COMPLIANCE
- Places to Intervene in a System
Compliance systems are used to help companies stay between the lines and to improve the certainty of meeting stakeholder obligations. The purpose of each system is different, and so are the strategies needed to improve it. When it comes to improving systems, including those supporting quality, safety and security, environmental, and regulatory objectives, you need to know where your leverage points are and how to use them.

Donella Meadows discusses twelve leverage points in her article "Leverage Points: Places to Intervene in a System". She presents them in increasing order of effectiveness (12 is the weakest, 1 the strongest). They can be grouped in terms of changes to a system's material, process, design and intent:

Material change:
12. Constants, parameters, numbers (such as subsidies, taxes, standards).
11. The sizes of buffers and other stabilizing stocks, relative to their flows.
10. The structure of material stocks and flows (such as transport networks, population age structures).
9. The lengths of delays, relative to the rate of system change.

Process change:
8. The strength of negative feedback loops, relative to the impacts they are trying to correct against.
7. The gain around driving positive feedback loops.
6. The structure of information flows (who does and does not have access to information).

Design change:
5. The rules of the system (such as incentives, punishments, constraints).
4. The power to add, change, evolve, or self-organize system structure.
3. The goals of the system.

Change in intention:
2. The mindset or paradigm out of which the system — its goals, structure, rules, delays, parameters — arises.
1. The power to transcend paradigms.

The greatest leverage comes from understanding the "why", the purpose of a system, and in some cases from changing the paradigm on which the system was created.

For example, if a system was designed to close the gap between organizational behaviour and a code of conduct, it will lean heavily on negative feedback to correct deviations. If instead a system is designed to continually raise standards towards an ideal or aspirational goal, the focus will be on positive feedback that amplifies desired behaviours so they are better achieved over time.

We have found that companies improve their compliance more effectively when they move from a reactive to a proactive mindset with respect to their compliance systems. This starts by:
- taking ownership of all stakeholder obligations;
- improving compliance processes on an incremental and continuous basis;
- developing systems that indicate in real time the status of your compliance and your ability to advance outcomes.

By following these steps companies are better able to apply leverage points so that they meet their compliance obligations at lower cost and with greater effect.
- How To Steer Towards Greater Effectiveness
In this post we look at compliance governance: the act of steering to keep organizations between the lines and heading in the right direction.

A compass will help you find your way when the landscape is flat or otherwise two-dimensional. With a compass you know where you are relative to where you want to go, no matter how lost you become. It has saved countless lives over the years and still does today, although modern equivalents are now available. Most of us now use a GPS (Global Positioning System). It works much the same way as a compass does, and when combined with a real-time map it has made getting to one's destination far more reliable, with the occasional misstep when the map is not accurate or complete.

Compliance Navigational System

Organizations that decide to keep all their promises will also need a navigational system. In the past, audits functioned much as a compass did. That worked when the terrain was mostly known, flat and slow to change. This is no longer (or perhaps never was) the case. Compliance now needs the modern equivalent: a GPS, a real-time map, and a steering mechanism to stay between the lines and on course. This is the function of compliance governance combined with compliance programs. Together they form the navigational system for compliance.

Compliance Governance

Compliance governance begins with knowing where you are and where you want to go in order to plot your course. The destination for compliance is determined by a company's regulatory licence to operate along with its social licence. These are tempered by the organization's appetite and tolerance for risk. Where you are on the map is determined by the capabilities of your existing compliance systems and processes.

Compliance Compass

The Hoshin Kanri method is a popular LEAN approach used to steer organizations by aligning strategy with outcomes. It uses what is called an X-Matrix, which functions as a compass to ensure that all planned effort is working towards long-term priorities and compliance standards. The X-Matrix is oriented as follows:
- North: guiding standards, priorities or goals
- South: long-term outcomes, results, or breakthrough objectives
- West: short-term objectives, initiatives, or actions
- East: processes or metrics to improve and track progress
The corners are used to map the correlation or contribution between each component of the matrix, starting at the bottom and working around clockwise.

The X-Compass becomes a GPS when real-time tracking and mapping of obligations is integrated. This is where digital threads come into play, combined with obligation and risk registers. From a compliance standpoint a digital thread is more than a collection of metrics. It defines the measures necessary to maintain the integrity of an organization and keep it heading towards its goals without crashing; it is a measure of assurance (i.e. a golden thread).

Compliance Steering (feed-forward)

Compliance programs are the means by which compliance steers towards greater effectiveness in order to meet all of its obligations. While systems focus on consistency (staying on course), the role of a program is to advance outcomes by steering towards them. A compliance program takes specified outcomes (i.e. destinations) and maps them to systems and processes to ensure that the resources and capabilities needed to meet them are available. When gaps are identified, initiatives are created to close them. Each compliance program has its own set of outcomes it is trying to improve, such as reducing safety incidents, reducing risk, reducing costs, or increasing the reporting of near misses. As targets change to align with higher standards, each program directs the underlying systems by adjusting capabilities, capacity, processes, and system controls. Programs operate as a feed-forward process to regulate outcomes.

Course Corrections (feed-back)

It is well understood that compliance systems can be operational and yet fail to achieve the intended outcomes. Validating that systems are actually advancing towards targeted outcomes is an essential program-level process, and it is very different from verifying system performance or conformance. Programs also use projects and initiatives to close gaps and improve effectiveness.

Compliance Radar (avoiding danger)

Today compliance needs the means to know where it is in real time relative to where it is heading. It must also be able to look ahead to see and anticipate obstacles. The risk management function operates as a radar that keeps organizations out of danger. Measures are put in place to prevent risk events from occurring (similar to warning indicators) and to reduce their effects should they happen (similar to the role that air bags play). Compliance radars can take many forms, including the bow-tie analysis shown above, which can help plot courses that are more likely to be safe and certain. This is more effective when both leading (before the risk event) and lagging (after the risk event) data are available in real time.

Cruise Control (not as good as it sounds)

Compliance without governance often ends up operating in what is known as maintenance mode, or cruise control. When this happens, steering essentially stops. Systems operate with just enough resources to perform each process but none for improvement or raising standards. This leads to compliance drift or, if you like, "running" to failure.

Summary

Compliance needs to move beyond audits as the primary means of steering. Looking through the rear-view mirror only ever made sense when the danger being avoided was chasing you from behind. Setting compliance to cruise control is also not an option if you intend to reach your destination. As compliance's focus now includes advancing regulatory and voluntary outcomes, a better navigational system is needed, one that can negotiate today's compliance landscape and its uncertainty. This system must be proactive and support feed-forward, real-time processes that continually steer compliance towards greater effectiveness over time.
- Compliance with Benefits
Compliance is often seen as a necessary evil: a set of rules and regulations that stifle innovation and bog down operations. But what if, instead, it were a necessary good, a program to ensure and protect value creation? Call it Compliance with Benefits.

Uncover the Benefits

By elevating compliance you are not just following the law; you are establishing effective measures to deliver on all the obligations and commitments you have made.
- Effective Safety and Security: Compliance with safety regulations and stakeholder commitments protects your employees and reduces the risk of accidents and injuries. Strong data security practices embedded in the value chain safeguard sensitive information and ensure privacy rights are protected.
- Sustainability at the Core: Environmental regulations guide responsible resource management and waste reduction. Embracing these practices not only demonstrates environmental commitment but also brings cost savings and a stronger brand reputation.
- Unwavering Quality: A commitment to customer satisfaction ensures consistent product and service quality. This builds customer trust and loyalty, leading to a competitive edge.
- Integrity Above All: Following ethical business practices, as mandated by regulation and expected by all your stakeholders, fosters a culture of honesty and transparency. This builds stakeholder trust, which is critical for long-term mission success.

The 5 Pillars of a Benefits-Driven Compliance Program

To fully reap the benefits of compliance, these five core principles are essential:
- Ownership: Take full responsibility for understanding and meeting all your obligations. Empower your organization to be accountable for compliance within their roles.
- Promises Made, Commitments Delivered: When designing compliance programs, keep the outcomes in mind. Ensure you have the capabilities needed to deliver on all the promises associated with both external and internal obligations.
- Real-Time Monitoring: Proactive monitoring and risk measures help identify and contend with potential issues before they escalate. Regularly review processes, evaluate control effectiveness, and assess your overall capacity to meet obligations.
- Continuous Compliance: Continuous delivery of value requires continuous compliance to protect the value being created. Actively seek ways to improve your practices, stay current with changing regulations, and adapt to deliver better outcomes.
- Learning and Proactive Culture: Foster open communication and encourage your organization to learn from compliance challenges. Invest in training and encourage open dialogue and partnership with all your stakeholders.

Building Compliance as Competitive Advantage

By embracing these principles you cultivate a proactive, learning environment around compliance. This translates into a safer, more secure and more sustainable organization. It fosters trust with stakeholders, enhances your reputation, and ultimately propels your business towards long-term success. Remember, compliance is not a roadblock; it is a program that delivers benefits: the outcomes of always being in compliance and ahead of risk.
- Towards a Systems KAIZEN
LEAN uses the Japanese word KAIZEN (change for the better) to communicate its intent with respect to continuous improvement. KAIZEN is a form of intervention and has proven to work well at the PROCESS level. However, when it comes to changing management SYSTEMS it has not had the impact that many hoped it would. While removing waste is of some benefit, it does not get to the root cause, which has more to do with a lack of effectiveness than with efficiency. To improve management systems, specifically those related to quality, safety, security, sustainability, environmental and regulatory objectives, we need interventions that go beyond processes and procedures to approaches that consider the organization as a whole.

An Ideal Systems Model

To move closer to a holistic approach we need a systems model of the organization. It is with this systems view in mind that we consider how improvement interventions might work, specifically the Total Systems Intervention (TSI) approach introduced by Flood and Jackson (1991) [1]. Their model rests on the following propositions:
1. An organization comprises technical and human activities. Interactions in organizations are represented as an interactive mixture of technical and human activities. The whole-system framework is, then, a horizontally and vertically integrated set of technical and human activities.
2. The activities of an organization must be efficiently and effectively controlled while maintaining the viability of the organization. Activities are controlled by technical procedures and by socio-cultural and socio-political rules and practices. Procedures, rules and practices must be attuned so that viability can be achieved. Environmental factors may also be influenced or controlled.
3. The activities of an organization must be directed to achieve some purpose. An organization will normally have an officially declared mission to which these activities are ideally directed.
4. People in organizations appreciate (1) to (3) above in different ways. Individuals and groups naturally make their own interpretations of the interacting activities, of the way activities are controlled, and of the organization's purpose.
5. People hold a view of their own role and purpose in the organization, which can cause conflict, a lack of cohesion, inefficiency, ineffectiveness, rigidity and non-viability in the organization.
6. (3) and (5) above must be harmonized through organizational design and management style. An organizational design and management style must be chosen that balances people's needs with the organization's needs, remembering that the organization's needs also reflect the business or organizational context.
7. The whole organizational effort must accept responsibility for the impact of policies on the biological and social environments.

A Model for Systems Intervention (TSI)

Total Systems Intervention (TSI) is a methodology intended to enable practising managers to operationalize the principles of Critical Systems Thinking (CST) and a framework known as the System of Systems Methodologies (SOSM), which are considered essential to properly address the complexity of business systems. When applied to organizational problem solving, TSI extends the breadth and depth of systems interpretation to assist managers in deciding on an intervention approach. The motivation for Flood and Jackson's creation of TSI was the observation that any manager wishing to use a systems methodology had to choose among a multitude of diverse approaches, each with its own metaphorical understanding of reality. From their work the following theoretical principles were derived:
- Organizations are too complicated to understand using one management model, and their problems are too complex to tackle with quick fixes.
- Organizations, their strategies, and their problems should be investigated using metaphorical analysis.
- Metaphors that seem appropriate for highlighting organizational strategies and problems can be linked to appropriate systems-based methodologies to guide an intervention.
- Different metaphors and methodologies can be used in a complementary way to address different aspects of organizations and their problems.
- It is possible to appreciate the strengths and weaknesses of different systems methodologies and to relate each to certain organizational concerns and problems.
- TSI sets out a systemic cycle of inquiry with interaction back and forth between the three phases (creativity, choice, and implementation).
- Facilitators and clients are both engaged at all stages of the TSI process.

Flood and Jackson proposed that our capacity to manage organizations effectively (and this includes compliance) will be enhanced if we admit to the diversity of the "messes" confronting managers, continue to develop a rich variety of methodologies, and constantly ask "What kind of problem situation can be managed with which sort of methodology?" TSI provides a framework for answering these questions: a three-phase methodology (creativity, choice, implementation) forming a cycle of inquiry by which a suitable intervention approach can be chosen.

What this Means For KAIZEN

Advancing compliance outcomes such as quality, safety, security, sustainability, environmental and regulatory objectives, either individually or simultaneously, requires an overarching shift from reactive, piecemeal interventions to a total systems approach. KAIZEN is used in LEAN practices as an intervention approach to change things for the better. Although typically applied to small issues over a short period of time, it is not limited to one-time or continuous improvements at the line or process level. KAIZENs can be effective at the system level, but this requires practitioners to have a different mindset along with a diverse set of methodologies for implementing improvement interventions. Total Systems Intervention (TSI) provides a systems approach to help determine which methodology to use to address "system-sized problems" (i.e. "messes"). It gives organizations a framework for evaluating and comparing the effectiveness of intervention methodologies, which is of particular value to risk and compliance programs with respect to policy development and improvement.

References:
[1] Flood, R. L. and Jackson, M. C. (1991). Total Systems Intervention: A Practical Face to Critical Systems Thinking.
[2] Flood, R. L. (1995). Total Systems Intervention (TSI): a Reconstitution.
[3] Jackson, 2010; Reynolds et al., 2010.
- Should Compliance Manage Obligations or Promises?
Promises might be the super power that helps you meet all your obligations. Obligations and promises are tightly connected and hold prominent positions in law, particularly when it comes to agreements and contracts. Through this legal lens a promise binds someone to an obligation when an intention is declared and witnessed. Intuitively, many will know that telling others of your intentions strengthens your resolve to follow through with the obligation. We also know that when intentions are voluntarily made our resolve is stronger than when they are coerced or forced. It seems the process of making promises positively affects our ability to keep them.

It is interesting that compliance focuses much of its attention on identifying, tracking, and auditing obligations. Very little consideration is given to the other side of the equation: making, tracking, and managing promises. In this article we look at the research by Mark Burgess and what he calls "Promise Theory" to see how it might help organizations better meet all their obligations by keeping their promises. Perhaps promises are the super power compliance needs? Let's find out.

Promise Theory

Mark Burgess (a theoretical physicist) proposed Promise Theory in 2006. It was developed to deal with autonomous distributed systems, although its usefulness extends much further. Promise Theory is defined as a "model of voluntary cooperation between individual, autonomous actors or agents who publish their intentions to one another in the form of promises." It is based on these concepts:
- Intention: the desired outcome.
- Promise: an intention publicly declared to an audience.
- Imposition: an attempt to induce cooperation from another agent (i.e. to implant an intention).
- Obligation: an imposition with a cost or penalty for non-compliance.
- Assessment: a determination of whether or not a promise has been kept.
- Agent: the person or thing making a promise. This can be an inanimate object serving as a proxy for human intent. Agents cannot promise on behalf of anyone else.

Promise Theory changes the focus from managing obligations to managing promises.

Focus on Obligations

Obligation theories assume that agents choose behaviour based on an obligation to follow the rules: we are obligated to take a certain action. Compliance often focuses on obligations, where impositions are made that carry a penalty or cost. Systems designed using obligation theory use imperative control focused on how things should happen.

Focus on Promises

Promise Theory offers a different approach, focusing on intention and outcome. Agents behave voluntarily and have the autonomy to act as needed to satisfy their obligations. Systems designed to support Promise Theory use declarative control: what should happen, not how. Instead of mandating behaviours to create compliance, attention is on voluntary cooperation.

Why is Promise Theory Important For Compliance?

Promise Theory offers a way for organizations to conceptualize obligations more holistically and so better address the challenges facing compliance today.

Divergence of Obligations
Traditionally, many of today's obligations arise from a reductive approach to compliance, which results in a divergence of attention and action, creating greater complexity and uncertainty, particularly with respect to contribution towards outcomes. Tracking each action back to an obligation is hard enough; connecting it back to outcomes is next to impossible. This divide-and-conquer approach creates a combinatorial explosion of tasks and activities. Promise Theory, on the other hand, offers a way for obligations to converge, satisfied by promise-fulfillment systems similar to the services model used in healthcare, IT, and other service-based industries. Instead of a divergence of actions, a promise-based approach creates the opportunity for actions to converge, which reduces complexity and uncertainty in meeting desired outcomes.

Unmatched Obligations
Many organizations do a good job of tracking obligations but fall short when it comes to managing the promises that ensure obligations are met. They have the obligation but not the corresponding promise. Promise Theory provides a framework to engineer compliance: it helps organizations provide assurance by ensuring that every obligation has a connected promise. The number of obligations without a matching promise may be a better indicator of future compliance performance than simply auditing actions.

Lack of Resilience
Compliance systems based on a divide-and-conquer approach become more numerous, complicated and fragile over time. These systems cannot keep up and, as a result, increase the level of uncertainty and the corresponding risk. Promise-based systems are by nature more adaptive because they focus on outcomes. They have a better chance of delivering the original intent rather than merely following a particular rule, and they can leverage capabilities to reduce cost and improve effectiveness.

Unsupported Obligations
Many of today's obligations go beyond rule-based obligations and now include performance- and outcome-based designs. Pursuing these objectives requires a greater degree of cooperation and coordination than is found in many organizations, particularly those that follow a command-and-control regime. Promise-based systems are better suited to advancing goal-based regulations and standards, where obligations are voluntary and cooperation is needed.

Unmitigated and Preventable Risk
Obligation-based systems tend to assume certainty about conditions and about what actions to execute. Promise-based systems, however, are inherently goal-seeking and, when implemented properly, incorporate risk-based principles to improve the certainty of achieving the desired outcome. In practice they contend with uncertainty better because they assume from the start that it exists.

Summary

For compliance to keep up with the growth in obligations it must adopt a holistic systems approach. In essence, compliance will never be able to build enough controls, and manage them at the level necessary, to meet all of its obligations. Compliance will do better if it manages systems that deliver promises, based on Promise Theory. Applying this theory goes against the traditional command-and-control structures found in many if not most computer systems and common management practices today (although this is changing with the advent of generative AI). However, when organizations adopt this approach the result is systems that are more sustainable, more predictable, and more certain of making progress towards targeted compliance outcomes than following rules ever could be. Even the process of making promises strengthens an organization's resolve to follow through on its obligations. Making promises creates a moral bond on top of any legal ones that may exist. This moral connection may well be the super power that helps ethical organizations meet all their obligations. You might say it doubles their resolve and their chances of compliance success: a double helix for compliance.

Resources:
- A Theory of Voluntary Cooperation (markburgess.org)
- Thinking in Promises: Designing Systems for Cooperation, by Mark Burgess
- Promise Theory: An Introduction (book)
- Mastering Compliance - What Do You Need To Know
We've curated a comprehensive list of 100 essential concepts and skills (divided into 25 groups of 4) that can help you navigate the compliance landscape and mitigate risks more effectively. By developing a strong grasp of these and applying them judiciously, you can significantly improve your compliance efforts and better stay between the lines and ahead of risk:
- Four Properties of Effective Compliance
- Four Types of Regulatory Designs
- Four Categories of Obligations
- Four Types of Obligations
- Four Types of Promises
- Four Types of Commitments
- Four Capabilities of Operational Compliance
- Four Properties of Positive Compliance Culture
- Four Stages of Compliance Team Formation
- Four Key Properties of Compliance Systems
- Four Types of Work Specifications
- Four Types of Compliance Measures
- Four Types of Indicators
- Four Types of Responsibilities
- Four Key Compliance Roles
- Four Types of Internal Controls
- Four Types of Risk
- Four Methods of Risk Assessment
- Four Types of Responses for Negative Risk
- Four Types of Responses for Positive Risk
- Four Methods for Root Cause Analysis
- Four Types of Problem Solving
- Four Methodologies for Improvement
- Four Steps of Improvement
- Four Key Benefits When Compliance is Effective
Details for each follow.

100 Things You Need To Know to Master Compliance

1. Four Properties of Effective Compliance
- Proactive: Effective compliance programs are proactive in identifying and mitigating risks. Compliance professionals actively look for potential risks rather than waiting for problems to arise, and take steps to prevent violations before they occur through regular risk assessments, monitoring and testing, and training programs.
- Integrative: Effective compliance programs are fully integrated into the organization's overall strategy and operations. Compliance professionals work closely with other departments, such as legal, finance, and operations, to ensure that compliance is built into their daily activities. This helps ensure that compliance risks are identified and addressed in a timely and effective manner.
- Risk-based: Effective compliance programs prioritize risks based on their likelihood and potential impact. Compliance professionals use a risk-based approach to design compliance controls and procedures and to allocate resources to the areas of greatest risk. By focusing on the most significant risks, compliance programs can be more effective and efficient in preventing violations.
- Operational: Effective compliance programs are practical and effective in real-world situations. Compliance professionals design and implement controls and procedures tailored to the specific needs of the organization, taking into account its size, complexity, and industry, and ensure they are implemented and enforced consistently across the organization.

2. Four Types of Regulatory Designs
- Macro-Ends (Outcome-Based): Sets broad outcome-based goals or objectives but allows regulated entities to determine the best means of achieving them. The focus is on achieving desired outcomes rather than prescribing how.
- Macro-Means (Performance-Based): Sets broad performance standards or goals that regulated entities must meet but leaves the specific means of achieving them up to the entity. This gives regulated entities the flexibility to find the most cost-effective way of meeting the regulatory goals.
- Micro-Ends (Standards-Based): Specifies detailed technical standards or specifications that regulated entities must meet in order to comply. This is similar to the micro-means approach but focuses on technical specifications rather than on specific rules or requirements.
- Micro-Means (Rules-Based): Specifies detailed rules or requirements that regulated entities must follow in order to comply. This approach is highly prescriptive and leaves little room for interpretation or flexibility.

3. Four Categories of Obligations
- Legal obligations: Arise from the laws and regulations that govern behaviour in a particular jurisdiction. Examples include paying taxes, complying with workplace health and safety regulations, and respecting intellectual property rights.
- Contractual obligations: Arise from a contractual agreement between two or more parties. Examples include delivering goods or services within a specified time frame, paying for goods or services received, and maintaining confidentiality.
- Moral obligations: Arise from ethical principles or personal beliefs about what is right and wrong. Examples include treating others with respect and fairness, being honest and transparent, and not causing harm to others.
- Social obligations: Arise from a person's membership in a particular community or society. Examples include contributing to the welfare of the community, participating in civic activities, and respecting cultural norms and values.

4. Four Types of Obligations
- Persistent Achievement: Requires ongoing effort to achieve a specific goal or outcome. The goal may be to maintain a certain level of performance, meet a set of standards or requirements, or achieve a specific objective. These obligations typically require consistent, sustained effort over time.
- Persistent Maintenance: Requires ongoing effort to maintain a particular state or condition, such as maintaining a physical asset, complying with regulatory requirements, or adhering to established procedures or standards. These obligations are focused on maintaining a consistent level of performance or quality over time.
- Non-Persistent: Time-limited, with a specific endpoint. These may involve completing a one-time task or project, meeting a specific deadline, or fulfilling a short-term obligation. Once fulfilled, the obligation no longer requires ongoing effort or attention.
- Contingent: Dependent on certain conditions or events. These may require a specific action or response if certain conditions are met or a particular event occurs. For example, an employment contract may include contingent obligations related to bonuses or promotions that depend on meeting specific performance metrics. Contingent obligations may be time-limited or ongoing, depending on the conditions or events that trigger them.

5. Four Types of Promises
- Express promises: Explicitly made in words or writing, such as a verbal agreement or a written contract.
- Implied promises: Not explicitly made but implied by the circumstances or conduct of the parties. For example, if a restaurant serves you food and you pay for it, there is an implied promise that the food is safe to eat and free from harmful contaminants.
- Conditional promises: Made subject to certain conditions or contingencies. For example, a contractor may promise to complete a construction project by a certain date, conditioned on receiving timely payments from the client.
- Gratuitous promises: Made without any expectation of receiving something in return. For example, a friend may promise to help you move to a new apartment without asking for anything in return.

6. Four Types of Commitments
- Best efforts: A promise to use one's best efforts to achieve a particular outcome, but without any guarantee of success. For example, a seller may promise to use their best efforts to sell a certain number of products, but there is no guarantee they will reach that target.
- Reasonable efforts: A promise to use a reasonable level of effort to achieve a particular outcome. This is a lower standard than best efforts but still requires a meaningful effort. For example, a service provider may promise to use reasonable efforts to complete the work on time.
- Continuous efforts: A promise to continue making efforts over a specified period of time, rather than to achieve a particular outcome. For example, a contractor may promise to provide services for a certain period regardless of whether a specific outcome is achieved.
- Performance milestone: A promise to achieve specific performance milestones rather than a single overall outcome. For example, a contractor may promise to achieve certain milestones, such as completing the foundation work or finishing the framing, before receiving payment.

7. Four Capabilities of Operational Compliance
- Operational Governance: This capability refers to the framework of policies, procedures, and standards that govern an organization's compliance operations.
It includes the establishment of roles and responsibilities, the development of risk management strategies, and the oversight of compliance activities and establishing of context, scope, and risk profiles. Operational Programs : This capability refers to the specific initiatives that an organization implements to advance compliance towards compliance outcomes. It includes processes to improve aligning operational systems with organizational values and compliance outcomes. Examples include: policy deployment, Hoshin Kanri, accountability frameworks, etc. Operational Systems : This capability refers to the technology and systems that an organization uses to support operational compliance. It includes the use of automation, data management systems, document/records management, and monitoring and reporting tools along with specific systems for each compliance domain (ex. vulnerability management systems, incident management systems, etc.) Operational Processes : This capability refers to the processes that an organization uses to manage its operations and ensure compliance. It includes the design and implementation of workflows, the development of procedures and guidelines, and the integration of compliance requirements into business operations. 8. Four Properties of Positive Compliance Culture: Strong leadership commitment : A culture of compliance starts at the top. Leaders must demonstrate a strong commitment to compliance by setting the tone from the top, providing resources, and communicating expectations. Open communication: Employees should feel comfortable speaking up about compliance concerns, asking questions, and reporting potential violations without fear of retaliation. This requires an environment of open communication and transparency. Clear policies and procedure s: A culture of compliance requires clear policies and procedures that are easy to understand and follow. These policies should be regularly updated and communicated to all employees. 
Ongoing training and education : Compliance training and education should be ongoing and tailored to the needs of the organization. This can include regular training sessions, updates on changes in regulations, and other forms of education to help employees stay informed and engaged. 9. Four Stages of Compliance Team Formation: Forming : In this stage, team members are introduced to each other and begin to get to know each other. They often feel uncertain about their role in the team and are still figuring out how to work together effectively. Storming : In this stage, conflicts and tensions may arise as team members begin to work more closely together. They may disagree about goals, procedures, and individual roles, leading to a period of adjustment and negotiation. Norming : In this stage, the team begins to establish a more cohesive and harmonious working environment. They develop a common understanding of goals and expectations, and individual roles become more clearly defined. Performing : In this stage, the team is fully functional and working together to achieve common goals. They are focused on achieving success and have a high level of trust and cooperation with each other. This stage requires ongoing effort and attention to maintain the effectiveness of the team. 10. Four Key Properties of Compliance Systems: Interconnectedness : A system is made up of interconnected parts that work together to achieve a common goal. The behaviour of one part affects the behaviour of the other parts, and the system as a whole. Interdependence : The parts of a system are interdependent, meaning that they rely on each other to function properly. If one part of the system fails or malfunctions, it can have ripple effects on the entire system. Feedback : Systems have feedback mechanisms that allow them to monitor their own performance and make adjustments as needed. 
These feedback loops can be positive, where a system reinforces its own behaviour, or negative, where a system corrects or adjusts its behaviour to achieve a desired outcome. Emergence : Systems exhibit emergent behaviour, meaning that the behaviour of the system as a whole is greater than the sum of its individual parts. This emergent behaviour can be difficult to predict or understand based solely on the behaviour of the individual parts. Since, compliance is an outcome of meeting obligations it is therefore an emergent property. 11. Four Types of Work Specifications Policy : Policies are high-level statements that outline an organization's commitment/promises, goals, values, and overall approach to meet obligations. They provide a framework for decision-making and guide the development of more detailed work specifications. Process : Processes are a series of steps or activities that need to be completed in a specific order to achieve the desired result. They define the overall flow of work and provide a road map for achieving a particular outcome. Procedure : Procedures provide detailed, step-by-step instructions that describe the specific tasks and activities required to complete each stage of the process. They provide guidance for carrying out work consistently and efficiently. Work instruction: Work instructions provide specific guidance for performing individual tasks within the overall process. They provide detailed, step-by-step instructions for carrying out specific activities, including information on the tools and equipment required, the sequence of steps to be followed, and any safety or quality considerations that need to be taken into account. 12. Four Types of Compliance Measures: Measures of Effectiveness : These measures are used to assess how well an organization is achieving its goals and objectives. 
They focus on the outcomes or results of a particular activity or process, and are often tied to key performance indicators (KPIs) that are directly linked to the organization's compliance strategy (ex. progress / advancement towards compliance outcomes). Measures of Performance : These measures are used to evaluate the efficiency and productivity of an organization or a particular process. They focus on how well resources are being used to achieve specific compliance goals and objectives, and are often expressed as ratios or percentages (ex. rate we are buying down compliance risk, and capacity to keep our promises). Measures of Conformanc e: These measures are used to ensure that work adheres to established guidelines, standards and procedures. They focus on conformance to standards, regulatory requirements, and other established norms and expectations (ex. count of evidence of compliance). Measures of Assurance: These measures are used to provide confidence that work is being carried out in a reliable and trustworthy manner. They focus on the effectiveness of controls and safeguards that are in place to mitigate risks and ensure compliance with established standards and procedures. Measures of assurance may include audits, inspections, and other forms of testing and evaluation to verify that work is being carried out as intended (ex. confidence in our ability to always stay between the lines and ahead of risk). 13. Four Types of Indicators: Performance indicators : These indicators are used to measure the performance of a business, process, or individual against predefined goals or targets. Examples include sales revenue, customer satisfaction scores, and employee productivity. Risk indicators : These indicators are used to identify and assess potential risks to a business or project. Examples include safety incident rates, financial risks, and regulatory compliance risks. 
Financial indicators: These indicators are used to track the financial performance of a business or project. Examples include revenue growth, profit margins, and return on investment (ROI). Sustainability indicators : These indicators are used to measure the social, environmental, and economic impact of a business or project. Examples include carbon emissions, energy consumption, and social responsibility ratings. 14. Four Types of Responsibilities: Accountable : The person who is accountable for meeting an obligation. This person is answerable for the outcome and responsible to take ownership for the obligation, task or decision, and is often the person who has the authority to decided on the level of commitment. The accountable person may delegate doing the work of compliance to responsible persons, but remains accountable for the obligation. Responsible : The person who is responsible for doing the work of compliance. This person is expected take take ownership for processes, tasks, and objectives and to ensure that it promises are kept, within budget, and to the required standard. Consult : The person who is consulted is not responsible for meeting the obligation, but is asked to provide input or advice to help inform the decision-making process. This person may have expertise or knowledge that is relevant to an obligation or the how the obligation might be met, and their input is valued and taken into consideration. Inform : The person who is informed is not responsible for meeting or doing the work of compliance but is kept up-to-date on the progress and outcome of compliance goals and objectives. This person may need to be informed for various reasons, such as to maintain awareness of important developments or to ensure that they are able to carry out their own responsibilities effectively. 15. 
Four Key Compliance Roles: Compliance Officer : The compliance officer is responsible for overseeing the compliance program and ensuring that the organization operates within legal and regulatory guidelines. This person also provides guidance to employees, conducts training and education, and ensures that internal policies and procedures are up to date. Risk Manager : The risk manager identifies, assesses, and manages risks that could impact the organization's compliance efforts. This person is responsible for developing risk management plans, monitoring the effectiveness of those plans, and communicating any changes in risk to the compliance officer. Investigator : The investigator is responsible for conducting investigations into potential compliance violations. This person gathers evidence, interviews witnesses, and determines whether a violation has occurred. The investigator then provides a report to the compliance officer, who determines the appropriate course of action. Auditor : The auditor is responsible for conducting regular audits of the organization's compliance program. This person reviews policies and procedures, conducts interviews with employees, and reviews documentation to ensure that the program is effective and compliant with legal and regulatory requirements. The auditor then provides a report to the compliance officer, who determines whether any changes or improvements are necessary. 16. Four Types of Internal Controls: Administrative controls : Administrative controls include policies and procedures established by management to manage the activities of the organization. These controls may include segregation of duties, access controls, and management oversight. Detective controls : Detective controls are designed to identify errors, omissions, or other problems after they occur. Examples of detective controls include audits, reconciliations, and data analysis. 
Preventive controls : Preventive controls are measures put in place to stop problems before they occur. These controls are designed to deter potential risks and reduce the likelihood of errors or fraud. Examples of preventive controls include access controls, physical security measures, and authentication procedures. Corrective controls : Corrective controls are actions taken to correct errors or mitigate problems after they have occurred. These controls may include reporting systems to track errors, investigations of incidents, and disciplinary actions against employees who violate policies or procedures. 17. Four Types of Risk: Compliance risk : Compliance risk refers to the potential for an organization to violate laws, regulations, or industry standards that apply to its operations. This includes the risk of financial loss, legal action, and reputational damage that can result from non-compliance. Operational risk : Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, systems, or human error. In the context of compliance, operational risk can arise from weaknesses in compliance processes, systems, or controls that make it more difficult for an organization to comply with applicable regulations. Safety/security/sustainability risk : Safety, security, and sustainability risks refer to the potential for an organization to harm people, property, or the environment due to non-compliance. These risks can arise from a failure to comply with regulations that are designed to protect the safety and well-being of employees, customers, and the environment. Strategic risk : Strategic risk refers to the potential for an organization to fail to achieve its strategic objectives as a result of non-compliance. In the context of compliance, strategic risk can arise when an organization fails to effectively manage compliance risks that are aligned with its overall strategic goals and objectives. 
Failure to manage strategic compliance risks can result in significant reputational and financial consequences for an organization. 18. Four Methods of Risk Assessment: Quantitative Risk Assessment: This method uses numerical data and statistical analysis to measure the likelihood and potential impact of a risk event. It involves calculating the probability of a risk occurring, the potential consequences, and the cost associated with managing or mitigating it. Qualitative Risk Assessmen t: This method uses subjective judgment and expert opinions to assess risks based on their perceived likelihood and potential impact. It involves identifying and analyzing risks based on factors such as the severity of consequences, the likelihood of occurrence, and the effectiveness of existing controls. Model-based Risk Assessmen t: This method uses computer models and simulations to predict the likelihood and potential impact of a risk event. It involves creating a mathematical model of the system being assessed and running simulations to test different scenarios and assess the risk associated with each. Scenario-based Risk Assessment : This method involves analyzing potential scenarios that could lead to a risk event and assessing the likelihood and impact of each scenario. It involves brainstorming potential scenarios, analyzing each one in detail, and identifying the most likely scenarios to occur. 19. Four Types of Responses for Negative Risk: Avoid : This response involves taking steps to eliminate the risk or avoid the situation that creates the risk altogether. This may involve changing the scope of the project, reassigning tasks, or simply avoiding the activity that creates the risk. Transfer : This response involves shifting the risk to another party, such as an insurance provider, a contractor, or a third-party vendor. This is often done through the use of contractual agreements or insurance policies. 
Mitigate : This response involves taking steps to reduce the likelihood or impact of the risk. This may involve implementing additional controls, improving processes, or enhancing resources to better manage the risk. Accept : This response involves accepting the risk and developing a plan to manage it. This may involve setting aside contingency funds, developing a risk mitigation plan, or creating a plan to respond in the event that the risk occurs. 20. Four Types of Responses for Positive Risk: Enable : This response involves taking steps to enhance the probability or positive impact of the risk. This may involve allocating additional resources or creating a favorable environment to increase the likelihood of the risk occurring. Exploit : This response involves taking advantage of the opportunity presented by the positive risk. This may involve reallocating resources or modifying plans to maximize the benefits of the risk. Share : This response involves sharing the benefits of the positive risk with other parties. This may involve partnering with other organizations or stakeholders to jointly benefit from the risk. Accept : This response involves accepting the positive risk and developing a plan to manage it. This may involve setting aside resources to maximize the benefits of the risk, or developing contingency plans in case the risk does not materialize as expected. 21. Four Methods for Root Cause Analysis: 5 Whys : A simple but effective method that involves repeatedly asking "Why?" until the root cause is identified. Fish-bone diagram : Also known as an Ishikawa diagram, this method uses a visual representation of the possible causes and their relationships to help identify the root cause. Fault tree analysis : A deductive method that uses logic diagrams to identify the combinations of events or conditions that could lead to the problem. 
Apollo Root Cause Analysis (ARCA) : A structured approach commonly used in high-reliability industries to identify the root cause of an event or problem. It involves defining the problem, assembling a cross-functional team, describing the event, identifying causal factors, determining the root cause using the "Apollo question," developing and implementing corrective actions, and verifying effectiveness. 22. Four Types of Problem Solving: Troubleshooting : This type of problem-solving involves identifying and resolving specific issues or failures that arise in a system or process. Troubleshooting typically involves a step-by-step approach to identify the root cause of a problem and develop a solution to fix it. Gap from Standards : This type of problem-solving involves identifying areas where current performance or processes fall short of established standards or requirements. The focus is on identifying and closing the gap between current performance and the desired performance or process. Target State : This type of problem-solving involves defining a specific desired state or outcome and working backwards to identify the steps needed to achieve that outcome. The focus is on developing a clear vision of the desired outcome and then breaking it down into actionable steps. Open-Ended: This type of problem-solving is used when the problem is not well-defined or the desired outcome is not clear. The focus is on exploring different options and possibilities, generating new ideas, and testing hypotheses to determine the best course of action. This approach is often used in research and development or in situations where the problem is complex and multifaceted. 23. Four Methodologies for Improvement: Continuous Improvement : Continuous Improvement, also known as Kaizen, is a methodologies that focuses on making incremental improvements to processes, products, or services over time. 
It involves regularly reviewing and analyzing performance metrics, identifying areas for improvement, and implementing changes to increase efficiency, reduce waste, and improve quality. Lean/Six Sigma : Lean/Six Sigma is a methodology that combines two approaches to process improvement: Lean and Six Sigma. Lean focuses on reducing waste and increasing efficiency, while Six Sigma focuses on reducing defects and improving quality. Together, they provide a comprehensive approach to process improvement that involves identifying and eliminating waste, reducing variation, and improving customer satisfaction. Lean Startup : Lean Startup is a methodology that focuses on creating new services or products with minimal resources and maximum efficiency. It involves testing ideas and assumptions quickly and using customer feedback to make informed decisions about product development. This approach allows startups to iterate rapidly and avoid investing significant resources in ideas that may not succeed. Agile : Agile is a methodology that is commonly used in software development but can be applied to any project. It involves breaking down work into small, manageable chunks and prioritizing them based on customer value. Agile teams work in short iterations, regularly reviewing and adapting their approach to ensure they are delivering value to customers efficiently. This approach allows teams to be flexible and responsive to changing requirements or customer needs. 24. Four Steps of Improvement: Plan : In this step, the team identifies a problem or opportunity for improvement and develops a plan for how to address it. This includes setting objectives, establishing metrics for success, and creating a detailed plan for implementation. Do : In this step, the team carries out the plan that was developed in the previous step. This may involve making changes to processes, implementing new tools or technologies, or testing new approaches to see if they are effective. 
Check : In this step, the team measures the results of the changes made in the previous step to determine if they have been effective in achieving the desired outcomes. This involves gathering data and analyzing it to identify trends, patterns, and areas for further improvement. Act : In this final step, the team takes action based on the results of the previous step. This may involve implementing further changes, refining the existing approach, or taking corrective action if the results were not as expected. The team then goes back to the planning step to continue the cycle of improvement 25. Four Key Benefits When Compliance Is Effective: Protection from legal and financial risks : Effective compliance helps companies to identify and mitigate risks that could lead to legal or financial consequences. By adhering to laws and regulations, companies can avoid fines, penalties, lawsuits, and reputational damage. Improved operational efficiency : Compliance programs require companies to establish processes and procedures that help to streamline operations and reduce inefficiencies. Compliance can also help to identify areas where improvements can be made, leading to increased productivity and profitability. Increased employee morale: Effective compliance programs promote ethical and responsible behaviour among employees, which can lead to a positive workplace culture. When employees understand the importance of compliance and feel supported by management, they are more likely to be engaged, motivated, and committed to their work. Enhanced reputation and trust : Companies that prioritize compliance are seen as more trustworthy and reliable by customers, stakeholders, and investors. Effective compliance programs can help to build a positive reputation and improve brand value, which can lead to increased customer loyalty and business growth.
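Sections 18 (quantitative risk assessment) and 21 (fault tree analysis) above describe two methods that fit together naturally: a fault tree is the logic diagram that says which combinations of basic events lead to the top event, and the quantitative step attaches probabilities and a loss figure to it. The following is an added example, not code from this page or from its author, that works the technique end to end on a constructed fault tree for a data-disclosure top event. The gate structure, the event names, their annual probabilities and the loss figure are all assumptions chosen to illustrate the method; they are not figures from any real assessment. It derives the minimal cut sets, computes the exact top-event probability assuming independent basic events, compares it with the usual "sum of cut sets" rare-event estimate, and reports how much each single control would buy the risk down.

```python
"""Fault tree analysis with a quantitative layer (added example, not from the page).

Gates are AND/OR nodes, leaves are basic events with assumed annual probabilities.
All names and numbers below are constructed placeholders for the technique.
"""
import math
from itertools import product

# Constructed fault tree: node -> (gate_type, child_nodes). Names that do not
# appear as keys are basic events. Top event: an unauthorized data disclosure.
TREE = {
    "unauthorized_disclosure": ("OR", ["account_takeover", "exposed_storage",
                                       "privilege_misuse", "weak_auth_chain"]),
    "account_takeover": ("AND", ["password_reused", "mfa_not_enforced"]),
    "exposed_storage": ("AND", ["public_bucket", "no_config_scan"]),
    "privilege_misuse": ("AND", ["excess_privilege", "mfa_not_enforced"]),
    # Redundant branch: a superset of account_takeover; minimization removes it.
    "weak_auth_chain": ("AND", ["password_reused", "mfa_not_enforced", "excess_privilege"]),
}
# Assumed annual probabilities of each basic event (constructed values).
BASIC = {"password_reused": 0.30, "mfa_not_enforced": 0.20, "public_bucket": 0.05,
         "no_config_scan": 0.50, "excess_privilege": 0.40}
IMPACT = 250_000.0  # assumed loss per occurrence of the top event (constructed)


def _minimize(sets):
    """Keep only minimal cut sets: drop duplicates and any set containing another."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(tree, node):
    """Expand gates top-down into minimal cut sets (frozensets of basic events).
    OR gates pool the children's cut sets; AND gates combine one cut set from
    each child (cartesian product)."""
    if node not in tree:
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [minimal_cut_sets(tree, c) for c in children]
    if gate == "OR":
        sets = [s for cs in child_sets for s in cs]
    elif gate == "AND":
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return _minimize(sets)


def _holds(tree, node, state):
    """Evaluate whether `node` occurs under a truth assignment of basic events."""
    if node not in tree:
        return state[node]
    gate, children = tree[node]
    results = [_holds(tree, c, state) for c in children]
    return any(results) if gate == "OR" else all(results)


def top_event_probability(tree, top, basic):
    """Exact top-event probability for independent basic events, by enumerating
    every combination of basic-event states (fine for trees this small)."""
    names = sorted(basic)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        if _holds(tree, top, dict(zip(names, bits))):
            total += math.prod(basic[n] if b else 1.0 - basic[n]
                               for n, b in zip(names, bits))
    return total


def rare_event_bound(cut_sets, basic):
    """Sum of cut-set probabilities: the quick estimate, and an upper bound that
    over-counts when cut sets share events (two of ours share mfa_not_enforced)."""
    return sum(math.prod(basic[e] for e in cs) for cs in cut_sets)


def rank_cut_sets(cut_sets, basic):
    """Order cut sets by probability, highest first, to show where the leverage is."""
    return sorted(((math.prod(basic[e] for e in cs), tuple(sorted(cs))) for cs in cut_sets),
                  reverse=True)


def risk_reduction_if_controlled(tree, top, basic, event):
    """Drop in top-event probability if a control makes `event` impossible
    (probability 0): a simple risk buy-down figure for comparing controls."""
    controlled = dict(basic, **{event: 0.0})
    return top_event_probability(tree, top, basic) - top_event_probability(tree, top, controlled)


def annual_loss_expectancy(probability, impact):
    """Quantitative risk: expected annual loss = probability of the event * impact."""
    return probability * impact


if __name__ == "__main__":
    top = "unauthorized_disclosure"
    cs = minimal_cut_sets(TREE, top)
    for p, events in rank_cut_sets(cs, BASIC):
        print(f"{p:.3f}  {' AND '.join(events)}")
    p_top = top_event_probability(TREE, top, BASIC)
    print(f"P(top) exact={p_top:.4f}  rare-event bound={rare_event_bound(cs, BASIC):.4f}")
    print(f"ALE = {annual_loss_expectancy(p_top, IMPACT):,.0f}")
    for ev in sorted(BASIC):
        print(f"control {ev:18s} buys down {risk_reduction_if_controlled(TREE, top, BASIC, ev):.4f}")
```

Two things the example shows that the descriptions alone do not: the rare-event estimate (0.165) noticeably overstates the exact probability (0.1381) because two cut sets share the same basic event, and that shared event is exactly where a single control buys down the most risk, which is the kind of figure section 12's "rate at which we are buying down compliance risk" refers to. The exhaustive enumeration is exponential in the number of basic events, so for large trees one would switch to the minimal-cut-set inclusion-exclusion or a binary decision diagram.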
- The Value of a Program and Coach
Getting into shape is not very different from getting into compliance. Sometimes (most often) you need the help of a program and a coach to improve your chances of success.
Personal Fitness
When it comes to physical fitness, most view it as beneficial and worth pursuing. And yet many of us struggle to achieve the level of fitness we would like, never mind sustaining it over time. However, with good intentions and hope filling our sails, we often take up the challenge (probably several times) and join a fitness club. There we will find all the equipment we need to get into shape. This will be perfect! So we tell ourselves. Upon arriving at the gym we are immediately overwhelmed by all the “professionals” who are much fitter than we are, all the equipment we don’t know how to use, and the acute awareness of how "out of shape" we really are. Our sails are no longer filled with the hope we once had as waves of discouragement cross the bow. It appears that having access to all the fitness equipment in the world is not enough. Without knowing how to use it the right way, and for the right purpose, we will never become any fitter. In fact, using the equipment may make things worse, leading to possible injury: physical, and most likely emotional when our hope is replaced by discouragement. What we need is some structure, knowledge, and expertise to successfully negotiate the fitness terrain. We need a program to provide the structure and we need a coach to provide knowledge and experience. Together these will improve our chances of success and once again fill our sails with hope.
Compliance Fitness
Getting into shape is not very different from getting into compliance. Over the years we have noticed that many organizations may have the compliance equipment (or some of it at least) but never achieve compliance operability (i.e. fit for purpose). Companies pay the price but never enjoy the benefits. They have a gym membership but do not have the structure, knowledge, or expertise to help them navigate the compliance terrain towards better outcomes.
Compliance Program and Coach
That is why we created and offer “The Proactive Certainty Program™”. With this program, guided by our compliance coaches, we help you take your compliance parts and make them work together to finally achieve compliance operability, so you can start enjoying the benefits that come from being in compliance. As has been said many times before, "Give a Man a Fish, and You Feed Him for a Day. Teach a Man To Fish, and You Feed Him for a Lifetime." Our intent is to teach you how to fish – how to always stay in compliance. If you are looking to get into compliance shape, consider becoming a member of The Proactive Certainty Program™. Let us help you learn to always stay between the lines and ahead of risk.
- Overcoming Compliance Silos
Increasingly standards and regulatory bodies are promoting a holistic approach to compliance. However, many companies still implement compliance programs using an element-by-element approach that reinforces silo-ed behaviours and practices. This reductive and specialized approach, left to itself, will greatly diminish the effectiveness of the measures used to protect and ensure delivery of total value. In this article, we will explore why silos are still used, what new compliance standards and regulations require, and how organizations can overcome the effects of compliance silos to improve overall effectiveness. Organizational Structures In many asset intensive companies accountability tends to be aligned to mirror the structure of the assets themselves. Many companies adopt a hierarchical management structure centred around operations and maintenance functions. This organization provides a single point of accountability for performance of process functions along with providing effective resourcing of specialist skills to keep a plant or facility operational. A challenge for these kinds of organizations is how best to organize the management of systems and processes that are cross-functional. Compliance programs tend to be distributed across functional groups such as: quality, process safety, occupational safety, regulatory compliance, environment, and so on. Managers for these processes tend not to report to the same director or vice president. It's no wonder why it's difficult to find a single point of accountability for a scope large enough to oversee the entire breadth that new regulations and standards require. This is perhaps one of the greatest obstacles to adopting holistic and programmatic compliance. Evolution of Compliance Strategies Regulations and standards have evolved over the years to respond to new challenges and learn from prior approaches. However, these changes have not always been adopted to the degree that many had hoped. 
This has left companies lagging behind often resorting to using old behaviours to address new requirements. In the book entitled, "Guidelines for Risk Based Process Safety" published by the Center for Chemical Process Safety, Chapter 2 provides an excellent overview of how strategies have changed over the decades. While this is in the context of process safety, much of the history is shared with other compliance regulations and standards. The following diagram (my annotations in RED) from this book presents the progression beginning with the focus on standards: Standards and compliance based approaches tended towards prescriptive specifications which afforded consistency and could be verified easily by checklists. However, the new compliance strategies are performance based requiring cross-functional processes. In order to apply continuous improvement and risk based thinking companies need to go beyond simple compliance towards the use of systems so that overall outcomes can be achieved and risks can be managed. In recent years, this systems focus has increased the scope of several regulations and standards extending them beyond what is done by existing functional groups. Many companies are struggling to find a place in the organization to own the elements along with the system itself. It's not uncommon to find many companies using existing practices and behaviours to meet new demands while keeping existing management structures mostly intact. However, this results in companies falling further behind when it comes to the adopting the practices that are needed to achieve overall system effectiveness. Why This Matters – It's all about risk A systems-based approach allows companies to take advantage of synergies across processes, practices, and behaviours along with eliminating duplication. However, this is not the only reason why systems are used. A systems-based program provides the means to achieve outcomes and contend with risk. 
In fact, that's the purpose behind compliance programs. James Reason introduced the Swiss Cheese model to illustrate how even small holes in safety barriers can lead to adverse effects. This model, adapted below for ISO 9000:2015, shows each component as a layer with its own processes and practices. These layers work together to produce the overall outcomes of the quality program. As shown in the following diagram, latent or active failures, even small ones, can allow threats to materialize. It is by understanding how these breaches connect with each other that the overall system can be adequately protected.

To further this idea, API Recommended Practice 1173 for Pipeline Safety Management System, introduced in 2015, rightly states in its introduction:

"Major accidents with high consequences rarely occur due to a safety breakdown of a single activity but instead occur because of an alignment of weaknesses across multiple activities. While safety efforts may be applied individually to each activity more effective safety performance is achieved when viewing the linked activities as processes"

This holds true not only for safety but for all compliance programs. It is necessary to look across all programs to effectively manage risk. This is difficult to do when implementing processes in isolation within functional silos and when there is no clear accountability for the entire system.

Overcoming Compliance Silos

This brings us to the question of what companies can do to benefit from the new holistic compliance strategies when they are predominantly organized in hierarchies. A common approach used to support cross-functional processes is the matrix structure. This is used for projectized work which, while different from management systems, can offer some insights into similar issues and approaches. With respect to projects, asset-based organizations tend to have a "weak" matrix organization as defined in the PMBOK®.
Functional managers have stronger authority relative to project managers, which makes sense given that ultimate accountability for such things as quality, safety and risk lies with those who own the assets. In a previous blog post, I introduced the concept of programs and systems. The role of a management program is similar to the use of programs to manage related projects. Programs ensure system-wide outcomes and introduce changes to ensure alignment with program priorities and objectives. Introducing a program role to oversee multiple compliance systems would help in the same way that programs help co-ordinate related projects. However, to fully benefit from this approach it's important to give that role greater accountability than that typically found in "weak" matrix organizations. The program role must have accountability at the same level as functional directors to ensure program outcomes. This creates a "strong" matrix organization, at least with regards to compliance programs.

A program role would be accountable for:
- The outcomes of the compliance system and related processes
- Aligning corporate strategies and initiatives to program goals and objectives
- Providing resources to operate, manage, and improve underlying systems
- Identifying and managing program risks
- Co-ordinating cross-functional responsibilities to deliver system outcomes
- RISK: Losing Your Social License
All too often companies find that they are only one accident, one explosion, one fatality, or one recall away from not only losing their regulatory license, but also (perhaps more importantly) losing their social license to operate. The concept of a social license is a complex topic on which several papers, books, and presentations have been written. This concept grew out of the resource sector, with roots in social contract theory. John Morrison's book [1], "The Social License – How to Keep your Organization Legitimate", is an excellent source for those who wish to dive deeper into this topic.

A social license is not a formal one. It is granted by a community (i.e. a network of stakeholders) based on factors such as legitimacy, trust and consent. A social license is hard to measure, but you know when you don't have it. This is often made visible when an organization does not receive government approval to proceed with a project. The definition of a social license varies based on the type of business, industry, and stakeholder. Jim Cooney (a thought leader on the topic of social responsibility and sustainability issues) writes that a social license may mean [4]:
- Corporate social responsibility (CSR)
- Sustainable economic, environmental and social development
- Community rights and entitlements
- Social justice: distributional and procedural fairness
- Evolution in the decision-making power of government
- A new social contract that legitimizes corporations by redefining their obligations to society
- Any broad public policy issue that is not addressed in government approval processes for industrial projects

Although the nature of a social license and how it is obtained may vary, it results in the identification and follow-through of stakeholder obligations [3], both mandatory and voluntary. How well a company meets these obligations will determine to what extent their social license survives after an adverse situation.
Threats

Companies may find after a significant incident has occurred that regaining their social license is more challenging than addressing regulatory issues. Trust is particularly at risk and, as we know, trust takes time to earn and is quickly lost.

"If you once forfeit the confidence of your fellow citizens, you can never regain their respect and esteem" – Abraham Lincoln (1854)

Trust can only be addressed after the legitimacy of the business has been established [2]. Legitimacy is also the last line of defence should the other boundaries be rescinded for whatever reason. Legitimacy is the foundation on which a social license is sustained. The stronger a company's legitimacy, the more resilient it is to threats against its social license.

Countermeasures

Morrison [1] presents several factors that contribute to a company's legitimacy. From a compliance perspective, the following two are essential to demonstrate that obligations are being treated seriously:
- Company structure, governance, and accountability (meeting obligations)
- Due diligence, mitigation and prevention (doing no harm)

Sarah A. Altshuller, author of the corporate social responsibility chapter in the book "Corporate Legal Compliance Handbook" [5], writes: "... failure to demonstrate that a company is fulfilling its commitments to stakeholders can be costly. There are strong business reasons, therefore, to leverage and integrate CSR commitments and compliance processes."

There are international and national standards that can be applied to help manage obligations, such as ISO 26000 (Social Responsibility), ISO 37301 (Compliance Management System), and others that deal with specific domains such as quality, health and safety, environment, process and pipeline safety, and so on. What's important is that social license obligations are reflected and tracked throughout all management systems and processes within the organization.
Doing so will provide greater evidence of legitimacy and reinforce that obligations are managed effectively.

Where to Start

An important step that organizations can take to increase legitimacy is to document each obligation made to stakeholders. To operationalize these obligations, the following additional steps are recommended:
- Document the context and expectations (i.e. outcomes)
- Define what constitutes evidence of compliance
- Identify what standard is being used to establish normative processes
- Identify what is needed (structure, resources, technology, culture, etc.) by the organization to achieve the desired outcomes
- Identify and evaluate risks (both threats and opportunities) for each obligation
- Identify implementation steps to embed obligations into the organization

References:
[1] John Morrison, The Social License – Keeping Your Organization Legitimate
[2] https://socialicense.com/
[3] ISO 37301 and ISO 19600 define obligations as being either requirements (mandatory) or commitments (voluntary). Both are treated the same way in terms of this discussion.
[4] http://www.ryerson.ca/content/dam/csrinstitute/pdf/Jim%20Cooney%27s%20powerpoint%20presentation.pdf
[5] http://www.csrandthelaw.com/2016/08/11/corporate-social-responsibility-and-compliance-a-functional-convergence/
- Operationalizing Obligations: A Guide to Policy Deployment using Hoshin Kanri
Ensuring that organizational obligations and policies are effectively deployed and upheld is a critical task. This is where Hoshin Kanri, a Lean practice, comes into play. Hoshin Kanri offers a structured approach to operationalize obligations across organizations, providing a roadmap to align objectives, ensure accountability, and drive continuous improvement. In this blog post, we will delve into the framework of policy deployment using Hoshin Kanri, shedding light on its key components and how it helps organizations steer towards better outcomes.

The Framework: Policy Deployment using Hoshin Kanri

At its core, policy deployment using Hoshin Kanri is about translating high-level organizational goals and policies into actionable plans that permeate throughout the organization. This framework can be summarized as follows:
- Measuring Compliance Reliability and Effectiveness
In today's world of compliance, organizations face a dual challenge: not only must they faithfully adhere to regulations, but they must also make significant progress in their compliance efforts. This requires compliance to be reliable and effective. Eliyahu Goldratt, the visionary thinker behind the Theory of Constraints, introduced in his book Beyond the Goal definitions for reliability and effectiveness:
- Unreliability: things that should have been done but were not
- Ineffectiveness: things that should not have been done but nevertheless were done

Though traditionally applied to operational throughput, these definitions hold remarkable value when employed in the context of compliance. In this article, we'll explore how organizations can apply Goldratt's principles to achieve both reliable and effective compliance while introducing new measurements and rules to drive the desired behaviours.

Reliability: Consistently doing what should be done

Goldratt's definition of unreliability - "things that should have been done but were not" - establishes the heartbeat of compliance, integrity, and a commitment to keeping promises. Compliance is unreliable to the degree that an organization does not do what should be done. According to Goldratt, the end result of being unreliable, in terms of the organization as a whole, is that the company fails to fulfil its commitments to the external world. The BP Deepwater Horizon oil spill in 2010 stands out as a prime example of a company failing to do what should have been done in terms of safety and environmental compliance. In this catastrophic incident, BP compromised safety practices, lacked adequate emergency response preparedness, and neglected environmental responsibility. The result was one of the largest environmental disasters in U.S. history, with severe consequences including environmental impacts, extensive legal and financial penalties, reputational damage, operational challenges, and leadership changes.
Effectiveness: Not doing what should not be done

Goldratt's concept of ineffectiveness, described as "things that should not have been done but nevertheless were done," complements reliability by offering a perspective on compliance progress. Compliance is ineffective to the degree that an organization does things that should not be done. If we continue to do things that we should not be doing, what is the end result? The answer is, at worst, mission failure and, at the least, significant waste. For example, Volkswagen (VW), one of the world's largest automakers, was under tremendous pressure to meet strict emissions standards, especially in the United States. To comply with these regulations while maintaining high-performance diesel vehicles, VW engineers developed sophisticated software known as a "defeat device." This software manipulated emission tests to make the company's diesel engines appear much cleaner and more environmentally friendly than they were in real-world driving conditions. Volkswagen did what should not be done.

You Do What You Measure

Goldratt reminds us that measurements play a dual role in our endeavours. They act as navigational aids, offering insights into our current position and guiding us towards our desired destination. A common example of this is the GPS found in a car that informs us of our status. Measurements also serve as instruments of influence, shaping our behaviours and actions. However, it's vital to bear in mind that we are dealing with humans, and organizations composed of humans, as Eliyahu Goldratt noted: "Tell me how you measure me, and I'll tell you how I behave." When selecting measurements, it is important to do so with the understanding that they should encourage individual parts to contribute to the overall well-being of the company. This is particularly relevant when it comes to compliance and making progress towards compliance outcomes.
For compliance to succeed, organizations can follow Goldratt's advice by introducing measurements that foster desired behaviours:
- Define Clear Compliance Outcomes: Begin by clearly defining the compliance outcomes you aim to achieve. These outcomes should encompass broader objectives beyond mere adherence, such as strengthening risk management, enhancing stakeholder trust, and realizing the benefits of being in compliance: better safety, security, sustainability, quality and so on.
- Prioritize Outcome-Driven Activities: Align your compliance activities with the defined outcomes. Prioritize initiatives that directly contribute to progress in achieving those outcomes while eliminating or optimizing tasks that do not.
- Embrace Outcome-Oriented Metrics: Shift from traditional, compliance-focused metrics to outcome-oriented ones. Measure progress based on the achievement of desired compliance outcomes rather than merely tracking adherence to individual regulations.
- Encourage Cross-Functional Collaboration: Break down silos within your organization by fostering collaboration among departments responsible for compliance. Encourage teams to work together to achieve shared compliance objectives.
- Continuously Adapt and Improve: Embrace a culture of continuous improvement, where lessons learned from compliance efforts drive innovation and refinement. Regularly review and update your strategies based on outcomes and insights.

Eliyahu Goldratt's Theory of Constraints, rooted in concepts such as reliability and effectiveness, offers valuable guidance for organizations seeking to transform their compliance operability. By introducing measurements and rules that focus on achieving desired behaviours and outcomes, organizations can achieve both reliability and effectiveness in their compliance efforts.
While reliability (always doing what should be done) ensures an unwavering commitment to fulfilling obligations, effectiveness (not doing what should not be done) encourages ethical behaviours resulting in better compliance outcomes. This holistic approach empowers organizations to not only meet compliance requirements but also make significant strides toward broader compliance objectives.
- Unlocking the True Potential of GRC: Embracing an Integrative Approach
In recent years, Governance, Risk, and Compliance (GRC) frameworks have become essential tools for integrating diverse capabilities and facilitating decision-making and alignment between the board and the CEO and, to some degree, between the CEO and operations. While GRC is helpful, mostly in IT, it still lacks what is necessary to drive organizational alignment and performance across enterprise functions. The challenge lies in applying GRC effectively in the midst of existing cultures, management systems and structures, and organizational dynamics. GRC needs to be more than an integration layer that sits on top of what is already there. It needs to be an integrative force. This is where LEAN principles and practices can add significant advantage.

Understanding the Gap

One of GRC's core purposes is to bridge the gap between organizational obligations and operational realities in the presence of uncertainty. However, applying GRC as an "integration layer" on top of a reactive and siloed organization can, and usually does, make matters worse, not better. The saying "paving the cowpath" comes to mind. The large number of management frameworks adds further complexity, with many overlapping and competing with each other. Introducing frameworks such as the OCEG model may inadvertently burden management teams, resulting in more work and making alignment even more difficult to obtain. Rather than attempting to glue (i.e. integrate) together a multitude of disparate pieces, organizations should strive for a holistic "integrative" approach. This approach comprises leveraging what is already present within the organization and making it work cohesively as a system. The goal is to align all functions towards a common purpose, transcending mere integration and fostering a lean, aligned, and effective organization.

LEAN: The Integrative Force

LEAN, a management philosophy with roots in the manufacturing sector, holds the key to achieving an integrative force for GRC.
Let's explore how LEAN principles can address the challenges and improve organizational performance:

1. Customer-Centric Focus

The foundation of LEAN lies in directing the organization's efforts towards a single point of focus: the customer. When applied to GRC, this principle ensures that all governance, risk management, and compliance practices are geared towards meeting organizational outcomes. By prioritizing stakeholder needs, organizations can make operational decisions that align with their goals and objectives and improve the probability of mission success.

2. Reduction of Waste

LEAN's emphasis on reducing waste aligns with the challenges faced by GRC. Many inefficiencies in organizational processes stem from uncertainties and variability. By tackling waste head-on, organizations free up valuable resources, time, and effort, creating the capacity for proactive and integrative initiatives.

3. Prioritizing Value-Add Work

LEAN encourages organizations to differentiate between value-add and non-value-add activities. Applying this principle to GRC directs attention to activities that directly contribute to mission success. By prioritizing value-add work, GRC becomes a transformative force that adds strategic value, enabling organizations to focus on what truly matters.

4. Fostering Continuous Improvement

Continuous improvement is the backbone of LEAN. Similarly, for GRC to thrive, organizations must embrace a culture of constant assessment and enhancement. This iterative approach fosters adaptability and resilience, enabling organizations to stay ahead of risk that threatens mission success.

Towards an Integrative Future

GRC's true potential lies in embracing an integrative approach that transcends mere integration. Rather than adding complexity to existing structures and practices, organizations should leverage integrative principles and practices as found in approaches such as LEAN.
By directing their efforts towards stakeholder obligations, waste reduction, value-add work, and continuous improvement, organizations can unleash the true potential of GRC across and within the entire organization. Aligning enterprise capabilities becomes a seamless and strategic process when GRC is used as an integrative force to improve the probability of mission success.