
  • Using Dependency Structure Matrix (DSM) to Improve Compliance

    When it comes to compliance alignment we need answers to the following two questions:
    1. How do compliance pillars (programs) depend on each other?
    2. How do business functions contribute to meeting pillar obligations?
    For the first we use a compliance pillar Dependency Structure Matrix (DSM). Each pillar will have a PDP (Policy Deployment Plan); for example, there will be one for safety, one for security, and so on. What we want to know is how each pillar depends on any of the others to fulfill its commitments. For example, how much does security support safety? If you ever wondered how to get more than the sum of your compliance parts, this is how you do it. For the second question we do the same analysis across functional groups. Again, each function will have its own PDP consisting of its promises for each of the compliance pillars. What we are evaluating is each function's contribution to overall safety, security, and so on. Knowing this will help you prioritize your efforts to cover all your obligations as well as strengthen the pillars and/or functions where compliance risk is greatest.

  • Catching Up to Compliance

    “We need to move beyond compliance.” I used to think that moving beyond compliance was the answer. Many others did too. It seemed like the obvious next step. But after thinking more carefully over the last 10 years, I've realized that's not the solution. In fact, it could make things worse. When we say, “we need to move beyond compliance”, where exactly do we need to move to? This is where the rub lies, and what's bothered me. Let me explain. Traditionally, we've viewed compliance through a narrow lens: ensuring adherence to prescriptive rules imposed by law. While it's essential to meet these obligations, it's also limiting. It implies that compliance is merely a hurdle to clear or a box to check, rather than a cornerstone of responsible business. While many still view compliance using this narrow lens, the reality is the landscape has changed. Compliance has expanded, and continues to expand, to encompass a broader spectrum of responsibilities. ISO 37301, for example, defines compliance as fulfilling all obligations, both mandatory and voluntary – those that are compelled by law and others we voluntarily decide to adopt. This definition recognizes that businesses have a duty to operate ethically and sustainably, beyond what the law requires. However, what this means is that we don't need to move beyond compliance. We need to catch up to where compliance now is. This does require going beyond “basic compliance” – adhering to legal requirements – towards “total compliance” – fulfilling all obligations, including those imposed by ethical and beneficial motivations. This is the next step, motivated by a genuine commitment to doing what's needed to meet all obligations, not just the basics. It's about assurance that organizations will keep the promises they have made.
    In fact, on a daily basis, catching up to compliance would look like a continuous process of making and keeping promises (a measure of integrity) associated with organizational, project, and operational obligations:
    - Macro-ends (outcome-based): outcomes, values, code of ethics, duties & liabilities
    - Micro-ends (performance-based): targets, key results, outputs
    - Macro-means (management-based): management standards, plans, processes
    - Micro-means (prescriptive): design standards (codes), rules, tasks, work instructions, procedures
    Instead of moving beyond compliance, let's instead strive to keep our promises.

  • Isn't Lean Compliance the same as Lean Six Sigma?

    I've been asked this question several times, so I thought I'd share my answer here: The short answer is no. The longer answer is that Lean Compliance is a new practice area of Lean specifically for compliance, created in 2017 by Raimund Laqua, PMP, P.Eng. (Founder and Chief Compliance Engineer at Lean Compliance Consulting, Inc.). Lean Compliance is a methodology designed to overcome the challenges introduced by old-factory thinking, reactive behaviours, and traditional training, inspection, and audits as the means to ensure obligations are met. The Lean Compliance approach helps organizations eliminate compliance waste, leverage existing talent and capabilities, adopt proactive behaviours, establish operational programs and systems, and engage in continuous improvement to establish a virtuous cycle that effectively contends with modern-day risk-, performance-, and outcome-based obligations. While the practice of Lean Compliance is new, many of its principles come from existing areas of practice, including Lean Management, Lean Startup, Lean TPS, Engineering, Systems Thinking, Cybernetics, Promise Theory, Uncertainty and Risk Management, Performance Management, and Ethics. This may seem overwhelming; however, so is designing a car. That's why we have engineers! The good news is that driving a car is much easier and something everyone can learn. It is for this reason that we created "The Proactive Certainty Program." This is a four-step process that every organization can easily adopt to transform compliance from procedural or paper-based compliance to operational compliance using the principles of Lean Compliance. The question you need to answer is: Are you ready to learn to drive compliance towards better outcomes?

  • Who Decides?

    Historically, the responsibility of decision-making has predominantly fallen upon humans. However, with the rapid evolution of artificial intelligence, the landscape has shifted, and decisions are now frequently made by machines. Here are examples of questions that need to be answered:
    - Should autonomous decision-making determine what is safe?
    - Should it make decisions within what is already determined as being safe?
    - When should human oversight and intervention occur?
    - How much uncertainty and risk is necessary before this is needed?
    - How should the use of AI be governed when used in safety devices or as part of a safety component?
    This poses a fundamental question: which decisions are appropriate for computers to make, and by what standards should these be governed? In this article, we will examine the use of decision support systems (DSS) and their role in decision-making, including their ability to function as autonomous decision makers. Furthermore, we will explore the implications of this shift on organizational compliance for entities that opt to utilize this technology.

    Decision Support Systems
    Decision Support Systems (DSS) are a class of information systems that help individuals or organizations make choices by providing relevant data and models to facilitate analysis, visualization, and interpretation of information. The ultimate goal of a DSS is to support decision-making processes by providing users with the necessary information and insights to make informed decisions based on a variety of criteria, such as cost, risk, efficiency, and effectiveness. A DSS typically includes software tools, techniques, and models that enable users to access and analyze data from different sources, perform “what-if” analyses, create scenarios, and generate reports. Examples of decision support systems include financial planning software, inventory management systems, and supply chain optimization tools.

    How Have DSS Changed?
    Decision support systems (DSS) have been enhanced in recent years by the integration of artificial intelligence (AI) technologies. AI-enabled DSS can provide more accurate and personalized recommendations, improve decision-making speed, and reduce human errors. Here are some of the ways AI has improved DSS:
    - Automated Data Analysis: AI algorithms can automatically process large volumes of data and identify patterns, trends, and anomalies that may be overlooked by human analysts. This capability can help users make more informed decisions by providing them with accurate and timely information.
    - Personalized Recommendations: AI-enabled DSS can provide personalized recommendations based on an individual user's preferences and past behaviours. This approach can improve decision-making outcomes by tailoring the suggestions to the specific needs of each user.
    - Predictive Analytics: AI-powered DSS can perform predictive analytics to anticipate future trends, events, and outcomes. This can help users identify potential risks and opportunities and adjust their decisions accordingly.
    - Natural Language Processing: AI algorithms can understand and interpret natural language inputs, such as text or speech. This capability can improve the user experience by enabling users to interact with the DSS in a more natural and intuitive way.
    - Machine Learning: AI-enabled DSS can use machine learning algorithms to improve the accuracy of their predictions and recommendations over time. The system can learn from its past decisions and outcomes and adjust its models and parameters to optimize its performance.
    AI technologies have transformed decision support systems by enhancing their accuracy, speed, and personalization. This evolution has enabled organizations and individuals to make better-informed decisions, improve their efficiency, and gain a competitive advantage. However, DSS now have something else to offer – the possibility of autonomous decision-making.

    Autonomous Decision-Making
    Decision support and autonomous decision-making are both capabilities that assist with decision-making processes. However, they differ in their level of automation and human involvement. Decision support, including systems enhanced by AI, focuses on supporting decision-making rather than making decisions. Decision support systems typically require human input to generate recommended decisions. The ultimate decision-making power remains with the human user, who can choose to accept, reject or modify the recommendations generated by the DSS. On the other hand, autonomous decision-making involves the use of artificial intelligence algorithms to make decisions automatically without human intervention. The AI algorithms analyze data, learn from patterns, and generate decisions based on this analysis. The decision-making process is entirely automated, with no human input required. Here are some advantages and disadvantages of decision support systems (DSS) and autonomous decision-making using AI:
    Advantages of Decision Support Systems (DSS):
    - Improved decision-making: DSS can provide decision-makers with access to more comprehensive and accurate data. This can improve the quality of decision-making and help organizations make more informed decisions.
    - Speed and efficiency: DSS can automate the process of data analysis and provide real-time decision support. This can help organizations make faster and more efficient decisions.
    - Flexibility: DSS can be designed to meet the specific needs of an organization or department. This means that decision-makers can customize the system to address their unique needs.
    Disadvantages of Decision Support Systems (DSS):
    - Complexity: DSS can be complex and difficult to use, requiring specialized knowledge and training. This can make it challenging for non-experts to use the system effectively.
    - Dependence on data quality: DSS rely on data quality to generate accurate recommendations. If the data used by the system is flawed or incomplete, it can lead to inaccurate or biased results.
    - Limited scope: DSS are designed to provide decision support for specific tasks or processes. This means that they may not be effective for more complex decision-making processes.
    Advantages of Autonomous Decision-Making using AI:
    - Speed and efficiency: AI can analyze data at a much faster rate than humans, allowing for faster decision-making and improved efficiency.
    - Consistency: AI algorithms can make decisions consistently, without the variability that can come with human decision-making.
    - Scalability: AI can handle large volumes of data, making it an effective tool for organizations dealing with big data.
    Disadvantages of Autonomous Decision-Making using AI:
    - Lack of human oversight: AI systems can make decisions (and act on them) without human input, leading to potential biases or errors.
    - Dependence on data quality: Like DSS, AI systems rely on data quality to generate accurate results. If the data used is flawed or incomplete, it can lead to inaccurate or biased results.
    - Complexity: AI algorithms can be complex and difficult to understand, making it challenging for non-experts to use or interpret the results.
    While DSS and autonomous decision-making have their own advantages and disadvantages, it is important for organizations to carefully consider their needs and goals before implementing these systems. Additionally, it is crucial to ensure the accuracy and integrity of the data used in decision-making processes, regardless of the system used.

    What Impact Does Autonomous Decision-Making Have on Compliance?
    Autonomous decision-making using AI can have both positive and negative impacts on compliance, depending on how the technology is implemented and monitored. On the positive side, AI-enabled autonomous decision-making systems can help organizations improve compliance by:
    - Reducing Bias: AI algorithms can make decisions based on objective data and criteria, which can reduce the impact of human biases that may lead to non-compliant actions.
    - Enhancing Accuracy: AI-powered systems can process large volumes of data and analyze it accurately and consistently, which can help organizations identify potential compliance issues and take corrective actions quickly.
    - Improving Efficiency: AI systems can automate routine compliance tasks, such as monitoring and reporting, which can reduce the workload of compliance staff and improve their productivity.
    - Enabling Predictive Compliance: AI can analyze historical data and identify patterns and trends that may indicate future compliance risks. This approach can help organizations anticipate potential compliance issues and take preventive actions before they occur.
    However, there are also potential risks and challenges associated with the use of autonomous decision-making systems in compliance:
    - Lack of Human Oversight: Autonomous systems may make decisions that violate ethical or legal standards if not adequately monitored by human experts. Therefore, organizations must ensure that human oversight and control mechanisms are in place to avoid such risks.
    - Limited Transparency: The use of complex AI algorithms can make it difficult for compliance staff and external regulators to understand how decisions are made. Lack of transparency can undermine trust and confidence in the system and raise compliance risks.
    - Unintended Consequences: Autonomous systems can generate unexpected results that may lead to unintended consequences that violate ethical or legal standards. Therefore, organizations must ensure that their systems are designed to anticipate and mitigate such risks.
    While autonomous decision-making using AI can help improve compliance, it is critical to balance the potential benefits with the potential risks and challenges. Organizations must ensure that their systems are transparent, explainable, and subject to appropriate human oversight and control mechanisms to achieve the desired outcomes.

    Not My Final Thoughts
    When making decisions, and more importantly acting on them, under uncertainty where people, the public, or the environment may be at risk, it becomes a moral imperative. It is up to humans to determine what level of safety is acceptable and what risks are tolerable, not machines. Therefore, it is the responsibility of humans to establish the parameters within which AI operates, including the acceptable level of risk. This ultimately holds people accountable for the outcomes of their decisions, a responsibility that machines are unable to fulfill, regardless of their level of "intelligence". Where does the science experiment end and responsible engineering begin? The idea of unsupervised or autonomous decision-making by AI systems promotes a use where decisions can step outside the lines and create risk. To provide assurance that organizations stay within appropriate boundaries, they must ensure that their employees, as well as their systems (including AI), are operating ethically and within regulatory frameworks. Perhaps the risk is not so much in making decisions but in deciding which ones to act on, and that should probably be left to humans, particularly when the things we care about are at risk. What do you think?

  • Compliance 1 and 2

    Many organizations begin meeting compliance obligations using Compliance 1 practices. These are founded on basic capabilities that are mostly reactive in nature, focused on meeting prescriptive regulatory requirements. Compliance is added "on top" of what is already happening. The hope is that this will be enough to satisfy external regulators and maintain a regulatory license to operate. While this is how most start, it is not the way compliance should continue. Obligations today have expanded beyond regulatory prescription to encompass a broader set of commitments. Many of these are risk-based, focused on performance and advancing outcomes such as net zero emissions, zero incidents, and so on. These have more to do with providing legitimacy for a social license rather than strictly regulatory adherence. To contend with these broader obligations many organizations scale up their compliance by doubling down on their existing practices. Unfortunately, Compliance 1 practices lack the capability to provide the assurance that stakeholders require. Today's compliance challenges require proactive and systems capabilities that integrate with the business and do not just sit on top of it. Compliance also has to contend with uncertainty and risk. We call this Compliance 2, which compared with Compliance 1 is analogous to the difference between total quality management (TQM) and quality control & assurance (QC/QA), or Safety 1 and Safety 2 from the safety domain. Adopting Compliance 2 requires establishing processes to define the lines, followed by the operational capabilities to stay within them. Operational compliance is responsible for implementing these capabilities and processes. The internal audit function still has a role under Compliance 2. However, auditing now focuses on evaluating effectiveness as measured against compliance outcomes. This will include evaluating the level of compliance and operational risk.
If you are ready to elevate your compliance consider joining The Proactive Certainty Program™

  • How Your Business's Digital Twin Empowers Real-Time Compliance

    Many of you may be familiar with the concept of digital twins in futuristic factories, but what if I told you your business is already building one, right now? The truth is, every company, from the corner bakery to the global conglomerate, is accumulating a powerful – and often unrecognized – tool: its digital twin. Imagine this: a vast collection of data – customer interactions, sales figures, website clicks. Valuable information, certainly, but without context, it's akin to a disorganized warehouse. This is where the current landscape is changing. In today's hyper-instrumented world, every click, transaction, and interaction is captured, generating a mountain of data. Yet, without proper organization, it becomes overwhelming and unusable. That's where metadata steps in. This isn't about your customers; it's about your internal operations – the processes, systems, and the flow of information that make your business tick. Think of it as the labelling system for your digital world, creating the opportunity for real-time intelligence as well as compliance. By meticulously building a robust foundation of metadata, you're essentially creating a digital replica of your business – a digital twin. This unseen partner unlocks a game-changer for compliance: real-time assurance. The digital twin serves as your "golden thread" of compliance. It's a continuously updated digital record that tracks evidence, your commitments (regulations!), and ultimately, your obligations. Imagine a clear audit trail readily available at your fingertips. No more waiting for audits to find out that you are off-side and at risk. But the power goes beyond simple record keeping. The digital twin empowers a proactive approach to compliance. It acts as a virtual model, allowing you to identify potential issues before they snowball into problems. This translates to improving the probability of staying between the lines and ahead of risk. The big idea? Just collecting data is no longer enough.
    At Lean Compliance, we understand the importance of context and connections. By harnessing the power of metadata and your hidden digital twin, you're not just organizing your data; you're building a powerful compliance ally, ready to navigate the ever-changing regulatory landscape with confidence. This is the future of compliance – real-time, proactive, and driven by the insights hidden within your own business.

  • Everything an Organization Does is Compliance

    I realize this statement may be controversial or even provocative to some, but I kindly ask that you hear me out. For many organizations, compliance sits apart from what the organization does. It's often seen as an obstacle in the way of innovation and getting things done. This perspective often arises from having a narrow view of compliance influenced by years of prescriptive and legal regulations. However, this perspective is only part of what compliance now means and why we need to think about compliance differently. Let's start with the definition of compliance found in the international standard ISO 37301:2021: compliance is the outcome of meeting all your obligations. This definition implies there are two aspects to compliance:
    - Compliance is an outcome, that arises from
    - Meeting all your obligations
    This parallels the dictionary definitions for compliance, most often described as:
    - The state of conformity with official requirements
    - The act or process of complying
    Let's look at the first part.

    Compliance as Obligations
    The first thing we can say about compliance is that it involves obligations. Without obligations there is no need for compliance. Obligations are explicit requirements; in some cases they will be legal in nature, some will be ethical, and others are beneficial to mission success. Whatever the motivation, these requirements are explicitly defined and are intended to create outcomes beyond just that of conformance. It's also generally understood that not meeting obligations may also create outcomes:
    - losses arising from not meeting the obligation (penalties, fines, sanctions, etc.), and
    - loss of value associated with the unrealized obligation outcome
    Obligations can be expressed in several ways that include: rules to be adhered to, practices to follow, targets to achieve, or outcomes to advance. No matter the shape or size, or whether compelled by law, moral values, or corporate strategy, obligations give rise to the need for the act of compliance.

    Compliance Promises
    This brings us to the second part of the definition: meeting the obligation – the act or process of complying. When a company decides to accept an obligation, for example to achieve carbon neutrality by 2035, it is making a commitment, in this case to an environmental obligation. However, in practice this can be any obligation imposed from outside or inside the organization. Until the obligation is accepted, there is no need for the act of compliance. When it is accepted, a commitment is made to engage in the act of complying. According to Promise Theory (Mark Burgess), compliance commitments describe promises an organization makes and intends to keep to meet a given obligation. Promises shape policy, strategies, goals and objectives for the organization to meet all its obligations. In essence, promises define the means rather than the ends.

    Compliance as a Regulatory Process
    Now we come to the heart of the matter. The primary means by which compliance meets organizational obligations is by regulation. I don't mean regulations, but rather the regulatory process. Many organizations view regulation narrowly as:
    - Rules: A set of rules or principles that control how something is done. These rules are often set by an authority, like a government agency, to ensure safety, fairness, or a certain standard. They can also be defined by internal policy.
    - The act of controlling: The process of enforcing these rules or principles. This can involve things like inspections, licensing, and penalties for non-compliance.
    As a result of changes in the compliance landscape in recent decades, meeting obligations has become more than adherence to rules or the establishment of controls. Fundamentally, compliance involves regulating organizational behaviours and actions to meet accepted obligations of all shapes and sizes. This regulatory process is not the sole responsibility of the compliance function, nor is it limited to what is traditionally considered as compliance obligations. In fact, meeting such things as production schedules, sales quotas, or new product launches also requires a regulatory function, which for the most part resides with functional managers, although they simply call this activity "management". When we look more broadly, we can see that every part of the organization is working to achieve compliance with respect to its specific goals and objectives. You may recognize this as the chain of accountability:
    - Employees are meeting obligations from Managers
    - Managers are meeting obligations from Directors
    - Directors are meeting obligations from General Managers
    - General Managers are meeting obligations from the CEO
    - The CEO is meeting obligations from the Board
    - The Board is meeting obligations from Stakeholders
    Everything an organization does is compliance. Now, I am not saying management should now adopt the check-box or audit approach followed by traditional compliance functions. In fact, just the opposite. Compliance should adopt the operational and performance-based approach found in functional departments. Functional managers know how to negotiate operational goals and objectives, develop strategies and plans, monitor performance, and continuously improve. While their obligations are related to operational objectives, they still require a commitment (a promise) that must be kept. This is the contract between one accountability level and another. In this sense, functional managers have been practising the act of compliance for years, and many excel at it. Pressing the point further, some use the Lean practice of Hoshin Kanri (policy deployment) / Catchball to align operational goals and objectives with organizational values and outcomes. What is unfortunate is that this process traditionally has not included compliance obligations. This presents an opportunity for organizations to leverage these capabilities to better operationalize all their obligations.

    Eating the Other Half of the Elephant
    We have observed in recent years that at least half of an organization's obligations come from internal policy and not from external regulations. These obligations are not compelled by law but instead are voluntarily chosen to support stakeholder expectations. These obligations are often associated with quality, environmental, ethics, safety, security, sustainability and other expectations that have more to do with a social license rather than a legal license to operate. While these obligations do overlap with legal obligations, they require operational capabilities similar to those found in functional units across other parts of the organization rather than in a compliance department.

    This is Not a New Path
    I realize many do not view compliance in this way, which is not surprising. Their compliance experience for the most part has come from finance and legal, where obligations are prescriptive and enforcement is reactive. They do not know what compliance looks like from an operational and proactive perspective. This is not the first time organizations have faced this situation. Back in the 1980s a similar thing happened with the quality movement. Back then we strove to achieve zero defects utilizing quality control (QC) and quality assurance (QA) roles. This is not fundamentally different from achieving vision zero targets such as zero incidents, zero non-conformance, or zero violations. What is different is that we don't need to do it like we did back in the 80s. What we have learned since then is that inspection and audits seldom improve quality. Instead, quality needs to be designed into products, services, and processes. Today, we can't imagine managing quality without managing it in every part of the value creation process. This approach is what is needed now to meet safety, security, sustainability, environmental, ethical, and even regulatory compliance obligations. We need to manage all our obligations in every part of value creation. The good news is that organizations have been doing the act of compliance with respect to operational objectives for years in production, sales, marketing, HR, and other business functions. They have, for the most part, the capabilities needed to meet all their obligations. They just need to leverage the capabilities they already have. However, this won't happen until they realize that everything an organization does is compliance.

  • Keep Humans In The Loop

    When it comes to AI we must: Keep Humans In The Loop When there is a chance of harm, the decision to proceed is an ethical choice and can only be made by humans. AI should not make ethical decisions for you. They are not accountable and cannot answer for the outcomes. However, having humans in the loop means more than participating in an approval control process and checking a box. Accountable and responsible parties must be involved in identifying ethical dilemmas, impacts & risks, solutions, and arriving at a decision that is consistent with organizational values. What steps can you take starting today to ensure your organization is responsible with its use of AI?

  • Uncertainty and Risk

    This event has already occurred. Given that uncertainty and risk are on everyone's minds, we have decided to go ahead and offer this workshop so you can benefit from important risk management principles and practices to improve the probability of project success in the presence of the COVID-19 uncertainties. In consideration of the public health recommendations, this workshop will now be in a virtual format. This event will still take place on Saturday, March 28th. However, the timing for the event has been adjusted based on the new format. The event will take place from 9 am until 12 pm and consist of three 50-minute sessions with 10-minute breaks between each session. The PMI chapter (PMI-CTT) will still be offering 3.0 PDUs for eligible attendees. However, this event is open to everyone. If you are involved with projects and looking for ways to improve your chances of success, you will benefit from this workshop. I would like to express my appreciation to the PMI-CTT chapter for all their hard work to make this workshop possible. This new format will provide the opportunity for more people to take advantage of this workshop and learn important risk management principles and practices, which are needed more than ever in the presence of the COVID-19 uncertainties. If you haven't registered you can do so at this link. We look forward to connecting with you on Saturday, March 28th. It's time to defeat the dragon of uncertainty.

  • How Is Your Compliance Managing the Shift?

    In the last few decades there has been a paradigm shift towards risk-based regulators and regulation. In the traditional model, regulators identify the public harm, conduct an assessment, and come up with prescriptive treatments (rules) that industry is expected to adhere to. Adhering to these rules is what compliance has meant, and still does in many sectors, but that is changing. Regulators in high-risk sectors are modernizing their approaches to better contend with uncertainty. They are transitioning towards being risk-based regulators. If you want to learn more on this, I recommend you read the work by Malcolm Sparrow. Risk-based regulators understand that industry is closer to the risks, specifically with respect to determining how best to handle them. In this new model, regulators establish performance- and outcome-based obligations for industry to achieve and advance. This requires that organizations take on more of the risk function: defining treatments and monitoring to satisfy the obligations. This also means organizations must be proactive if they expect to meet obligations that arise from risk-based regulation. They need to set goals, define objectives, and make progress towards specified outcomes. To manage this shift, compliance must be more than procedural; it must now become operational.

  • Rasmussen's Risk Management Framework

    At a fundamental level, compliance programs protect the value stream from threats that hinder the creation of value. Each program contributes to keeping the value chain safe from various risks, including quality risk, occupational safety risk, security risk, and so on. These programs are socio-technical in nature in that they recognize the interaction between people and technology, often across multiple levels of an organization. Rasmussen's Risk Management Framework (also known as Rasmussen's ladder) provides useful insights when it comes to understanding risk across socio-technical boundaries to achieve safety objectives along with other risk objectives. Rasmussen originally developed his approach as part of a proactive risk management strategy; however, its primary application has been as an accident analysis tool (AcciMap) for complex socio-technical systems.
    Rasmussen's Risk Management Framework
    This framework has its roots in systems thinking, based on the notion that accidents are hidden in normal operations and do not need special causes. This is similar to Safety-II (Hollnagel, 2017) and to Deming's work showing that defects are caused by normal causes (natural variation). Rasmussen's model, and others since, represent a growing trend away from "root causes" (or, you might say, "special causes") for systemic failures. Rasmussen suggests the following system boundaries by which to map structure, components, and their interactions:

  • Refactoring Compliance For a Leaner, Smaller, and More Effective Program

    Compliance often becomes a labyrinth of obligations, commitments, controls, audits, processes, and many other activities and artifacts that are built up over time, which makes compliance more complicated and difficult to manage, operate, and maintain. In many ways, this is not unlike the software domain, which contends with legacy code, technical debt, and changing and new requirements. In compliance, obligations are the requirements, and promises are the specifications used to engineer systems and processes to deliver on objectives that will in turn achieve the outcome of compliance. What if there was a way to streamline compliance in the same way that software engineers refactor code, resulting in a simpler, more effective program?
    Lean Obligation Management for Compliance
    This approach focuses on simplifying the compliance burden by systematically removing unnecessary elements (i.e. compliance waste). Imagine it as de-cluttering or refactoring your management program by removing old obligations, restructuring poorly defined promises, and addressing obligation debt. To understand how this can be accomplished, we need to understand the nature of obligations and promises.
    Obligations: These are the requirements for each internal or external obligation. They define what your organization is expected to achieve in terms of compliance (adherence to rules, conformity to standard practices, achievement of performance targets, or the advancement of compliance outcomes: the benefits of being in compliance).
    Promises: These are the commitments, the specifications, your organization identifies to fulfill all its obligations. They detail how and to what degree you'll meet the requirements (e.g., a designated data security officer role, mandatory annual compliance training, improving net zero targets, realizing better safety and security).
    Lean Obligation Management in Action
    This approach focuses on systematically removing unnecessary elements from your program, resulting in a simpler and more effective system.
    1. Remove outdated or no longer applicable obligations. Obligations evolve and change over time. Regularly audit your management program to identify and remove obligations (internal or external) that are no longer applicable or have been superseded. This frees your organization from the weight of outdated compliance measures.
    2. Remove duplicate promises. Duplication can bloat your program and introduce inconsistencies. Identify and remove any redundant compliance promises within your program. This ensures a single, clear commitment for each obligation, simplifying program management and reducing the risk of errors.
    3. Remove promises that are no longer connected to an obligation (zombies). Sometimes, promises are made within an organization that no longer serve a purpose. These "compliance zombies" add to the overall cost without delivering any value. Lean Obligation Management encourages you to remove them along with the controls, workflows, and processes that are no longer needed.
    4. Consolidate promises within promise fulfillment systems based on common capabilities. Identify commonalities in how your organization fulfills its compliance promises. Group similar promises together and consolidate them within dedicated promise fulfillment systems. These systems can be specific tools, processes, or workflows designed to efficiently address multiple compliance requirements. This reduces redundancy and streamlines your overall compliance efforts.
    5. Integrate new obligations and promises strategically. When new regulations or stakeholder expectations introduce fresh compliance requirements, don't simply add them on top of your existing program. Instead, use the knowledge gained from Step 1 to strategically integrate them. This can be achieved through three key approaches:
    Leveraging Existing Fulfillment Systems: Look for opportunities to fulfill the new obligations using compliance systems you already have in place. These systems might be designed for similar purposes or share some overlapping functionality. This approach reduces redundancy and streamlines the implementation of the new requirements.
    Adapting Existing Systems: If the new obligations have some overlap with existing compliance areas, consider modifying your current fulfillment systems to accommodate the additional requirements. This can be a cost-effective solution if the changes needed are minor.
    Developing New Fulfillment Systems: For entirely new compliance needs that don't align with existing systems, you may need to develop dedicated fulfillment systems. These systems should be designed to be efficient and effective in meeting the specific requirements of the new obligations.
    If you find yourself unable to follow these steps, it's a strong signal that your compliance program has become overly complex and you may have lost control of your compliance. Lean Obligation Management provides an approach to gain control back by promoting compliance simplicity. By actively managing the promises your organization makes to meet obligations, you gain a clear understanding of your compliance efforts and ensure they remain effective and easy to understand for everyone involved.
    Benefits of Lean Obligation Management: By actively reducing unnecessary elements and ensuring clear promises meet specific obligations, you can achieve a simpler, more effective program capable of meeting all your compliance needs. This will help create the following benefits:
    Reduced Program Complexity: A leaner management program with clear promises for each obligation is easier to maintain, implement, and understand for all stakeholders.
    Improved Efficiency: By focusing on essential compliance elements, your program operates more efficiently, saving time and resources.
    Enhanced Agility: A streamlined program allows you to adapt to changing external and internal obligations more readily.
    Proactive Management of New Obligations: Evaluating the true nature of new obligations before integrating them allows for a more strategic approach to compliance.

© 2017-2025 Lean Compliance™ All rights reserved.