SEARCH

In the world of compliance there is often confusion between those who are accountable for compliance and those who are responsible. You may have heard it said that everyone is responsible for compliance or safety or quality – you can “fill in the blank”. At a high level this makes sense. However, when looking more closely, we know responsibilities are distributed across an organization often aligned with managerial accountability and specialized roles needed to meet each obligation. Everyone might be responsible but not everyone has the same responsibility. From the many compliance roles that exist there is one that is unlike the others and often overlooked — the role of an Obligation Owner. In this article we explore what an Obligation Owner is, their responsibilities, and how important this role is for compliance success. What is an Obligation Owner? An Obligation Owner is an individual with delegated or assigned authority to answer for an organization's compliance obligations. These obligations may consist of legal requirements, industry regulations, internal policies, and ethical standards that the organization must adhere to. The Obligation Owner serves as a central point of contact, coordination, and oversight for compliance-related matters within the scope of the obligations they own. The RACI (Responsible, Accountable, Consulted, Informed) model is a framework that defines roles and responsibilities for tasks and processes within an organization. The Obligation Owner aligns with this model by assuming the role of the "Accountable" party for compliance obligations. Accountability for obligations are often aligned with managerial accountability. The Obligation Owner promotes accountability by establishing clear objectives, documenting policies and procedures, establishing lines of responsibilities, and tracking progress. They hold individuals and teams responsible for their compliance-related tasks and actions as specified using a responsibility assignment matrix. Regularly monitoring compliance efforts, providing feedback, and recognizing achievements encourages a proactive mindset among employees, empowering them to make and keep promises (commitments) associated with obligations. What are the Responsibilities of Obligation Owners? While Obligation Owners take on obligation accountability they are also responsible to ensure the work of compliance happens. This includes identifying objectives and setting appropriate targets and goals. Once compliance objectives are identified, the Obligation Owner must ensure that they are documented and communicated effectively throughout the organization. This includes creating policies, procedures, and guidelines that outline the expectations and commitments for each obligation. Obligation Owners must also ensure collaboration with various stakeholders, such as legal teams, department managers, and subject matter experts, to properly align with each obligation. They will also need to provide guidance and support for those who are responsible to meet each obligation. This is enabled by cultivating a culture of collaboration and pro-activity. Obligation Owners also play a critical role in monitoring compliance efforts within the organization. They need to ensure processes are in place for ongoing monitoring, regular audits and assessments, and review of compliance metrics to identify any non-compliance issues along with areas of improvement and risk. When necessary corrective and preventative actions are taken to make certain the organization always stays between the lines and ahead of risk with respect to each obligation. The Importance of Obligation Owners The role of an Obligation Owner is often overlooked but is indispensable in achieving and maintaining compliance within organizations. Through the efforts of Obligation Owners, organizations can ensure adherence to legal requirements, industry standards, ethical practices and internal obligation requirements minimizing compliance risks. By assuming accountability for obligations they make certain that obligation objectives are achieved and the other roles of the RACI model are filled and conducted effectively.

One of the principles we learn from LEAN is that: If you can't see it you can't improve it. We also talk about going to the GEMBA (scene of the crime) to walk and see the value stream while engaging those that contribute to it in problem solving and improvement. We need to do the same for compliance. Unfortunately, for many companies compliance is mostly buried and remains hidden within policies, procedures, and administrative processes. No wonder companies find compliance difficult to improve. If you can't see the process you can't improve it. It's time to return to the GEMBA of compliance, to walk the compliance stream, and engage those that help improve staying between the lines. However, to do this you need to know where it is; compliance needs to be visible. The first step is to identify all your obligations which will in turn help you to know what the goals and objectives are, what is critical to compliance, the risks that need to be addressed, and the controls that are needed to increase the certainty of achieving your outcomes. Creating a "Compliance Map" is one of the ways that will help you see better so you can create your improvement roadmap to escape the vicious reactive cycle and experience the benefits of the virtuous proactive cycle.

One of the first steps to improvement is creating the ability to "see" or "visualize" what it is you want to change. This is one of the key tenants of the LEAN mindset and it applies not only to the flow of work but also to the flow of data. In many organizations, data of all kinds remain largely hidden and not directly available to those that need it. Critical data is often buried in documents, reports, excel spreadsheets, numerous databases, and also now in the "Cloud". Many hours are wasted as people search for information they need to perform their jobs. This situation is expected to worsen as the demand for data continues to increase. Unfortunately, making data visible and readily available has not advanced as far as many had hoped. Even with the availability of numerous information technologies and now AI, information remains mediated behind administration staff, power users, and those that can remember were the report you want is located. The choice of technologies is an important factor to address hidden data. However, there are other significant factors that contribute to why data remains hidden. These factors have more to do with how data is governed rather than what technology is used. Examples include: Managing data in silos making data more difficult to find Not utilizing existing technologies that could help to make information more visible Continuing to support legacy systems that should otherwise be retired Recreating data whenever information cannot be found rather than identifying the root cause and fixing the process Not knowing what data is critical and what data can and should no longer be stored The management and availability of data is essential to supporting compliance processes. Without improvement in data visibility companies will continue to waste valuable resources recreating data, storing unnecessary data, and searching for information needed to perform roles. Question to Answer: What benefits would you see if data was more visible and easier to access? What would need to change to see improvements in how data is managed and made available? What steps can you take towards those changes?

In this blog post we walk through the approach developed by Marissa Kephart in collaboration with Lean Compliance to define a golden thread of assurance for an environmental program. In this post we look at the use of a Dependency (or Design) Structure Matrix (DSM) to better understand the interactions of The12 Environmental Pillars (download them here ), which interactions are essential, and which ones contribute the most to overall program effectiveness. This information will help determine which should be part of the golden thread. In Part 2, we will consider the use of a balanced scorecard to monitor the golden thread and provide insights for decision makers on how to improve overall program performance. What is a Golden Thread? To provide assurance that environmental obligations will be met, an environmental program must perform such that its outcomes are continuously advanced towards the overall goal of community sustainability. This outcome is created by the product of the interaction of 12 environmental pillars. A “golden” thread that runs through the pillars of an environmental program – Environmental Golden Thread – can serve to provide assurance that essential capabilities exist and are operational. It can also provide traceability and transparency for retrospective and prospective analysis, ensuring the integrity of the environmental program and all its systems and processes. Using an Environmental Golden Thread can also provide leadership and management with valuable insights to help make better decisions associated with environmental obligations, commitments, and investments. Additionally, this thread will enable better coordination and alignment of effort across an organization in support of overall program objectives. What is a DSM? A Dependency Structure Matrix (DSM) is a tool used to represents a system and its components to better understand critical dependencies. A DSM models system elements and their corresponding information exchange, interactions, and relationship in a compact visualization to highlight the important dependencies. An environmental program will include many aspects which can be modelled using a DSM. We have used it here to model the 12 environmental pillars which need to be advanced simultaneously towards the goal of community sustainability.

Change can be and often is a significant source of risk for organizations. That's why managing risk resulting from change is one of the most important risk measures to introduce and continuously improve over time. In highly-regulated, high-risk industries this process is called Management of Change or MOC. However, its application is of value to all organizations looking to be more resilient with their operations and improve the probability of mission success. Management of Change is a means by which new and latent risk can be identified and treated when organizational, procedural, regulatory or process change occur. MOC processes act as preventative measures against adverse events due to risks introduced by change. It does this by helping to expose weaknesses in the underlying practices and tools across safety-critical processes and systems. In practice, Management of Change will touch and interact with all safety-critical and many mission-critical processes within an organization. In this capacity, MOC provides companies with a pulse and an earlier warning of the level of uncertainty across the organization. This is very much needed during times of disruption such as what is happening now during the COVID pandemic. For this reason MOC is an important risk control that should be one of the first to implement as part of any risk management program. Companies with mature MOC capabilities experience additional benefits similar to those resulting from applying LEAN to improve process flow. Instead of removing waste, MOC programs help to remove sources of risk lowering the probability of safety incidents over time. This has a side effect of improving the certainty that planned changes create the desired outcomes while avoiding undesirable effects. Do you have a change management process in place? Does it effectively manage risk due to planned changes? Is it being used to give you a risk pulse of the measure of uncertainty within your organization? More information about Management of Change can be found here .

Every company currently certified for ISO 9001 will need to re-certify at some point in time. This is an opportunity to go beyond just re-writing procedures and introduce new behaviours and practices to generate better quality outcomes. In this blog, I will discuss four new behaviours introduced in 2015 that companies still struggle with today. Key Drivers of ISO 9001:2015 The changes introduced in 2015 in many ways were a response to the low adoption of the process approach when it was originally introduced in 1990. At that time the standard was very prescriptive which, although not intended, created the conditions that favoured a check box approach to quality. It was common for companies to become certified without seeing any real improvement in the quality of their products or services. This was not the case for all companies as many did in fact improve their quality processes by adopting the standard. However, the original goals were still largely unmet and legitimacy of the standard itself was at risk. The 2015 version addressed those issues along with other needed improvements by promoting a more holistic approach with less prescription but with broader scope. The following changes are key examples of the direction the standard has taken: Risked Based Thinking over Reactive Practices Process Based Approach over Disparate Activities Outcomes over Check-Box Compliance Continuous Improvement over Audit-Fix cycle More Than Rewriting Procedures Having a standard that is now performance-based leaves flexibility for each company to determine the "how" part to best achieve the intended outcomes. This means that a prescriptive check-box strategy to compliance is no longer the best or preferred option. Additionally, this will rule out a cookie cutter approach and a one-size fits all mentality. The specific methods and level of rigor that will be needed will depend on the maturity of other processes and practices within the organization. These will be different for every company. The International Accreditation Forum (IAF) Guidelines for ISO 9001:2015 makes the following statement: "[iso9001] promotes the need to demonstrate system effectiveness and the application of risk-based thinking through the process approach. This may result in the need for a variation of auditing techniques, therefore witnessed assessments may be necessary as part of the transition program." Making risk-based thinking part of a quality program is not only a matter of writing a procedure that says you will conduct risk assessments every two years. While this may be a place to start, embedding risk-based thinking requires a change in mindset along with the introduction of new skills and tools. While risk is inherent in every organization it manifests itself more whenever changes are introduced. Therefore, the way in which a company manages changes should provide significant evidence on how well risked-based thinking is embedded throughout the organization. Even More than Process and Risk-Based Thinking While adopting the process approach and risked-based thinking are essential to achieving re-certification, another perhaps even more important change is the focus on outcomes instead of on prescriptive compliance. Defining, measuring and providing evidence that outcomes are being achieved is what drives an effective quality program. Also, outcomes are defined through the eyes of the customer and not by what a company believes is good quality. This is precisely the difference between verification and validation required in the Pharma and Medical device industry. While you can verify that a product meets: quality, safety, and regulatory standards, it may not function well for the intended use for the product. As an example, it is possible to have a pacemaker that was designed per spec but still fails to keep your heart pumping. This failure results from confusing quality output over quality outcomes. The adoption of continuous improvement is also required by ISO 9001:2015 along with almost every other compliance regulation and guideline. Many of which have adopted the same Plan-Do-Check-Act vocabulary. Continuous improvement, however, means more than just re-framing activity under the letters PDCA as many are tempted to do. Instead, continuous improvement involves a more profound change from being reactive to being proactive. Planning once a year for improvements while good is not the type of continuous improvement that is expected. Evidence of this change will be seen by how companies resource this approach. Many companies today seldom fund improvement activity of any kind and instead wait for things to break before they are fixed. Without a finding from an audit some companies will not invest in changes no matter how good they might be. Waiting for failure has not worked for servicing equipment and as many now realize doesn't work for processes either. No longer can companies wait until complaints arrive, or until non-conformance is measured to create improvement actions. Improvement (done safely and in a compliant manner) now needs to be a routine occurrence and not an exception. This is not an easy mindset to change. However, LEAN has much to teach us about how to do continuous improvement well as many who have adopted it will tell. Better Outcomes Companies that want to move beyond basic compliance by embracing a proactive mindset focused more on customers, systems, risk management, and continuous improvement will be rewarded in the marketplace. For others, who believe that a simple re-writing of procedures is all that is necessary, they will find their work will not deliver the promised benefits.

Every plan, business, or endeavour happens in the presence of uncertainty. That is why your value chain needs to operate between the lines of productivity (to increase margin) and compliance (to reduce risk). Together, they afford an organization resilience against disruption and progress towards achieving mission objectives. The value chain is responsible for creating value in the eyes of the stakeholders and it does so in the presence of uncertainty. Productivity programs serve the value chain by improving margins through operational excellence. Margins are necessary to mitigate the effects of aleatory (i.e. irreducible) uncertainty. It also affords an organization a degree of resilience against disruption. Compliance programs also serve the value chain by mitigating the effects of epistemic (i.e. reducible) uncertainty. It does this by buying down risk through effective quality, safety, security, environmental, and regulatory systems and processes. To succeed in the presence of uncertainty a balanced scorecard should include objectives and measures that let's you know how well you are doing across productivity, value, and compliance streams.

The RACI model has been used to help manage projects successfully. Could it also be used to help manage obligations? In this blog post we explore how meeting obligations can be improved using a RACI model to clarify compliance responsibilities. It's time to add RAM to our compliance. RACI for Projects The RACI model was introduced in the 1950s to clarify roles and responsibilities for project tasks. At the basic level responsibilities are categorized by roles (R)esponsible, (A)ccountable, (C)onsult and (I)nform known by the letters RACI. Typically, one person will be accountable (one neck to grab principle) for the task itself to make sure that it is done correctly, on-time, and on-budget. Whereas, one or more persons will be responsible to perform the work, provide knowledge, or required to be kept in the loop when a decision is made or a task is complete. This mapping is represented as a Responsibility Assignment Matrix otherwise known as RAM. Here is an example of RAM for baking a cake: Project: Bake a Cake ​ ​ ​ Task Mom Dad Children 1. Select a recipe A/R/C C C 2. Purchase ingredients I A/R R 3. Prepare ingredients A/R ​ R ​4. Bake cake A/R I I 5. Serve cake R A/R R For the first task, Mom is both accountable and responsible for selecting a recipe for the cake. She will consult with the rest of the family as to what kind of cake they would like to have. Dad is accountable to purchase the ingredients and is responsible along with the children to go to the grocery store to buy them. Mom needs to be kept in-the-loop to know when all the ingredients are ready. Mom then is accountable for preparing the ingredients by following the recipe. The children are responsible to help her with that. Mom then places the cake into the oven and lets the rest of the family know when the cake is ready to eat. The last step Dad is accountable to serve the cake and clean up afterwards. Of course, everyone is responsible to eat their own portion of the cake. Using a responsibility assignment matrix (RAM) is a powerful tool that helps to: avoid "too many cooks" in the kitchen avoid overwhelming team members with unnecessary information remove confusion as to who does what and when provide clear lines of accountability keep everyone who needs to be (stakeholders) in the loop A RACI Model for Compliance Variations to the basic RACI model are used to accommodate different kinds of project work. This is also the case for projects associated with compliance. Meeting compliance obligations can be considered as a project and will benefit from using an adapted RACI model such as RACIV to help clarify compliance responsibilities: Project Definition Compliance Definition (A)ccountable to answer for the correct and thorough completion of the work. (A)ccountable to answer for the effectiveness of the work. (C)onsult ​to provide subject matter expertise. (C)onsult to provide subject matter expertise. (R)esponsible to perform the work. (R)esponsible to achieve compliance objectives. (I)nform to be kept up-to-date. (I)nform to be kept up-to-date ​ ​ (V)erify to provide confidence (assurance) that objectives are achievable. To apply the RACIV model each obligation is considered as a micro project where objectives instead of tasks are used and associated with a responsibility assignment matrix (RAM). Objectives are promises that organizations make to meet mandatory or voluntary obligations. Promise theory tells us that obligations are evaluated by the obligee – the person, organization, or institution that imposes the obligation. This is usually performed by an external auditor or certification body. However, verifying that promises are being kept is the responsibility of the obligor and the reason for adding the (V)erify role to the RACI model. In the following example, an organization has promised to achieve 4 objectives to satisfy the obligation of reaching net zero carbon emissions by 2050. In practice, objectives (which have been simplified here) should be specific, measurable, achievable, realistic, and time-bounded (i.e. they should be SMART goals). Obligation: Achieve net zero carbon emissions by 2050 ​ ​ ​ ​ ​ Objectives Plant Manager Environmental Specialist Plant Managers / Supervisors Audit Team Stake-holders 1. Achieve 40-50% below 2005 levels by 2030. A RC RC V I 2. Establish targets for 2035, 2040, and 2045 ten years in advance. A RC RC V I 3. Establish measures and strategies to achieve targets. A CR R V I 4. Report yearly on progress against each target. A R C V I Using a RAM increases visibility of who is accountable for each objective and ultimately answerable for it. Accountability for obligations of this kind are delegated following an accountability structure for the organization. Organizations in highly-regulated, high-risk sectors will establish a clear line of sight from the top to the bottom for critical to compliance obligations. A RAM also shows who is responsibility to provide subject matter expertise, perform the work to achieve the objective, who will verify that standards have been followed and targets have been achieved, and who needs to be kept in-the-loop when material changes have been made with respect to meeting the overall obligation. Adding RAM to your Obligation/Promise Registers The best place to incorporate a responsibility assignment matrix (RAM) is in your obligation / promise registers. The following worksheets demonstrate how this can be done and are available for download: Obligations / Promise Register Worksheet with RISK and RAM:

More companies are becoming aware that they are too reactive when it comes to compliance. In my previous blog , I discussed four misuses of audits that result from a reactive approach. In this blog, I will look at the other side and present four steps that companies can take to move the pendulum from reactive to proactive compliance. Instead of steering compliance by looking through the rear view mirror at what has already happened, compliance now is looking ahead, deciding where it wants to go and steering towards better outcomes. This change starts with knowing where you want to go. 1. Take ownership of all obligations (mandatory and voluntary) Taking ownership means more than simply complying with a given guideline, standard or regulation. Ownership means being responsible and answering for the outcomes of compliance obligations (i.e. the promises made to stakeholders). It is therefore necessary to have clear and unambiguous objectives for what you want compliance to accomplish. The following will help clarify compliance objectives so that those accountable will know what and how compliance outcomes will be accomplished: Document the context and expectations for each obligation Define what constitutes evidence of compliance Define how progress against outcomes will be measured Identify what standard will be used to establish normative processes (ex. ISO 9001:2015, ISO 31000, ISO 37301, etc.) Identify what is needed (structure, resources, technology, culture, etc.) by the organization to achieve the desired outcomes Identify and evaluate risks (both threats and opportunities) for each obligation Embed obligations, controls, and risk treatment into compliance programs, systems and processes 2. Embed compliance into programs, systems and processes Compliance requirements manifest themselves inside a business in many ways. However there are two contexts that address the majority of a company's compliance obligations: (1) management systems such as: quality, safety, environmental, risk management, and audit, and (2) compliance-critical processes such as: human resources, security, finance, design, manufacturing, maintenance, supplier management, and other processes under regulation (i.e. controlled processes). In all these cases, compliance benefits from being directly embedded into each process rather than only by means of inspections or audits. Embedding will enable the level compliance to be known at all times rather than after an audit. With this in mind the following are important measures to collect: Measures of Effectiveness (MoE) – critical to program success, independent of any technical implementation. Measures of Compliance (MoC) – critical to compliance, where failure maybe cause for reassessment of the program Measures of Performance (MoP) – measures that relate to the operations of the compliance program, systems, and processes. 3. Monitor in real-time the status and the ability to stay in compliance Regulators (and proactive companies) are interested in knowing the level of compliance right now, in the past, and more importantly if there is sufficient capability of being in compliance tomorrow. Unfortunately, many companies are not certain of their level compliance until an audit has been conducted. This is far too late to be used as a means of governing compliance programs. Even still, they may not know if they have adequate capacity or capability to sustain compliance against changing and increasing demands. Companies should establish real-time monitoring so they are always certain of their level and capacity to meet compliance. Many are already spending excessive effort conducting pre-audits, internal audits, and third-party audits only to discover that they have been to some degree out of compliance. Less effort is expended by achieving and staying in compliance all the time. This the similar to losing weight. It is easier to keep the weight off rather than to gain and lose it time after time. However, what is more important is by keeping the weight off you can experience the benefits of a healthier life-style all the time. You will have the energy to do the things that really matter and are important to you. Why wait for an audit when you can experience the benefits of being in compliance right now? The reason companies do wait is because they do not understand there are benefits beyond passing an audit. They are not aware that the reason for compliance is to achieve the outcomes which include: greater customer satisfaction, better quality, reduced safety incidents, less impact on the environment, lower risks, and many more. These outcomes are what really matter and who wouldn't want these benefits right now. 4. Improve compliance on an incremental and continuous basis Improvements of any kind need to be made in a safe manner that maintains compliance. It is easier to make these changes incrementally and on a continuous basis. LEAN has taught us that improvements made this way can add up to substantial savings as well as increased capacity over time. It is no wonder that many standards require continuous improvement and have adopted the Plan-Do-Check-Act (PDCA) cycle introduced first by Deming. There are several sources for improvements and include: Proactive strategies (ex. LEAN, process maturity, risk-based thinking, etc.) Internal continuous feed-back and feed-forward processes External audits and review Adopting or modifying existing obligations Companies that do not take a proactive approach with compliance may find that they are not able to sustain even their existing level of compliance under the weight of increasing regulations. For them, the result will be: increased risk, loss of trust from their stakeholders, and for some, loss of their business. However, companies that follow the steps outlined above will find they no longer wait for customer complaints to arrive, audit findings to be found, or for issues to mount up before they make improvements. They also will not see compliance as a tax on productivity that must always be reduced. Being proactive will become for them an ethical choice about keeping their promises and embedding them into the DNA of the organization.

Compliance resiliency is important to maintain compliance in response to changes to business or business climate. For organizations to be effective at meeting all their obligations they will need to ensure that their compliance programs support two kinds of resiliency: Resilience as bounce back (reactive) to preserve state or condition Resilience as bounce forward (proactive) to change state or condition What does it mean to be resilient?

 Resilience is often defined as “the capacity of a system to absorb disturbance, undergo change, and retain the same essential functions, structure, identity, and feedbacks.”[12] 

The kind of capabilities an organization needs will depend on whether their goal is to maintain the ability to sustain a status quo (security) or the ability to adapt and improve (resilience) [2].

In the first case the objective is to bounce back (reactive), whereas, in the second the objective is to bounce forward (proactive). Recognizing this difference is crucial to sustainable business as well as compliance outcomes. What is compliance resiliency? Traditionally, compliance has focused on meeting prescriptive obligations where the goal is to consistently follow standard procedures and processes. Controls are put in place to ensure that prescribed rules are followed and outputs are created safely, with integrity and quality. Consistency is a critical measure of performance and passing an audit is the measure of success.   In response to change (anticipated or actual), resiliency in this case means to bounce back. However, when it comes to advancing compliance outcomes towards such things as zero emissions, zero violations, zero incidents, zero fatalities, and zero harm, the focus for compliance is now on continuous improvement, managing risk and making progress towards promised outcomes. Risk controls (measures) are put in place to ensure that objectives are achieved, and outputs are evaluated against their contribution towards the advancement of outcomes. Meeting objectives is a critical measure of performance, and making progress is the measure of success. In response to change (anticipated or actual), resiliency in this case means to bounce forward. References: [1] Resilience Alliance Gunderson (2002) [2] Adapted and modified from Seager (2008, p. 445) from the paper, "RESILIENCE MANAGEMENT INFORMATION SYSTEMS – ACHIEVING SUSTAINABILITY IN TURBULENT ENVIRONMENTS ", 2014, Thomas Günther Koslowski

Taiichi Ohno, the father of LEAN, taught about the removal of waste, standard work, and continuous flow. However, that is only part of his story. He also taught that the production leader is the one who "breaks" the standard. When he made an improvement, he took out his very best person from line. It is what that person did next that was so amazing. These freed up resources would work on further improvements, that resulted in even more people removed from the line. In the end, he would have enough people to start an entire second production line . Instead of fractional improvements he was able to double his capacity. Now, imagine doing the same for compliance. You would also reduce waste, standardize work, and streamline the work flow. However, that would only be part of what is possible. Freed-up resources from the reactive side of compliance would be moved over to the proactive side. They could anticipate changes, address root causes, and introduce new capabilities to always stay in compliance. If you did this, you could double your capacity to meet your compliance obligations. And we know, this is the kind of improvement needed if companies are to meet all their mandatory and voluntary commitments today and to continue to meet them in the future.

One of the challenges companies face when addressing compliance is its dynamic nature – compliance is never at rest. Even when you decide to be proactive and start addressing non-conformance, you can never stop. However, that is what many companies do when they enter the conformance zone . After a compliance project has done its work, companies often observe that things are better, there are fewer fires to fight, and the workplace is more engaged in standard practices. This is what it looks like when you are in the conformance zone . However, they mistakenly believe that they can now disband their project team, cut back on support, and go into maintenance mode. When they do they also go back to being reactive resulting in the inevitable loss of ground they worked so hard to gain. This happens time and again for companies that have a project without a continuous improvement culture. Projects are used to catch up on compliance only to fall back again after the project is over. If they only continued their efforts they would have experienced life in the proactive zone where you are: always ahead, certain of compliance, and always advancing program objectives. This is where an actual return on investment (ROI) is possible. Conformance to standard practices is only one aspect of compliance. Reducing non-conformance to standards is necessary, however, it is also important to understand that this is only one instrumental goal towards achieving program outcomes such as: fewer incidents, fewer defects, fewer toxic releases, and so on. When you enter the conformance zone you cannot let your guard down. Continuous improvement is necessary to move beyond to the proactive zone where outcomes can be advanced. The good news is that the resources that were once needed to support reactive compliance can be moved to the proactive side to start work on program objectives. In other words, the cost of non-conformance that companies already fund can be put to better use to fund the proactive zone . There are three risks that you must avoid if you want to improve the effectiveness of your compliance program: Staying in the reactive zone Taking your hands of the wheel when things start to improve when you enter the conformance zone Not benefiting from better outcomes in the proactive zone