
  • The Triple Threat of Effective Risk Management: Ensuring, Insuring, and Assuring

    Risk and compliance practitioners often find themselves navigating the nuances in terminology that can sometimes blur the lines between seemingly similar concepts. Three words in particular - ensure, insure, and assure - are frequently used in the context of risk management, yet they each hold distinct meanings that are crucial to understand. In this article, we'll explore these three terms, their definitions and how they work together to create a comprehensive risk management strategy for your compliance objectives. Ensure: Ameliorating the Reducible When we talk about "ensuring" something in risk management, we're referring to the process of making certain that a specific outcome will occur. This typically applies to risks that are identifiable and can be reduced through targeted actions. For example, ensuring that a building has adequate fire protection systems or that employees receive comprehensive safety training are ways to "ensure" that the risks associated with these areas are minimized. By taking proactive steps to address these reducible risks, we can feel confident that they will be effectively managed. Insure: Buffering the Irreducible In contrast, "insuring" against risk involves providing a financial cushion (i.e. margin) to mitigate the impact of risks that are difficult to predict or control. This is particularly useful for risks such as natural disasters or legal liabilities, which can be challenging to eliminate entirely. By transferring these irreducible risks to an insurance company, organizations can create a safety net that protects them from the potentially devastating consequences of these events. This allows them to focus on managing the risks they can influence more directly. Assure: Guaranteeing the Outcome The third term, "assure," is all about providing confidence that the risk management measures in place are truly effective for both reducible and irreducible risk.
This involves processes of planning, design, implementation, monitoring, and adjustment to ensure the risk management strategy remains aligned with the organization's objectives and the changing nature of the uncertainty it faces. Assurance is not a one-time event, but rather a continuous cycle of evaluation and refinement. By regularly reviewing the effectiveness of risk management efforts, organizations can make informed decisions about where to allocate resources and how to optimize their approach. Bringing It All Together These three terms - ensure, insure, and assure - work together to create a comprehensive risk management strategy. By understanding the distinct roles they play, risk and compliance practitioners can develop a multi-layered approach that addresses both reducible and irreducible risk, while also providing the necessary assurance that their efforts are truly making a difference. Mastering this trio of concepts is essential for anyone looking to meet all their obligations and keep their promises with confidence and success. So the next time you find yourself in a discussion about risk or compliance, remember the power of ensure, insure, and assure, and how they can work together to increase your probability of mission success.

  • Redefining Quality Assurance and Control

    Quality assurance (QA) and quality control (QC) are two complementary but distinct concepts that have evolved over time in the world of projects, product development, and manufacturing. Traditionally, QC was viewed as the primary means of ensuring quality with QA added to corroborate QC findings. However, as processes and methodologies have advanced, the roles of QA and QC have shifted, with QA now taking on a more proactive and comprehensive approach to quality management. QC: The Reactive Measures At its core, QC is a set of activities focused on identifying and addressing defects or issues after the fact. QC involves inspections, testing, and other validation measures to catch errors or problems before a product is released or reaches the customer. This reactive approach was long considered the primary means of ensuring quality, with the goal of weeding out any flaws or nonconformity. While QC remains an essential component of quality management, it has become clear that a reactive strategy alone is not sufficient. Relying solely on QC means that issues are only identified after they've already occurred, often at a much higher cost to fix. QA: The Proactive Measures In contrast, QA takes a more proactive and holistic approach to quality. Rather than simply checking for defects, QA focuses on building quality into the process from the very beginning. This involves activities such as: Establishing clear quality standards and processes Implementing quality control measures throughout the development life-cycle Conducting risk assessments and mitigating potential issues Providing training and guidance to ensure quality-focused practices Continuously monitoring and improving the overall quality management system By taking a proactive stance, QA aims to prevent issues from arising in the first place, rather than just reacting to them. 
This shifts the focus from detection to prevention, ultimately leading to higher-quality products and a more efficient development process. QA as the Measure of Assurance As the role of QA has evolved, it has become the primary measure of an organization's overall confidence in the quality of its projects, products or services. QA encompasses not just the technical aspects of quality but also the broader systems, processes, and cultural elements that contribute to quality. A robust QA program demonstrates an organization's commitment to quality, its ability to anticipate and address potential issues, and its confidence in the end product. By aligning QA with strategic business objectives, organizations can ensure that quality is a key driver of success, rather than just a reactive afterthought. Assurance for all Compliance Programs While the roles of QC and QA have shifted, they remain complementary and essential components of a comprehensive quality management system. QC continues to play a crucial role in identifying and addressing defects, while QA provides the strategic framework to ensure that quality is woven into every aspect of development along with quality activities themselves. Just as QA has evolved from a reactive quality control function to a strategic, holistic approach for product development, leading organizations are now harnessing QA to provide comprehensive assurance across the full spectrum of compliance programs. By applying QA rigour to areas like workplace safety, data security, environmental sustainability, ethical business practices, and regulatory compliance, companies can proactively identify and mitigate risks, foster a culture of accountability, and demonstrate their commitment to stakeholders. In doing so, they not only protect against costly failures, but also position themselves as responsible, trustworthy, and forward-thinking industry leaders.

  • The Paradox of Change: Why Resistance is Inevitable

    We often hear the mantra "change is inevitable." This axiom has become so ingrained in our collective consciousness that we rarely pause to consider its implications. However, what many fail to recognize is that change doesn't occur in a vacuum. Instead, it unfolds within systems meticulously designed for consistency, constancy, and conformity to specifications. These systems of stability are not without merit. They serve crucial functions in ensuring: Quality control Safety standards Sustainability practices Security measures In essence, these frameworks act as a bulwark against variability, resisting change in all its forms. This resistance is not a flaw but a feature, designed to maintain the integrity of processes that have been proven effective and reliable. The Human Factor Beyond the systems themselves, we must consider the human element. Organizations routinely instruct their staff to: Maintain consistency in their work Adhere strictly to established rules Follow standard operating procedures without deviation Moreover, during the hiring process, companies actively seek out individuals who excel at following these directives. Once onboard, these employees are often rewarded for their ability to maintain the status quo efficiently. The Inevitable Clash Given this context, it should come as no surprise that resistance to change is not merely a possibility but an inevitability. When we introduce change into an environment specifically engineered to resist it, friction is bound to occur. This resistance isn't necessarily a sign of failure or obstinacy. Rather, it's a natural consequence of the systems and cultures we've cultivated. The very qualities that make an organization stable and reliable in the short term can become obstacles to necessary evolution in the long term. Navigating the Paradox Understanding this paradox is crucial for leaders and change managers. It highlights the need for a nuanced approach to organizational transformation. 
Instead of viewing resistance as a hurdle to overcome, we should recognize it as an integral part of the change process itself. Effective change management, therefore, isn't about eliminating resistance—it's about working with it. This might involve: Clearly communicating the reasons for change Involving stakeholders in the change process Providing support and training to ease the transition Acknowledging and addressing valid concerns But, most of all, it involves developing a capacity for change. Developing the Capacity for Change As we navigate the complex terrain of organizational change, let's remember that resistance isn't a bug in the system—it's a feature. The key to success lies not in eliminating this resistance, but in developing our capacity to work with it effectively. Developing the capacity for change involves: Fostering a culture of adaptability alongside stability Building resilience at both individual and organizational levels Creating systems that can flex without breaking Encouraging continuous learning and skill development By recognizing and respecting the value of both stability and change, we can create more resilient, adaptive organizations. These organizations don't just weather change—they thrive on it, using each transition as an opportunity for growth and innovation. The next time you encounter resistance to change, pause to consider its source. It might just be a sign that your systems are working exactly as designed. The challenge, then, is not to eliminate resistance, but to harness it as a force for thoughtful, strategic evolution. By developing your organization's capacity for change, you transform resistance from a barrier into a valuable tool for navigating the ever-shifting landscape of business and technology. Remember, the goal isn't to become impervious to change or to eliminate all resistance. 
Instead, aim to build an organization that can adapt swiftly and intelligently, turning the inevitability of change into a competitive advantage.

  • Tyrannical Compliance

    Companies often consider compliance as a "necessary evil" rather than a "necessary good." They sometimes feel they are forced to comply with arbitrary rules that have little correlation with the outcomes they are trying to achieve. This isn't hard to imagine when excessive audits and controls are put in place as a reaction to a serious incident or serious audit findings. This reactive approach makes compliance look more like a tyrant rather than a leader. Rather than serving as a helpful guide like a GPS, compliance has become an oppressive force for these companies. It now dictates and manipulates their actions, much like a controlling puppeteer. Why is compliance necessary? Compliance, at its fundamental level, is about keeping promises to obligations that we have made. These obligations may be in the form of agreements to follow such things as: engineering standards, building codes, traffic laws, quality standards, or internal policies and procedures. In addition, regulations and standards set a benchmark for normative behaviour. Without them we would all be doing our own thing. While this may have some benefits, it breaks down when we try to work and live together. As an engineer, I have always had to comply with rules (i.e. requirements) of all kinds such as: laws of physics, mathematical theorems, laws of cybernetics, engineering standards, time and budget constraints, and the list goes on. Professional engineers in Canada (and other parts of the world) are also constrained by law to protect public safety which adds ethical and moral obligations. All of these are a form of constraint, and to an engineer these are seen as challenges and not problems. The essence of engineering lies in designing solutions that work within given constraints while planning for unforeseen circumstances to ensure system goals are achieved. Far from stifling innovation, these limitations actually fuel creative thinking. 
Compliance with regulations in many ways is no different than an engineer designing a system to meet product or customer requirements. However, what is different is the way in which these are done and therein lies the rub. We know it's best to design safety and quality into our products, services, and manufacturing. This produces better results than inspecting and auditing for conformance afterwards. The former makes compliance an engineering problem, while the latter makes it a policing and enforcement problem. When compliance is viewed primarily as a means of imposing rules, it's no wonder many regard it as an unwelcome but unavoidable burden. When is compliance evil? We know that too much order (or control) removes autonomy from both individuals and organizations. At some point this loss of autonomy diminishes agency, among other things, resulting in companies only doing the minimum of what is asked of them. Many organizations subject to heavy governmental oversight have, regrettably, experienced this perspective firsthand. Companies may also not differentiate between conformance to a standard and compliance to a regulatory statute. For example, many view compliance as a tax on productivity and so they want to do the minimum as they do with paying their taxes. This same perspective is often applied to other kinds of obligations. Minimizing taxes is one thing, however, taking this same minimalist approach for safety and quality is another matter and perhaps even unethical. Sometimes, regulations and standards are not well designed which further contributes to a negative view of compliance. This can be seen with early versions of the quality management standard ISO 9001. When this standard was introduced, it was very prescriptive and subject to much interpretation. Recent changes to this standard have attempted to address some of this by moving to a management-based approach. This affords organizations with a greater degree of autonomy. 
However, this comes with the requirement that organizations develop their own means (their own rules) by which they will meet their obligations. With greater autonomy there is also greater responsibility. This realization is becoming evident to those implementing risk-based approaches in their compliance programs. The lack of prescription, while a good thing, is viewed negatively because it's more difficult to audit. Instead of checking conformance to a prescriptive rule, you need to evaluate performance and effectiveness against targeted goals and objectives. As a consequence, auditors can no longer tell organizations what to do and neither should they. Each company must figure out for themselves how best to manage risk to prevent defects as well as achieve their quality outcomes. How compliance can be a leader rather than a tyrant Organizations should not give up ownership for meeting obligations by blindly following standards and regulations as if these were tyrants. Instead, they should take back responsibility and own their commitments. This involves deciding what strategies are best for their company to meet all their obligations and stay ahead of risk. And when it comes to safety, security, sustainability, quality or the environment, this requires more than just following rules. It requires leading the organization towards better outcomes. Finding the right balance that creates enough order without sacrificing too much autonomy is challenging. However, this is precisely the challenge that those accountable for obligations must take on for compliance to fulfill its purpose of protecting and ensuring value creation.

  • Book Of The Month - Fundamentals of Risk Management

    First of all, I believe that those working in risk management should: Understand what risk is and why contending with risk is important Understand the fundamental concepts of risk management Be familiar with the primary tools and techniques used to manage risk across different risk domains Be familiar with industry standards and practices for applicable risk domains (COSO, ISO 31000, etc.) Know how to estimate uncertainty, identify risk, build a risk register, use a bow-tie analysis (or appropriate analysis tool), and identify measures to improve the probability of achieving objectives across various risk domains: safety, compliance, enterprise, project and other risk categories. The last objective is vital to connect all the risk concepts together so that the benefits of risk management can be obtained. Hopkin's book, "Fundamentals of Risk Management – 5th Edition" covers many of the topics needed to meet the above objectives and should be a good reference for students of risk management. There is much to like about this book. It is one of few that provides a comprehensive overview of risk management with a good selection of topics applicable to compliance, safety (hazards), finance and enterprise risk. Topics include: Part One - Introduction to risk management Part Two - Approaches to risk management Part Three - Risk assessment Part Four - Risk response Part Five - Risk strategy Part Six - Risk culture Part Seven - Risk governance Part Eight - Risk assurance However, there are some topics that might need further elaboration for those who want to master risk management: Further development of the role that uncertainty has with respect to risk would be helpful. This requires a more thorough discussion on the nature of uncertainty, cause/effect models, and working definitions for objectives, outcomes, and goals, among other things.
Hopkin uses examples from different risk domains when discussing each risk concept which is helpful but may also lead to misapplications of tools and practices. Readers may come away thinking that a particular tool or practice is applicable for safety when it only applies to financial risk. Clarification of which risk tools should be used, and when, would help. Worked examples or exercises would be beneficial with respect to developing risk plans, estimating uncertainties, identification of risk, developing risk measures, and how to continuously track risk throughout the objective life-cycle. Enterprise Risk Management (ERM) is offered (or at least assumed) as a unified approach for risk management. However, in practice ERM tends to be applied only to corporate and financial risk. Since risk never stands alone this might be better handled as part of a discussion of GRC (governance, risk, and compliance) or other frameworks. Quantitative risk tools and practices (probabilities, likelihoods, Monte Carlo, estimation techniques, aggregation, modelling, prediction, etc.) are not discussed. A summary chapter of the quantitative risk principles might be helpful. The following version of his book has been updated to include: "Now revised to be completely aligned with the recently updated ISO 31000 and COSO ERM Framework, this comprehensive text reflects developments in regulations, reputation risk, loss control and the value of insurance as a risk management method. Also including a thorough overview of international risk management standards and frameworks, strategy and policy, Fundamentals of Risk Management is the definitive text for those beginning or considering a career in risk." "Fundamentals of Risk Management - 5th edition" by Paul Hopkin is a great reference for those who want to learn about risk management to improve the probability of mission success.

  • How is Your Compliance Vision?

    Having worked in compliance for several decades, I've witnessed firsthand the transformative power of having a clear compliance vision in areas of safety, security, sustainability, quality, regulatory, ethics, and other compliance programs. In this article I explore how organizations can achieve a clear vision for their compliance by leveraging three critical perspectives: hindsight, insight, and foresight. By integrating these elements and harnessing the power of both human expertise and advanced technologies, compliance departments can move beyond mere reaction to regulations and instead position themselves as strategic drivers of organizational integrity and risk management. Hindsight: Learning from the Past Hindsight in risk and compliance involves thoroughly examining historical data and past events. This retrospective analysis is where machine learning (ML) truly shines. ML algorithms can process vast amounts of historical compliance records and risk event data, identifying patterns and trends that might escape human notice. AI-powered systems analyze past compliance metrics, risk indicators, and incident reports, highlighting significant events and recurring issues. This machine-driven hindsight provides a factual basis for understanding what has occurred and why. It helps organizations recognize patterns in past compliance failures or risk events, offering a foundation for improvement. However, the interpretation of this historical data still requires human expertise to contextualize the findings and draw meaningful conclusions. Insight: Understanding the Present Insight bridges hindsight and foresight, focusing on deriving meaning from both historical and current data to understand the present state of risk and compliance. This is where the collaboration between human expertise and machine learning is most evident. Machine learning contributes by providing real-time analysis of current compliance metrics and risk indicators. 
AI systems can continuously monitor for anomalies, flagging potential issues for immediate attention. Natural Language Processing capabilities allow for rapid analysis of current regulatory documents and internal policies, identifying potential compliance gaps. Human experts then interpret these machine-generated insights, applying their knowledge of the business context, regulatory environment, and industry trends. This human-machine collaboration enables a deep understanding of the organization's current risk and compliance posture, identifying areas of vulnerability and opportunities for improvement. Foresight: Anticipating the Future Foresight, being prospective in nature, is primarily driven by human expertise in risk and compliance management. It involves the ability to anticipate future regulatory and commitment changes, emerging risks, and their potential impacts on an organization. While machine learning can contribute through predictive analytics, using historical and current data to forecast potential future scenarios, the core of foresight relies on human judgment and the setting of goals and direction. Compliance and risk experts analyze proposed regulation (internal and external), industry trends, and potential threats and opportunities, projecting how these might evolve and affect business operations. They develop strategies for various risk scenarios and compliance challenges, drawing on their experience, intuition, and understanding of the broader risk landscape. This human-led foresight allows organizations to prepare proactively for potential risks and opportunities with respect to meeting obligations. It enables the development of forward-looking strategies that not only ensure compliance but also position the organization advantageously by staying between the lines and ahead of risk. 
Integrative Vision The journey from reactive to proactive compliance is not just about staying ahead of regulations; it's about fundamentally changing how organizations see compliance. By cultivating clear sight through the lenses of hindsight, insight, and foresight, compliance practitioners can elevate their role from regulatory enforcers to ensuring and protecting total value creation. Hindsight allows us to learn from past experiences, turning historical data into valuable lessons. Insight enables us to interpret current trends and regulatory landscapes with precision. Foresight empowers us to anticipate future challenges and prepare our organizations accordingly. Together, these perspectives create a comprehensive compliance vision that transforms how we approach our responsibilities. This proactive stance offers numerous benefits. It reduces the risk of non-compliance and associated penalties, enhances organizational agility in the face of regulatory changes, and fosters a culture of integrity that can become a significant competitive advantage. Moreover, it positions the compliance function as a value-add to the organization, contributing directly to strategic decision-making and risk management. As compliance leaders, our mandate is clear. We must champion this proactive approach, leveraging both human expertise and technological advancements to achieve a holistic and clear compliance vision. By doing so, we not only protect our organizations from regulatory pitfalls but also drive sustainable growth and build stakeholder trust in the presence of increasing uncertainty. The path from reactive to proactive compliance may be challenging, but it is undoubtedly the way forward. With an integrative and clear vision, we can navigate the complexities of modern regulation, turning compliance from a necessary cost into a strategic asset.
In doing so, we don't just meet today's standards – we set tomorrow's, ensuring our organizations are well-prepared for whatever obligations the future may hold.

  • Fighting Dragons using LEAN

    In past presentations I have spoken on the topic of risk which of course meant we also talked about dragons. Dragons, metaphorically speaking, represent uncertainty in our endeavours that hinder and often thwart our adventures. In the real world uncertainty creates the opportunity for risk which if not addressed hinders or thwarts mission success. It should not come as any surprise that Implementing LEAN might have its share of dragons to contend with and overcome. In this article we explore the problem of why so many LEAN implementations end in failure. Although we will focus on the supply chain the problem of failed LEAN implementations crosses almost all domains where LEAN is used. There are many reasons why LEAN fails and there are many who have written about them. However, not many have talked about the root cause of these failures. That is why in this article we will be paying close attention to a specific dragon; one that hinders almost all LEAN implementations and probably yours. According to Eliyahu Goldratt (the author of Theory of Constraints) if we don’t contend with this dragon, we will never see the benefits of any of our LEAN initiatives. By finding this dragon I hope that we will find gold in learning what to avoid and what to pursue to successfully implement LEAN in our organizations. We know that hope is a wonderful thing but it is not an effective strategy against risk or dragons. Instead, we will use LEAN A3 problem solving and Theory of Constraints (TOC) as our guide to improve the chances of finding the dragon and the treasure that awaits us. In a manner of speaking, we are going to use LEAN to fight a dragon; the one responsible for causing so many LEAN initiatives to fail. At least that’s the plan. We have a lot of ground to cover (so too speak) so let’s start looking for this dragon. ROADMAP We will need a roadmap for our journey and for this we will use the LEAN A3 Process. Some of you might be familiar with A3 Problem Solving. 
It is simple method that is very effective applicable for problems small and large. Don’t worry if you haven’t’ seen A3 before. We will work through each part of the LEAN A3 process in detail starting with the definition of the problem. A3 - PROBLEM STATEMENT For A3 to work we need to first state our problem. This is perhaps the hardest part of the process with the greatest impact on failure if not done correctly. As has been said before, "A problem well-stated is a problem half solved." Not knowing the problem increases the certainty that whatever answers we come up will miss the mark. It is important to be clear what the problem is which in our case is this: 70% of LEAN implementations do not create value (i.e., benefits) which threatens mission success. Our dragon has been busy. The number of 70% is debatable but most people agree that many organizations struggle to apply LEAN successfully and receive real benefits. It seems that after the low hanging fruit has all been picked realizing any significant value from LEAN is few and far between. Perhaps, this resonates with some of you. Maybe you might be struggling with how to apply LEAN to improve your supply chain. We are going to look at the reasons why this might be. To do that we need to better understand the background to our problem. We need to answer the question of, “How did we get here?” A3 - BACKGROUND This leads us to the next step in the A3 process: BACKGROUND. Here we are looking to answer questions such as: Why is this topic important? What is the context of the problem? Why should our organization care about this situation and be motivated to participate in improving? Good questions that need good answers. SUPPLY CHAIN DISRUPTION Whatever has led organizations to consider LEAN in the past these reasons will mostly put aside as organizations all over the world contend with the ongoing effects of COVID-19. 
As a result of the current pandemic the supply chain has been disrupted more than it ever has in recent history. The following chart is from a study conducted by EY in 2021 on the top priorities that now face the supply chain: The top 5 include the need to: Increase efficiency Retrain / Re-skill workforce Increase visibility Increase responsiveness / resiliency Manage / reduce costs To address the top most priorities many organizations are looking to and doubling down on their LEAN initiatives. Applying LEAN around the edges of the supply chain with modest efficiency gains will not be enough to compete in a post pandemic world. THE STATUS OF LEAN LEAN has been adopted by many industries and is considered an important enabler to address the current and on-going supply chain issues. Unfortunately, the problem that is facing many is that they are struggling to receive any real benefits from their efforts which is putting their business at risk. Many are wondering which LEAN framework is best to use. Here are a few of the frameworks: Quality Strategies Lean TPS Lean Six Sigma Theory of Constraints Digitalization Agile Supply Chain Each of these have a different approach and a different goal. Knowing which one to use and how to leverage it to deliver real benefits are important questions that companies are attempting to answer. Having chosen a framework(s) the next question is where should it be applied to create a real impact on the supply chain? The following is Michael Porter’s value chain which we have extended to include risk & compliance components which also cut across the entire chain: You can consider this as a system of processes working together to create the desired outcomes for an organization. Knowing where and want to change is not trivial. It requires knowledge of dependancies and how things work overall. All too often there is no one that understands or has enough scope to sponsor system level changes across the entire chain. 
This leads to proximal and suboptimal improvements that do not contribute to value creation or value protection for that matter. Even when changes have been identified many organizations do not properly manage the change itself. Many focus only on the technical aspects of LEAN (i.e., tools) and ignore the people and process side of change, as surprising as that might be. Steps needed to realize the benefits are seldom taken, leaving much of the benefits to chance (another dragon indeed). A3 – CURRENT CONDITION Now that we have a better idea of the context and why this is important we can move on to the next step in the A3 process: CURRENT CONDITION. Here we identify the situation right now in our organizations: How are things working today? What is contributing to our problem? What are the current LEAN capabilities to address the problem? Each company of course will have different answers to these questions. However, generally speaking there are two broad categories for how LEAN is working and what might be contributing to the problem we are trying to solve. OLD FACTORY MODEL The first category are organizations that are operating under the OLD FACTORY MODEL. This is a traditional, linear view of manufacturing. Value creation is measured by the difference between the price products or services are sold and the cost of making or delivering them. You can call this margin. To stay competitive these companies lower their prices while undergoing cost reduction programs by applying LEAN. This is a race to the bottom strategy. To win you need the lowest price and own the majority of the market. This approach however often leads to less value for the customer and fragility (the opposite of resilience) across the supply chain as most of the margins have been removed or greatly reduced. I am still shocked to find that many have eliminated their safety stock to further drive down costs. This creates vulnerabilities instead of value.
This is the situation facing many LEAN implementations; the drive to the bottom. NEW FACTORY MODEL The second category are organizations that are operating under the NEW FACTORY MODEL. This model is based on seeing the supply chain as a network or hub. The goal of the NEW FACTORY MODEL is to continuously add new value for each customer. Apple and Amazon are good examples of how this is done. These companies focus on value creation activities as well as cost reduction programs but this time without losing value. Margins (and by this I mean value) get larger over time and organizations become more resilient (the opposite of fragility). This is called a race to the top strategy. Notice that LEAN is used as before but this time with a different strategy, purpose and a different outcome. LEAN is creating greater resiliency and value rather than fragility and loss. You might now start to get where I am heading and why LEAN projects fail and why they succeed. We are close to finding our dragon. A3 – GOAL / TARGET CONDITION The next step of the A3 process is to identify the goal or next target condition: What does success look like for LEAN implementation? What outcome are we expecting and for what reasons? Our goal is to have the majority of LEAN implementations create real value. Value realization is the measure of success. This is essential to create greater resiliency, better margins, improved visibility, and other outcomes for the supply chain. Even organizations that have efficient supply chains can still be noncompetitive. What is preventing us from achieving our goal of more successful implementations? A3 – ROOT CAUSE ANALYSIS This brings us to the root cause analysis step of A3 and where we hope to find our dragon at last. To achieve our goal we need to address the root cause or causes for why LEAN implementations are failing. The tool we will use is based on lessons from Eliyahu Goldratt based on Theory of Constraints (TOC). 
This starts with recognizing that LEAN is (among other things) primarily a technology. LEAN AS A TECHNOLOGY LEAN is no different from any other body of knowledge or know-how we apply to achieve some result or purpose. What Goldratt recognized and perhaps you have as well is that we are really bad at adopting new technology. But that is not the worst of it – we are even worse at exploiting new technology. And therein lies the rub. Here lies our dragon. Eliyahu Goldratt proposes that: “Technology can bring benefit if, and only if, it diminishes a limitation.” In our case, LEAN can deliver benefit if, and only if, it diminishes a limitation. Think about this for a moment. This is critical to what follows. We can imagine that our supply chain is operating at a certain level of performance. We can change any part of the chain which may improve something. However, if this does not eliminate or vastly reduce a limitation, this change will have little effect on the supply chain as a whole. LEAN may eliminate waste, or variation, or achieve some other improvement but if it does not eliminate a limitation we will never see any real impact. This is why LEAN fails. This is our dragon. Are you getting this? THE POWER OF LEAN To better understand this important insight Goldratt developed four questions that if we answer carefully will uncover the gold that our dragon has been hoarding: What is the power of the new technology? What current limitation or barrier does the new technology eliminate or vastly reduce? What rules, patterns and behaviours are used today to bypass the limitation? (work arounds) What rules, patterns or behaviours should be adopted to benefit from the new technology? Let’s see how this is applied as we consider three scenarios: The Power of MRP (Materials Requirements Planning) The Power of LEAN TPS The Power of DESIGN THE POWER OF MRP In the 1980s many companies were adopting MRP (Material requirements planning) capabilities, the precursor to ERP.
At that time it would take, let's say, 5 days to create a master production schedule (MPS) manually with a large department. As a result companies would only perform these calculations once a month. This meant that the orders needed to be frozen for the month; you couldn't make any changes until the next month. It also meant that manufacturing and shipping were organized around monthly cycles. This was the norm. With the introduction of MRP companies could calculate an MPS within a day. This was the power of MRP – it could perform calculations faster. Large departments to perform calculations were no longer needed so staff could be reduced. This was an improvement in efficiency and savings for many companies. This was the return on investment that most realized. However, some companies got more from their MRP implementation. What was the limitation before MRP? The limitation was that production schedules could only be updated once a month. What was the work around for this? What were the rules that were introduced by the limitation? The answer is that production and shipments were also done monthly. Some companies decided to change these rules. They started to calculate the MPS every week and some every day. What they also did was change their manufacturing and shipping rules to align with the increased frequency. This is one of the reasons why Amazon became a huge success. You can place an order today and have it delivered the next or even the same day. They exploited the power of MRP better than most companies. Same technology, better results. THE POWER OF LEAN TPS How about Taiichi Ohno, the father of the Toyota Production System? Did he know about this dragon? You bet. In one of the books about Taiichi Ohno there is a story about when he was assigned to address a problem in manufacturing where a line was not able to meet the demand. The line was producing, let's say, 50 cars per day and the demand was for 200.
Good problem to have but also a very big problem for Toyota. So, what did Ohno do? He began to work with one of the workers to improve a work centre which they were able to eliminate entirely from the line. This improved cycle time and he now had a person to work on more improvements forming the first Kaizen Team. He continued this approach which further improved efficiency and increased the production to 75 cars per month. He also increased his Kaizen team to make even more improvements. Sounds like the beginnings of a virtuous cycle of continuous improvement. Now, you may be tempted to stop here. Many do but Ohno didn’t. The work around to the original limitations was building inventory in the line which he now exploited. While he continued to make improvements on LINE 1 he also reassigned workers that were no longer needed to start a second line. Others would have let these workers go and they would never realize the benefits from applying LEAN. By creating another line, production was increased to 200 cars per month meeting the market demand. All with the same number of workers Ohno started with. No wonder LEAN has transformed the automotive industry along with almost every other industry where companies have understood how to exploit the power of LEAN to realize real value. THE POWER OF DESIGN One more story. This one is a cautionary tale and why Eliyahu Goldratt added a 5th question. Let’s see if you can see why. In the book, Thinking in Systems by Donella H. Meadows, the author writes: Once upon a time, people raced sailboats not for millions of dollars or for national glory, but just for the fun of it. They raced the boats they already had for normal purposes, boats that were designed for fishing, or transporting goods, or sailing around on weekends. It quickly was observed that races are more interesting if the competitors are roughly equal in speed and maneuverability. 
So rules evolved, that defined various classes of boat by length, and sail area and other parameters, and that restricted races to competitors of the same class. Soon boats were designed not for normal sailing, but for winning races within the categories defined by the rules. They squeezed the last possible burst of speed out of a square inch of sail, or the lightest possible load out of a standard-sized rudder. These boats were strange-looking and strange-handling, not at all the sort of boat you would want to take out fishing or for a Sunday sail. As the races became more serious, the rules became stricter and the boat designs more bizarre. Now racing sailboats were extremely fast, highly responsive, and nearly unseaworthy. They need athletic and expert crews to manage them. No one would think of using an America's Cup yacht for any purpose other than racing within the rules. The boats are so optimized around the present rules that they have lost all resilience. Any change in the rules would render them useless. This may remind you of LEAN organizations that have an entire army of LEAN coaches, black belts, brown belts, yellow belts engaging in numerous Kaizen Events, Lean Six Sigma Projects, Rapid Improvement Events, and so on. These companies find that they too need LEAN athletes to effect change as the rules have become more complicated, and stricter. In many ways, these companies have become less agile, less resilient – more vulnerable to breaking when the business climate changes. In the words of Meadows, these companies have become nearly unseaworthy . Too much LEAN is also a thing and something to pay attention to. That is why we have another question: What new limitation, rules, or behaviours are introduced by the new technology? THE TREASURE IS FOUND We now have our dragon: LEAN can deliver benefit if, and only if, it diminishes a limitation. What treasure has the dragon been hoarding? 
LEAN implementations must eliminate or vastly reduce a limitation including the work arounds followed to bypass the limitation. New rules must be adopted to exploit the removal of this limitation. This is what creates real value and the benefits for the organization. From this we can identify the root causes along with countermeasures to formulate a plan for successful LEAN implementations: The countermeasures include: Focus on the whole system and dependencies Eliminate or reduce a limitation Change the old rules after a change is made (eliminate the workarounds) Adopt new rules to exploit the diminished limitation Manage the change effectively (people, process, and technology) LEAN implementations that fail are those that fail to include these countermeasures. A3 – IMPLEMENTATION Implementing countermeasures successfully requires a risk-adjusted plan. The following are the 5 Immutable Principles of Project Success created by Glen A Alleman: From these principles we have 5 questions that will help to develop a plan for success: What does DONE look like? How do we get there? Do we have enough time, resources, and money to get there? What impediments will we encounter along the way? (Yes there are always more dragons!) How do we know we are making progress? Answering these questions will help to ensure (make certain) that LEAN projects deliver the needed benefits. A3 – VERIFICATION / VALIDATION After the plan is completed it’s time to assess the results. There are two categories of assessments that are needed: Verification: Did we do what we said we would do? Validation: Did we get the outcomes (i.e., benefits) we intended: efficiency, breakthrough, or even unintended results? The A3 process is not complete until the targeted benefits have been obtained and follow-up actions have been identified. A3 - FOLLOW UP The last step of the A3 process is to identify next steps and capture lessons learned.
Here is the completed A3 process that we have followed: While many, perhaps most, organizations experience marginal and incremental results from their LEAN implementations others have experienced breakthrough benefits. These organizations have taken the lessons of Eliyahu Goldratt and A3 Problem Solving to achieve much more than their peers with the same technology, but with better outcomes. If you want to learn more on the topic of LEAN and its use in the supply chain I recommend the following resources:

  • You May Be Using The Wrong Compliance Software And Here's Why

    Management systems are efficient at what they do, that is, doing the same thing the same way over and over again. What they tend not to be good at is change and improvement. What compliance needs most of all is the ability to improve and mature capability over time to advance compliance outcomes. This means change and this is something that management software often does not support very well. Many organizations choose software based only on improving efficiencies with respect to a fixed set of basic compliance requirements. These capabilities are often directed at the reactive side of compliance focused on reporting, audits and the collection of lagging indicators. Software applications and platforms in this space often do not support processes that allow you to be proactive as you improve towards higher standards and better outcomes. The majority of regulations and industry standards are now performance and risk-based and require companies to advance their capability maturity over time. Compliance systems must move beyond just focusing on improving efficiencies and instead support the capabilities leadership needs to improve effectiveness. Compliance technology must now support proactive as well as reactive processes. Modern compliance systems should include capabilities that support: Managing all obligations (mandatory and voluntary) Managing traceability of promises and commitments in support of accepted obligations Managing the alignment of organizational values with operational objectives Managing preventive and mitigative measures to contend with uncertainty and risk Real-time monitoring of compliance status and capacities Discovery of insights to proactively stay in compliance and ahead of risk Learning and skill development to advance capabilities that advance compliance outcomes (safety, security, sustainability, quality, regulatory, ethical, etc.) Continuous improvement across measures of conformance, performance, effectiveness, and assurance.
Support for front-view planning, management preview, pre-incident investigations, program pre-mortems, evaluate/elevate cycles, prevention and improvement, benefit realization. Organizations should not settle on software that only meets basic, reactive requirements. When it comes to meeting modern day obligations, there is more at stake than just saving money.

  • The Power of Attention to Improve Compliance

    Have you ever noticed how quickly things start to shape up when senior management turn their gaze to a particular corner of the company? It's almost like magic – suddenly, that chronically underperforming function or system is hitting targets, or that long-neglected process gets a much-needed overhaul. This phenomenon isn't just coincidence; it's the power of attention at work. Attention, particularly from senior management, acts as a powerful catalyst for change. When leaders focus on an area, several things happen: Resources are allocated: Time, money, and personnel are directed towards the area of focus. Accountability increases: People know they're being watched, so they step up their game. Innovation is encouraged: Fresh ideas are sought out and implemented to show progress. Priorities shift: The highlighted area becomes a top concern for everyone involved. This sudden influx of energy and resources often leads to rapid improvements. It's like shining a spotlight on a dusty corner – you can't help but notice what needs cleaning. But here's the million-dollar question: Is attention alone enough to sustain long-term improvement? The short answer is no. While attention is a great kick-starter, it's not a sustainable strategy for continuous improvement. Here's why: Attention is finite: Leaders can't focus on everything all the time. Eventually, their gaze will shift elsewhere. Quick fixes vs. systemic change: The pressure of attention often leads to band-aid solutions rather than addressing root causes. Burnout: Constant scrutiny can lead to stress and decreased morale over time. Dependency: Teams may become reliant on leadership attention to drive improvement, rather than developing their own initiative. So, what's the solution? How can businesses harness the power of attention while ensuring lasting improvement? Here are a few strategies: Develop robust systems: Create processes that maintain high standards even when leadership isn't watching.
Foster a culture of continuous improvement: Encourage all employees to constantly seek ways to enhance their work. Implement regular check-ins: Schedule periodic reviews to maintain accountability without constant oversight. Empower middle management: Equip them with the tools and authority to drive ongoing improvement in their areas. Celebrate and reward sustained excellence: Recognize long-term performance, not just short-term gains. Attention from senior management is indeed a powerful tool for driving improvement in business. However, it's most effective when used as a catalyst for creating self-sustaining systems of excellence. By combining the motivating power of attention with strategies for long-term success, businesses can not only pick the low-hanging fruit but also address the root causes, which leads to longer-lasting improvement. What are your thoughts? Have you experienced the attention effect in your organization? How do you balance the need for leadership focus with sustainable improvement strategies?

  • Latent Vulnerabilities and System Crashes: A Deeper Look at CrowdStrike's RCA

    CrowdStrike recently published the results of a technical root cause analysis (RCA) stemming from the July 19th, 2024 incident that caused millions of computer system crashes worldwide. The report identifies several factors contributing to the incident and presents mitigative actions. It cites an out-of-bounds memory read leading to the failure of the EDR sensor, causing Windows operating systems to crash, as the root cause. The root cause analysis presents findings and remedies, which form the basis for actions now underway, as summarized in the RCA executive summary: Update Content Configuration System test procedures. This work has been completed. This includes upgraded tests for Template Type development, with automated tests for all existing Template Types. Template Types are part of the sensor and contain predefined fields for threat detection engineers to leverage in Rapid Response Content. Add additional deployment layers and acceptance checks for the Content Configuration System. This work has been completed with an updated deployment ring process, ensuring Template Instances pass successive deployment rings before rollout into production. Provide customers additional control over the deployment of Rapid Response Content updates. New capabilities have been implemented and deployed to our cloud that allow customers to control how Rapid Response Content is deployed, with additional functionality planned for the future. Prevent the creation of problematic Channel 291 files. Validation for the number of input fields has been implemented to prevent this issue from happening. Implement additional checks in the Content Validator. Additional checks are planned for release into production by August 19, 2024. Enhance bounds checking in the Content Interpreter for Rapid Response Content in Channel File 291. Bounds checking was added on July 25, 2024, with general availability expected August 9, 2024.
These fixes are being backported to all Windows sensor versions 7.11 and above through a sensor software hotfix release. Engage two independent third-party software security vendors to conduct further review of the Falcon sensor code and end-to-end quality control and release processes. This work has begun and will be ongoing as part of our focus on security and resilience by design. While these actions and the specific mitigative measures in the RCA report are important, they may not be sufficient. The reason? The root cause may not be purely technical. The Scope of the RCA Was Limited and Reductive The findings reported in the RCA only considered technical, proximal causes. Proximal (or first-order) causes are closest to the event and often don't provide sufficient explanation of what initiated the causal chain leading to the incident. Identifying the causal chain requires looking beyond first-order causes and considering non-technical factors. The analysis failed to answer: What were the prior conditions or actions that created the opportunity for an unmitigated high-risk software change to be deployed to customers? This question can only be answered by taking a systems perspective that includes both technical and non-technical factors. Based on what has been reported, this comprehensive analysis has yet to be conducted. The Root Cause Was Likely Not Technical A statement from the report offers a clue about the nature of the root cause and why the primary cause may not be purely technical: "In summary, it was the confluence of these issues that resulted in a system crash: the mismatch between the 21 inputs validated by the Content Validator versus the 20 provided to the Content Interpreter, the latent [emphasis added] out-of-bounds read issue in the Content Interpreter, and the lack of a specific test for non-wildcard matching criteria in the 21st field." The word "LATENT" stands out.
The vulnerability that led to the incident already existed, lying dormant and waiting for a software change to expose it. This form of risk propagation, proposed by James Reason and illustrated by the well-known Swiss cheese model, is not new. Studies of other complex systems have shown that the greatest risk is usually not a failure in a single component, but rather the existence of smaller latent vulnerabilities that, as a result of ongoing changes, align to allow risk to materialize. This raises further questions: What other latent vulnerabilities reside within the software? What future changes will cause these latent risks to breach the defenses? What is causing the vulnerabilities to be introduced in the first place? Why was the software change process ineffective at identifying and mitigating potential risks? The last question suggests an alternative root cause: A failure to effectively handle risk due to planned software changes. A Software Engineering Failure In high-risk sectors such as chemical processing, nuclear energy, and medical devices, safety is paramount, and change is considered a significant source of risk. That's why managing change is regulated to ensure organizations take necessary steps to protect the public, employees, assets, and the environment. It's also why we have process, safety, industrial, and quality engineers to design safety into system processes and ensure it is managed effectively throughout the life-cycle of facilities, products, or services. What appears to be missing is this same level of concern for safety in software engineering and in particular with respect to this incident. The Need to Dig Deeper While the out-of-bounds read error may have caused the sensor failure, there is an argument to be made that it may not be the root cause. To discover the true root cause, we must look beyond technical considerations and proximal causes. 
We need to dig deeper into the systems that create conditions for vulnerabilities to emerge and lie dormant, waiting for future changes to expose them. There is much to learn from other high-risk domains that can be applied to the practice of software development. However, this knowledge can only be effectively implemented when the real root causes are uncovered. Only then will preventive and mitigative risk measures be truly effective.

  • Beyond Balance: Sustainability as a Legacy of Sacrifice and Investment

    Sustainability is often defined as fulfilling current needs without jeopardizing future generations' ability to do the same. In simpler terms, we should not sacrifice the future for short-term gains. However, I believe this definition is incomplete. We must also acknowledge another truth which we learned from our parents, many of whom sacrificed their present needs so that their children could thrive in the future. Interestingly, rather than viewing this as a loss, they counted it as gain. True sustainability is not only about striving for a balance between short-term and long-term objectives. It also involves making an investment: exchanging something of value for something of greater value. This perspective challenges us to rethink our approach to sustainability. It's not just about preserving resources for the future, but also about actively investing in it. Our parents' generation understood this intuitively, making sacrifices that they saw as investments in their children's futures. This expanded view of sustainability invites us to reconsider our approach to global challenges. It suggests that true sustainability isn't just about maintaining a delicate balance or preserving what we have. Instead, it's about making deliberate choices to improve our collective future, even if it means short-term sacrifices. Finding balance is a necessary part of sustainability. However, addressing the most pressing environmental, social, and economic issues will require sacrifice in the present. We should not view this as a loss, but rather as an investment in our future well-being.

  • Delivering on the Promise: Compliance Through Performance

    Organizations face a complex landscape of regulatory, ethical, and stakeholder expectations. These obligations, both explicit and implicit, shape the operational environment. To thrive, organizations must translate these obligations into tangible commitments or promises. However, true success lies in delivering on these promises, ensuring compliance and building trust. Compliance performance is the bridge between commitments and expectations. By carefully tracking performance against promises – a measure of integrity – organizations gain valuable insights to predict and mitigate risks. This proactive approach is essential for navigating a dynamic regulatory landscape and exceeding stakeholder expectations. Obligations (must happen): serve as the foundational elements, shaping the organization's operational and compliance landscape. They directly influence the promises and commitments that are made. Promises (plan to happen): are operationalizations of obligations, transforming compliance requirements into concrete actions and commitments. They directly contribute to prediction by providing specific targets and benchmarks. Predictions (forecast to happen): are informed by the performance of promise keeping (integrity). By analyzing historical performance against these parameters, organizations can forecast potential risks and opportunities in meeting obligations. Expectations (should happen): are influenced by obligations and are often amplified or modified by predicted performance. The interplay of obligations, promises, and performance is a continuous cycle. As the external environment evolves, organizations must adapt their promises to align with changing obligations. By mastering this dynamic, businesses not only meet compliance requirements but also create sustainable value and build a strong reputation.

© 2017-2025 Lean Compliance™ All rights reserved.