  • What’s Missing From Compliance - It’s Not What You Think.

    When it comes to compliance, there are numerous obstacles that can hinder success, and it is vital to avoid or eliminate them. However, it's not the obstacles that appear to be the primary issue. Many people often express something crucial is absent—something that should be present but isn't. This is the point at which discussions about gaps come into play creating a list that includes gaps in training, procedures, processes, cultural aspects, and more—the usual suspects. But there is something else, something between the findings from the last audit and the preparations for the next one. Something they can't quite put their finger on. This invariably leads to the next question: "Can you assist us?" The answer is yes, but merely filling in the gaps won't be enough. To truly address the situation, we must first tackle the root cause that has led to your current situation. It’s what you are really missing, but up until now have never addressed. What many companies in your situation lack is: the opportunity to make things better, to be proactive rather than reactive. There are often reasons given for this lack of proactivity, such as budget constraints, resource shortages, and a constant barrage of urgent issues. These factors have trapped many in what seems to be an inescapable cycle. Breaking free from this trap is possible, and necessary. Although, it may require taking a leap of faith. Not a blind faith, but a faith grounded in the knowledge that being proactive can and will enhance compliance. Instead of waiting for something bad to happen, you can anticipate something good. Instead of dealing with symptoms, you can address the root cause and prevent symptoms ever happening. Instead of being uncertain and unsure, you can have confidence in your ability to meet all your obligations. The most significant risk to compliance isn't the obstacles that may hinder it, but the opportunities that are never taken to improve it. 
That's what compliance is truly missing, and the gap that needs to be closed. And yes, we can help you with that.

  • The Fallacy of Proactive Risk Management

    In recent months there's a buzzword that has been circulating: "Proactive Risk Management." While it may seem like a term that denotes a forward-thinking approach to mitigating risks, it is essential to pause and reflect on whether this phrase is truly meaningful. In this article, we delve into the topic of risk management and why the term "Proactive Risk Management" might not be as relevant or necessary as it seems. The Essence of Risk Management Before we explore the idea further, let's establish the fundamental principles of risk management. At its core, risk management is a proactive endeavour, characterized by anticipating, planning, and acting to create an impact. In essence, the very definition of risk management embodies this concept of proactivity. After all, its primary goal is to identify, assess, and handle risks before they materialize into issues or incidents. Risk Management vs. Issue Management A crucial point of contention arises when people confuse risk management with issue management. The two are distinct concepts and should not be conflated. Issue management typically occurs in response to non-conformance, problems, or incidents that have already happened. This process involves corrective and preventive actions aimed at rectifying the situation and preventing its recurrence. Issue management is inherently reactive, addressing events that are in the past. On the other hand, risk management is forward-looking. It deals with uncertainty and aims to identify potential risks and their consequences before they come to fruition. In this context, there is no such thing as "reactive risk management" because by definition, risk management focuses on what might happen in the future, not what has already occurred. The Fallacy of "Proactive Risk Management" Now, let's return to the crux of the matter – the term "Proactive Risk Management." The inherent problem with this terminology is that it adds an unnecessary layer of redundancy. 
As we've established, risk management is inherently proactive, and there is no need to qualify it as such. To label it as "proactive" is, in fact, tautological and can lead to confusion. Furthermore, by using the phrase "Proactive Risk Management," we risk perpetuating the misconception that risk management, as traditionally understood, is also a reactive process. This misconception undermines the crucial role of risk management in various industries, including safety, security, sustainability, quality and other compliance domains. The Importance of Clarity Clarity of terminology is essential in professional domains. When we use terms like "Proactive Risk Management," we risk diluting the significance and distinctiveness of risk management as a proactive discipline. It is crucial to differentiate between risk management and issue management to maintain the integrity of these processes. While the intent behind the term "Proactive Risk Management" may be to emphasize the forward-thinking nature of risk management, it inadvertently muddles the understanding of this essential discipline. Risk management, by its very nature, is proactive, and there is no need to qualify it as such. It is crucial to use precise terminology to ensure that risk management retains its distinctiveness and fulfills its role in contending with uncertainties and potential threats. As professionals in the field of risk management, let's strive for clarity and precision in our terminology, avoiding the unnecessary redundancy of "Proactive Risk Management."

  • Meeting Obligations Requires More Than Following The Rules

    Not all obligations are the same or require the same capabilities and approaches to satisfy. One way to understand obligations is to consider them as a hierarchy of needs between commitments associated with accepting legal responsibility and those connected with accepting stakeholder responsibility. These levels create increasing but separate needs to comply with minimum requirements, conform consistently to procedures and practices, improve performance to reach and sustain targets, and advance outcomes associated with stakeholder expectation. To accomplish these, each level will have a different set of functions, behaviours and interactions unique to the obligations at that level. Starting and Finishing Well Organizations most often begin their compliance journey by focusing on legal requirements associated with regulations. These represent the basic or minimum requirements needed to satisfy the conditions by which a regulatory license is given for a company to operate. When companies begin to internalize their external commitments they start to improve how they meet these basic requirements. They also have an increased desire to accept greater social responsibilities. In fact, many companies have now reached a tipping point where there are just as many, if not more, voluntary obligations associated with stakeholder expectations than those required by regulations. It is for these reasons that meeting obligations now requires more than just following rules (we call this Compliance 1). In addition, organizations need operational programs to meet performance targets and deliver compliance outcomes (i.e., Compliance 2). Adopting Compliance 2 capabilities is what Lean Compliance aims to help organizations establish. To that end, we have observed that many don’t know how compliance programs should work, which hinders their ability to implement them and improve effectiveness over time. 
That is why our approach focuses on teaching organizations the essential concepts and principles that underlie management programs based on an operational model for compliance designed for performance and outcome-based obligations. This model incorporates the science of governing, systems, risk, and promise theories, along with Lean principles and practices to ensure alignment, accountability, and assurance for organizations to meet all their obligations in the presence of uncertainty. We quickly establish these capabilities by following a version of the Lean Startup methodology to establish a minimal viable program where all essential functions, behaviours, and interactions are working together at levels sufficient to deliver benefits – the outcome of compliance. This measure of operability provides a true assessment of effectiveness that all programs must achieve and improve over time. The compliance landscape has changed and so must our approaches. This does not mean reinventing the wheel. What it does require is a different point of view. We need to look up, look forward, and build what is needed to continuously stay between the lines and ahead of risk – not a luxury, but a necessity.

  • Operationalizing Obligations: A Guide to Policy Deployment using Hoshin Kanri

    Ensuring that organizational obligations and policies are effectively deployed and upheld is a critical task. This is where Hoshin Kanri, a Lean practice, comes into play. Hoshin Kanri offers a structured approach to operationalize obligations across organizations, providing a roadmap to align objectives, ensure accountability, and drive continuous improvement. In this blog post, we will delve into the framework of policy deployment using Hoshin Kanri, shedding light on its key components and how it helps organizations steer towards better outcomes. The Framework: Policy Deployment using Hoshin Kanri At its core, policy deployment using Hoshin Kanri is about translating high-level organizational goals and policies into actionable plans that permeate throughout the organization. This framework can be summarized as follows: Define Obligations and Promises: The journey begins by defining organizational obligations and high-level policies. These policies provide guiding principles that align the organization with its strategic direction. Promises are more specific commitments derived from the policies, essentially breaking down the high-level goals into tangible objectives. Policy Deployment Plans (PDPs): Once policies and promises are established, they are captured in Policy Deployment Plans (PDPs). These plans serve as roadmaps, outlining the specific actions, responsibilities, and timelines required to meet the promises. Each PDP is a detailed action plan that brings clarity to the path forward. Negotiation: The negotiation phase is where the rubber meets the road. PDPs are not handed down from the top; instead, they are negotiated with those responsible and accountable for their execution. This negotiation process is known as "Catch-ball." It encourages open dialogue and collaboration, breaking down silos and ensuring everyone is on the same page. 
Alignment, Accountability, and Assurance Policy deployment using Hoshin Kanri is a powerful framework because it helps drive alignment, accountability, and assurance across the organization: Alignment: The process aligns every individual and team with the organization's policies and objectives, creating a shared sense of purpose. Accountability: Through the negotiation and Catch-ball process, clear responsibilities are assigned, leaving no room for ambiguity. This enhances accountability at all levels of the organization. Assurance: By monitoring both quantitative and qualitative aspects, the organization gains assurance that it is not only meeting its targets but also advancing its long-term obligations and outcomes. Two Primary Loops: Quantitative and Qualitative Regulation In policy deployment using Hoshin Kanri, there are two primary loops that guide the process: Meeting Objectives (Quantitative Regulation - Compliance 1): This loop focuses on quantitative regulation, ensuring that the organization is meeting its numerical targets and objectives. It involves tracking key performance indicators (KPIs) and metrics to measure progress towards the promises made in the PDPs. Meeting Obligations and Advancing Outcomes (Qualitative Regulation - Compliance 2): While meeting numerical targets is crucial, qualitative aspects are equally important. This loop emphasizes qualitative regulation, ensuring that obligations are met and outcomes are advanced. It involves assessing the impact of policies on the organization's culture, values, and long-term sustainability – it measures effectiveness. A Proactive and Integrative Program What emerges from policy deployment using Hoshin Kanri is an integrative and proactive program. It's not merely about meeting immediate goals but about strategically advancing the organization towards better outcomes. It's a dynamic process that encourages continuous improvement and adaptability in a rapidly changing environment. 
Building a policy deployment program using Hoshin Kanri requires a structured approach: Leadership Commitment: Start by securing commitment from top leadership. Without their buy-in, it's challenging to drive such a comprehensive change. Education and Training: Provide training and education on Hoshin Kanri principles and methodologies to all levels of the organization. Policy Development: Develop clear and concise organizational policies that align with your strategic direction and organizational obligations. Promise Identification: Identify specific commitments derived from these policies, ensuring they are actionable and measurable. Policy Deployment Plans: Create detailed PDPs that outline responsibilities, timelines, and metrics for each promise. Catch-ball Process: Implement the Catch-ball process to negotiate and refine the PDPs with those responsible and accountable. Monitoring and Feedback: Continuously monitor progress using KPIs and gather feedback to make necessary adjustments. Continuous Improvement: Encourage a culture of continuous improvement, where the organization learns from its successes and failures. Policy deployment using Hoshin Kanri is a robust framework for operationalizing obligations across organizations. It not only ensures alignment, accountability, and assurance but also drives organizations towards better outcomes. By following the structured approach outlined in this blog post, you can build a proactive and integrative program that transforms your organization's policies into tangible objectives, making a meaningful impact on its success and sustainability. To learn more on using Policy Deployment Framework to drive better compliance outcomes covering: safety, security, sustainability, quality, regulatory, and other mission critical objectives consider becoming a member of: The Proactive Certainty Program™.

  • Compliance Maturity: Embracing the Long-Term

    In today’s world, where instant gratification often takes precedence, it's easy to fall into the trap of taking a short-term view of life and business. We yearn for immediate results and quick fixes, all while sometimes neglecting the true cost of our decisions. However, it's essential to recognize that success often requires a longer-term perspective, a willingness to make sacrifices in the present to secure something of greater value in the future. In this blog post, we will explore the need to shift from short-term thinking to a long-term view and the benefits it can bring to our lives, businesses, and compliance success. Living as a Teenager The desire (or rather impulse) for instant results is more prevalent today than ever. Whether it's in our personal lives, business endeavours, or even the domain of meeting obligations, we often seek immediate gratification. We want things now, today, or, at the very least, as soon as possible. This mindset can lead to hasty decisions and a lack of consideration for the long-term consequences of our actions. Our impulse for instant gratification plays a significant role in having a short-term view of the world. We've grown accustomed to the convenience of getting what we want when we want it, and this culture of immediacy can erode our patience and resilience. This is reinforced by the ubiquity of technology, the internet, social media, same-day delivery, along with other factors, perhaps more than any other generation. A common fallacy that accompanies this line of thinking is the belief that everything will somehow work out favourably in the end. We have heard that said from many including perhaps our parents. Who doesn’t want to believe that it will all work out for the good in the end? However, this perspective tends to underestimate the real cost of our decisions, thinking either that there are no downsides or that someone else will bear the consequences, and that it won't be us. 
This mindset can lead to risky behaviour and a lack of accountability. In many ways, we are acting as teenagers driven solely by our passions (and hormones). While growing in maturity (adult-ing as some call it these days) is difficult, living forever as a teenager does not prepare us to handle the reality of how the world works. The Need to Look Up and Grow Up To break free from the shackles of instant gratification and short-term thinking, we must mature and adopt a longer-term view. This involves recognizing that success (including compliance success) often requires sacrifices in the present to attain something of greater value in the future. It means being willing to invest time, resources, and effort today for more substantial, enduring, and ultimately better outcomes tomorrow. Personally, this might mean investing in education, saving for retirement, or making responsible environmental choices, even when they don't yield immediate rewards. With respect to compliance this means taking ownership of obligations and keeping promises associated with them. However, I think it means more than this. We must learn to think beyond ourselves. Having a long term perspective is a mindset shift that enables us to make choices that are not just beneficial for us but also for our communities, the environment, and future generations. It’s the mindset of mature adults particularly those who are leaders. Some of us had the opportunity to witness that with our own parents who gave up much so that we (their children) might have a better life. This is a characteristic we value in people and businesses, and something we need to value with respect to compliance. Compliance Growth and Maturity In a world where short-term thinking often prevails, it's time to embrace the wisdom of the long-term view particularly when it comes to meeting obligations. This means sacrificing instant gratification and making choices to achieve more significant and enduring success. 
It's a path that requires maturity, patience, integrity, and a willingness to invest in a better tomorrow. We are often tempted by short-term thinking, which makes it easy to avoid responsibility and make empty commitments, which negatively impacts both compliance and business success. However, a long-term perspective reminds us that embracing accountability and fulfilling promises (the heart of compliance) is an investment in our future. It means sacrificing immediate comfort, like setting standards, or admitting when we are wrong, to build trust and reliability over time. By doing so, we not only strengthen our relationships but also contribute to a more responsible and trustworthy world, paving the way for personal and corporate success in the long run. It’s time, and it’s always been time, to look up, grow up, and pave the way for a future that truly reflects our values and aspirations.

  • Thoughts about AI

    I was listening to a podcast recently where Mo Gawdat (ex-Google CBO) was interviewed and asked about his thoughts concerning AI. Here are some of the things he said:

    Three facts about AI:

      • AI has happened (the genie is out of the bottle and can’t be put back in)
      • AI will be smarter and already is than many of us
      • Bad things will happen

    What is AI (I have paraphrased this)?

      • Before AI we told the computer how to do what we want - we trained the dog
      • With generative AI we tell it what we want and it figures out how to do it - we enjoy the dog
      • In the future, AI will tell us what it wants and how to do it - the dog trains us

    Barriers we should never have crossed, but have anyways:

      1. Don’t put AI on the open internet
      2. Don’t teach AI to write code
      3. Don’t let AI prompt another AI

    What is the problem? Mo answers this by saying the problem is not the machines, the problem lies with us. We are the ones doing this (compulsion, greed, novelty, competition, hubris, etc.), and we may soon reach the point where we are no longer in the driver’s seat. That is the existential threat that many are concerned about. Who doesn’t want a better dog? But what if the dog wants a better human? Before we get there we will have a real smart dog, that is way smarter (10 times, 100 times, or even higher) than us, which we will not understand. Guardrails for explain-ability will amount to AI creating a flowchart of what it is doing (oh how the tables have turned), one that is incomprehensible to most if not all of us. How many of us can understand String Theory or Quantum Physics even if you can read the text books – very few of us. Why do we think that we will understand what AI is doing? Sure, AI can dumb it down or AI-splain it to us so we feel better.

    Perhaps, we should add another guardrail to Mo’s list:

      4. Don’t let AI connect to the physical world.

    However, I suspect we have already passed that one as well. Or how about this?

      5. Don’t do stupid things with AI

    You can view the podcast on YouTube here:

  • Measuring Compliance Reliability and Effectiveness

    In today’s world of compliance, organizations face a dual challenge: not only must they faithfully adhere to regulations, but they must also make significant progress in their compliance efforts. This requires compliance to be reliable and effective. Eliyahu Goldratt, the visionary thinker behind the Theory of Constraints, introduced in his book, Beyond the Goal, definitions for reliability and effectiveness: Unreliability: things that should have been done but were not Ineffectiveness: things that should not have been done but nevertheless were done Though traditionally applied to operational throughput, these definitions hold remarkable value when employed in the context of compliance. In this article, we'll explore how organizations can apply Goldratt's principles to achieve both reliable and effective compliance while introducing new measurements and rules to drive the desired behaviours. Reliability: Consistently doing what should be done Goldratt's definition of unreliability - "things that should have been done but were not" - establishes the heart beat of compliance, integrity, and a commitment to keeping promises. Compliance is unreliable to the degree that an organization does not do what should be done. According to Goldratt, the end result of being unreliable, in terms of the organization as a whole, is that the company fails to fulfil its commitments to the external world. The BP Deepwater Horizon oil spill in 2010 stands out as a prime example of a company failing to do what should have been done in terms of safety and environmental compliance. In this catastrophic incident, BP compromised safety practices, lacked adequate emergency response preparedness, and neglected environmental responsibility. The result was one of the largest environmental disasters in U.S. history, with severe consequences, including environmental impacts, extensive legal and financial penalties, reputational damage, operational challenges, and leadership changes. 
Effectiveness: Not doing what should not be done Goldratt's concept of ineffectiveness, described as "things that should not have been done but nevertheless were done," complements reliability by offering a perspective on compliance progress. Compliance is ineffective to the degree that an organization does things that should not be done. If we continue to do things that we should not be doing, what is the end result? The answer is at worst mission failure and at least significant waste. For example, Volkswagen (VW), one of the world's largest automakers, was under tremendous pressure to meet strict emissions standards, especially in the United States. To comply with these regulations while maintaining high-performance diesel vehicles, VW engineers developed a sophisticated software known as a "defeat device." This software manipulated emission tests to make the company's diesel engines appear much cleaner and environmentally friendly than they were in real-world driving conditions. Volkswagen did what should not be done. You Do What You Measure Goldratt reminds us that measurements play a dual role in our endeavours. They act as navigational aids, offering insights into our current position and guiding us towards our desired destination. A common example of this is the GPS found in a car that informs us of our status. Measurements also serve as instruments of influence, shaping our behaviours and actions. However, it's vital to bear in mind that we are dealing with humans and organizations composed of humans, as Eliyahu Goldratt noted: "Tell me how you measure me, and I'll tell you how I behave." When selecting measurements, it is important to do so with the understanding that they should encourage individual parts to contribute to the overall well-being of the company. This is particularly relevant when it comes to compliance and making progress towards compliance outcomes. 
For compliance to succeed, organizations can follow Goldratt's advice by introducing measurements that foster desired behaviours: Define Clear Compliance Outcomes: Begin by clearly defining the compliance outcomes you aim to achieve. These outcomes should encompass broader objectives beyond mere adherence, such as strengthening risk management, enhancing stakeholder trust, and realizing the benefits from being in compliance: better safety, security, sustainability, quality and so on. Prioritize Outcome-Driven Activities: Align your compliance activities with the defined outcomes. Prioritize initiatives that directly contribute to progress in achieving those outcomes while eliminating or optimizing tasks that do not. Embrace Outcome-Oriented Metrics: Shift from traditional, compliance-focused metrics to outcome-oriented ones. Measure progress based on the achievement of desired compliance outcomes rather than merely tracking adherence to individual regulations. Encourage Cross-Functional Collaboration: Break down silos within your organization by fostering collaboration among departments responsible for compliance. Encourage teams to work together to achieve shared compliance objectives. Continuously Adapt and Improve: Embrace a culture of continuous improvement, where lessons learned from compliance efforts drive innovation and refinement. Regularly review and update your strategies based on outcomes and insights. Eliyahu Goldratt's Theory of Constraints, rooted in concepts such as reliability and effectiveness, offers valuable guidance for organizations seeking to transform their compliance operability. By introducing measurements and rules that focus on achieving desired behaviours and outcomes, organizations can achieve both reliability and effectiveness in their compliance efforts. 
While reliability (always doing what should be done) ensures an unwavering commitment to fulfilling obligations, effectiveness (not doing what should not be done) encourages ethical behaviours resulting in better compliance outcomes. This holistic approach empowers organizations to not only meet compliance requirements but also make significant strides toward broader compliance objectives.

  • Leaders Need To Lead, Not Manage

    True leadership demands pro-activity—anticipating, planning, and actively steering an organization toward its desired goals. This distinction becomes particularly relevant when addressing organizational culture. In this article we explore the findings of a recent Auditboard report raising important issues related to organizational culture. It also calls for internal auditors to take proactive steps in managing culture-related issues. While culture profoundly influences an organization's values and behaviours, a critical question that was not asked is: Should the audit function be responsible for improving and assuring culture? Let's take a look... 2023 Organizational Culture and Ethics Report This report highlights the prevalence of organizational failures due to a troubled culture and emphasizes the importance of assessing and improving organizational culture. The report mentions that many organizations (4 in 5) are not effectively monitoring their culture, which can lead to significant problems. The role of internal audit in assessing and providing assurance on culture is discussed, with the report presenting insights from a survey of internal audit leaders. The challenges in this regard include executive behaviour as a critical indicator, a lack of understanding about culture's aspects and risks, reluctance to tackle culture, and a lack of prioritization of culture assessment. The report calls on internal auditors to take proactive steps in addressing culture-related issues and provides guidance and tools to do so effectively. Key findings from the report include: Organizational Failures: The report highlights that numerous organizations worldwide have experienced significant failures due to troubled cultures. Examples include Enron, WorldCom, Volkswagen, Carillion, WireCard, Theranos, and FTX. Culture's Vital Role: A troubled culture lacking the right tone at the top and a constructive environment is identified as a common factor in these failures. 
Such a culture can hinder an organization from achieving its strategic goals and objectives in an ethical and healthy manner, while also undervaluing key stakeholders. Devastating Impacts: These failures have had severe consequences, affecting various stakeholders such as employees, investors, customers, suppliers, and communities. Trust in capital markets is eroded, jobs and retirement savings are lost, reputations are damaged, and long-term sustainable success is compromised. Culture Risk Indicators: The report highlights that executive behaviour is a major indicator of culture risk. Poor tone at the top, profit-at-any-cost mentality, poor communication, and unethical/illegal conduct are identified as key risk indicators. Culture Assessment Gap: Despite increased attention and scrutiny, many organizations are still not assessing their culture effectively. A significant number of senior internal audit executives have not been asked by the board or audit committee to provide reports on culture. Reluctance to Address Culture: A significant percentage of organizations do not formally audit or assess culture, and some employ piecemeal, ad-hoc approaches or limited assessment methods. This reluctance to address culture may lead to significant problems. Lack of Understanding: Many organizations do not fully understand the various aspects of culture, including its benefits, risks, key elements, drivers, and principles of a healthy culture. They may focus on the benefits while overlooking critical risks. Importance of Culture Monitoring: The report emphasizes that organizations cannot manage their culture without monitoring it. Boards and executives need to assess the health of their culture continuously and ensure it aligns with expectations. Priority of Culture Assessment: Despite the impact of culture on organizational success, many organizations do not prioritize culture assessment. They may underestimate the risks or face resource constraints. 
The Right Assessment – The Wrong Conclusion? The report raises important issues concerning organizational culture and the impact that culture can have on mission success or rather mission failure. Undoubtedly, culture is a critical factor in staying between the lines and ahead of risks. The report extends an invitation to those in audit roles, urging them to break free from passivity and seize the opportunity to guide organizations in recognizing the urgent and far-reaching impact of culture. However, the report does not raise (but it should) the question of whether the audit function should be the driver of culture improvement and assurance. The problem is that the audit function typically operates as a reactive rather than a proactive force. It also lacks the inherent managerial accountability that would allow it to drive cultural change effectively, which, even if it did, would undermine the role of those who should rightfully lead this effort. Culture emerges as a consequence of actions and serves to reinforce the values associated with those actions. Relying on management reviews, post-incident investigations, and audits reinforces a reactive approach, the very thing that the report asks internal audit to change. This reactive behaviour focused on past events is not true leadership, but rather a form of management. It aligns with internal regulation (loop 1) focused on making course corrections and corrective actions, perpetuating a cycle of reactivity, not pro-activity. True leadership, on the other hand, centres on pro-activity, involving the anticipation, planning, and action required to make substantial progress towards desired outcomes. This forward-looking approach is evident in setting goals, conducting management pre-views, pre-investigations, pre-mortems, capability assessments, as examples. 
Such practices align with internal regulation (loop 2) focused on operational governance, steering, and establishing the capabilities needed for mission success, representing a more strategic and forward-thinking approach to shaping organizational culture. In essence, managers manage loop 1 (stay on course) and leaders look after loop 2 (set the right course). To shape culture, you need to steer from the front, not from the back.

The bottom line is this: leaders (those with managerial accountability) need to lead, not manage. While audit can be responsible for aspects of this effort, it cannot be the one to lead cultural change.

  • Five Theories That Will Transform Your Compliance

    In the world of ethical, regulatory, and stakeholder obligations, understanding the underlying theories that drive compliance is key to achieving both compliance and mission success. Compliance isn't just about following rules; it's about employing strategic principles that not only ensure adherence but also deliver the benefits of always staying between the lines and ahead of risk. In this article, we will delve into the power of Management Theory (ISO 37301), Promise Theory, Systems Theory, Risk Theory, and Lean Management Theory, exploring how these theories, when put into practice, can elevate your compliance game.

    Management Theory (ISO 37301): The Blueprint for Compliance Excellence

    The ISO 37301 (Compliance Management System) standard is rooted in management theory and serves as a comprehensive guide to managing obligations effectively. It goes beyond mere rule-following and focuses on proactive strategies for meeting obligations efficiently.

    Key Takeaway: ISO 37301 provides a structured approach to compliance, emphasizing the importance of proactive planning and performance.

    Promise Theory: A Culture of Trust through Compliance

    Promise Theory, introduced by computer scientist Mark Burgess, emphasizes that compliance is not merely a checklist; it's a collection of promises (policies) made to stakeholders. When these promises align with obligations, compliance becomes a part of an organization's culture.

    Key Takeaway: Promise Theory transforms compliance into a living culture of trust, where commitments to stakeholders are honoured and upheld.

    Systems Theory: Compliance as an Interconnected Symphony

    Systems Theory underscores that compliance is not achieved in isolation. Instead, it's a symphony of interconnected components and processes within an organization that must work together seamlessly. Compliance is more than the sum of its parts.
Key Takeaway: Systems Theory highlights that Minimum Viable Compliance (MVC) is achieved when essential functions, behaviours and interactions are performing together at levels sufficient to produce compliance outcomes.

Risk Theory: Navigating Compliance in Uncertain Waters

Risk Theory acknowledges that compliance is not just about meeting expectations under ideal conditions. It recognizes that businesses must be resilient and adaptable in the face of uncertainty and risk.

Key Takeaway: Risk Theory encourages organizations to build effective risk measures to improve the probability that compliance outcomes will be achieved in the presence of uncertainty.

Lean Theory: Efficiency and Continuous Improvement

Lean Management is a philosophy that focuses on efficiency, waste reduction, and continuous improvement. When applied to compliance, it streamlines processes and eliminates inefficiencies.

Key Takeaway: Lean Management principles can be harnessed to optimize compliance processes, making them more efficient and adaptable. This frees up resources to be more proactive with compliance, delivering compounding benefits over time.

Harnessing the Power

Understanding the theories behind compliance is crucial for success in ethical and regulatory matters. This article explored five powerful theories: Management Theory (ISO 37301), Promise Theory, Systems Theory, Risk Theory, and Lean Theory, and their potential to transform compliance. ISO 37301 offers a structured approach, emphasizing proactive planning. Promise Theory fosters a culture of trust by aligning commitments with obligations. Systems Theory stresses the interconnected nature of compliance components. Risk Theory focuses on resilience and adaptability. Lean Management improves efficiency. In summary, compliance is about more than just rules; it's about using these theories to thrive in a competitive business world.
Applying them can help navigate uncertainty, build trust, streamline processes, and achieve compliance excellence, improving the probability of long-term mission success.

  • Beyond Regulatory Compliance: Crossing the Tipping Point

    Today’s businesses must navigate an intricate landscape of regulations, commitments, and evolving stakeholder expectations. Compliance encompasses responsibilities related to privacy, security, safety, sustainability, and quality, along with other categories of risk. These obligations comprise both a regulatory component and an increasingly influential non-regulatory component shaped by stakeholder demands, the latter now coming into view as part of Environmental, Social & Governance (ESG) expectations.

    Operationalizing all these obligations in a cohesive manner is crucial for mitigating risks, driving performance, and securing the longevity of an enterprise. This requires integration, but not with traditional legal, audit, and compliance functions as some may suggest. Instead, the role of meeting obligations is moving towards operational functions (and in some cases creating new ones) where performance management and operational excellence can be applied to continuously deliver on promises associated with all organizational obligations. It is within this context that the concept of Operational Compliance has emerged as a keystone in ensuring both compliance and mission success.

    Navigating Beyond Regulatory Boundaries

    Compliance today must address a two-fold challenge. Regulatory mandates serve as a necessary bedrock, with legal obligations dictating the do's and don'ts for businesses associated with a legal license to operate. However, the landscape has evolved with the surge in non-regulatory obligations, moulded by stakeholder expectations associated with what could be called a social license to operate. These obligations are steadily nearing the magnitude of regulatory requirements and in some cases already have. Organizations are expected to shoulder the mantle of ethical stewardship, integrating considerations of social responsibility, environmental impact, and customer well-being into their operations.
They must deliver on commitments made to advance outcomes and achieve and improve performance targets. The implications of this shift are profound. The traditional focus and attention predominantly given to regulatory obligations is not enough and hasn't been for some time, highlighting the need for a different approach. Compliance is no longer just about adhering to the law; it's about operating within a complex nexus of obligations that intertwine with a company's purpose, values, identity and, even more so, its operations.

Performance-Based Paradigm

The cornerstone of modern compliance lies in its performance-based orientation. It's not merely a checklist exercise; rather, it's a dynamic commitment to buying down risks and advancing outcomes associated with all organizational obligations. The emphasis on outcomes is pivotal – shifting the focus from ticking boxes to realizing tangible results. This shift has propelled compliance into a proactive sphere, where risk mitigation is interwoven with both strategic and operational decision-making and embedded as part of management programs and systems.

Technical capabilities are essential in this endeavour. As the business landscape grows more intricate, organizations must harness cutting-edge technologies to fortify security, optimize sustainability, ensure safety, and elevate quality. But technical prowess alone is insufficient. What is also needed is operational excellence to transform organizational capabilities into real-world outcomes associated with compliance obligations.

Beyond Audits Towards Operational Compliance

Gone are the days when legal departments and compliance units were the sole custodians of compliance. The new paradigm demands a more integrated, holistic, and proactive approach – Operational Compliance. However, Operational Compliance is not confined or defined by periodic audits and mandatory reporting; it's a whole systems approach that encompasses the entirety of an organization's value chain.
It's not unlike a symphony where each note, from procurement to production, and from distribution to customer service, resonates with the heartbeat of keeping promises associated with organizational obligations. In this new paradigm, management programs act as conductors of this symphony. They infuse value chain capabilities with the essence of promise-keeping and integrity, creating a harmonious rhythm that sustains the life of an organization. These programs help transcend traditional compliance roles into the domain of operational excellence.

Adopting The New Paradigm

The importance of Operational Compliance is unequivocal. In a world shaped by intricate regulations and dynamic stakeholder expectations, the traditional focus solely on legal obligations is diminishing. The essence of compliance now lies in its performance: transforming obligations into opportunities and risks into rewards. Operational Compliance is the keystone of this new paradigm and is more than a function; it's a mindset, a commitment, and a strategic advantage. It leverages technical capabilities and management prowess to turn obligations into achievements, and compliance into a catalyst for better stakeholder outcomes. The integration of Operational Compliance within the value chain is critical to establish a resilient, adaptive, and ethically-grounded organization – one poised to navigate the complexities of today's regulatory and stakeholder landscape with assurance.

More information on the topic of Operational Compliance:

Steering Compliance: Three Imperatives for Operational Compliance Programs
Traditional versus Operational Approach to Compliance
Compliance Programs and Systems
Why Organizations Are Ineffective at Compliance
Compliance: the triple threat against mission failure

  • What is Minimum Viable Compliance (MVC)?

    When it comes to the performance-based compliance required by organizations where compliance failure means mission failure, we need more than working systems – we need systems that work. For compliance systems to work they must be operational. They must achieve a minimum level of compliance defined as Minimum Viable Compliance (MVC). MVC is achieved when essential functions, behaviours, and interactions work together at levels sufficient to create compliance benefits (the outcome of compliance).

  • Unlocking the Potential of ISO 37301

    For compliance to succeed you must manage your obligations, but more importantly you need to keep your promises. This requires several things working together to produce the outcome of compliance: better safety, security, sustainability, quality, lower risk, and ultimately better stakeholder trust. ISO 37301 can help you achieve those outcomes, but only if you intend to keep your promises. Otherwise, it will just be another standard among others that adds more work and cost and delivers few benefits. ISO 37301 is not a rule-based standard like many of the others. ISO 37301 is performance-based, which makes it ideal for performance and outcome-based obligations, and where compliance failure means mission failure. In this webinar, I help you understand what ISO 37301 is all about, how it works, and how to use it to keep all your promises. By doing so you will realize more than just incremental improvements. You will experience transformational benefits that compound year over year. You can download the PDF of the presentation here: You can view the video recording of this webinar by becoming a member of Lean Compliance.
