  • One Day or Day 1

    Many organizations recognize that meeting all their obligations and staying ahead of risk requires adopting a holistic, proactive, and integrative approach to compliance. However, they also find themselves trapped by a siloed, reactive, and divided practice reinforced by years of prescriptive rules and audits. They often tell me, “I know we need to change, but we have too much on our plate. We’re too busy putting in controls, auditing, and working on corrective actions to be proactive. Perhaps one day we will be in better shape to change.” But I tell them, “That day will never come. You will never catch up, and you will never make the changes you need to really protect value creation and keep all your stakeholder commitments.” The difference between compliance failure and success depends on one decision: One Day or Day 1? You need to decide to change today. You may not know what’s needed or how to proceed at first. That can be improved over time. But no change will happen until you decide to start. You can wait until something bad happens, when it might be too late to change. Or you can decide to make One Day into Day 1.

  • What Prevents Compliance From Failing?

    James Clear, author of Atomic Habits, writes: “You do not rise to the level of your goals. You fall to the level of your systems.” He is correct. Left on our own, we drift into disorder, away from our goals. Systems prevent you from falling into disorder. Systems act as a guardrail by resisting change to reduce variation. Now, how do you raise your system levels? That’s the role of management programs, which introduce change. They adjust system targets to higher levels of performance to advance overall outcomes. Programs bridge the gap between operational objectives and organizational outcomes by elevating the quality of our systems. Without them you fall to the level of procedural conformance. With them you elevate your compliance to higher standards of safety, security, sustainability, and other compliance objectives. Programs are an essential component of operational compliance, necessary (but not sufficient) to meet performance and outcome-based obligations. Are you missing this essential function of compliance?

  • Is your compliance software hindering your effectiveness?

    Technology is a pervasive force that significantly influences our lives in various ways, particularly with the widespread integration of AI. The impact of software on us is not always apparent, as we've learned from years of using social media. It's crucial to be aware of how technology can amplify certain behaviors while constraining others. Gone are the days when we could perceive technology as neutral, merely consisting of data collection, processing, or output devices. We now understand that information possesses influence beyond our explicit requests or desires. In many ways, information has agency. Therefore, it's imperative to ensure that our technology choices align with our values, contribute to our objectives, and, most importantly, reinforce the behaviors essential for achieving our mission. Failing to do so may result in reinforcing what benefits technology at the expense of our own interests. Be mindful of your technology choices and choose wisely.

  • Achieving Success in Compliance: Three Key Strategies

    A common problem facing organizations in highly regulated, high-risk environments is how to properly govern their operations to ensure they meet all their obligations and keep all their stakeholder commitments. This problem is in many ways about aligning the ends with the means, or better, bridging the gap between organizational outcomes and operational objectives. In fact, it’s a problem of managing compliance in the middle. When one considers the combinatorial explosion of obligations and associated risks connected with safety, security, sustainability, quality, and regulatory requirements along with ethical conduct, the problem is almost intractable. This is evidenced by the large number of end points, connections, and interactions to control, particularly when addressing the problem through a reactive and reductive model centred on controls, tasks, issues, and corrective actions. Technology offers some relief by enabling certain processes and making some more efficient. However, automation can all too often result in baking in processes, or what we used to call “paving the cowpath”, resulting in greater fragility rather than agility to contend with uncertainty and complexity.

    To reduce complexity and improve overall compliance effectiveness, organizations adopt different strategies, some of which are compelled by regulation, others voluntarily chosen. These can be categorized by their primary focus: standardizing practices, integrating processes, or operationalizing systems.

      • Standardize Practices - example: management system standards and frameworks (ISO, ICH, NIST, CSA, FDA, OSHA, etc.)
      • Integrate Processes - example: GRC (Governance, Risk and Compliance)
      • Operationalize Systems - example: Lean TCM (Total Compliance Management)

    These approaches overlap to various degrees but differ in how they work and where they operate within an organization. In this article we explore each of them and compare their advantages and disadvantages.

    Standardize Practices

    ISO management system standards such as ISO 37301 (CMS) are examples of this approach. ISO standards are a set of internationally recognized guidelines designed to assist organizations in achieving operational excellence, ensuring quality, and promoting continual improvement. These standards are developed by the International Organization for Standardization (ISO), a non-governmental organization that brings together experts from various industries to create consensus-based specifications. The primary objective of ISO management standards is to establish a common framework that organizations can implement to enhance efficiency, reduce risks, and meet the expectations of stakeholders. These standards cover a wide range of disciplines, including quality management, environmental management, information security, and occupational health and safety.

    Implementation of ISO management standards typically involves a systematic approach, starting with a thorough understanding of the organization's processes and objectives. Organizations seeking certification adhere to the specific requirements outlined in the relevant ISO standard. The implementation process often includes the development of documented policies, procedures, and guidelines, as well as the establishment of key performance indicators to measure progress. Certification, which is usually assessed by independent third-party auditors, serves as a formal recognition that the organization's management system conforms to the specified ISO standard. Achieving and maintaining ISO certification demonstrates a commitment to excellence and can enhance an organization's reputation, fostering trust among customers, partners, and regulatory authorities.

    One of the fundamental principles of ISO management standards is the concept of continual improvement. Organizations are encouraged to regularly review and refine their management systems to adapt to changes in the internal and external environment. Continuous monitoring, measurement, and evaluation of performance metrics help identify areas for enhancement and ensure that the organization remains responsive to evolving circumstances. This iterative process not only drives efficiency but also cultivates a culture of innovation and adaptability within the organization. In essence, ISO management standards provide a dynamic and flexible framework that empowers organizations to navigate the complexities of today's business landscape while fostering a commitment to ongoing improvement and customer satisfaction.

    Potential Weaknesses

    While ISO standards provide valuable guidelines for organizations seeking to enhance their processes and ensure quality, there are some key weaknesses associated with their implementation:

      • Rigidity and Formality: ISO standards can be perceived as rigid and overly formal, leading to a potential disconnect between the prescribed requirements and the dynamic needs of certain organizations. This formality may hinder innovation and creativity in some contexts, especially in rapidly evolving industries where flexibility is crucial.
      • Resource Intensiveness: Achieving and maintaining ISO certification can be resource-intensive, particularly for small and medium-sized enterprises (SMEs). The documentation, training, and audit processes involved can be time-consuming and costly, posing a challenge for organizations with limited budgets or manpower.
      • Focus on Documentation: ISO standards often emphasize extensive documentation to demonstrate compliance. While documentation is essential for clarity and accountability, an excessive focus on paperwork can lead to a "box-ticking" mentality, where organizations prioritize meeting documentation requirements over genuine process improvement and effectiveness.
      • Limited Adaptability: ISO standards may not always adapt quickly enough to emerging trends, technologies, or industry-specific nuances. This limitation can make it challenging for organizations in cutting-edge or highly specialized fields to fully align their management systems with the most current best practices.
      • Lack of Strategic Guidance: ISO standards provide a framework for establishing management systems but may not offer specific strategic guidance tailored to individual organizations. This can result in organizations achieving ISO certification without necessarily aligning their management systems with their strategic goals.
      • Perceived Bureaucracy: The implementation of ISO standards can sometimes be viewed as bureaucratic, especially by employees who may feel burdened by additional administrative tasks. This perception may hinder employee engagement and commitment to the principles of the ISO management system.
      • Overemphasis on Documentation Compliance: In some cases, organizations may prioritize demonstrating compliance with documentation requirements rather than focusing on the underlying principles and effectiveness of the management system. This can lead to a superficial adherence to ISO standards without realizing the intended benefits.

    It's important to note that these weaknesses do not negate the overall value of ISO standards. Organizations should carefully consider their specific needs, industry context, and strategic objectives when deciding to adopt and implement ISO management standards.

    Integrate Processes

    Governance, Risk, and Compliance (GRC) frameworks are an example of this approach. GRC is a holistic framework that integrates three critical components of organizational management: governance, which involves the establishment of structures and processes for decision-making and accountability; risk management, which focuses on identifying, assessing, and mitigating potential threats to an organization's objectives; and compliance, which ensures adherence to relevant laws, regulations, and internal policies.
    The GRC framework aims to harmonize these elements to promote effective decision-making, mitigate risks, and ensure compliance with legal and regulatory requirements. Within a GRC framework, governance sets the tone for the organization by defining its strategic objectives and establishing the framework for decision-making. It involves the allocation of responsibilities, creation of policies, and development of communication structures to guide the organization toward its goals. Risk management within GRC involves the identification, assessment, and prioritization of potential threats to the achievement of objectives. This proactive approach enables organizations to implement strategies to mitigate risks and capitalize on opportunities effectively. Compliance, the third pillar of GRC, ensures that an organization operates within the bounds of relevant laws, regulations, and internal policies. It involves monitoring, reporting, and taking corrective actions to address any non-compliance issues.

    The GRC framework operates synergistically, providing a structured approach to managing the complex interplay between governance, risk, and compliance. Implementation often involves the use of technology and specialized software solutions to streamline processes, enhance visibility, and facilitate real-time monitoring. GRC frameworks not only help organizations avoid legal and financial pitfalls but also contribute to overall business resilience and sustainability. By embedding a culture of accountability and transparency, GRC facilitates the establishment of robust internal controls, ultimately leading to improved decision-making, stakeholder trust, and long-term organizational success.

    Potential Weaknesses

    While Governance, Risk, and Compliance (GRC) frameworks offer valuable tools for managing and aligning organizational processes, they are not without potential weaknesses. Here are some common weaknesses associated with GRC frameworks:

      • Complexity: GRC frameworks can be intricate and complex, particularly in large organizations. The complexity may lead to confusion among employees and make it challenging to implement and maintain the framework effectively.
      • One-Size-Fits-All Approach: Some GRC frameworks may adopt a generic or standardized approach that might not suit the specific needs and nuances of an organization. This can result in inefficiencies and may not adequately address the unique risks and compliance requirements of the organization.
      • Lack of Integration: Integration is the by-word of GRC, and issues may arise if the GRC framework is not well integrated with existing business processes and systems. Siloed information and disconnected processes can hinder the effectiveness of risk management and compliance efforts.
      • Overemphasis on Conformance: In some cases, organizations may focus too heavily on adherence to procedures, neglecting the broader aspects of governance and risk management. This can lead to a reactive approach rather than a proactive one.
      • Resistance to Change: Implementing a GRC framework often requires significant changes in organizational culture, processes, and structures. Resistance from employees and stakeholders can impede successful adoption and implementation.
      • Resource Intensive: Developing, implementing, and maintaining a GRC framework can be resource-intensive. Small and medium-sized enterprises may find it challenging to allocate the necessary resources for a comprehensive GRC program.
      • Technology Dependence: Some organizations rely heavily on technology solutions for GRC management. While technology is essential, over-dependence on tools without a solid understanding of the underlying principles and processes can be a weakness.
      • Inadequate Communication: Effective communication is crucial for the success of any GRC framework. Weaknesses may emerge if there is a lack of clear communication regarding roles, responsibilities, and expectations related to governance, risk, and compliance.
      • Insufficient Training and Awareness: Employees may not fully understand the importance of GRC or their roles in the framework. Lack of training and awareness can result in non-compliance and ineffective risk management practices.

    Despite these weaknesses, a well-designed and effectively implemented GRC framework can provide substantial benefits to organizations. It's crucial for organizations to carefully tailor GRC practices to their specific needs, regularly assess their effectiveness, and continuously improve their approach to governance, risk management, and compliance.

    Operationalize Systems

    Lean TCM (developed by Lean Compliance) is an example of this strategy. Lean TCM takes a different approach from other methodologies by considering a different set of questions:

      • What would compliance look like if it was already an integral part of the value chain?
      • How could effectiveness be realized right from the start?
      • What is necessary to meet all obligations and keep promises?
      • How would it need to operate, and what is essential for operability?

    Instead of standardizing and integrating all the pieces of a “broken” system at the task or process level, Lean TCM endeavours to establish an integrative operating model that works at the point where obligations become promises. Lean TCM operates in the middle of an organization, bridging the gap between outcomes and objectives, which is essential to achieve effectiveness (i.e. the realization of benefits). Unlike traditional compliance approaches, Lean TCM does not replace existing management standards; instead, it elevates them to a higher level, providing essential capabilities that extend beyond mere certification. It addresses both Compliance 1 (rules and practices) and Compliance 2 (targets and outcomes), encompassing legal and social licenses to operate.
    This framework serves as a guiding navigator for organizations, ensuring the right balance between reactive and proactive behaviours and practices. Drawing inspiration from various management disciplines such as Total Quality Management, Continuous Improvement, Lean Startup, Hoshin Kanri, ISO standards (e.g., ISO 37301 for CMS and ISO 31000 for RM), Performance Management, Promise Theory, and Cybernetics, Lean TCM is designed to tackle modern-day compliance challenges. It enables organizations not only to achieve more benefits than certification alone but also to handle regulatory and stakeholder obligations efficiently. The framework emphasizes sustainability, trust-building, and the fulfillment of obligations, equipped with strategies for improvement, alignment, and accountability at every organizational level.

    The Lean TCM Framework provides organizations with a holistic, proactive, and integrative approach to operating in highly regulated and high-risk environments. It serves as more than just a means to an end, defining an operational approach for sustainable mission success. The Operational Compliance Model within Lean TCM ensures that compliance is not just a set of rules but an operational function, achieving Minimal Viable Compliance (MVC) by incorporating regulatory design principles derived from systems theory and cybernetics. Additionally, Lean Compliance offers advanced programs such as The Proactive Certainty Program™ and The Elevate Compliance Program, both designed to facilitate compliance transformation, strengthen defenses, and address modern compliance challenges with assurance.

    Lean TCM emphasizes the following:

      • You start with something that is already operational, simpler, and capable of delivering benefits.
      • The point of intervention happens where obligations align with promises, outcomes align with objectives, and the ends align with the means.
      • It adds the function of management programs missing from management system standards, including GRC frameworks.
      • It is implemented using Lean Startup to accelerate learning and improvement.
      • It focuses on outcomes and operational risk.
      • It harnesses lean principles to reduce waste and create the opportunity for proactive improvements.
      • You learn to drive towards compliance outcomes by driving right from the start.

    Weaknesses

    While Lean Total Compliance Management (Lean TCM) offers a robust framework for organizations to enhance their compliance efforts, there are certain weaknesses associated with this approach:

      • Novel Implementation (Lean Startup): Lean TCM utilizes the Lean Startup approach, which may not be as familiar to those who have followed traditional bottom-up approaches.
      • Resource Intensiveness: Similar to other comprehensive compliance frameworks, Lean TCM may demand significant resources, both in terms of time and financial investment. Smaller organizations or those with tight budgets may find it challenging to allocate the necessary resources for successful implementation.
      • Resistance to Change: The introduction of a holistic and integrative compliance approach may face resistance from employees accustomed to traditional compliance methods. The shift towards a proactive and operational compliance culture might encounter pushback, requiring effective change management strategies to ensure successful adoption.
      • Limited Experience: While Lean TCM incorporates well-known principles and practices from different domains, its overall approach may not be as familiar. This could pose a challenge for organizations looking for traditional methods.
      • Not Elevating Minimal Viable Compliance: While the concept of achieving Minimal Viable Compliance (MVC) is integral to Lean TCM, there is a risk of organizations focusing solely on meeting the minimum requirements rather than striving for continuous improvement and excellence in compliance practices.
      • Dependency on Existing Capabilities: Lean TCM emphasizes elevating existing resources for compliance benefits. However, organizations with inadequate existing capabilities or those lacking a strong foundation in relevant management principles may struggle to realize the full potential of Lean TCM.
      • Limited Industry-Specific Guidance: Lean TCM provides a broad framework applicable across various industries and compliance domains, but it may lack specific guidance tailored to certain sectors with unique compliance challenges. Organizations in highly specialized fields may need to supplement Lean TCM with industry-specific expertise.
      • Potential Overemphasis on Effectiveness: The focus on outcomes may lead to an overemphasis on effectiveness, potentially neglecting the importance of efficiency.

    Despite these weaknesses, organizations can mitigate challenges by carefully assessing their specific needs, participating in educational programs, and developing a tailored roadmap for their organization.

    An Aside From the Past

    Those working in the IT industry in the 90’s may remember using CORBA (www.corba.org). The CORBA approach is based on the concept of a middleware infrastructure, known as the Object Request Broker (ORB), which facilitates communication and interaction between distributed objects. Back then we attempted to create business objects written in Java for every object of interest to the business, which would then be integrated together using a CORBA broker. Sounds great! It also sounds very familiar and similar to the approaches taken by GRC frameworks and, to a lesser degree, management system standards. As you can imagine, there was not enough time, energy or funding to define and integrate everything, so CORBA implementations usually failed. This is an important lesson for any holistic approach, particularly those that depend on tight coupling of objects and the need for everything to be perfect. This is something that Lean TCM attempts to address by operating in the middle, above the task and procedure level, and using the concept of minimal viable programs (MVPs), which can be elevated over time.

    Implementing CORBA also taught me that just because you integrate everything together doesn’t mean you will end up with more than you started with, apart from now having to manage all the integration touch points. When you connect reactive processes together you still end up with a reactive system. Integration only makes sense when used to build a system that is capable of delivering benefits, which is something that many organizations fail to understand.

    Summary

    In this article we explored three key strategies for achieving success in compliance within highly regulated, high-risk environments. The common challenge faced by organizations in these environments is effectively governing their operations to meet obligations and stakeholder commitments while bridging the gap between organizational outcomes and operational objectives. The strategies discussed include standardizing practices, integrating processes through Governance, Risk, and Compliance (GRC), and operationalizing systems with Lean Total Compliance Management (Lean TCM).

    The first strategy involves standardizing practices using management standards, which provide recognized guidelines to enhance efficiency, reduce risks, and meet stakeholder expectations. While management system standards offer valuable guidance, potential weaknesses include rigidity, resource intensiveness, and a potential overemphasis on documentation compliance.

    The second strategy focuses on integrating processes through GRC frameworks, harmonizing governance, risk management, and compliance. Despite their advantages, GRC frameworks have potential weaknesses, such as complexity, a one-size-fits-all approach, and the challenge of integration with existing business processes.

    The third strategy introduces Lean TCM, a unique approach developed by Lean Compliance that operationalizes obligations by integrating compliance into the value chain. Lean TCM addresses Compliance 1 and Compliance 2 requirements, offering a holistic, proactive, and integrative approach. However, potential weaknesses include its novel implementation using Lean Startup, limited industry-specific guidance, and potential resistance to something different.

    In essence, each strategy has its strengths and weaknesses, and organizations must carefully consider their specific needs, industry context, and strategic objectives when choosing a compliance approach. While ISO standards, GRC frameworks, and Lean TCM offer valuable insights, successful implementation requires a tailored approach, ongoing assessment, and a commitment to continuous improvement.

  • Shingo Model: 3 + 1 Insights to Achieve Organizational Excellence

    With compliance in all of its manifestations (safety, security, sustainability, quality, environmental, regulatory, etc.) taking on a more integral role in the operations of an organization, it also takes on greater responsibilities. One of these is the pursuit of operational excellence. Operational excellence refers to an organizational philosophy and management approach that focuses on consistently achieving optimal performance and efficiency in all aspects of business operations. It involves the continuous improvement of processes, systems, and workflows to enhance productivity, reduce waste, and deliver high-quality products or services. Operational excellence is often associated with Lean management principles, Total Quality Management (TQM), and other methodologies that aim to create a culture of continuous improvement.

    The Shingo Institute (home of the Shingo Prize) is a non-profit organization that focuses on promoting organizational excellence using a methodology that has gained prominence for its transformative approach to achieving operational excellence and continuous improvement. At the heart of the Shingo Model™ are three pivotal insights that guide organizations toward mission success. In this article, we delve into these insights along with one that we learned as part of Lean Compliance and explore how they are beneficial to compliance excellence:

      • Insight #1: Ideal Results Require Ideal Behaviour
      • Insight #2: Purpose and Systems Drive Behaviour
      • Insight #3: Principles Inform Behaviour
      • Insight #4: Programs Elevate Systems (Lean Compliance)

    Insight 1: Ideal Results Require Ideal Behaviour

    Central to the Shingo Model™ is the understanding that achieving ideal results necessitates cultivating ideal behaviours within an organization. This insight emphasizes the critical role of leadership in setting the tone for expected behaviours. Leaders are urged to inspire and model the behaviours that align with the organization's goals, fostering a culture where everyone is committed to excellence. By promoting a mindset where individuals take ownership of their actions (along with obligations) and continuously strive for improvement, organizations can create a ripple effect of positive behaviours that lead to optimal outcomes. This insight encourages leaders not only to focus on end results but also to consider the behaviours and practices that drive those results.

    Insight 2: Purpose and Systems Drive Behaviour

    The second key insight of the Shingo Institute Management System underscores the influence of purpose and systems on shaping organizational behaviour. Purpose serves as a guiding force, aligning the actions of individuals and teams with the overall mission and vision of the organization. When individuals understand the purpose behind their work, they are more likely to engage in behaviours that contribute to the achievement of organizational goals. Additionally, systems play a crucial role in influencing behaviour. The design and structure of systems within an organization can either support or hinder the desired behaviours. The Shingo approach encourages leaders to examine and optimize systems to ensure they drive behaviours that align with the organization's purpose and goals.

    Insight 3: Principles Inform Behaviour

    The third insight centres around the idea that principles inform behaviour. The Shingo Institute Management System is built on a set of guiding principles that serve as a compass for decision-making and action. These principles, which include humility, respect, and continuous improvement, are the foundation for creating a culture of excellence. By embedding these principles into the organizational DNA, leaders can guide behaviour at all levels. Principles inform the choices individuals make, the way teams collaborate, and the overall culture of the organization. This insight emphasizes the importance of aligning actions with enduring principles to foster a sustainable culture of excellence.

    Insight 4: Programs Elevate Systems (Lean Compliance)

    This insight comes from Lean TCM (Total Compliance Management), emphasizing the idea that management programs elevate system performance. Whereas systems are designed to resist change by removing variability, management programs introduce change to advance outcomes. Management programs drive the system performance levels needed to advance targeted compliance outcomes. In essence, programs regulate systems towards desired outcomes in the same way that systems regulate processes toward desired outputs. This insight emphasizes that to achieve better outcomes you need programs to elevate systems.

    Conclusion

    The Shingo Institute’s insights, along with the Lean Compliance model, offer profound approaches to organizational and compliance excellence. By recognizing the interplay between ideal behaviour, purpose-driven systems and programs, and guiding principles, organizations can create a framework for continuous improvement and mission success. Embracing these insights empowers leaders and teams to cultivate a culture where behaviours are aligned with organizational goals and obligations, driving sustained excellence and adaptability in a dynamic business environment.

  • Controls without Systems are not Controls

    Controls without systems are not controls; they are only processes. In many compliance domains, meeting obligations is seen as a controls problem. As a result, documenting, building, managing, and monitoring controls is at the forefront of compliance activities. This is reinforced, if not driven, by industry management system standards which conceptualize compliance in the same way and provide a long list of controls that you “should” implement. However, focusing solely on controls often results in losing sight of the big picture. Many have lost sight of the forest for the trees.

    Controls are processes that adjust operating system parameters to maintain output between targeted values. Technically, controls perform the function of regulation needed to achieve compliance with a given standard of performance. This applies to all systems, including socio-technical ones. However, all too often controls are implemented without knowledge of what they are intended to control, how they work, or what they are supposed to accomplish. Many may not be connected to the systems they are intended to control. They may even operate at cross-purposes, implemented to work separately rather than together. This is definitely a significant source of compliance waste.

    Instead of compliance systems, many organizations have control management systems, often doing no more than mapping controls to regulatory elements. They might even have all the boxes checked and be able to pass an audit. What many organizations don’t have (but need) are controlled systems to deliver on the commitments associated with their obligations. They need systems capable of creating the outcomes of compliance. Compliance is about regulation, and you cannot regulate without a system; you cannot regulate with controls alone.

    If you are not realizing desired outcomes from your compliance efforts, check to make sure your controls are connected, operational, and effective at regulating your safety, security, sustainability, quality, environmental, regulatory and ethics systems. Don’t lose sight of compliance for the controls.

  • Is Your Compliance Regulating Fast Enough?

    Modern compliance must regulate at faster rates to keep an organization always on-side and operating between acceptable safety, security, sustainability, quality, regulatory and ethical levels.

    In an electrical circuit, voltage regulation (maintaining a consistent voltage level) is achieved using a feedback loop that measures the output and adjusts the circuit to remove variation from that output. In modern switch-mode power supplies this happens at a frequency of roughly 20,000 to 2 million cycles per second. In theory, the frequency of regulation is chosen to be fast enough to keep variation in the output within acceptable levels: the greater the variation in the input voltage, the higher the regulation frequency needs to be.

    This is not unlike how audit-correction cycles work. In theory, audits and corrections should happen as frequently as necessary to maintain adherence to standards within acceptable levels. The number of days spent operating outside the lines and the time it takes to return to acceptable levels are measures of compliance effectiveness and performance respectively. However, what many don't consider is this: the more often things change, the more frequent audits need to be.

    Let’s assume you audit conformance to prescribed controls once every year. It's therefore possible to be off-side for an entire year before it’s noticed, plus the time it takes to correct the deviation, hopefully before the next audit. In the worst case, it could be two years before you get back on-side. What impact would being off-side for two years have on your operations? That’s why audits are often too slow and too late to protect value creation. Never mind that audits seldom evaluate effectiveness against targeted compliance goals and outcomes.

    As change can be a significant source of risk, organizations in highly regulated, high-risk sectors use a Management of Change (MOC) process to keep up with the speed of risk due to planned changes. This process functions as a real-time compliance regulator to keep an organization always operating between the lines.

    Here are a few questions to consider when planning your compliance: How long do you wait before knowing when you are off-side? What are acceptable levels of effectiveness and performance for compliance? What capabilities and capacities do you need to regulate your compliance to meet your measures of success? What strategies can you apply to always stay between the lines?
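To make the audit-interval reasoning above concrete, here is a small detection-latency model. It is an added illustration, not code from the original post. It assumes audits happen on a fixed calendar (day 0, k, 2k, ...), that a deviation is noticed at the first audit after it appears and repaired a fixed number of days later, and that a deviation arriving while a correction is already pending is fixed by that same correction. The deviation days, the three cadences and the two-year horizon are constructed numbers, not measurements.

```python
"""Detection-latency model for audit-correction cycles.

Added illustration, not part of the original post. It runs a constructed list
of deviation days (days on which a control silently goes off-side) against
several regulation cadences and totals the time spent off-side: detection
latency plus correction time. All numbers are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cadence:
    name: str
    audit_interval_days: int  # how often adherence is checked
    correction_days: int      # days from detection to back on-side


# Constructed cadences: an annual audit, a quarterly review, and daily
# automated control monitoring standing in for "continuous" regulation.
ANNUAL = Cadence("annual audit", 365, 60)
QUARTERLY = Cadence("quarterly review", 90, 30)
CONTINUOUS = Cadence("daily monitoring", 1, 5)

# Constructed deviation days over a two-year horizon (not real data).
DEVIATIONS = [40, 200, 410, 600]
HORIZON_DAYS = 730


def next_audit(day: int, interval: int) -> int:
    """First audit day strictly after `day`, on a fixed calendar 0, k, 2k, ..."""
    return (day // interval + 1) * interval


def days_off_side(deviations, cadence: Cadence, horizon_days: int) -> int:
    """Total days spent off-side within the horizon for one cadence.

    Assumptions: a deviation is noticed at the next scheduled audit and
    corrected `correction_days` later; a deviation that arrives while a
    correction is still pending is fixed by that same correction.
    """
    off_side = 0
    restored_at = 0  # day the control was last brought back on-side
    for day in sorted(deviations):
        if day >= horizon_days:
            break
        if day < restored_at:
            continue  # already off-side; the pending correction covers it
        detected = next_audit(day, cadence.audit_interval_days)
        restored_at = min(detected + cadence.correction_days, horizon_days)
        off_side += restored_at - day
    return off_side


def worst_case_off_side(cadence: Cadence) -> int:
    """Longest single excursion: a deviation introduced right after an audit."""
    return cadence.audit_interval_days + cadence.correction_days


def off_side_share(deviations, cadence: Cadence, horizon_days: int) -> float:
    """Fraction of the horizon spent off-side."""
    return days_off_side(deviations, cadence, horizon_days) / horizon_days


if __name__ == "__main__":
    for cadence in (ANNUAL, QUARTERLY, CONTINUOUS):
        share = off_side_share(DEVIATIONS, cadence, HORIZON_DAYS)
        print(f"{cadence.name:18s} off-side {share:6.1%} of the horizon, "
              f"worst single excursion {worst_case_off_side(cadence)} days")
```

With the same four deviations, the annual cadence leaves the organization off-side for most of the two years, while daily monitoring keeps each excursion to a few days; the worst single excursion is simply the audit interval plus the correction time. This is the same argument security teams make for continuous control monitoring over periodic audits.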

  • Not All Holes Are Hazards

    Not all holes are hazards, and not all risks matter. The risks that matter are the ones between you and your objective.

  • Why IT is Failing Compliance

    In the IT industry, where I spent much of my early career, a significant share of resources is dedicated to integrating components together. This is needed to build enterprise solutions from capabilities spread across a variety of existing and new technologies. A common architectural principle for this kind of integration is to minimize coupling (how tightly they are connected) between the solution and its components. That way you can, in theory, replace a component with something else downstream. You can also avoid unintended side effects when code changes. Along with the design goal of loose coupling, it is also standard practice to achieve a high level of encapsulation, hiding the internals of a component from the solution that uses it. Both of these design principles are intended to minimize disruption arising from future changes to either the solution or its components.

    While these design principles make sense for IT solutions, they are not what's needed for compliance. Instead, compliance needs to achieve tighter coupling and greater transparency with the value chain. You could say, in technical terms, that there is an impedance mismatch between IT and compliance objectives.

    What Compliance Needs from IT

    Compliance needs to be integral to the value chain, not merely integrated with it. This also applies to the tools and technologies used to support compliance. However, IT solutions struggle to realize these principles, particularly SaaS and cloud applications. While they may integrate with your business, they seldom provide the means for compliance to be an integral part of the value chain so that the business always knows if it is operating between the lines. Negotiating the cultural and architectural differences between compliance and IT is critical for compliance to achieve higher levels of performance and effectiveness. This is more important now with the advent of artificial, or rather machine, intelligence, where we need greater levels of transparency, explainability, and trust.

  • The Need For Digital Twin Safety

    Digital twins are virtual counterparts of physical entities that merge real-time data from sensors and IoT devices with sophisticated analytics and simulation, facilitating monitoring, analysis, and optimization of operations and assets. Alongside the benefits of digital twins, the integration of Artificial Intelligence (AI) introduces additional considerations and risks commensurate with how the twin is used: as a Digital Shadow, for Decision Support, or for Autonomous Control.

    Digital Shadow: Digital twins provide real-time representations of physical entities, offering insights without direct interaction. AI algorithms enhance the analysis of data within digital twins, but they also introduce the risk of bias or errors if not carefully trained and validated. Moreover, AI-driven decisions may be opaque, making it challenging to understand their rationale and assess their reliability.

    Decision Support: Digital twins can serve as decision support tools by providing actionable intelligence through advanced analytics and simulation. AI algorithms within digital twins enable predictive modeling and optimization, but they may also amplify errors or biases present in the data. Additionally, complex AI models may lack interpretability, hindering decision-makers' ability to trust and understand their recommendations.

    Autonomous Control: Digital twins in their most advanced state enable autonomous control by acting on decisions based on real-time data and predictive insights. AI algorithms drive autonomous actions within digital twins, enhancing efficiency and responsiveness. However, they also introduce risks of malfunction or adversarial attacks, potentially leading to unintended consequences or safety hazards. Additionally, AI-driven autonomous systems raise ethical considerations regarding accountability and transparency in decision-making.

    While the integration of AI enhances the capabilities of digital twins, it also introduces considerations related to algorithmic bias, interpretability, and system reliability. Addressing these requires rigorous validation, transparency, and ethical oversight to ensure the responsible and effective use of AI within digital twin technologies across diverse applications and industries.

    Digital Twin Safety

    In light of the risks associated with digital twins, particularly when integrating Artificial Intelligence, establishing robust safety programs is imperative to protect the public and effectively contend with potential risks. A comprehensive Digital Twin Safety Program should encompass rigorous risk assessment, validation, and continuous monitoring mechanisms. This involves identifying and evaluating potential risks arising from data inaccuracies, algorithmic biases, cybersecurity threats, and system malfunctions. Additionally, the safety program should prioritize transparency and accountability in decision-making processes, ensuring that stakeholders understand the basis of AI-driven actions and can intervene if necessary. Regular audits and evaluations of digital twin systems are essential to identify emerging risks and adapt mitigation strategies accordingly. In addition, collaboration between industry stakeholders, regulatory bodies, and technology developers is crucial to establish standards, guidelines, and best practices for the responsible deployment of digital twin technologies that use machine intelligence capabilities. By implementing robust safety programs, organizations can mitigate risks, safeguard public welfare, and foster trust in the use of digital twins across various domains.

  • Prioritizing CI Projects – Mission Impossible?

    Continuous improvement is needed across all business functions, including those responsible for safety, security, sustainability, quality, regulatory, and other stakeholder obligations. Whether you are responsible for maintenance, continuous improvement, or capital projects, there comes a day when you need to answer which projects you should do, and in what order, to improve the probability of mission success. Let’s imagine that today you are that person who has to decide. Here is your challenge, should you choose to accept it.

    Mission Possible

    Note: while this scenario is fictitious, it is based on real-world examples I have been involved in over the years.

    Scenario

    You are the CI Officer responsible for continuous improvement across your organization. You have compiled a list of candidate projects that promise improvements to productivity (margin, throughput, costs, waste, etc.) as well as better outcomes for compliance, quality, safety, security, and so on. Some of these projects depend on others, and some may cause significant disruption before benefits are realized. Each has different costs, benefits, and risks associated with it. Some may actually fail, and some are critical to mission success. You need to decide which ones to do and in what order so they don’t compromise current outcomes or productivity. In other words, improvements can’t break the bank or the business. Ideally, changes (on the whole) should generate financial gains sufficient to fund other projects, creating a virtuous cycle of improvement.

    Problem

    Create a self-funding continuous improvement (CI) portfolio providing a rank order of projects that optimizes overall outcomes and productivity while avoiding negative impacts to the business. Assume the first set of projects will receive sufficient capital to get things going. This initial set should be optimized to minimize the initial investment while still being sufficient to create the future gains that fund successive improvements based on the rank ordering of projects. New projects will be added at the end of each year and incorporated into the portfolio.

    Assumptions and Constraints

    Your organization provides highly regulated services to customers. Your organization is organized as functional teams with hierarchical management. Advancing outcomes is preferred over cost reductions. The project portfolio should be self-funding beyond the initial seed investment. Mission-critical projects have the highest priority. No staff reductions: eliminated resources will be reallocated to support further improvements. Assume a 5-year planning horizon with 20% new projects added each year. Assume that one third of the projects are critical to mission success, but with various degrees of criticality.

    Methodology and Approach

    How would you meet this challenge? What approach would you use? What principles could be applied to categorize and select projects? What additional information do you need to know about the business, the projects, or otherwise? What capabilities are needed to meet the portfolio objectives? How would you ensure improvement benefits are realized? How would you manage and measure progress across the five years? And finally, would you accept this challenge? Why or why not?

© 2017-2025 Lean Compliance™ All rights reserved.