SEARCH

The Compliance Charter In project management, we don't start without a charter. Yet in compliance—where the stakes are often higher and the obligations more complex—many organizations dive in without establishing their foundational document. It's time we borrowed this proven practice and applied it where it matters most: keeping our promises to stakeholders. What Is a Compliance Charter? Drawing from both project management best practices and the structured approach of I SO 37301 , a compliance charter serves as the formal authorization and roadmap for your compliance program—the initiative that will create new organizational capabilities to improve your underlying compliance systems. Just as projects create new capabilities (a new product, system, or service), your compliance program creates new capabilities to advance compliance operability—the organization's ability to consistently deliver on all obligations across safety, quality, environmental, regulatory, and other domains. The charter provides the planning foundation that transforms compliance from scattered activities into integrated operational capability. Think of it as your organization's commitment contract to building the systems, processes, and culture needed to keep promises consistently. The Anatomy of an Effective Compliance Charter Based on proven project charter structures and compliance management principles, your compliance charter should include: Purpose & Business Case : Why this compliance program exists and what new capabilities it will create to improve how your organization manages obligations across all domains. Scope & Boundaries : Which compliance systems and processes will be enhanced or created, and which organizational areas will benefit from these new capabilities. Success Criteria : How you'll measure the effectiveness of your new compliance capabilities—not just audit pass rates, but improved ability to identify, track, and fulfill obligations consistently. Capability Goals : The specific operational competencies your program will build—integrative obligation tracking, real-time compliance monitoring, predictive risk management, or systematic compliance operability across all domains. Leadership Commitment : Top management's demonstrated commitment to building these new compliance capabilities and sustaining them over time. Resource Allocation : The people, budget, technology, and time required. If you're limited to spreadsheets and emails, you'll struggle to maintain any reasonably sized compliance management system. Risk Context : Understanding your organization's internal and external context to identify compliance risks and management approaches. Timeline & Milestones : Key deliverables and checkpoints that demonstrate progress toward operational readiness. Why Your Organization Needs This Organizations face multiple obligations simultaneously across legal, regulatory, and voluntary commitments. Without a charter, compliance efforts become reactive firefighting rather than proactive capability building. The charter forces crucial conversations: What promises are we making? To whom? How will we keep them consistently? Who's accountable? What happens when we don't? Our mission is helping organizations increase stakeholder trust by improving their ability to meet ALL their obligations. That starts with clarity about what you're trying to achieve and how you'll get there. Moving From Charter to Capability Your compliance charter isn't a document you write once and file away. It's a living commitment that guides your program's evolution as it builds the organizational capabilities needed to manage increasingly complex obligations. The charter should drive decisions about which systems to integrate first, what processes to standardize, and how to sequence capability development toward full compliance operability. As your compliance program matures, the charter helps ensure each phase builds operational strength while maintaining focus on the ultimate goal: seamless, reliable compliance delivery at organizational scale. As ISO 37301 emphasizes, effective compliance management requires principles of good governance, integrity, transparency, accountability, and sustainability. Your charter embeds these principles into your organizational DNA from day one. The question isn't whether you need a compliance charter—it's whether you can afford to operate without one. In highly-regulated, high-risk industries, the cost of unclear commitments and scattered efforts far exceeds the investment in getting this foundation right. Start with clarity. Build with purpose. Operate with confidence. Ready to develop your compliance charter? Our T otal Value Advantage Program™ helps organizations establish the essential capabilities needed to achieve compliance operability—the integrative ability to consistently meet all obligations while driving continuous improvement. Because operational compliance isn't just good practice—it's competitive advantage.

The Dual Nature of Compliance Over the years working with companies in highly-regulated industries, I've observed that organizations often struggle with compliance because they fail to distinguish between two fundamentally different types of work. They treat everything as equally urgent, pushing all work through the system regardless of actual need. This creates inefficiency and waste while failing to prevent the risks that matter most. The solution lies in recognizing that compliance involves two distinct flows requiring opposite strategies— pull for promises, push for risk. The Push of Obligations Let's start with what we cannot control. Obligations are pushed onto organizations from the outside world. Regulators don't wait for organizational readiness before issuing new requirements. Legislators pass laws on political timelines. Industry standards evolve. Customers demand certifications according to their procurement schedules. This external push is inevitable—organizations are demand-receivers in the compliance landscape. However, not all obligations come from outside. Organizations regularly push obligations onto themselves through voluntary commitments—sustainability pledges, ethical sourcing standards, diversity targets, voluntary certifications. While theoretically discretionary, competitive pressure and stakeholder expectations often make them feel just as mandatory as regulatory requirements. The critical difference: pull systems can reveal when voluntary obligations create unsustainable bottlenecks, providing data-driven insight to modify or discontinue them—a strategic flexibility that doesn't exist with mandated requirements. Pull for Promises: Making Bottlenecks Visible Obligations and Promises Once obligations exist—whether mandated or voluntary—organizations can use pull principles to fulfill them efficiently. Instead of immediately mobilizing resources when a new requirement appears, compliance work is pulled through the system based on level of commitment and applicability to the organization. A regulatory change announced with a two-year implementation window doesn't need immediate action—it needs a clearly defined trigger point that pulls appropriate resources when action becomes necessary. Pull systems excel at revealing where promise-keeping breaks down. When documentation requests accumulate before audits, when certifications expire before renewals complete, when regulatory deadlines are consistently missed—these visible accumulations pinpoint where capacity is insufficient. Pull systems reveal more than just delays. They also expose excess work from over-commitment, such as redundant reporting requirements that consume resources without adding value. They reveal duplicate delivery on promises due to lack of coordination—different departments doing similar work, preparing parallel compliance reports, or responding independently to the same stakeholder requirement. A compliance kanban board that shows work backing up, the visual management system that highlights both delays and redundancies—these are diagnostic tools that make constraints and waste obvious and actionable. This visibility enables continuous improvement. You're not guessing where to add resources or improve processes; the pull system shows you precisely where promises are falling behind to from obligation to fulfillment. Push for Risk: Prevention Requires Forecasting Risk management operates on entirely different logic. You cannot wait for a data breach to occur before implementing security controls. You cannot pull a response to a compliance violation after it has created regulatory liability. Prevention requires pushing controls, safeguards, and capabilities into place before they're needed—often for events that may never occur. This is fundamentally forecasting-based work. What regulatory changes are on the horizon? What emerging technologies might create new compliance challenges? What systemic vulnerabilities could cascade into organizational crises? Risk management demands horizon scanning, scenario modelling, and proactive deployment of countermeasures. The push approach accepts what appears to be inefficiency or waste as the necessary price of resilience. You build redundant capacity, invest in monitoring systems that may never detect an incident, and create response capabilities that might go unused. These are insurance premiums paid in organizational resources rather than money. Integrative Systems: Using Each Approach for What It Does Best The sophistication lies in connecting these two approaches. Pull-based promise-keeping generates valuable data about where compliance obligations concentrate and where failures occur most frequently. This historical pattern data should inform push-based risk investments. If pull systems consistently reveal bottlenecks in privacy compliance, that's a signal to push additional preventive controls into data governance. If promise-keeping regularly fails during regulatory transitions, that indicates a need to push more change management capability into the organization. The pull system provides the diagnosis; the push system delivers the prevention. From Reactive Chaos to Proactive Capability Organizations that lack this distinction scramble reactively when obligations arrive, pushing emergency work through systems where every new requirement feels like a crisis. There's no differentiation between what needs immediate execution and what requires long-term preparation. Organizations that understand this dual nature use push to build capability ahead of demand, then use pull to execute efficiently when obligations require action. The balance isn't about choosing between push and pull—it's about using each approach for what it does best. Pull for the promises you must keep today. Push for the risks you must prevent tomorrow. When external obligations are pushed at you—and they will be—you'll have pushed sufficient capability into place that you can pull work through efficiently. That's not just effective compliance. It's organizational resilience built on systems thinking. Raimund Laqua is founder and Chief Compliance Engineer at Lean Compliance Consulting, Inc. His focus is helping ethical, ambitious companies in highly-regulated, high-risk industries improve the effectiveness of their compliance programs.

By Raimund Laqua, Founder of Lean Compliance Why Risk Assessments Should Start with Uncertainty Walk into most organizations today, and you'll find risk management teams armed with comprehensive checklists, detailed taxonomies, and colour-coded matrices that promise to capture every conceivable threat. These frameworks are seductive in their apparent completeness—neat categories for operational risks, financial risks, strategic risks, compliance risks. Everything has its place, and every place has its thing. But here's what I've learned after years of working with organizations on their risk frameworks: these traditional risk assessments are treating symptoms, not the disease. The Symptom vs. The Disease Think of risk assessments as medical diagnoses. When a patient presents with a fever, a competent doctor doesn't simply prescribe aspirin and call it a day. The fever is a symptom—an indicator of something deeper that requires attention. The fever might signal anything from a minor infection to something far more serious. To provide effective treatment, you must identify and address the underlying cause. Traditional risk assessments operate like symptom-focused medicine. They catalogue the visible manifestations of risk—the potential for data breaches, supply chain disruptions, regulatory violations, market volatility. These are indeed risks worth considering, but they are symptoms of a more fundamental condition: uncertainty. Uncertainty is the root pathogen in the risk ecosystem. It's the fertile ground from which all risks grow. And just as effective medicine requires understanding the pathogen before prescribing treatment, effective risk management demands that we first understand and contend with uncertainty in all its forms. The Anatomy of Uncertainty Uncertainty isn't monolithic. It comes in distinct varieties, each requiring different approaches and interventions. Understanding these differences is crucial to developing effective risk strategies. Aleatory uncertainty represents the inherent randomness in systems—the fundamental unpredictability that exists even when we have complete information about a process. Think of rolling dice or the precise timing of radioactive decay. No amount of analysis will eliminate this uncertainty because randomness is built into the fabric of the system itself. Epistemic uncertainty , by contrast, stems from our lack of knowledge or understanding. This is the uncertainty that exists because we don't know enough about the system, haven't collected sufficient data, or lack the models to make accurate predictions. Unlike aleatory uncertainty, epistemic uncertainty can potentially be reduced through research, data collection, and improved understanding. But the uncertainty landscape extends beyond even these well-established categories. There's model uncertainty —the risk that our fundamental assumptions about how systems work are flawed. There's ambiguity uncertainty —situations where even the nature of the problem itself is unclear. And there's emergent uncertainty —the unpredictability that arises from complex interactions between multiple systems and stakeholders. The Strategic Response to Uncertainty Once we recognize uncertainty as the source rather than just another item on our risk checklist, our strategic options become clearer and more nuanced. Different types of uncertainty demand different responses, and understanding this matching is where sophisticated risk management begins. Some uncertainties demand isolation. When facing massive, systemic uncertainties that could fundamentally threaten an organization's existence, the wisest course may be complete avoidance. These are the uncertainties so vast and potentially catastrophic that no amount of mitigation can adequately prepare you for their impact. Think of a small technology company choosing not to enter markets dominated by nation-state actors, or a regional bank avoiding exposure to global derivatives markets. Sometimes the best risk management is recognizing when not to play the game at all. Some uncertainties require cushioning. These are the uncertainties that create inevitable risks—situations where negative outcomes will occasionally occur, but where the timing and magnitude remain unpredictable. Here, the strategy isn't prevention but resilience. You build buffers, create redundancies, establish reserves, and develop rapid response capabilities. A manufacturing company that maintains diverse supplier relationships isn't eliminating supply chain uncertainty—they're cushioning themselves against its inevitable manifestations. Some uncertainties can be actively reduced . This is where traditional risk mitigation shines, but only when applied with precision. When uncertainty stems from lack of knowledge or inadequate processes, you can invest in research, data collection, training, and system improvements. When uncertainty arises from insufficient controls, you can implement monitoring and governance mechanisms. The key insight is recognizing which uncertainties are genuinely reducible and focusing your mitigation efforts there. Most uncertainties require mixed strategies. The real world rarely offers pure cases. Most significant uncertainties contain elements that can be reduced, aspects that require cushioning, and components that might necessitate partial isolation. Sophisticated risk management involves decomposing complex uncertainties into their constituent parts and applying the appropriate strategy to each component. Transforming Risk Assessment Practice In my work developing lean approaches to compliance and risk management, I've seen how this uncertainty-first approach fundamentally changes how we conduct risk assessments. Instead of beginning with predetermined risk categories, we start by systematically identifying and characterizing the uncertainties that pervade our environment. Instead of immediately jumping to mitigation strategies, we first classify uncertainties by type and reducibility. The questions change too. Rather than asking "What risks do we face?" we begin with "What don't we know, and what can't we predict?" Rather than "How likely is this risk?" we ask "What type of uncertainty creates this risk, and what does that tell us about our strategic options?" This shift in perspective often reveals blind spots in traditional assessments. It highlights uncertainties that don't fit neatly into conventional risk categories. It exposes assumptions we didn't realize we were making. And it opens up strategic options that symptom-focused approaches might overlook. The Path Forward Through years of consulting with organizations struggling with traditional risk frameworks, I've found that improving risk assessment isn't about abandoning existing frameworks entirely—many traditional tools remain valuable for specific purposes. Instead, it's about establishing uncertainty analysis as the foundation upon which all other risk activities build. This means developing organizational capabilities to identify uncertainties systematically, classify them accurately, and match them with appropriate strategies. It means training teams to think like epidemiologists of risk—tracking uncertainties to their sources rather than just cataloguing their symptoms. Most importantly, it means accepting that effective risk management is less about predicting the future and more about building adaptive capacity to handle whatever uncertainties that future might hold. The organizations that thrive in an uncertain world won't be those with the most comprehensive risk checklists. They'll be those that best understand the uncertainties they face and have developed nuanced, strategic approaches to contending with them. After all, in a world where uncertainty is the only certainty, shouldn't our risk management reflect that fundamental truth?

AI Risk Containment Architecture Industrial leaders in safety-critical, highly regulated sectors like energy, chemical processing, oil&gas, and nuclear face an important challenge: how to harness the transformative power of A I—such as predictive maintenance, process optimization, and deep analytics—without compromising the safety systems, regulatory compliance, and operational integrity that protect people and infrastructure. Direct integration of AI into operational or enterprise systems introduces unacceptable risks, as even minor algorithmic errors can lead to regulatory violations, safety incidents, or catastrophic disruptions. To address this, industries can draw from proven frameworks like ICH Q8 in pharmaceuticals and ISO PAS 8800 in automotive safety, which emphasize containment and isolation of experimental technologies. This paper proposes a similar architecture for AI: one that separates Artificial Intelligence Technology (AIT) into bounded domains with controlled interfaces to Operational Technology (OT) and Information Technology (IT), enabling innovation while preserving compliance and operational excellence. Download our free white paper here:

When it comes to GRC systems, there can be a significant gap between what gets implemented and what's actually needed to achieve the performance and outcomes we're after. GRC system failures can be attributed to (among other things) practitioners lacking the fundamentals: understanding regulatory requirements, control theory, and how to translate compliance obligations into effective socio-technical solutions. At its core, this is requirements engineering and system design work. Yet how many self-proclaimed "GRC engineers" can actually design systems and processes that deliver meaningful data privacy, security, or compliance outcomes? Simply calling yourself an engineer doesn't make you one. This isn't just about credentials—it's about competence and trust. Organizations and the public deserve systems built by people who truly understand their craft. We demand reliability and integrity from our systems; shouldn't we expect the same from the people who build them? Other engineering disciplines have practice standards and licensing for good reason. As GRC automation becomes increasingly critical to organizational governance and public safety, we need similar standards to ensure practitioners are actually qualified for the work they claim to do. It's time to establish formal practice standards for GRC engineering—education requirements, competency assessments, and right-to-practice protections that ensure only qualified professionals design and implement the systems protecting our organizations and communities. What's your take on this? I'd love to hear your thoughts.

Ethics in AI is fundamentally an alignment problem between technological capabilities and human values. While discussions often focus on theoretical future risks, we face immediate ethical challenges today that demand practical solutions, not just principles. Many organizations approach AI ethics as an obstacle to innovation - something to be minimized or sidestepped in the pursuit of capability development. This creates a false dichotomy between progress and safety. Instead, we need to integrate ethics directly into development processes to address real issues and risks. The practical application of ethics doesn't hinder innovation but ensures AI systems are truly safe. This integration requires understanding that AI challenges span multiple dimensions. At its core, AI is simultaneously a technical, organizational, and social problem. Technically , we must build robust safety mechanisms and engineering practices. Organizationally , we must consider how AI systems interact with existing processes and infrastructures. Socially, we must acknowledge how AI reflects and amplifies human values, biases, and power structures. Any effective solution must address all three dimensions. A multi-faceted approach helps us tackle issues like fairness. When we talk about mitigating bias in AI, we're really asking: when is statistical bias a legitimate problem versus simply representing a different valid perspective? Applied ethics in AI helps us address these complex issues along with balancing competing values such as privacy versus security, transparency versus intellectual property protection – with no perfect solutions, only thoughtful compromises. Even seemingly technical decisions carry ethical weight. Consider prompt efficiency, which directly impacts energy consumption – making our usage choices inherently ethical ones with environmental consequences. Technical decisions accumulate to create systems with profound social impacts. This is why we need clear metrics to measure success in ethical AI deployment – how do we quantify fairness, transparency, and explainability in meaningful ways? The distinction between human and artificial intelligence also creates an opportunity to uncover previously overlooked human potential – qualities and capabilities that may have been undervalued in our efficiency-focused world. As we build AI systems, we should continuously ask: where can AI best complement human work, and which capabilities should remain distinctly human? Moving Forward: From Principles to Practice The future of AI will be determined not by what we wish or hope for, but by what we actually create through concrete actions. Instead of abstract principles, we need practical implementations built on clear ethical requirements. In regions considering AI deregulation, organizations must strengthen self-regulation practices. While reduced regulation may accelerate certain types of commercial innovation, it risks neglecting safety innovation without proper oversight and incentives. We need breakthroughs in AI safety just as much as we need advances in AI capabilities. The path forward isn't about choosing between innovation and ethics, but recognizing that ethical considerations make our innovations truly valuable and sustainable. Through all of this, remember the simplest principle: be good with AI.

By Raimund Laqua, Lean Compliance Engineer Mistakes aren't failures—they’re lessons. You see this quote everywhere. LinkedIn. Motivational posters. Team meetings. It sounds wise until you work in compliance. Because when compliance engineers make mistakes, people die. The Problem with Mistake Worship The Challenger explosion. Boeing's 737 MAX crashes. The 2008 financial meltdown. These weren't "learning opportunities"—they were preventable disasters where someone's mistake became everyone else's tragedy. I've watched too many post-incident reviews where we nod solemnly, update our procedures, and promise to "learn from this." But learning from mistakes is fundamentally reactive. We're saying: "Let's fail first, then get better." What if we didn't have to fail at all? Poka-Yoke: From Mistake-Proofing to Promise-Keeping In LEAN management, there's a concept called Poka-Yoke—traditionally defined as mistake-proofing. But I prefer to think of it as engineering processes where obligations will always be met and promises kept. Instead of training people to be perfect, you design systems that reliably help organizations deliver on commitments. You make it easier to keep promises rather than break them. Think about USB-C cables. You can't plug them in wrong because there is no wrong way. The connection is engineered to work every time. Now apply this to compliance. Engineering Reliable Delivery Build obligation fulfillment into the process.  If safety inspections must happen before equipment startup, don't rely only on procedures—make startup electronically impossible without all the essential safety aspects in place and operational. Engineer commitment keeping.  Your car won't start without a seatbelt. Your procurement system shouldn't approve purchases without environmental assessments. Design continuous assurance.  Don't wait for quarterly audits to verify compliance. Build systems that provide real-time confirmation—dashboards that show obligation status, alerts that trigger before deadlines, processes that maintain compliance automatically. The key insight: engineer systems where keeping promises is the natural outcome, even when people are stressed and rushing. When Prevention Fails Even perfect systems have failures. But Poka-Yoke isn't just about prevention—it's about rapid detection. Fail small and fast before small problems become big disasters. Manufacturing uses statistical process control to catch deviations immediately. Compliance needs similar real-time monitoring. Not quarterly reports or yearly audits—constant visibility into drift before it becomes non-compliance. Stop Blaming People, Start Fixing Systems When compliance fails, we ask "Who screwed up?" Better question: "What in our system allowed this to happen?" Individual blame misses the point. In complex systems, human error is usually a symptom of poor design. Fix the system, and you fix the error. The Reality Check Perfect systems don't exist. People will always find workarounds when pressured. But that's exactly why we need Poka-Yoke thinking—design for the humans you have, not the perfect humans you wish you had. Stop celebrating your ability to learn from mistakes. Start celebrating your ability to prevent them. The best lesson is the one you never have to learn the hard way. Raimund Laqua is a Lean Compliance Engineer focused on applying operational and lean principles to operationalizing regulatory and voluntary obligations.

Three operational rings power organizations towards total value from their GRC, ESG, Quality, Security, Regulatory, Ethics, and compliance investments, even when facing uncertainty: 🔸 Ring of Alignment (coordinated effort towards targeted outcomes) 🔸 Ring of Performance (capabilities to meet obligations) 🔸 Ring of Consistency (conformance to standards) Operational Rings of Power These are held together by the fellowship of: 🔸 Feed Forward Processes - leading indicators and actions, and 🔸 Feed Back Processes - lagging indicators and actions When these are operating together as one, obligations can be met and stakeholders will experience the benefits from being in compliance: improved quality, safety, environment, security, sustainability, and so on – the real power of compliance. And who knows, you might even defeat the forces of Mordor and save Middle Earth. Now wouldn't that be something.

By Raimund Laqua, P.Eng. - The Lean Compliance Engineer Uncertainty Creates the Opportunity for Risk I've sat through countless meetings where we talk about being "proactive"—whether it's safety, security, or quality. Yet here we are, still chasing incidents after they happen, still writing corrective actions for problems we should have seen coming. Sound familiar? Here's what I've learned after three decades in risk & compliance: we're fighting the wrong battle. The Real Enemy Isn't What You Think We obsess over the symptoms—incidents, failures, breaches, defects. But here's what we miss: uncertainty creates the opportunity for risk . These incidents are just manifestations of that risk. Hazards, threats, and failure modes? They're all manifestations of uncertainty. Think about your last major incident—safety, security, or quality related. The failure, the breach, the defect—those were risks that became a reality. But the real question is: why didn't we see it coming? Because we weren't looking at the uncertainties that created those risk opportunities in the first place. Why Traditional Programs Feel Like Whack-a-Mole Most risk & compliance management programs treat risk as a pest to eliminate. Write better procedures! More training! Tighter controls! But you can't eliminate risk when uncertainty keeps creating new ones. I've seen this pattern repeatedly across different organizations and domains. The root cause isn't equipment, people, or processes—it's uncertainties that keep creating fresh risk opportunities. What Actually Works The smartest professionals I know don't chase the symptoms of uncertainty (i.e. risk) —they map the uncertainties creating those opportunities. When we run HAZOP s in process safety, we're asking: "What uncertainties exist here, and what risk opportunities might they create?" In cybersecurity, threat modelling does the same thing—identifying uncertainties in system behaviour that create attack opportunities. Quality engineers use FMEA to map uncertainties in manufacturing processes that create defect opportunities. In aerospace, STAMP analysis tracks how uncertainties cascade through control systems, creating risk opportunities at every interaction. Even business consultants figured this out. CYNEFIN maps help teams recognize different types of uncertainty and the unique risk opportunities each creates—whether you're managing operational safety, cyber-security threats, or product quality. The Question That Changes Everything After years of watching organizations struggle with this across multiple domains, I'm convinced the future belongs to teams that hunt uncertainties—not the ones still swatting at symptoms – the effects of uncertainty. Instead of asking "How do we prevent this incident?" try asking "What uncertainties are creating the opportunity for risk to become a reality?"

AI Assistants - Blessing or Curse? The rise of Generative AI has taken the world by storm, and AI assistants are popping up all over the place, providing a new way for people to approach their work. These assistants automate repetitive and time-consuming tasks, enabling individuals to focus on more complex and creative work. However, for some, it is just an improvement in productivity, and they question whether the use of AI assistants may lead to them losing their jobs. For those starting to use AI assistants, they are indeed a blessing, providing much-needed relief for overworked employees. The improved productivity is creating needed capacity and some extra space in already full workloads. However, this is expected to be short-lived as these benefits become normalized and expected. The buffer we now experience will be consumed and used for something – the question is what? No wonder there is a fear that the widespread use of AI assistants may lead to significant job reductions. Some jobs will be redundant, while others will be expected to double their workloads. For instance, if someone used to write ten articles a week, they may now be expected to do twenty using AI assistants. So, where is the real gain for the organization apart from fewer people and perhaps marginal cost reductions? Is this the same story of bottom line rather than top-line thinking. How To Use AI Assistants To Achieve Better Outcomes The key to realizing transformational benefits of AI lies in adapting businesses to fully exploit the capabilities of these tools, without exploiting the people impacted by the technology. Dr. Eliyahu Goldratt (Father of the Theory of Constraints) believed that technology could only bring benefits if it diminished a limitation. Therefore, organizations must ask critical questions to exploit the power of AI technology: What is the power of the new technology? What limitation does the technology diminish? What rules enabled us to manage this limitation? And most importantly, what new rules will we now need? Keeping the old limitations that we had before the new technology limits the benefits we can realize. It is by removing the old rules and adopting new ones that creates transformational benefits. By providing credible answers to these questions, organizations can achieve a return on investment that is both efficient and effective, enabling their employees to focus on higher-level tasks and achieve more significant outcomes – higher returns not just lower costs. This will enable companies to move beyond the short-lived relief of AI and realize its true potential as a transformational tool. Which Path Will You Take? The use of AI will be a threat for some but an opportunity for others. If history repeats itself many organizations will adopt AI assistants, realize the efficiency gains, and pat themselves on the back for a short-term win. However, as these benefits become normalized they will soon be back to where they began. Any gains they might have realized will be lost and they will be left doing more with less except now with their new AI assistant. On the other hand, there will be others who asked the right questions, changed existing processes, and created new rules that will enable them to reap the full benefits of AI technology. They will realize compounding benefits that will accrue over time. What the future holds will depend on which path you take and your willingness to take a longer term perspective focused on improving outcomes rather than just reducing costs. Which path will you take?

There's a growing urgency to establish regulations for artificial intelligence (AI). Public concerns about potential harm and human rights violations are valid. However, proposed regulatory regimes can add significant compliance burdens for organizations already navigating a complex landscape. It's important to consider how existing regulations, standards, and professional oversight bodies can be leveraged for AI. Professional engineers, for example, already adhere to strict ethical codes. Adapting these frameworks to address AI-specific risks could be a quicker and more efficient approach than building entirely new regulatory structures. By focusing on existing resources that safeguard critical infrastructure, public safety, and environmental sustainability, we can promote responsible AI development without stifling innovation. This requires a thoughtful and collaborative approach that balances both innovation and risk mitigation. It’s time we considered Lean AI Regulation.

AI Governance, Assurance, and Safety As AI becomes more prevalent and sophisticated, it is being used in critical applications, such as healthcare, transportation, finance, and national security. This raises a number of concerns that include: AI systems have the potential to cause harm : AI systems can cause harm if they are not designed and implemented properly. For example, if an AI system is used to make decisions in a critical application such as healthcare, and it makes a wrong decision, it could result in harm to the patient. Therefore, it is important to ensure that AI systems are safe and reliable. AI is becoming more complex : AI systems are becoming more complex as they incorporate more advanced algorithms and machine learning techniques. This complexity can make it difficult to understand how the AI system is making decisions and to identify potential risks. Therefore, it is important to have a governance framework in place to ensure that AI systems are designed and implemented properly. Trust and transparency are necessary : Trust and transparency are critical for the adoption and use of AI systems. If users cannot trust an AI system, they will be reluctant to use it. Therefore, it is important to have mechanisms in place to ensure that AI systems are transparent, explainable, and trustworthy. Regulations and standards are needed: As AI becomes more prevalent and critical, there is a need for regulations and standards to ensure that AI systems are safe and reliable. These regulations and standards can help to ensure that AI systems are designed and implemented properly and that they meet certain safety and reliability standards. As a result, AI governance, assurance, and safety are increasingly important and necessary. Let’s take a closer look at what these mean and how they impact compliance. AI Governance AI governance refers to the set of policies, regulations, and practices that guide the development, deployment, and use of artificial intelligence (AI) systems. It encompasses a wide range of issues, including data privacy, accountability, transparency, and ethical considerations. The goal of AI governance is to ensure that AI systems are developed and used in a way that is consistent with legal and ethical norms, and that they do not cause harm or negative consequences. It also involves ensuring that AI systems are transparent, accountable, and aligned with human values. AI governance is a complex and rapidly evolving field, as the use of AI systems in various domains raises new and complex challenges. It requires the involvement of a range of stakeholders, including governments, industry leaders, academic researchers, and civil society groups. Effective AI governance is crucial for promoting responsible AI development and deployment, and for building trust and confidence in AI systems among the public. AI Assurance AI assurance refers to the process of ensuring the reliability, safety, and effectiveness of artificial intelligence (AI) systems. It involves a range of activities, such as testing, verification, validation, and risk assessment, to identify and mitigate potential issues that could arise from the use of AI. The goal of AI assurance is to build trust in AI systems by providing stakeholders, such as regulators, users, and the general public, with confidence that the systems are functioning as intended and will not cause harm or negative consequences. AI assurance is a critical component of responsible AI development and deployment, as it helps to mitigate potential risks and ensure that AI systems are aligned with ethical and legal norms. It is also important for ensuring that AI systems are transparent and accountable, which is crucial for building trust and promoting responsible AI adoption. AI Safety AI safety refers to the set of principles, strategies, and techniques aimed at ensuring the safe and beneficial development and deployment of artificial intelligence (AI) systems. It involves identifying and mitigating potential risks and negative consequences that could arise from the use of AI, such as unintended outcomes, safety hazards, and ethical concerns. The goal of AI safety is to develop AI systems that are aligned with human values, transparent, and accountable. It also involves ensuring that AI systems are designed and deployed in a way that does not harm humans, the environment, or other living beings. AI safety is a rapidly growing field of research and development, as the increasing use of AI systems in various domains poses new and complex challenges. AI safety is closely related to the broader field of responsible AI, which aims to ensure that AI systems are developed and used in a way that is ethical, transparent, and socially beneficial. AI assurance and AI safety are both important concepts in the field of artificial intelligence (AI), but they refer to different aspects of ensuring the proper functioning of AI systems. AI assurance refers to the process of ensuring that an AI system is operating correctly and meeting its intended goals. This involves testing and validating the AI system to ensure that it is functioning as expected and that its outputs are accurate and reliable. The goal of AI assurance is to reduce the risk of errors or failures in the system and to increase confidence in its outputs. On the other hand, AI safety refers to the specific objective of ensuring that AI systems are safe and do not cause harm to humans or the environment. This involves identifying and mitigating potential risks and unintended consequences of the AI system. The goal of AI safety is to ensure that the AI system is designed and implemented in a way that minimizes the risk of harm to humans or the environment. Impact on Compliance AI governance, AI assurance, and AI safety are critical components to support current and upcoming regulations and standards related to the use of AI systems. These functions will impact compliance in the following ways: AI Governance : AI governance refers to the policies, processes, and controls that organizations put in place to manage and oversee their use of AI. Effective AI governance is essential for compliance because it helps organizations ensure that their AI systems are designed and implemented in accordance with applicable laws and regulations. AI governance frameworks can include policies and procedures for data management, risk management, and ethical considerations related to the use of AI. AI Assurance : AI assurance refers to the process of testing and validating AI systems to ensure that they are functioning correctly and meeting their intended goals. This is important for compliance because it helps organizations demonstrate that their AI systems are reliable and accurate. AI assurance measures can include testing and validation procedures, performance monitoring, and quality control processes. AI Safety: AI safety refers specifically to ensuring that AI systems are safe and do not cause harm to humans or the environment. This is important for compliance because it helps organizations demonstrate that their AI systems are designed and implemented in a way that meets safety and ethical standards. AI safety measures can include risk assessments, safety testing, and ethical considerations related to the use of AI. Together, AI governance, AI assurance, and AI safety help organizations comply with regulations and standards related to the use of AI. These measures ensure that AI systems are designed and implemented in a way that meets safety, ethical, and legal requirements. In addition, compliance with AI-related regulations and standards is essential for building trust with stakeholders and ensuring the responsible and ethical use of AI. Measures of AI Governance, Assurance, and Safety The following are steps that organizations can take to introduce AI governance, assurance, and safety: Establishing AI Regulatory Frameworks : Governments, industry, and organizations need to create frameworks that govern the development, deployment, and use of AI technologies. The regulations should include guidelines for data privacy, security, transparency, and accountability. Implementing Ethical Guidelines: AI systems must adhere to ethical guidelines that consider the impact on society, respect human rights and dignity, and promote social welfare. Ethical considerations must be factored into the design, development, and deployment of AI systems. Promoting Transparency and Explainability: AI systems should be transparent and explainable. This means that the decision-making process of AI systems should be understandable and interpretable by humans. This will enable people to make informed decisions about the use of AI systems. Ensuring Data Privacy and Security: Data privacy and security must be a priority for any AI system. This means that personal data must be protected, and cybersecurity measures must be implemented to prevent unauthorized access to the data. Implementing Risk Management Strategies: Organizations need to develop risk management strategies to address the potential risks associated with the use of AI systems. This includes identifying potential risks, assessing the impact of those risks, and developing mitigation strategies. Establishing Testing and Validation Standards : There must be established testing and validation standards for AI systems to ensure that they meet the required performance, reliability, and safety standards. Creating Accountability Mechanisms: Organizations must be held accountable for the use of AI systems. This includes establishing accountability mechanisms that ensure transparency, fairness, and ethical decision-making. Investing in Research and Development: Investment in research and development is crucial to advance the state of AI technology and address the challenges associated with AI governance, assurance, and safety. In next weeks blog post, we take a deep dive into upcoming cross-cutting AI regulations and guidelines that organizations will need to prepare for and where AI Governance, Assurance and Safety will be required: Canadian Bill C-27 AIDA (in its second reading) European Union AI Act (proposed) UK AI National Strategy (updated Dec 18, 2022) USA NIST AI Framework (released Jan 26, 2023) If you haven't subscribed to our newsletter make sure you that you do so you don't miss it.