent operating outside the lines, along with the time it takes to return to acceptable levels, are measures of compliance effectiveness and performance respectively. However, what many don't consider is this: the more often things change, the higher the frequency of audits needs to be.

    Let’s assume you audit conformance to prescribed controls once every year. It is therefore possible to be off-side for an entire year before it is noticed, plus the time it takes to correct the deviation, hopefully before the next audit. In the worst case, it could be two years before you get back on-side. What impact would being off-side for two years have on your operations? That is why audits are often too slow and too late to protect value creation. Never mind that audits seldom evaluate effectiveness against targeted compliance goals and outcomes.

    As change can be a significant source of risk, organizations in highly regulated, high-risk sectors use a Management of Change (MOC) process to keep up with the speed of risk due to planned changes. This process functions as a real-time compliance regulator to keep an organization always operating between the lines. Here are a few questions to consider when planning your compliance:

      - How long do you wait before knowing when you are off-side?
      - What are acceptable levels of effectiveness and performance for compliance?
      - What capabilities and capacities do you need to regulate your compliance to meet your measures of success?
      - What strategies can you apply to always stay between the lines?

  • Protect your Value Chain from AI Risk

    This year will mark the end of unregulated use of AI for many organizations. This has already happened in the insurance sector (State of Colorado), and others are not far behind. AI safety regulations and responsible use guidelines are forthcoming. Organizations must now learn to govern their use of AI across their value chain to protect stakeholders from preventable risk. This will require building Responsible AI and/or AI Safety Programs to deliver on obligations and contend with AI-specific risk. To stay ahead of AI risk you can no longer wait. Ethical and forward-looking organizations have already started to build out AI Safety and Responsible Use Programs. Don’t be left behind. Take steps starting today to protect your value chain.

  • Controls without Systems are not Controls

    Controls without systems are not controls; they are only processes.

    In many compliance domains meeting obligations is seen as a controls problem. As a result, documenting, building, managing, and monitoring controls is at the forefront of compliance activities. This is reinforced, if not driven, by industry management system standards which conceptualize compliance in the same way and provide a long list of controls that you “should” implement. However, focusing solely on controls often results in losing sight of the big picture. Many have lost sight of the forest for the trees.

    Controls are processes that adjust operating system parameters to maintain output between targeted values. Technically, controls perform the function of regulation needed to achieve compliance with a given standard of performance. This applies to all systems, including socio-technical ones. However, all too often controls are implemented without knowledge of what they are intended to control, how they work, or what they are supposed to accomplish. Many may not be connected to the systems they are intended to control. They may even operate at cross-purposes, implemented to work separately and not together. This is definitely a significant source of compliance waste.

    Instead of compliance systems, many organizations have control management systems, often doing no more than mapping controls to regulatory elements. They might even have all the boxes checked and be able to pass an audit. What many organizations don’t have (but need) are controlled systems to deliver on the commitments associated with their obligations. They need systems capable of creating the outcomes of compliance. Compliance is about regulation, and you cannot regulate without a system; you cannot regulate with controls alone.

    If you are not realizing desired outcomes from your compliance efforts, check to make sure your controls are connected, operational, and effective at regulating your safety, security, sustainability, quality, environmental, regulatory and ethics systems. Don’t lose sight of compliance for the controls.

  • Shingo Model: 3 + 1 Insights to Achieve Organizational Excellence

    With compliance in all of its manifestations (safety, security, sustainability, quality, environmental, regulatory, etc.) taking on a more integral role in the operations of an organization, it also takes on greater responsibilities. One of these is the pursuit of operational excellence.

    Operational excellence refers to an organizational philosophy and management approach that focuses on consistently achieving optimal performance and efficiency in all aspects of business operations. It involves the continuous improvement of processes, systems, and workflows to enhance productivity, reduce waste, and deliver high-quality products or services. Operational excellence is often associated with Lean management principles, Total Quality Management (TQM), and other methodologies that aim to create a culture of continuous improvement.

    The Shingo Institute (home of the Shingo Prize) is a non-profit organization that promotes organizational excellence using a methodology that has gained prominence for its transformative approach to achieving operational excellence and continuous improvement. At the heart of the Shingo Model™ are three pivotal insights that guide organizations toward mission success. In this article, we delve into these insights along with one that we learned as part of Lean Compliance and explore how they are beneficial to compliance excellence:

      - Insight #1: Ideal Results Require Ideal Behaviour
      - Insight #2: Purpose and Systems Drive Behaviour
      - Insight #3: Principles Inform Behaviour
      - Insight #4: Programs Elevate Systems (Lean Compliance)

    Insight 1: Ideal Results Require Ideal Behaviour

    Central to the Shingo Model™ is the understanding that achieving ideal results necessitates cultivating ideal behaviours within an organization. This insight emphasizes the critical role of leadership in setting the tone for expected behaviours. Leaders are urged to inspire and model the behaviours that align with the organization's goals, fostering a culture where everyone is committed to excellence. By promoting a mindset where individuals take ownership of their actions (along with obligations) and continuously strive for improvement, organizations can create a ripple effect of positive behaviours that lead to optimal outcomes. This insight encourages leaders not only to focus on end results but also to consider the behaviours and practices that drive those results.

    Insight 2: Purpose and Systems Drive Behaviour

    The second key insight of the Shingo Institute Management System underscores the influence of purpose and systems on shaping organizational behaviour. Purpose serves as a guiding force, aligning the actions of individuals and teams with the overall mission and vision of the organization. When individuals understand the purpose behind their work, they are more likely to engage in behaviours that contribute to the achievement of organizational goals. Additionally, systems play a crucial role in influencing behaviour. The design and structure of systems within an organization can either support or hinder the desired behaviours. The Shingo approach encourages leaders to examine and optimize systems to ensure they drive behaviours that align with the organization's purpose and goals.

    Insight 3: Principles Inform Behaviour

    The third insight centres around the idea that principles inform behaviour. The Shingo Institute Management System is built on a set of guiding principles that serve as a compass for decision-making and action. These principles, which include humility, respect, and continuous improvement, are the foundation for creating a culture of excellence. By embedding these principles into the organizational DNA, leaders can guide behaviour at all levels. Principles inform the choices individuals make, the way teams collaborate, and the overall culture of the organization. This insight emphasizes the importance of aligning actions with enduring principles to foster a sustainable culture of excellence.

    Insight 4: Programs Elevate Systems (Lean Compliance)

    This insight comes from Lean TCM (Total Compliance Management) and emphasizes the idea that management programs elevate system performance. Whereas systems are designed to resist change by removing variability, management programs introduce change to advance outcomes. Management programs drive the system performance levels needed to advance targeted compliance outcomes. In essence, programs regulate systems towards desired outcomes in the same way that systems regulate processes toward desired outputs. This insight emphasizes that to achieve better outcomes you need programs to elevate systems.

    Conclusion

    The Shingo Institute's insights, along with the Lean Compliance Model, offer profound approaches to organizational and compliance excellence. By recognizing the interplay between ideal behaviour, purpose-driven systems and programs, and guiding principles, organizations can create a framework for continuous improvement and mission success. Embracing these insights empowers leaders and teams to cultivate a culture where behaviours are aligned with organizational goals and obligations, driving sustained excellence and adaptability in a dynamic business environment.

  • From Chairs to AI: Defining What Is Artificial Intelligence

    “In our world,” said Eustace, “a star is a huge ball of flaming gas.” “Even in your world, my son, that is not what a star is, but only what it is made of.” ― C.S. Lewis, The Voyage of the Dawn Treader

    For those looking to govern the creation and use of Artificial Intelligence (AI) there is one question that must be answered: "What is AI?" Before meaningful regulation, policies, or guidelines can be developed we must first understand what AI is and what it is not. However, as important as this question is, the answer has eluded many if not most of us.

    At one level AI consists of the same computing technology we have used in the past. In fact, it can be reduced down to its bits and bytes and a simple Turing machine. However, our experience using AI suggests that it is something more than, and different from, the computing of the past. Perhaps AI is better defined by how it is used, what it can do, and what it might become? How should AI best be defined? In this article we consider the concepts of overmining and undermining from the domain of Object-Oriented Ontology (OOO) to help get to the heart of the matter.

    Object-Oriented Ontology

    In the domain of philosophy, Object-Oriented Ontology (OOO) has emerged as a thought-provoking framework that challenges traditional notions of reality and existence. At the centre of OOO lies a delicate balance between undermining and overmining, a paradox that holds particular significance when applied to objects, be they physical entities like a chair or more abstract constructs like Artificial Intelligence (AI).

    Undermining: Descending into the Essence

    Consider a chair. When we focus on its individual components, such as the legs, we risk undermining the holistic essence of the chair. Object-Oriented Ontology suggests that by dissecting and isolating the parts, we lose sight of the interconnectedness and emergent properties that define the chair as a unified whole. This reductionist approach challenges us to reconsider how we perceive and categorize objects, urging us to appreciate their intrinsic qualities beyond mere components. The same principle applies to AI. When we break down artificial intelligence into its algorithms, data structures, or even specific functionalities, we may undermine the overarching complexity and emergent behaviours that make AI a unique entity. OOO encourages us to recognize the depth of objects, discouraging reductionism that oversimplifies their essence.

    Overmining: Ascending into Abstraction

    Conversely, when we overmine an object, we risk losing touch with its concrete reality. Take the example of a chair again. If we start categorizing chairs based on their shape or how they are used (round chairs, tall chairs, chairs in hospitals, kitchen chairs), we risk overmining the concept of a chair. Object-Oriented Ontology cautions against excessive abstraction, urging us to avoid diluting the essence of an object by layering it with unnecessary classifications, the risk of holism. In the world of AI, overmining occurs when we categorize artificial intelligence based solely on external factors such as its applications, industry use cases, or even its cultural impact. OOO challenges us to find a middle ground that allows for meaningful categorization without losing sight of the fundamental nature of AI as a complex, interconnected system.

    Synthesis: Finding the Balance

    The challenge, then, lies in finding a balance between undermining and overmining, an intersection of reductionism and holism. In the context of a chair, we need a definition that captures the essence without reducing it to its individual components or overdetermining it with non-essential attributes. The same applies to AI, where we strive to define its nature without oversimplifying its complexity or overloading it with extraneous categorizations. Object-Oriented Ontology encourages us to adopt a nuanced perspective, recognizing the interconnectedness and emergent properties of objects, whether they be physical entities or conceptual constructs like AI. By navigating the delicate balance between undermining and overmining, we can develop a more profound understanding of the objects that shape our world, including what defines Artificial Intelligence.

    More work is needed to develop clarity on what AI is and what it is not. The lack of a clear and concise definition creates the risk of over-regulation or under-regulation for compliance, as well as possible duplication of effort in creating new standards and guidelines that already cover what is essential. In the words of Goldilocks, we need a definition that is not too hard, not too soft, but just right.

  • Achieving Success in Compliance: Three Key Strategies

    A common problem facing organizations in highly regulated, high-risk environments is how to properly govern their operations to ensure they meet all their obligations and keep all their stakeholder commitments. This problem in many ways is about aligning the ends with the means, or better, bridging the gap between organizational outcomes and operational objectives. In fact, it’s a problem of managing compliance in the middle. When one considers the combinatorial explosion of obligations and associated risks connected with safety, security, sustainability, quality, regulatory along with ethical conduct the problem is almost intractable. This is evidenced by a large number of end points, connections, and interactions to control particularly when addressing the problem through a reactive and reductive model centred on controls, tasks, issues, and corrective actions. Technology offers some relief by enabling certain processes and making some more efficient. However, automation can all too often result in baking in processes, or what we used to call, “paving the cowpath” resulting in greater fragility rather than agility to contend with uncertainty and complexity. To reduce complexity and improve overall compliance effectiveness organizations will adopt different strategies some of which are compelled by regulation, others are voluntarily chosen. These can be categorized by their primary focus: standardizing practices, integrating controls, or operationilzing systems. Standardize Practices - example: management system standards and frameworks (ISO, ICH, NIST, CSA, FDA, OSHA, etc.) Integrate Processes - example: GRC (Governance, Risk and Compliance ) Operationalize Systems - example: Lean TCM (Total Compliance Management) These approaches overlap to various degrees but differ in how they work, and where they operate within an organization. In this article we explore each of them and compare their advantages and disadvantages. 
Standardize Practices

ISO management system standards such as ISO 37301 (CMS) are examples of this approach. ISO standards are a set of internationally recognized guidelines designed to assist organizations in achieving operational excellence, ensuring quality, and promoting continual improvement. These standards are developed by the International Organization for Standardization (ISO), a non-governmental organization that brings together experts from various industries to create consensus-based specifications.

The primary objective of ISO management standards is to establish a common framework that organizations can implement to enhance efficiency, reduce risks, and meet the expectations of stakeholders. These standards cover a wide range of disciplines, including quality management, environmental management, information security, and occupational health and safety.

Implementation of ISO management standards typically involves a systematic approach, starting with a thorough understanding of the organization's processes and objectives. Organizations seeking certification adhere to the specific requirements outlined in the relevant ISO standard. The implementation process often includes the development of documented policies, procedures, and guidelines, as well as the establishment of key performance indicators to measure progress. Certification, which is usually assessed by independent third-party auditors, serves as a formal recognition that the organization's management system conforms to the specified ISO standard. Achieving and maintaining ISO certification demonstrates a commitment to excellence and can enhance an organization's reputation, fostering trust among customers, partners, and regulatory authorities.

One of the fundamental principles of ISO management standards is the concept of continual improvement. Organizations are encouraged to regularly review and refine their management systems to adapt to changes in the internal and external environment.
Continuous monitoring, measurement, and evaluation of performance metrics help identify areas for enhancement and ensure that the organization remains responsive to evolving circumstances. This iterative process not only drives efficiency but also cultivates a culture of innovation and adaptability within the organization. In essence, ISO management standards provide a dynamic and flexible framework that empowers organizations to navigate the complexities of today's business landscape while fostering a commitment to ongoing improvement and customer satisfaction.

Potential Weaknesses

While ISO standards provide valuable guidelines for organizations seeking to enhance their processes and ensure quality, there are some key weaknesses associated with their implementation:

Rigidity and Formality: ISO standards can be perceived as rigid and overly formal, leading to a potential disconnect between the prescribed requirements and the dynamic needs of certain organizations. This formality may hinder innovation and creativity within some contexts, especially in rapidly evolving industries where flexibility is crucial.

Resource Intensiveness: Achieving and maintaining ISO certification can be resource-intensive, particularly for small and medium-sized enterprises (SMEs). The documentation, training, and audit processes involved can be time-consuming and costly, posing a challenge for organizations with limited budgets or manpower.

Focus on Documentation: ISO standards often emphasize extensive documentation to demonstrate compliance. While documentation is essential for clarity and accountability, an excessive focus on paperwork can lead to a "box-ticking" mentality, where organizations prioritize meeting documentation requirements over genuine process improvement and effectiveness.

Limited Adaptability: ISO standards may not always adapt quickly enough to emerging trends, technologies, or industry-specific nuances.
This limitation can make it challenging for organizations in cutting-edge or highly specialized fields to fully align their management systems with the most current best practices.

Lack of Strategic Guidance: ISO standards provide a framework for establishing management systems but may not offer specific strategic guidance tailored to individual organizations. This can result in organizations achieving ISO certification without necessarily aligning their management systems with their strategic goals.

Perceived Bureaucracy: The implementation of ISO standards can sometimes be viewed as bureaucratic, especially by employees who may feel burdened by additional administrative tasks. This perception may hinder employee engagement and commitment to the principles of the ISO management system.

Overemphasis on Documentation Compliance: In some cases, organizations may prioritize demonstrating compliance with documentation requirements rather than focusing on the underlying principles and effectiveness of the management system. This can lead to a superficial adherence to ISO standards without realizing the intended benefits.

It's important to note that these weaknesses do not negate the overall value of ISO standards. Organizations should carefully consider their specific needs, industry context, and strategic objectives when deciding to adopt and implement ISO management standards.

Integrate Processes

Governance, Risk, and Compliance (GRC) frameworks are an example of this approach. GRC is a holistic framework that integrates three critical components of organizational management: governance, which involves the establishment of structures and processes for decision-making and accountability; risk management, which focuses on identifying, assessing, and mitigating potential threats to an organization's objectives; and compliance, which ensures adherence to relevant laws, regulations, and internal policies.
The GRC framework aims to harmonize these elements to promote effective decision-making, mitigate risks, and ensure compliance with legal and regulatory requirements.

Within a GRC framework, governance sets the tone for the organization by defining its strategic objectives and establishing the framework for decision-making. It involves the allocation of responsibilities, creation of policies, and development of communication structures to guide the organization toward its goals. Risk management within GRC involves the identification, assessment, and prioritization of potential threats to the achievement of objectives. This proactive approach enables organizations to implement strategies to mitigate risks and capitalize on opportunities effectively. Compliance, the third pillar of GRC, ensures that an organization operates within the bounds of relevant laws, regulations, and internal policies. It involves monitoring, reporting, and taking corrective actions to address any non-compliance issues.

The GRC framework operates synergistically, providing a structured approach to managing the complex interplay between governance, risk, and compliance. Implementation often involves the use of technology and specialized software solutions to streamline processes, enhance visibility, and facilitate real-time monitoring. GRC frameworks not only help organizations avoid legal and financial pitfalls but also contribute to overall business resilience and sustainability. By embedding a culture of accountability and transparency, GRC facilitates the establishment of robust internal controls, ultimately leading to improved decision-making, stakeholder trust, and long-term organizational success.

Potential Weaknesses

While Governance, Risk, and Compliance (GRC) frameworks offer valuable tools for managing and aligning organizational processes, they are not without potential weaknesses.
Here are some common weaknesses associated with GRC frameworks:

Complexity: GRC frameworks can be intricate and complex, particularly in large organizations. The complexity may lead to confusion among employees and make it challenging to implement and maintain the framework effectively.

One-Size-Fits-All Approach: Some GRC frameworks may adopt a generic or standardized approach that might not suit the specific needs and nuances of an organization. This can result in inefficiencies and may not adequately address the unique risks and compliance requirements of the organization.

Lack of Integration: Integration is the by-word of GRC, and issues may arise if the GRC framework is not well-integrated with existing business processes and systems. Siloed information and disconnected processes can hinder the effectiveness of risk management and compliance efforts.

Overemphasis on Conformance: In some cases, organizations may focus too heavily on adherence to procedures, neglecting the broader aspects of governance and risk management. This can lead to a reactive approach rather than a proactive one.

Resistance to Change: Implementing a GRC framework often requires significant changes in organizational culture, processes, and structures. Resistance from employees and stakeholders can impede successful adoption and implementation.

Resource Intensive: Developing, implementing, and maintaining a GRC framework can be resource-intensive. Small and medium-sized enterprises may find it challenging to allocate the necessary resources for a comprehensive GRC program.

Technology Dependence: Some organizations heavily rely on technology solutions for GRC management. While technology is essential, over-dependence on tools without a solid understanding of underlying principles and processes can be a weakness.

Inadequate Communication: Effective communication is crucial for the success of any GRC framework.
Weaknesses may emerge if there is a lack of clear communication regarding roles, responsibilities, and expectations related to governance, risk, and compliance.

Insufficient Training and Awareness: Employees may not fully understand the importance of GRC or their roles in the framework. Lack of training and awareness can result in non-compliance and ineffective risk management practices.

Despite these weaknesses, a well-designed and effectively implemented GRC framework can provide substantial benefits to organizations. It's crucial for organizations to carefully tailor GRC practices to their specific needs, regularly assess their effectiveness, and continuously improve their approach to governance, risk management, and compliance.

Operationalize Systems

Lean TCM (developed by Lean Compliance) is an example of this strategy. Lean TCM takes a different approach from other methodologies by considering a different set of questions:

What would compliance look like if it was already an integral part of the value chain?
How could effectiveness be realized right from the start?
What is necessary to meet all obligations and keep promises?
How would it need to operate and what is essential for operability?

Instead of standardizing and integrating all the pieces of a “broken” system at the task or process level, Lean TCM endeavours to establish an integrative operating model that works at the point where obligations become promises. Lean TCM operates in the middle of an organization, bridging the gap between outcomes and objectives, which is essential to achieve effectiveness (i.e. the realization of benefits).

Unlike traditional compliance approaches, Lean TCM does not replace existing management standards; instead, it elevates them to a higher level, providing essential capabilities that extend beyond mere certification. It addresses both Compliance 1 (rules and practices) and Compliance 2 (targets and outcomes), encompassing legal and social licenses to operate.
This framework serves as a guiding navigator for organizations, ensuring the right balance between reactive and proactive behaviors and practices. Drawing inspiration from various management disciplines such as Total Quality Management, Continuous Improvement, Lean Startup, Hoshin Kanri, ISO standards (e.g., ISO 37301 for CMS and ISO 31000 for RM), Performance Management, Promise Theory, and Cybernetics, Lean TCM is designed to tackle modern-day compliance challenges. It enables organizations to not only achieve more benefits than certification alone but also handle regulatory and stakeholder obligations efficiently. The framework emphasizes sustainability, trust-building, and the fulfillment of obligations, equipped with strategies for improvement, alignment, and accountability at every organizational level.

The Lean TCM Framework provides organizations with a holistic, proactive, and integrative approach to operate in highly regulated and high-risk environments. It serves as more than just a means to an end, defining an operational approach for sustainable mission success. The Operational Compliance Model within Lean TCM ensures that compliance is not just a set of rules but an operational function, achieving Minimal Viable Compliance (MVC) by incorporating regulatory design principles derived from systems theory and cybernetics. Additionally, Lean Compliance offers advanced programs such as The Proactive Certainty Program™ and The Elevate Compliance Program, both designed to facilitate compliance transformation, strengthen defenses, and address modern compliance challenges with assurance.

Lean TCM emphasizes the following:

You start with something that is already operational, simpler, and capable of delivering benefits.
The point of intervention happens where obligations align with promises, outcomes align with objectives, and the ends align with the means.
Adds the function of management programs missing from management system standards, including GRC frameworks.
Implemented using Lean Startup to accelerate learning and improvement.
Focuses on outcomes and operational risk.
Harnesses lean principles to reduce waste to create the opportunity for proactive improvements.
You learn to drive towards compliance outcomes by driving right from the start.

Weaknesses:

While Lean Total Compliance Management (Lean TCM) offers a robust framework for organizations to enhance their compliance efforts, there are certain weaknesses associated with this approach:

Novel Implementation (lean startup): Lean TCM utilizes the Lean Startup approach, which may not be as familiar to those who have followed traditional bottom-up approaches.

Resource Intensiveness: Similar to other comprehensive compliance frameworks, Lean TCM may demand significant resources, both in terms of time and financial investment. Smaller organizations or those with tight budgets may find it challenging to allocate the necessary resources for successful implementation.

Resistance to Change: The introduction of a holistic and integrative compliance approach may face resistance from employees accustomed to traditional compliance methods. The shift towards a proactive and operational compliance culture might encounter pushback, requiring effective change management strategies to ensure successful adoption.

Limited Experience: While Lean TCM incorporates well-known principles and practices from different domains, its overall approach may not be as familiar. This could pose a challenge for organizations looking for traditional methods.

Not Elevating Minimal Viable Compliance: While the concept of achieving Minimal Viable Compliance (MVC) is integral to Lean TCM, there is a risk of organizations focusing solely on meeting the minimum requirements rather than striving for continuous improvement and excellence in compliance practices.
Dependency on Existing Capabilities: Lean TCM emphasizes elevating existing resources for compliance benefits. However, organizations with inadequate existing capabilities or those lacking a strong foundation in relevant management principles may struggle to realize the full potential of Lean TCM.

Limited Industry-Specific Guidance: Lean TCM provides a broad framework applicable across various industries and compliance domains, but it may lack specific guidance tailored to certain sectors with unique compliance challenges. Organizations in highly specialized fields may need to supplement Lean TCM with industry-specific expertise.

Potential Overemphasis on Effectiveness: The focus on outcomes may lead to an overemphasis on effectiveness, potentially neglecting the importance of efficiency.

Despite these weaknesses, organizations can mitigate challenges by carefully assessing their specific needs, participating in educational programs, and developing a tailored roadmap for their organization.

An Aside From the Past

Those who worked in the IT industry in the 90’s may remember using CORBA (www.corba.org). The CORBA approach is based on the concept of a middleware infrastructure, known as the Object Request Broker (ORB), which facilitates communication and interaction between distributed objects. Back then we attempted to create business objects written in Java for every object of interest to the business, which would then be integrated together using a CORBA broker. Sounds great! It also sounds very familiar and similar to the approaches taken by GRC frameworks and, to a lesser degree, management system standards.

As you can imagine, there was not enough time, energy or funding to define and integrate everything, so CORBA implementations usually failed. This is an important lesson for any holistic approach, particularly those that depend on tight coupling of objects and the need for everything to be perfect.
This is something that Lean TCM attempts to address by operating in the middle, above the task and procedure level, and using the concept of minimal viable programs (MVPs), which can be elevated over time.

Implementing CORBA also taught me that just because you integrate everything together doesn’t mean you will end up with more than you started with, apart from now having to manage all the integration touch points. When you connect reactive processes together you still end up with a reactive system. Integration only makes sense when used to build a system that is capable of delivering benefits, which is something that many organizations fail to understand.

Summary

In this article we explored three key strategies for achieving success in compliance within highly regulated, high-risk environments. The common challenge faced by organizations in these environments is effectively governing their operations to meet obligations and stakeholder commitments while bridging the gap between organizational outcomes and operational objectives. The strategies discussed include standardizing practices, integrating processes through Governance, Risk, and Compliance (GRC), and operationalizing systems with Lean Total Compliance Management (Lean TCM).

The first strategy involves standardizing practices using management standards, which provide recognized guidelines to enhance efficiency, reduce risks, and meet stakeholder expectations. While management system standards offer valuable guidance, potential weaknesses include rigidity, resource intensiveness, and a potential overemphasis on documentation compliance.

The second strategy focuses on integrating processes through GRC frameworks, harmonizing governance, risk management, and compliance. Despite its advantages, GRC frameworks have potential weaknesses, such as complexity, a one-size-fits-all approach, and the challenge of integration with existing business processes.
The third strategy introduces Lean TCM, a unique approach developed by Lean Compliance that operationalizes obligations by integrating compliance into the value chain. Lean TCM addresses Compliance 1 and Compliance 2 requirements, offering a holistic, proactive, and integrative approach. However, potential weaknesses include its novel implementation using Lean Startup, limited industry-specific guidance, and potential resistance to something different. In essence, each strategy has its strengths and weaknesses, and organizations must carefully consider their specific needs, industry context, and strategic objectives when choosing a compliance approach. While ISO standards, GRC frameworks, and Lean TCM offer valuable insights, successful implementation requires a tailored approach, ongoing assessment, and a commitment to continuous improvement.

  • Top Challenges Facing Compliance Officers

    An important role of compliance officers is keeping an organization operating between the lines and ahead of risk. It’s no wonder that when it comes to the topic of compliance challenges many experts will create a long list of risks that include: AI, Cybersecurity, ESG, Fraud, Safety, Climate Change, and many, many more. These are indeed areas of concern and in need of attention. However, there will always be uncertainty and risk when it comes to meeting business objectives. What's critical is deciding how best to ensure mission success in the presence of this uncertainty.

That’s why the list of challenges should contain items related to operational aspects of compliance. These are challenges pertaining to what’s needed for compliance to be fit for purpose and capable of meeting all obligations, and contending with risk associated with everything from legal requirements to ESG commitments and everywhere in between.

The following are key challenges facing compliance officers seen through an operational lens. This is not an exhaustive list and you will no doubt have your own challenges to add to it. However, it's a good place to start when planning your compliance objectives for the upcoming year:

Identifying, Classifying, and Taking Ownership for Obligations: One of the initial challenges lies in identifying and classifying the diverse set of obligations an organization must meet. Compliance officers must take ownership and establish a clear understanding of each obligation to form a solid foundation for an effective compliance program.

Operationalizing Obligations: Once obligations are identified, the challenge is to operationalize them across the organization seamlessly. This involves defining obligation commitments and establishing processes that ensure compliance is integrated into day-to-day operations.

Organizational Structure to Meet Obligations: Deciding on the optimal organizational structure to meet obligations is crucial.
Compliance officers must strike a balance, ensuring that responsibilities and accountabilities are distributed appropriately across roles, functions, divisions, and business units.

Addressing Risks Across Programs: Determining which risks to address within a compliance program and across the entire portfolio (safety, security, sustainability, quality, corporate, ethics, AI, etc.) is a perpetual challenge. Balancing priorities and aligning risk mitigation strategies with organizational goals requires strategic decision-making.

Evaluating Operational Risk: Compliance officers must continuously evaluate and contend with operational risks associated with meeting obligations. This involves assessing potential disruptions and implementing strategies to mitigate these risks effectively.

Measuring Compliance Success: Defining and measuring compliance success is essential. Compliance officers need to establish clear metrics for conformance, performance, effectiveness, and assurance within each program and collectively across the entire compliance portfolio.

Governance of Multiple Programs: Deciding how to govern and operate multiple compliance programs and management systems is a complex task. Establishing effective governance structures and processes ensures alignment and accountability while optimizing resource utilization.

Resource Optimization: Strategically leveraging existing resources to enhance compliance capabilities is a challenge. Compliance officers must identify opportunities for improvement and implement measures to achieve better outcomes with available resources by reducing waste and tapping into underutilized talent.

Budgeting Within Risk Tolerance: Determining the size of the budget needed to meet obligations within risk tolerance, capacity, and capabilities is a delicate balance.
Compliance officers must justify budgetary needs while considering potential uncertainties. This also includes determining the size of margin needed to cushion the effects of irreducible risk.

Improving Alignment, Accountability and Assurance: These are the guardrails that protect business integrity within and across the organization. This involves fostering a proactive culture throughout the organization and ensuring that all stakeholders understand their roles.

Leveraging Technology and AI: Staying ahead of risk requires compliance officers to strategically leverage AI, technology, and management systems & controls. Incorporating these tools can streamline processes, enhance efficiency, and provide valuable insights for decision-making.

Elevating Compliance to Performance-Oriented Obligations: Moving towards Compliance 2.0 involves elevating compliance beyond mere conformance to meet performance and outcome-based obligations. This requires a shift in mindset and the adoption of operational systems and processes.

Managing the Vital Few: Deciding on the vital few objectives to monitor and manage (Pareto Rule, Theory of Constraints) is essential for focusing efforts on the most critical aspects of compliance. Compliance officers must prioritize and allocate resources to areas that significantly impact organizational and compliance success.

Pursuing Compliance Success: Ultimately, compliance officers face the ongoing challenge of determining what is essential to achieve compliance success. This involves continuous improvement, adapting to changing regulations and new obligations, and the adoption of proactive, holistic, and integrative compliance strategies.

Conclusion

The role of compliance officers is pivotal in keeping organizations operating between the lines and ahead of risk. While compliance challenges such as AI, cybersecurity, and ESG rightfully demand attention, it is equally crucial to view these issues through an operational lens.
The operational challenges outlined, ranging from identifying and classifying obligations to the pursuit of compliance excellence, provide a comprehensive framework for compliance officers to enhance the effectiveness of all their programs and achieve compliance success. Addressing these challenges requires a strategic approach, including the operationalization of obligations, organizational alignment, risk management, evaluation of operational risks, and the establishment of clear metrics for success. Governance of multiple programs, resource optimization, and budgeting within risk tolerance are additional complexities that demand careful consideration.

In addition, fostering a culture of compliance, leveraging technology, and elevating compliance to performance-oriented obligations are key strategies for staying ahead of evolving risks. As compliance officers navigate these challenges, the pursuit of compliance success necessitates continuous improvement, adaptability to changing regulations, and the adoption of proactive, holistic, and integrative compliance strategies. By focusing on the vital few objectives that significantly impact organizational success, compliance officers can prioritize efforts and allocate resources effectively.

In essence, the journey towards Compliance 2.0 involves not only meeting conformance requirements but also achieving performance and outcome-based obligations, marking a paradigm shift in mindset and operational processes. Through these concerted efforts, compliance officers play a crucial role in safeguarding business integrity and ensuring the sustained success of the organization in the face of uncertainty and risk.

  • Mastering Proactivity: A Guide to Achieving Your Goals

    Proactivity is a powerful tool that can help you achieve your desired outcomes. Proactivity is more than a mindset or an attitude. It's also a process that can be applied to any set of actions through anticipating, planning, and striving to have an impact [1]. In this article, we consider what motivates proactive behaviour and how proactivity can be applied to goals, including those to meet all your obligations.

Proactive Motivations

There are four key factors that encourage proactivity when applied to meeting goals: the obligation, ambiguity, accountability, and autonomy [1], [2].

Obligation refers to the goals associated with an outcome that you want to advance. It is the desired result that you are working towards. Considering goals as obligations creates an impetus for proactive behaviour. Obligations can be short-term or long-term, and they can be personal or corporate. Examples of obligations include losing weight, delivering a project, or making progress towards net zero emissions.

Risk refers to the uncertainty (ambiguity) with respect to reaching the goal. It is the possibility that you may not meet your obligation. Uncertainty provides a motivation to be proactive - to improve the probability of success. Risks are the effects of uncertainty on our objectives, which can be controllable or uncontrollable. Examples of risks include decreased health, unrealized project benefits, or negative impacts on the environment.

Incentive refers to the accountability for the results. It is another motivation that drives you to achieve your obligation. Incentives can be intrinsic or extrinsic, and they can be positive or negative. Examples of incentives include realized benefits, financial rewards, or social recognition (i.e. reputation).

Promise refers to the autonomy and agency to develop and work the plan. It is the commitment that you make to yourself to achieve your obligation. Making and keeping promises provides moral motivation to satisfy the obligation.
Promises can be personal or corporate, and they can be explicit or implicit. However, to be effective they need to be declared and documented. Examples of promises include meeting deadlines, meeting targets, or following rules.

Proactive Goal Setting

These factors can be applied to the process of goal setting to maximize proactivity in the following way:

Identify Obligations: start by setting clear and realistic goals that are aligned with your values, priorities, and commitments. Identify what you want to achieve and why it matters to you. This will help you stay focused and motivated.

Evaluate Risk: these are potential obstacles and challenges that may prevent you from achieving your goals. Assess the likelihood and impact of each risk and develop contingency plans to mitigate them. This will help you stay prepared and resilient.

Establish Incentives: create a system of rewards and consequences that will hold you accountable for your results. Celebrate your successes and learn from your failures. This will help you stay motivated and committed.

Make and Keep Promises: develop a plan of action that is tailored to your needs and preferences. Break down your goals into smaller, manageable tasks and set deadlines for each one. This will help you stay organized and on track.

Conclusion

Being proactive is a strong tool that goes beyond just a mindset, evolving into a dynamic process applicable to various actions through anticipation, planning, and active impact. We explored four key motivators for proactive behaviour: obligation, risk, incentive, and promise. Obligations drive proactive behaviour by linking goals to desired outcomes, whether short-term or long-term, personal or corporate. Risks, as uncertainties related to goal attainment, push for proactivity to increase the probability of success. Incentives, whether intrinsic or extrinsic, positive or negative, help make individuals accountable for results.
Promises, involving autonomy and agency, provide moral motivation for meeting obligations. Combining these motivations, a proactive goal-setting process involves identifying obligations, evaluating risks, establishing incentives, and making and keeping promises. This approach ensures clarity, resilience, accountability, and structure, fostering proactive behaviours toward achieving meaningful outcomes.

[1] Adam M. Grant, Susan J. Ashford, "The dynamics of proactivity at work", 2008
[2] Mark Burgess, "Promise Theory"
