  • We Don’t Live in Models; We Live in Reality

    With all the talk about artificial intelligence it’s easy to get caught up in a world of machine models, digital twins, and virtual reality. It’s important to remember that we don’t live in these worlds; we live in reality. The world we live in is not the “Matrix” nor is it a game we can start over with a push of a button. We have one life to live and one world to live in. The question is how best to live our real lives in the real world. May we have the courage to face and meet the demands of reality rather than escaping to simulated worlds with artificial friendships and artificial lives.

  • Don’t Confuse Computer Programs with Compliance Programs

    Many organizations identify the need for a program to help them meet all their compliance obligations. They will then procure a computer program (or a suite of them) that claims to be the best solution to their compliance challenges and help them achieve compliance success. After implementation, they may observe the solution has helped them report on data and metrics, store and manage procedures, keep track of controls, and remind them when to get ready for their next audit. However, many will also discover their quality, security, safety, sustainability, or environmental outcomes have not improved. They are still just as uncertain as they were before that their compliance efforts are making a difference to what really matters. What they most likely thought they purchased was a compliance program; something that could actually advance outcomes and help them stay ahead of risk. A computer program, while necessary to manage information and perhaps helpful in achieving certification, is not enough for compliance success. If you want to make a qualitative difference to compliance outcomes you need a compliance program, and preferably one that is operational. Don’t confuse computer programs with compliance programs. Make sure you have what you really need for mission and compliance success.

  • Training Users To Be Unethical

    The decline of moral integrity

    Every time we skip past an EULA (end-user license agreement) and just click the checkbox we give up something, and probably more than we realize. We have given up:

      • our data
      • our privacy rights
      • our software ownership
      • the content we create
      • and other things that may not be in our best interest.

    But more than all of those, we have given up our moral integrity. This doesn't mean these practices were necessarily illegal or in violation of any government regulation. However, slowly but surely, we have agreed to practices that in some cases were arguably unethical, unjust, unfair, and unwarranted. Even the act of not reading the EULA but signing it anyway has ceded moral territory. We reinforced by our actions that these licenses don't matter and that what we are giving up doesn't matter either. We were implicitly being asked to "just trust." And here's the thing: by agreeing to what is unethical we become more unethical ourselves. Over time we lower our standards, our values and our morality. And for what? Who knows what else we might agree to, knowingly or unknowingly, for the promise of a shiny new application, platform or AI chat-bot. How far are we willing to lower our standards? There is more at stake than access to software; we are at risk of losing our souls. With the rise of Artificial Intelligence systems, the demand for data and access to our digital representations are growing without bounds. Many have already naively given up confidential corporate and private data to AI chat-bots, putting themselves and their businesses at risk. We are placing our trust in something where trust was not earned. We haven't performed our due diligence. We did not ask critical and important questions. We just clicked the box. How did we get here? It's not hard to believe that years of skipping EULAs have trained us to just trust in technology and the organizations behind it. Don't look too closely or ask too many questions, and don't read the small print. Just click the box and everything will be fine. We may believe we don't have any choices, but we always do. Don’t accept anything that weakens your ability to live by your higher standards or might otherwise compromise your moral integrity.

  • Zones of Compliance

    Which Zone Are You Operating In?

    Regulatory designs, of which there are four primary types spanning micro-means to macro ends, demand different operational capabilities for compliance. In fact, at least half an organization's obligations are non-legal requirements having more to do with outcomes and performance rather than rules or controls. Meeting all these obligations requires measures of conformance, measures of performance, measures of effectiveness, and measures of assurance. To establish these capabilities organizations must transform how they address compliance. They need to take on operational principles and practices that help ensure that essential functions, behaviours, and interactions are working at levels sufficient to create the outcome of compliance. However, many organizations are caught in a prescriptive, reactive, and reductive trap where audits, complaints, and incidents are the only drivers for change. They are operating at the edge of uncertainty; one violation, one injury, one defect, or one mishap away from mission failure. They are operating in the REACTIVE COMPLIANCE ZONE. It’s here that compliance functions as a guardrail; the last line of defence at the end of the line. Instead of operating at the edge of uncertainty, ethical and forward-thinking organizations operate in the PROACTIVE COMPLIANCE ZONE. It’s there where compliance functions as an offensive force ensuring that organizations are always between the lines and ahead of risk. Instead of a guardrail, compliance is a dynamic enabler of compliance outcomes, proactivity, and holistic improvements triggered by the presence of uncertainty, not only incidents that happened in the past. Operating in the PROACTIVE COMPLIANCE ZONE creates a strong compliance culture ensuring not only compliance success but also mission success.

  • Don’t Fly with Only One Wing

    Can you have a balanced scorecard without compliance?

    When it comes to navigating organizations, many use a balanced scorecard (BSC) to keep their businesses in the air and on course. A balanced scorecard maps strategic measures and initiatives to appropriate aspects of the business. Along with value chain activities, many only use one wing to keep them aloft — productivity programs. Productivity programs improve margin to contend with aleatory uncertainty (having to do with chance) to cover losses that cannot be avoided or reduced. However, there are other outcomes that a company needs to achieve, such as safety, security, sustainability, quality, regulatory, and more. It’s here that certainty programs are used to achieve compliance associated with buying down risk that is reducible – those connected with epistemic uncertainty (lack of knowledge). Certainty programs create a second wing that truly balances corporate activities to keep businesses flying in the air and on course towards total value. Compliance failure means mission failure. To ensure mission success, make sure compliance is part of your Balanced Scorecard.

  • Cleaning Up Your Documents Before The Auditor Comes Over

    When it comes to audits there is a popular meme that goes something like this:

      Before the audit: documents out of conformance
      During the audit: documents in conformance
      After the audit: documents out of conformance

    We like to laugh at this, and many say it’s just human behaviour. When do we clean up our home? Right before our friends and family come over. It’s just what we all do. However, I believe the problem is much worse than waiting to tidy up our house. The problem has more to do with our behaviours throughout the year than with the condition of what is being audited. So what’s going on? Why do we wait until people come over before we tidy things up when we could experience the benefits of having a place for everything and everything in its place? In the case of our homes, we may value the approval of others more than experiencing the benefits of living in a clean and tidy home. We may also not want to, or cannot, put in the effort to keep our homes clean. We need to be compelled by external forces more than our internal values. In some ways we are behaving like children, always having to be told to clean our rooms. When it comes to audits we value a stamp of approval more than doing what we know is right all the time. This demonstrates a lack of integrity, and frankly also a lack of honesty. However, that’s not the worst of it. Companies hoping to act more like adults will conduct pre-audits to get ready for an internal audit to get ready for an external audit. If that sounds absurd – it is. This train of audits may improve the chances of passing an audit but it doesn’t address the problem of motivation.

    Henry Ford was right

    Henry Ford once said, “Quality is doing it right when no one is looking.” He was right. Not only is doing the right thing when no one is watching a measure of quality, it’s also a measure of integrity. And that's why ethical, forward-looking companies practice proactive compliance. Instead of waiting for an auditor to tell them if they were off-side, they establish measures to make sure they never are. They always keep their rooms clean because they know it’s the right thing to do. They also know that it will deliver benefits. These organizations are able to say: “Audit us whenever you like. We already know the answer." They can also say: "The time we are saving by avoiding excessive audits we use to get ahead of our competition who spend their time getting ready for their many audits, performing corrective and preventive actions, and paying back for losses from not meeting their obligations throughout the year.”

    It's not about audit readiness

    The goal is not to always be ready for an audit, as many suggest. That still focuses too much on external motivation. Instead, the goal is to behave with integrity. This means keeping the promises we made connected with our legal license to operate and stakeholder expectations. We need to become an organization that our stakeholders can trust not because we pass an audit once a year but because we are trustworthy, reliable, and keep all our promises every day – all day. You can continue to practice reactive compliance and perhaps even reduce some of your losses. Or you can practice proactive compliance and avoid the losses altogether, and experience the benefits that come from always being between the lines and ahead of risk. So, clean up your documents and put in a process to keep them always evergreen. Do it not because you are told, but because you are keeping your promise to meet all your obligations.

  • Alignment Conversations - A Dialog Towards Program Success

    When it comes to compliance, a lack of clarity and alignment often leads to program failure. This manifests in many ways that include discontent, negative attitudes, lack of motivation, and a lack of engagement from obligation owners along with those responsible for the work of compliance. Ultimately, misalignment leads to obligations not being met, promises not kept, and an increase in overall compliance risk. Alignment is a measure of compliance integrity. Achieving and maintaining alignment is therefore an important performance objective for all compliance programs, whether that is safety, security, sustainability, quality, regulatory, ethics, or other managed outcomes of the organization. Establishing alignment based on the five principles of program success is a good place to start and will help identify areas of improvement. Are we aligned on:

      • Destination: the outcomes, our goals, where we are heading?
      • Strategy: the plan and approach to getting to our destination?
      • Capabilities: the resources, budget, talent, technologies, functions, and time needed to follow the strategy?
      • Obstacles and Opportunities that need to be negotiated or exploited to improve the probability of success?
      • Measures of Success: measures of effectiveness, performance, conformance, and assurance?

    Having conversations and dialog around these questions can be difficult, particularly when existing answers are vague and ambiguous. You may need to clarify these first, which, when done in a participatory fashion, will also help improve alignment. Sometimes having an outsider lead the discussion can help defuse tensions, help identify important insights, and facilitate a successful outcome. We need to always remember that it's not the plan but the planning that is most important. These conversations should be held periodically and used to drive continual improvement towards program success. This contributes to the development of a virtuous cycle of conformance where things get better, and get better faster, over time. And it all begins with a conversation.

    Lean Compliance offers a "Plan for Success" kaizen (change for the better) engagement to help you and your team create a risk-based plan for program success: a facilitator-led workshop to develop a risk-based compliance plan for your program based on the 5 principles of program success.

      • Engagement: 5 Sessions / 1.5 Hours Each / Teams of 4 or less
      • Format: Facilitated, Online (Zoom)
      • Outcome: Compliance Program Plan for Success

    Use this engagement to help facilitate greater team and program alignment.

  • Why I Conduct Team Meetings on Mondays

    As a young engineer in the 1990s, I took on the role of IT Manager, my first management position. Now, for those that can remember, IT at that time was exploding on the scene. Communication, information and computing were expanding in capabilities, scope, and scale across all businesses and sectors around the world. We were experiencing the beginning of the digital era and things were happening. The company I worked at was an Integrated Circuit (IC) manufacturer, one of only a few in Canada. As a business we too were shifting from analog to digital circuits. From an IT perspective, we had just started our journey away from mainframes to client-server topologies, local networking to the web, MRP to ERP, and PCs were being used at work and also in the home. On the design and engineering front, we were adopting advanced Computer Aided Design (CAD) technologies (Mentor and Silicon Graphics), and we were developing software to support data collection and automation. We were building databases as fast as we could manage, along with implementing Commercial-Off-The-Shelf (COTS) document and records management solutions. At the same time, we were adopting ISO standards for quality, SPC, six sigma, and what we now call LEAN. Imagine Kanban on the shop floor of an integrated circuits manufacturer! IT was involved in everything and in many ways leading the charge. It was common practice for managers to meet with their staff on Fridays to review the status of the week’s activities. So, that’s what I did as well, at least at the start. It didn’t take too long for me to realize this was not working. Our weekly meetings were spent discussing what we did rather than what was needed for the week ahead. We had too much to do to focus only on the past. When we finally came to "Next Steps" we almost always ran out of time. At this point, physiologically, we were also thinking more about the weekend. This all made sense, but something needed to change. As a young manager wanting to prove myself, I decided to make a bold move. We shifted our staff meeting to Monday. This practice was against the norm. However, as I would later find out, this shift changed everything for the better. We still spent time talking about the activities of the prior week. However, our gaze was clearly set on the week ahead and what we needed to do as a team to succeed. We started to change from reactive thinking, focused on what was or wasn’t done, to proactive thinking, focusing on what's needed to meet our objectives going forward. We were also in a better mindset. Having come back refreshed from the weekend, we were now ready psychologically to face the future. The morale of my team picked up; instead of always feeling behind, we started to get ahead. We felt we had more agency to negotiate the obstacles and exploit the opportunities that were in front of us. We felt we could succeed, and we did. Years have passed since my early days as a manager. IT has moved onto the cloud, managing outsourced services, integrating dev-ops, deploying mobile, internet-of-things and platforms, adopting cybersecurity, and AI among other things. Businesses also use far more management standards across almost every domain. What has not changed is that uncertainty and risk are still knocking on our front door. Just like back when I was a young manager, we need to be proactive. Unfortunately, the common practice for management still has not changed. For many it's still reactive and focused on the past. In fact, the majority of management standards call out the need for management review, which is very much like meeting with staff on Fridays. It's time to make a bold move. Change your management reviews to management previews. Meet with your staff on Mondays when your mindset is on the future and when you can still do something to improve your probability of success. Take it from me, it will change everything for the better.

  • A Community of Practice

    We are launching something new!

    Elevating Compliance Community of Practice

    The purpose of this initiative is to bring together compliance practitioners, professionals and obligation owners across all domains and sectors to advance the state of compliance to better contend with always staying between the lines and ahead of risk.

    Why are we doing this?

    Unless compliance learns to work together within and across silos it will never fulfill its purpose to protect and ensure value creation. There are many specialized compliance groups and associations but few, if any, that focus on the entire domain of compliance and how it needs to work holistically, proactively, and in an integrative manner.

    Compliance started off with meeting prescriptive, regulatory requirements. Over time, these requirements expanded in scope, scale, and design. Organizations now need more than procedures and paper compliance; they need capable programs and systems to advance performance and outcome obligations. We are now in the world of Operational Compliance, something I have written about in well over 400 articles, which will form part of my upcoming book. So stay tuned for that.

    What's new and what will change?

    Along with our monthly webinars, we started weekly Elevate Compliance Huddles earlier this year. These will continue and expand to cover more topics and areas of interest.

    Our weekly newsletter will also evolve to include a Community of Practice section which may in time become its own thing.

    Looking Forward

    We are very excited about this initiative which very much aligns with Lean Compliance's goals and objectives. Compliance needs to change and for the better. And this initiative will help with that. I am thrilled to be bringing together folks from around the world. Frankly, we can't do it alone and I need your help.

    If you are interested in being part of our Community of Practice please make sure you sign up for our newsletter. In addition, if you haven't registered for our weekly huddles or monthly webinars please do so. This initiative could not happen without you; all our subscribers, members, and those that engage us in helping them achieve compliance success.

    Thank you,

    Ray.

    Raimund Laqua, PMP, P.Eng.
    Founder, Chief Compliance Engineer
    Lean Compliance
    The Operational Compliance Experts

  • Our Obsession with Processes – Too busy building, not enough living.

    A critique is going around that process management needs to be more holistic. I couldn’t agree more. Unfortunately, for many this means adopting a process-centric view of the organization. The rationale is since organizations are made up of processes the key to success is to identify, catalogue, manage, and improve all our processes. This approach takes everything that is essential and reduces it to a process – a part of the whole but not the whole itself. To accomplish this many things need to be conflated in order to fit into a process-centric view of the world. Ironically, this ends up being more reductive and far from the holistic approach that many are looking for. This obsession with processes creates a problem that many struggle to overcome which is a lack of effectiveness. Many organizations have all the processes they believe they need yet still fail to deliver the goods. They have plenty of trees but not enough forest.

    How this impacts compliance

    The process-centric approach pervades compliance, particularly management systems. Even with using a robust framework designed with strong architectural principles you can still fail to achieve the purpose for having compliance in the first place. In fact, all too often when I review an organization’s compliance what I find is scaffolding, and partial framing that are insufficient to create something that is operational. They have many of the parts, many of the processes, but lack the essential capabilities needed to achieve compliance operability – compliance that is fit for purpose, able to achieve compliance, and capable of realizing the intended benefits. To make matters worse, if asked when they might start delivering benefits the answer is always: we don't reach effectiveness until step 5 of our maturity process, but don’t worry we will get there in the end. Unfortunately, many never do, and those that do arrive too late.

    Need for something that works

    Many organizations would be better off with compliance that is working – that is operational – even if the capability was that of a scooter, rather than having a garage full of car parts that maybe – one day – will finally become a car that works. Without an operational perspective you can never fully know how to improve a process or even what processes you actually need until you understand its purpose and how it fits into the overall system. For compliance, establishing processes and building frames may help you pass an audit. However, it will only be when they work together to form an operational system that you will finally start to realize benefits. Instead of being busy building frames and processes, compliance needs to be busy experiencing the benefits that come from being in compliance. This is necessary for all organizations that intend to deliver total value.

  • Creating A Business Case to Improve Compliance

    The following outline should help you build a persuasive business case for improving compliance to protect and ensure total value for your organization. Remember to adapt it to your specific context and provide data-driven evidence to support your claims.

    I. Executive Summary
      • Briefly state the problem of inadequate compliance.
      • Highlight the importance of total value (safety, security, sustainability, legal, quality, profit, trust).
      • Briefly summarize the proposed solution and its expected benefits.

    II. Current State Assessment
      • Identify specific compliance areas with weaknesses.
      • Quantify the current cost of non-compliance (e.g., fines, reputational damage, lost productivity, inadequate safety, security, sustainability, quality, trust).
      • Describe the current compliance processes and limitations.

    III. Opportunity: Total Value through Improved Compliance
      • Define "total value" for your organization (safety, security, etc.).
      • Explain how improved compliance will contribute to each aspect of total value.
      • Use data or examples to illustrate the positive impact.

    IV. Proposed Solution: Improving Compliance Framework
      • Describe the proposed solution (e.g., improved management programs, compliance software, standard adoption, accountability frameworks, data monitoring, digital twin, golden pipeline, golden thread, etc.).
      • Explain how the solution addresses weaknesses identified in Section II.
      • Outline the implementation timeline and resource requirements.

    V. Financial Analysis: Investment vs. Return
      • Estimate the initial cost of implementing the solution.
      • Project the long-term cost savings and revenue gains from improved compliance.
      • Utilize a cost-benefit analysis or ROI (Return on Investment) calculation to quantify the return.

    VI. Risk Assessment and Mitigation
      • Identify potential risks associated with implementing the solution.
      • Develop mitigation strategies for each identified risk.

    VII. Conclusion and Recommendations
      • Summarize the key points of the business case.
      • Reiterate the value proposition of improved compliance for total value creation.
      • Recommend approval of the proposed solution and next steps.

    VIII. Appendix
      • Include detailed data, reports, or calculations supporting your claims.

    Additional Considerations:
      • Tailor the outline to your specific industry, regulations, and compliance needs.
      • Highlight success stories of companies that improved compliance and total value.
      • Address potential concerns of stakeholders who may resist change.
      • Quantify the impact whenever possible to present a compelling case.

    Tool Considerations:

    The following tools help to identify value contributions, uncertainty and risk, and help with decision making with respect to options:
      • DSM (Dependency Structure Matrix)
      • Business / Systems Mapping
      • Bow-tie Analysis
      • Total Value Chain Analysis (includes compliance chain)
      • Monte Carlo Analysis
      • Obligations / Promise Register
      • Analytic Hierarchy Process (AHP)
      • Five Principles of Compliance Program Success

    A Simplified Example

    The details and tools used in this example will vary depending on your organization and the complexity of the compliance program. However, it demonstrates how to structure a business case that utilizes data analysis, uncertainty estimation, and a focus on total value creation to present a compelling argument for improved compliance.

    Business Case: Improving Data Security Compliance for Total Value Creation

    Executive Summary:

    Our current data security practices expose us to potential data breaches, regulatory fines, and reputational damage. This business case proposes implementing a comprehensive data security compliance program. This program will enhance data security, reduce compliance risks, and contribute to achieving total value for our organization, encompassing aspects like security, trust, legal compliance, and potential cost savings.

    Current State Assessment:
      • Recent internal audits identified vulnerabilities in data access controls and employee training on data security protocols.
      • We have experienced two minor data breaches in the past year, resulting in customer notification costs and reputational damage.
      • Upcoming industry regulations will impose stricter data security requirements.

    The estimated cost of non-compliance includes:
      • Potential regulatory fines: $1 million (based on industry benchmarks)
      • Data breach notification and remediation costs: $500,000 per incident (historical average)
      • Reputational damage: Difficult to quantify, but can lead to customer churn and lost revenue.

    Opportunity: Total Value through Improved Compliance

    Total value in this context includes:
      • Security: Improved data security posture reduces the risk of breaches and protects sensitive customer data.
      • Trust: Strong data security practices build trust with customers, partners, and investors.
      • Legal Compliance: Meeting industry regulations avoids hefty fines and potential legal repercussions.
      • Cost Savings: Reduced risk of data breaches minimizes notification and remediation costs.

    Proposed Solution: Data Security Compliance Program

    The program includes:
      • Data Security Policy and Procedures: Develop a comprehensive policy outlining data handling protocols, access controls, and incident response procedures.
      • Employee Training: Implement mandatory data security training programs to educate employees on best practices. Includes training for leadership and management on governance and risk processes.
      • Technology Investments: Upgrade data security software and infrastructure to strengthen data encryption and access controls.
      • Compliance Management Software: Utilize software to automate compliance tasks, track progress, and identify potential vulnerabilities.

    Financial Analysis: Investment vs. Return

    Initial Investment:
      • Development and implementation of data security policy and procedures: $200,000
      • Employee training: $100,000
      • Technology upgrades: $500,000
      • Compliance management software: $100,000
      • Total Initial Investment: $900,000

    Projected Returns:
      • Avoided regulatory fines: $500,000 (annualized)
      • Reduced data breach costs: $750,000 per year (based on risk mitigation estimates)
      • Estimated value in increased stakeholder trust: $1 million (annualized)

    Return on Investment (ROI): Using a simple ROI calculation, the projected payback period is less than one year. However, a more comprehensive analysis using Monte Carlo simulation will be conducted to account for uncertainties in cost-saving estimates.

    Risk Assessment and Mitigation:
      • Risk: Difficulty in changing employee behavior regarding data security practices. Mitigation: Develop a communication and change management plan to emphasize the importance of data security and the benefits of the program.
      • Risk: Unexpected costs associated with technology upgrades. Mitigation: Conduct thorough vendor research and obtain multiple quotes before finalizing technology purchases.

    Conclusion and Recommendations:

    Investing in a comprehensive data security compliance program offers a significant return on investment. It enhances data security, strengthens customer trust, ensures compliance with regulations, and potentially reduces costs associated with data breaches. Based on the positive financial outlook and risk mitigation strategies, we strongly recommend approval of this program.

    Appendix:
      • Detailed cost breakdown for program implementation.
      • Historical data on data breach incidents and associated costs.
      • Detailed benefits analysis including gains to total value.
      • Monte Carlo simulation results for ROI analysis with uncertainty ranges.

  • Is Your Compliance Map Outdated?

    When it comes to operationalizing obligations, compliance must understand how operations and organizational structures work together to turn strategy into total value. This will look different across industry sectors, but each will have an operational model that must be understood to know where promises must be kept to meet external and internal obligations. The following maps are helpful to identify where these places are:

      • Total Value Chain Map
      • Organizational Model
      • Locations / Facility Map
      • IT / Data Map
      • Supplier Matrix
      • Stakeholder Map
      • Decision Rights Map
      • Program / Systems Map
      • Management Calendar
      • SIPOC
      • Capability Map
      • Obligation / Promise Owner Map

    along with several others. The Operating Model Canvas book is a good place to start understanding operating models from which you can identify where compliance needs to fit. If you need help to update your compliance map, consider joining The Proactive Certainty Program. This program helps you transform your compliance to achieve higher levels of operability and effectiveness.

© 2017-2025 Lean Compliance™ All rights reserved.