- Managing Risks caused by Cost Reductions
Cost reduction programs, while sometimes necessary, all too often end up removing value and exposing companies to unnecessary risk. Deferring maintenance, not doing critical improvements, pushing more work on employees, switching to cheaper suppliers, and even moving to the cloud may eliminate some costs in the short term, but may also impact future benefits and affect a company's ability to meet its compliance obligations.

As change can be a significant source of risk, it is important that companies put in place an effective change process that covers possible impacts to critical programs, systems, and processes. An effective change process acts as a layer of defense against exposure to risks caused by changes to compliance systems. Embedding a risk assessment into this process also ensures that risks are properly identified and evaluated, and that risk responses are implemented along with the change itself. The following diagram depicts a simplified change process to manage changes to critical programs, systems, and processes:

1. Scoping
- define the proposed change
- identify affected programs, systems and processes
- identify alternatives
- estimate savings and costs
2. Impact / Risk Assessment
- identify impacts on the identified programs, systems, and processes
- identify impacts affecting critical-to-compliance objectives (CTCs)
- identify threats and opportunities, evaluate risks, and determine prevention/mitigation and enable/exploit controls
- create implementation and risk response plans
3. Approvals
- obtain the necessary approvals, based on accountability and level of risk, to proceed with implementation
4. Implementation
- implement the change and risk response plans
5. Verification
- verify that changes were made according to plan and standard procedures

Implementing a change process requires that critical systems are identified first, followed by critical-to-compliance (CTC) objectives, so that impacts can be identified and monitored. CTCs are key results, activities, documented evidence, reports and so on, identified as critical to meeting agreed-to compliance obligations. Identifying these is part of proactively managing overall compliance (shown in the following compliance map) to maintain a continuous state of compliance. Effects impacting CTCs can be anticipated and addressed to ensure that there are never any gaps in meeting compliance obligations.

Cost reduction programs benefit from an effective change process to ensure that potential savings are not offset by costs associated with increased exposure to risk. In addition, an effective change process can also provide the following benefits:
- a stage-and-gate approach to properly sequence the work
- a cross-functional team derived from the identified scope and impacts
- the tools and practices needed to implement changes safely
- visibility of the level of risk associated with all changes being introduced
- visibility of the level of work and bottlenecks across all changes

All of these benefits help to ensure that risks are addressed, compliance is maintained, and that the promised savings are actually achieved.
- Is Compliance Risk Reducible?
The primary purpose of risk management is to handle the possible effects of uncertainty on specified objectives. This handling involves establishing risk treatments whose effectiveness is measured by the difference in risk levels between treated and untreated risk. This difference is often referred to as "residual risk." It is the objective of risk managers to establish risk treatments so that residual risk is below an organization's risk tolerance. To accomplish this, an organization first needs to know the level of risk it will, should, or can tolerate. This is defined as the level of risk below which an organization is willing to accept the positive or negative outcomes of not meeting its obligations. In other words, it will tolerate whatever happens for all risk below this level.

The next step in establishing risk treatments is to understand the nature of the compliance risk, which involves evaluating the uncertainty associated with an organization's capability to meet each obligation. Risk is always associated with uncertainty, as defined by ISO 31000, where risk is "the effects of uncertainty on objectives." We can therefore classify risk treatments according to the nature of this uncertainty as follows:
- Risk due to epistemic uncertainty (lack of knowledge or know-how): this risk is reducible.
- Risk due to aleatory uncertainty (caused by inherent randomness or natural/common variation): this risk is irreducible.

Reducible risk is treated by buying down uncertainty to improve the probability of meeting each obligation. In some compliance domains this is called preventable risk. Irreducible risk is treated by applying margin in the form of contingency, management reserve, buffers, insurance and other measures to mitigate the effects of the risk. In practice, many organizations buy down what they can afford and accept the consequences of the residual risk should it become a reality.

Companies tend to consider any residual risk as if it were irreducible and treat it with margins. This raises the question of why not treat all compliance risk as irreducible, which, by the way, many do. The answer can be found by considering the factors that contribute to an organization's financial margin. A company's margin is significantly and negatively impacted by the cost of realized reducible compliance risk. These costs are associated with such things as defects, incidents, breaches, violations, emissions, and other non-conformance. All of these are sources of waste which for the most part can and should be reduced or eliminated. This waste not only hurts the bottom line but also a company's reputation. Organizations that do not address risk that is reducible will never have enough margin to cushion the effects of risk that is irreducible. Saying it another way, the more a company invests in buying down reducible risk, the more margin it will have to use for the things that really matter. It is incumbent on management to effectively buy down reducible risk to avoid unnecessary and preventable waste (i.e. the effects of uncertainty), to improve margins and to increase the probability of mission success. For everything else, they should ensure there is sufficient margin to cushion the effects when and if they are realized.
- Beyond Compliance: Building Trust Through Commitment
In my years working across high-risk, highly regulated industries like medical devices, pharmaceuticals, and energy, compliance used to be a simple matter of ticking legal boxes. But that's no longer enough, and hasn't been for some time. Today, compliance is about fulfilling all our commitments, not just the ones mandated by law. Think of it as keeping promises: the promises we make to our stakeholders, as outlined in ISO 37301 and Promise Theory.

"Promises are the uniquely human way of ordering the future, making it predictable and reliable to the extent that this is humanly possible." – Hannah Arendt

The gap between making those promises and following through is a measure of our integrity: are we walking the walk, not just talking the talk? In fact, a strong compliance integrity score can be calculated from the number of promises kept compared to the number made. The problem is, many still see compliance as an after-the-fact audit function, solely focused on legal compliance. Sure, that might keep them licensed to operate, but it doesn't inspire confidence that they will achieve the goals that really matter. That's why, to truly build trust and ensure success, organizations are moving towards a more proactive and integrative approach to compliance. They're weaving a "golden thread" of assurance that encompasses not just legal obligations, but also voluntary commitments to safety, security, sustainability, quality, the environment, and ethics. This fortified compliance chain will lead to greater trust from everyone who has a stake in their success: employees, partners, suppliers, customers, communities, and beyond.
- Compliance Capabilities
Compliance is often organized into isolated functions that are separate from the production management structure. However, we know that programs that support quality, safety, risk, regulatory, environmental, and other compliance objectives are not effective when implemented in isolation. Instead, they are more effective when seen as horizontal capabilities that cross the entire value stream. It's time to turn the vertical compliance function into a horizontal compliance capability.
- LEAN RISK
LEAN, when applied properly, is an effective measure to improve the probability of mission success. All the waste that LEAN seeks to eliminate is caused by the same thing: uncertainty, and this uncertainty creates the opportunity for risk, the true waste that threatens mission success. Here are a few examples of how this happens:
- We create defects because of uncertainty associated with process capabilities, standards, and work practices.
- We conduct excess processing because of uncertainty about what is actually needed: what is value-add and what is not.
- We overproduce because of uncertain production requirements.
- We wait because of uncertainty associated with process control, equipment reliability, or maintenance activities.
- We create excess inventory because of uncertain demand requirements and external risk.
- We transport more than necessary because of logistics uncertainty.
- We move more than necessary because of uncertainty associated with work procedures and standards.
- We have non-utilized talent because we are uncertain of the skills people have and how best to use them.

If you want to eliminate waste, eliminate uncertainty first.
- Applying Lean 5S to Compliance
Compliance is an essential aspect of any business, ensuring that organizations operate within the legal and regulatory framework set by the government. It is a critical component that helps organizations maintain their reputation, protect their stakeholders, and avoid potential legal or financial penalties. However, complying with regulations can be a daunting task, especially for small and medium-sized businesses that may not have dedicated compliance teams or the necessary resources. To help organizations navigate the complex world of compliance, the Lean 5S methodology can be applied to obligations, ensuring that companies are organized and structured in a way that promotes compliance. Here's how:

1. Sort: Start by identifying all compliance obligations that apply to your organization. This could include regulatory requirements, contractual obligations, or internal policies. Once identified, remove any obligations that are no longer relevant or necessary, reducing clutter and streamlining compliance processes. This step can help organizations stay focused on the obligations that matter, ensuring that resources are directed towards meeting those obligations.
2. Set in Order: Once you have sorted through the obligations, organize them in a logical and systematic way. This could involve categorizing obligations by compliance area, risk level, or regulatory authority. Establish clear guidelines for managing and monitoring compliance, making it easier for employees to understand and follow. This step can help organizations stay on top of their compliance obligations, ensuring that they are prepared for regulatory audits and inquiries.
3. Shine: Ensure that all compliance-related processes are working effectively and efficiently. This may involve conducting regular assessments, reviewing policies and procedures, and identifying areas for improvement. By shining a light on compliance processes, organizations can identify potential risks and take steps to mitigate them, reducing the likelihood of compliance violations.
4. Standardize: Develop clear and consistent compliance standards that are easy for employees to understand and follow. This could involve creating checklists, developing training programs, and establishing protocols for managing and monitoring compliance obligations. By standardizing compliance processes, organizations can ensure that employees are aware of their compliance obligations and are equipped with the necessary tools to meet those obligations.
5. Sustain: Maintain and continuously improve compliance processes by regularly reviewing and updating policies and procedures, conducting training programs, and fostering a culture of compliance within the organization. This can help ensure that compliance is integrated into the company's day-to-day operations and becomes a part of its overall business strategy. By sustaining a culture of compliance, organizations can build trust with their stakeholders and avoid costly legal and financial penalties.

In today's regulatory environment, compliance is more important than ever. Failure to comply with regulations can have severe consequences, including hefty fines, legal action, and damage to a company's reputation. By using the Lean 5S methodology, organizations can streamline compliance processes, reduce the risk of non-compliance, and build a culture of compliance that helps them stay ahead of regulatory changes. So, if you haven't yet implemented the Lean 5S methodology for your compliance obligations, there's no better time to start than now!
- An Objective View of Obligations
ISO 19600 and ISO 37301 define compliance as the outcome of meeting a company's obligations. These obligations arise from such things as regulations, standards, policies, guidelines, permits, contracts, codes of conduct and many other sources. A subset of these will be legal obligations, which tend to be prescriptive in nature, for example, "Companies must report all tier one releases within 24 hours." Industry standards and guidelines, by contrast, tend to be more risk- and performance-based, where companies are expected to make progress towards reducing such things as emissions, violations, fatalities, breaches, and so on. Intermediate targets for these obligations may be dictated by regulatory bodies, making them mandatory; however, the means by which these are achieved is usually left to each organization based on its level of risk.

Independent of the source of the obligations, or whether they are mandatory or voluntary, we can categorize them by four different types, each with its own specific demands on the organization, as shown in the following diagram. Each type of obligation will in turn give rise to compliance objectives in order to meet the obligation's demand. Companies will put in place compliance systems of processes to efficiently manage and ensure these objectives are met, taking advantage of shared capabilities and resources to keep the costs within sustainable levels commensurate with a tolerated level of obligation risk across categories that include safety, regulatory, reputation, environmental and other areas of concern.

Compliance Systems

To understand how best to meet each compliance objective we need to understand the dynamics of systems, and specifically purposeful, goal-seeking systems, which is the case for compliance, where systems are used to ensure that targeted objectives are met. Dr. Russell Ackoff defined a system as: "a whole which is defined by its function in a larger system of which it's a part. For a system to perform its function it has essential parts: Essential parts are necessary for the system to perform its function but not sufficient. [This] implies that an essential property of a system is that it cannot be divided into independent parts. Its properties derive out of the interaction of its parts and not the actions of its parts taken separately." It is this last part, which is often overlooked, that I want to focus our attention on.

Outcomes vs. Objectives

Making progress towards compliance outcomes is a primary measure of effectiveness for compliance programs. Since outcomes are an emergent property of compliance systems, it is important that we understand how the parts interact with each other to create the outcome of compliance. To help with this we need to clear up confusion around the notions of outcomes, objectives, goals, results, and even initiatives. For now we will define and consider the difference between outcomes and objectives, since they are the primary components of a compliance system (c.f. ISO 19600, ISO 37301:2021).

- Outcomes: these are the ends that we expect to attain over time, where progress is expected through the achievement of planned objectives. Examples include zero incidents, zero harm, zero breaches, zero emissions, zero defects, and many others. These are often described in qualitative terms but may also have defined measures of effectiveness to indicate progress towards the targeted outcome.
- Objectives: these are the ends that we expect to attain within the period covered by planning. These results contribute to making progress towards the targeted compliance outcome. An outcome may require several objectives done in parallel, sequentially, continuously, and some contingent on others. Some form of causation model (deterministic, probabilistic, linear, non-linear, etc.) is used to estimate the confidence level of achieving the desired outcomes by means of objectives. In cases of greater uncertainty these models will be adjusted over time as more information is gathered and the correlation between objectives and outcomes becomes better known.

Objective Criteria and Evaluation

- Objective Criteria: these are attributes that describe an objective. They may consist of measures of performance, conformance, risk, or other attributes that are used to evaluate whether an objective has been or is being met.
- Objective Scorecard: a qualitative and/or quantitative evaluation of the attributes that define an objective. These are often aggregated to form a single score used to rank the overall status of each objective.

A point worth mentioning is that measures of effectiveness are usually associated with outcomes and often measured as progress towards these outcomes. However, in some cases where objectives require obtaining a specified result over a period of time, the objective may also have a measure of progress. An example would be reducing the level of risk to an acceptable level for a given objective over time. Those familiar with performance-based systems will notice that evaluation of outcomes is a form of performance assessment rather than an audit. Assessments are usually conducted more frequently to measure the ability to achieve outcomes, as opposed to audits, which are conducted to validate that outcomes have been achieved or that evidentiary material related to prescriptive conformance exists. This differentiation is important, particularly when trying to maintain a status of compliance during the period between audits.

An Example From Occupational Safety

In this example we will look at making progress towards zero safety incidents, which is a goal that many organizations have. For our purposes we will define the outcome of our safety compliance system as zero incidents. To make progress towards zero incidents (the ultimate or terminal goal) there will be a number of objectives to be managed by a safety compliance system. Here is a list of examples:
- Increase the number of documented near misses
- Create a safe work culture as evaluated by an organizational culture survey
- Ensure effective safeguards on machinery and equipment
- Provide effective safety training for all workers and contractors
- Ensure workers use PPE appropriate for the level of risk
- Maintain and train against up-to-date safe-work procedures and practices
- Establish and maintain an effective joint health and safety committee
- Establish an effective emergency response system
- Conduct a yearly risk and hazard assessment
- Reduce the level of safety risk by 10% year over year

Each of these objectives will have its own set of criteria relative to current conditions, the planning time frame, and targeted results. Let's take a look at one of these objectives in more detail, "Establish an effective emergency response system." This objective would include attribute criteria such as:
- Activation of the emergency response plan occurs within X hours of a reported incident.
- Affected stakeholders are notified within X hours.
- The response plan is updated after risk and hazard assessments.
- Performance of the emergency response plan is tested once per year.
- Local authorities are notified within X hours.
- Response teams receive refresher training once per year.

Some of these criteria come directly from regulations, while others may come from internal policies and other sources. Objectives and their attributes will have dependencies on other objectives, which will also need to be managed. In addition, each objective will require a set of capabilities (some shared) to meet all its criteria. And finally, objectives may be connected with other safety obligations.

What does this all mean?

For compliance to be effective, organizations must be clear about the outcomes they are trying to achieve and the objectives that need to be met to get there. Objectives are more than gaps identified by audit findings. Objectives define what is needed to ensure that obligations are met continuously, all the time, so there are no gaps in the first place. They also define what is needed to realize compliance outcomes, the benefits from being in compliance.
- We Don't Protect What We Don't Value
Business success is often measured by a single metric: profit. However, in today's economic climate, organizations are increasingly recognizing the importance of a broader concept: Total Value. This goes beyond just the financial bottom line and encompasses protecting value creation across all aspects of a company's operations.

Protecting Total Value

The saying goes, "we don't protect what we don't value." This contributes to why compliance doesn't have the role that it should. Organizations just don't value the outcomes needed to ensure mission success. When a company prioritizes short-term gains over compliance, it essentially devalues the very things that contribute to its long-term success. By neglecting safety regulations, environmental standards, or ethical practices, a company puts its reputation, integrity, and even the safety of its employees at risk. These are the very things it needs to protect to build trust with stakeholders and achieve corporate sustainability.

Present Bias Is Not A Gift

Imagine a business that cuts corners to maximize profit. This may lead to non-compliance with safety and security regulations, along with breaking promises made to stakeholders to achieve adequate safety and security performance targets. While short-term profits might increase, a potential incident could damage the company's reputation, incur hefty fines, and erode stakeholder trust. It only takes one violation, one incident, or one non-conformance to realize a significant loss of value. This is an example of "Present Bias": the tendency of people to give stronger weight to payoffs that are closer to the present time when considering trade-offs between two future moments.

Here's where the concept of Total Value Advantage comes in. Building on Michael Porter's Value Chain Analysis, this approach recognizes that competitive advantage goes beyond just price and product features. It encompasses all aspects that deliver value to a company's stakeholders in the broadest sense of the term: customers, suppliers, shareholders, employees, communities, or the public at large. By establishing effective compliance programs that actively manage their role to protect and ensure Total Value, both in the present and in the future, a company gains a significant advantage. It demonstrates its commitment to responsible practices, builds trust with customers and partners, and fosters a safe and productive work environment. This, in turn, attracts and retains talent, enhances brand reputation, and ultimately leads to corporate sustainability.

The Bottom Line

Focusing solely on profit is a short-sighted strategy. However, by embracing the concept of Total Value and recognizing the crucial role compliance plays in protecting its creation, businesses can improve the probability of mission success. This leads to a Total Value Advantage, fostering trust, building resilience, and ultimately achieving corporate sustainability. It's time to change the sign for compliance to read, "We Protect Total Value."
- Leading Health Systems Innovation
Like other sectors, health care also requires innovation. Current models are based on a reactive and transactional approach to how health care is delivered. As patients, we wait for symptoms to present themselves before making any improvements to our health. In a similar way, health care providers often wait for regulatory changes before making adjustments to the systems that deliver the needed care. What is common to both is all the waiting.

Time for Change

I attended a presentation a few years back on the topic of Health Systems Innovation at McMaster University (Hamilton, Ontario), where the discussion focused on the future of health care, what it might look like, and how it can change from a reactive model to one that is proactive, participatory and where risk is shared. The speakers were Dr. Des Gorman (Faculty of Medical and Health Sciences, University of Auckland) and Mrs. Danielle Freschette (Executive Director, Health Systems Innovation and External Relations, Royal College of Physicians and Surgeons of Canada). Here is my brief summary of the presentations and ensuing discussions. What I found most interesting is that many of the issues presented are also found in other sectors. Health care is not the only industry that suffers from being too reactive.

We have the wrong model
- Reactive
- Transactional
- Funding the wrong things
- Regulation that constrains innovation

Health care is moving towards
- Participatory health care
- Self-management
- Focus on outcomes
- Co-development
- Mutualised risk
- Process agnostic

Insights
- Within 5-7 years whatever new system you put in place becomes corrupt. People figure out how to game it. We need to design systems that are intended to be gamed but where everyone wins.
- People want to pay for outcomes, not activity (i.e. transactions). Yet there is little motivation to do anything other than continue to transact.
- Evidence-based medicine was introduced to reduce variation and improve outcomes but is no longer innovating.
- We should have a strong skepticism around data and its use. Data only tells "half" the story.
- Health care is not ready for Industry 4.0. We are not teaching people how to adapt. In many cases providers do not have the capacity to change.
- In Canada (specifically Ontario) there are too many pilot programs. Not enough have reached the point of viability and being able to scale.
- Innovation is currently driven by technicians and technology. Technology should not be the driving factor; patient outcomes should be instead.
- For health care to be proactive it needs to be based on outcomes and competency.
- We need greater participation from all areas of health care if we are to come up with better approaches. There is no lack of desire to do this but a lack of effective ways to engage everyone.
- We need to create the conditions that encourage innovation, not stifle it.

My thoughts

Health care systems are based on a model that is not sustainable, and it has been this way for some time. There are many factors that contribute to this and there is a multitude of options for how to improve. However, what is not clear is how these innovations are funded, introduced, and scaled to achieve the intended benefits. Some of these can be done incrementally, but others may require changes to current systems to enable these innovations. What is clear is that more engagement is necessary from all who provide health care and those that benefit from it. Perhaps this is where innovation is most needed. A participatory approach based on mutualised risk that focuses on patient outcomes might just be the kind of innovation we need to become more proactive with our health care. This approach may also be helpful in other industries that are highly regulated, where risks need to be managed, and that suffer from being too reactive.

Amendment

In the years since I wrote this, the health care system in Ontario has started to transition towards a teams-based approach to improve overall coordination and improve support for proactive health care strategies. Having recently undergone surgery to remove a gall bladder, I have now experienced first hand the level of care, which was excellent. After the surgery I was sent home as part of a virtual nurse program. During this program, which lasted two weeks, I took my vitals each day, which were uploaded using a tablet, and then interacted with nurses and physicians through video sessions. Throughout this entire process I was treated with respect, dignity and great care. More work is still needed to address systemic issues across the health care system along with the new realities of sustainability and burn-out. However, several of the shortcomings I wrote about have now been addressed, at least within the primary care system, for which I am very grateful.
- A Little About Myself
Talking about oneself does not come easily to some of us. This can get in the way of building trust with the people we work with. But how much should you share, and how much is TMI (too much information)? In the spirit of building trust, I thought I might risk sharing a few things about myself.

To start with, I am the CEO and founder of Lean Compliance. I started this business in 2017 to help forward-looking compliance leaders succeed at keeping their organizations between the lines and ahead of risk. To achieve this success, I believe that compliance must be more proactive, integrative, and capable of contending with risk to ensure total value is protected and created. This requires a new approach that aligns more with operational excellence than it does with audit and reporting. I am currently authoring a book on the topic of "Operational Compliance: Staying Between the Lines and Ahead of Risk". This is based on my experience across my career working for hundreds of organizations and companies in highly regulated, high-risk industries and the lessons learned making compliance work. This has given me a unique perspective, having witnessed how safety, security, sustainability, quality, environmental, legal, and regulatory programs and technologies are used to advance compliance outcomes. I also write and publish weekly blog articles, and speak on the topics of risk, compliance, ethics, AI, and Lean principles and practices. I recently started a community of practice to help all compliance practitioners across all sectors elevate their compliance. This community meets every Monday @ Noon on Zoom.

I chair the AI Committee at E4P (Engineers for the Profession), advocating for the recognition and right to practice for emerging engineering disciplines. As a profession we need to do more to elevate the role of engineering across the multiple disciplines that are needed today, such as AI engineering, cybersecurity, quantum and many others. As a professional engineer I recognize that I have a duty to uphold the public welfare as paramount, and this informs my work and how I engage with clients, my community, and others to advance human flourishing. In many ways, this has raised my ethical standards, which I hope will in turn do the same for my clients. In conjunction with my church, I also facilitate a monthly Biz Group for Christian business leaders to help connect our faith with our practice. Ultimately, how we lead is grounded in the values we hold and what we believe, demonstrated by our actions. Aligning these is a measure of integrity and is something we must all continue to work on.

I also have three wonderful grown kids and the best wife a man could ever have. I don't believe we come into this world half complete, in need of someone to complete us. However, my wife has added more to my life than I could have imagined, making it better than I thought possible. Finding a life partner is indeed a wonderful thing. So, now you know a little more about me. How about you? How did you get into compliance, and what are you currently working on?
- Interview with the Founder
The following questions were asked in an interview with Raimund Laqua, Founder and Chief Compliance Engineer at Lean Compliance.
1. What made you decide to start Lean Compliance?
Over the last 25 years I noticed that many companies start well with their compliance initiatives, but they don't end well. It always was 2 steps forward and 3 steps back. It was hard for them to advance their safety, quality, environmental and regulatory compliance programs when the ground was constantly shifting beneath their feet due to changes in standards, regulations, organizational structures, leadership and so on. There had to be a way to help these companies that are struggling to stay above water to do better and in the process achieve better outcomes. That is why I started Lean Compliance: to answer that question.
2. Why did you pick the name Lean Compliance?
Early on I realized that companies could not make any improvements if all their resources were tied up fighting fires. To advance compliance more, capacity was needed, and that is precisely what LEAN helps with. LEAN has helped many companies and industries to reduce waste in their processes. This creates room for further improvements to be made, including those needed for compliance. As far as using the word "Compliance" goes, I am not fond of it. Few people like compliance, and it brings with it negative connotations. I always knew that compliance needed to go beyond conformance and focus instead on outcomes. This should, if done properly, be received more positively. Perhaps someday we might call it something else. Until then, I am trying to change our mindset from being reactive and negative and tilt it towards being proactive and positive.
3. What are the challenges that you see with how compliance is currently done?
This may seem odd to mention, but the most serious problem has to do with our attitude towards compliance. Most companies see compliance as a necessary evil instead of as a necessary good.
This attitude reinforces a reactive behavior that only deals with compliance after the fact. Companies spend most of their time paying off their compliance debt by addressing corrective actions. However, this takes too long and prevents them from benefiting from the outcomes of their investment. It's like a mortgage to them that they hope to pay off eventually, not realizing that when they do they will have paid several times for it in interest.
Another important challenge is how standards and regulations have changed. They are not as prescriptive as they once were. Many are now management or performance based, requiring companies to continuously improve and advance outcomes. It's no longer enough to just follow procedures; companies now need to actually improve safety, quality, and environmental impacts. This requires knowledge of how to deliver effective programs and systems, and this is something that many companies are lacking.
4. How does Lean Compliance help companies address these challenges?
There are no silver bullets or one-time fixes. How much compliance debt a company has will determine how best to proceed. That is why we created "The Proactive Certainty Program." This program follows a process we developed that helps companies to continuously improve their compliance so that they not only pay off their debt but stay out of debt. As each company is different, we tailor this process based on the capabilities and competencies they already have.
5. What would you like to say to those who are feeling the weight of compliance but are not sure what to do next?
Don't wait for a heart attack before you decide to improve your health. In the same way, don't wait for an incident or an audit finding before you act. As with your health, being proactive can decrease the likelihood of a heart attack in addition to bringing with it the benefits of a healthier lifestyle. Compliance functions the same way.
It all begins with your attitude and that is something that you need to change. We can help you do the rest.
- Audits Don’t Deliver Compliance
Audit is not the function that fulfills obligations. It’s the function that verifies you are keeping your commitments associated with them. What delivers on obligations is an Operational Compliance Program. Here's a breakdown of the different functions:
Audit: An audit is an independent review process that verifies whether an organization is following the rules and procedures it has set for itself. It's like a financial examiner looking at a company's books to make sure everything adds up. An audit can identify areas where controls are weak or where procedures aren't being followed. However, it seldom validates effectiveness with respect to achieving goals, performance targets, or compliance outcomes.
Operational Compliance Program: This is the program that actually ensures an organization meets its obligations. It's a set of policies, systems, processes, procedures, and training that helps an organization understand and follow the rules, conform to standard practices, achieve performance targets, and advance compliance outcomes. An effective compliance program will have things like a code of conduct, clear guidelines for different activities, and regular monitoring to identify and address any issues. It will also have continuous improvement processes to improve its effectiveness over time.
Imagine you promised a friend you'd help them move (your obligation). An audit would be like calling them afterwards to see if they actually moved (verification). But the real key to fulfilling your obligation is keeping your promise to show up on moving day and helping them lift boxes (compliance program). That is the purpose of an operational compliance program. It is the proactive function that helps you meet your commitments, while an audit is the reactive assessment that verifies whether you're doing what you said you would.
Compliance Effectiveness
The heart of an effective compliance program is integrity: closing the gap between what we promised and our actions.
Integrity is a measure of compliance performance and a leading indicator of effectiveness:
Compliance Integrity = Number of Promises Kept / Number of Promises Made
If you want to know how well compliance is working, measure how well an organization keeps its promises and commitments. However, the final word on whether or not obligations are satisfied will always be the authority that created the obligation. For external obligations this may be a regulatory agency, court judgments, or a legislature. When it comes to internal or voluntary obligations, this will be corporate or organizational governance.
Auditing of voluntary obligations can be, and often is, misunderstood. For example, if you adopt an ISO standard for quality, the certification you receive is based on a conformance audit against that standard. While this standard is voluntary, it creates an obligation to maintain the practice or risk losing your certification. What's important to realize is that certification audits do not validate whether you have met your internal obligations associated with goals, performance targets, or quality outcomes. These obligations are defined by the organization acting in the role of internal regulator, and it's these obligations that internal audit should be evaluating. Why? Because no one else is!
In many cases internal audit is only concerned with external or legal obligations. The interesting thing is there are just as many internal obligations as there are external ones. Organizations may report on these but seldom have the programs to advance or make progress towards the promised outcomes. ESG and Sustainability obligations fit into this category, although others exist across every compliance domain.
What Does this Mean for Compliance?
Audit plays an important role in verifying organizational practices but is not the function that delivers on internal or external obligations.
The function that is responsible is an Operational Compliance Program, which works with the business to make and keep promises with respect to satisfying obligations. While it doesn’t own the obligations, it provides the expertise and capabilities to equip the business to always stay between the lines and ahead of risk. Failure to deliver on obligations is not a failure of audit but rather a failure of your compliance program. An effective compliance program will always let you know in real time if you are keeping your promises with respect to both internal and external obligations. This helps organizations make course corrections while there is still time to do something about it – something that audit cannot provide.