
  • Meeting Obligations Requires More Than Following The Rules

    Not all obligations are the same or require the same capabilities and approaches to satisfy. One way to understand obligations is to consider them as a hierarchy of needs between commitments associated with accepting legal responsibility and those connected with accepting stakeholder responsibility. These levels create increasing but separate needs to comply with minimum requirements, conform consistently to procedures and practices, improve performance to reach and sustain targets, and advance outcomes associated with stakeholder expectation. To accomplish these, each level will have a different set of functions, behaviours and interactions unique to the obligations at that level.

    Starting and Finishing Well

    Organizations most often begin their compliance journey by focusing on legal requirements associated with regulations. These represent the basic or minimum requirements needed to satisfy the conditions by which a regulatory license is given for a company to operate. When companies begin to internalize their external commitments they start to improve how they meet these basic requirements. They also have an increased desire to accept greater social responsibilities. In fact, many companies have now reached a tipping point where there are just as many, if not more, voluntary obligations associated with stakeholder expectations than those required by regulations.

    It is for these reasons that meeting obligations now requires more than just following rules (we call this Compliance 1). In addition, organizations need operational programs to meet performance targets and deliver compliance outcomes (i.e., Compliance 2). Adopting Compliance 2 capabilities is what Lean Compliance aims to help organizations establish. To that end, we have observed that many don’t know how compliance programs should work, which hinders their ability to implement them and improve effectiveness over time.

    That is why our approach focuses on teaching organizations the essential concepts and principles that underlie management programs based on an operational model for compliance designed for performance and outcome-based obligations. This model incorporates the science of governing, systems, risk, and promise theories, along with Lean principles and practices to ensure alignment, accountability, and assurance for organizations to meet all their obligations in the presence of uncertainty. We quickly establish these capabilities by following a version of the Lean Startup methodology to establish a minimal viable program where all essential functions, behaviours, and interactions are working together at levels sufficient to deliver benefits – the outcome of compliance. This measure of operability provides a true assessment of effectiveness that all programs must achieve and improve over time.

    The compliance landscape has changed and so must our approaches. This does not mean reinventing the wheel. What it does require is a different point of view. We need to look up, look forward, and build what is needed to continuously stay between the lines and ahead of risk – not a luxury, but a necessity.

  • Why we need Compliance Excellence

    Continuous Improvement (CI) is an essential part of operational excellence to increase the performance of operational processes used in the creation of products or services. Improvement strategies and techniques such as Plan-Do-Check-Act, LEAN, Six-Sigma and others have been applied by many companies for years with remarkable results. However, when it comes to compliance programs such as quality, safety, environmental, and regulatory, we find that companies are less certain about how to improve the performance of these processes, let alone their effectiveness. With increasing compliance demand coming from government regulations, industry standards, and internal policies and standards, this presents a daunting challenge for many organizations to keep up, let alone improve their compliance.

    Compliance is part of everything a company does

    Many companies will have a variety of programs dedicated to compliance, usually driven by regulatory requirements, although for many it is the industry-specific standards that take up the majority of their compliance resources. It is common practice for companies to adopt voluntary industry standards such as ISO 9001 (Quality), 45001 (OH&S), 14001 (Environment) along with others, to provide a baseline for normative behavior with respect to these objectives. While these guidelines and standards are useful, they are management-based in their design and do not prescribe levels of performance or specifics on how to improve. However, they all require that compliance improves in maturity (i.e. capability, competence, outcomes, etc.) over time.

    The adoption of numerous regulatory and voluntary standards tends to result in a disintegrated set of management systems and processes supporting overlapping and often conflicting obligations. It is not uncommon to have separate systems for quality, environmental, health, safety, security under the name of QEHSS.
    And the list of letters does not end there, as companies in highly regulated, high-risk sectors often have dozens of compliance programs to contend with. No wonder the reactive approach to compliance based on audit-fix cycles as the primary driver for improvement needs to change. It simply cannot scale and keep up with risk by reacting to things after they have happened.

    Compliance needs excellence

    So how do you improve compliance and what would compliance excellence look like? To answer this, it's helpful to first understand that compliance is more than just a state or a condition. Compliance is not just checking off boxes to demonstrate that the right steps were conducted and where you get a "gold star" to say that you did. This is not grade school where we are looking to pass a test. There is much more at stake. The success of a company often hangs in the balance depending on the performance of its compliance programs. Compliance failure often leads to mission failure.

    While compliance often starts with adhering to "prescriptive" requirements, this is a basic level that companies are intended to move beyond. Compliance has a greater purpose and critical role to ensure that companies don't go outside the lines, which would otherwise result in loss of margins, loss of customers, loss of trust, and perhaps even loss of the business. To ensure that these losses don't materialize requires knowledge, skill, competency and supporting systems that perform in such a way to always keep companies on track and between the lines. Companies require "operational excellence" in how they do compliance.

    Wikipedia defines operational excellence in the following way:

    Operational Excellence is the execution of the business strategy more consistently and reliably than the competition. Operational Excellence is evidenced by results.
    Given two companies with the same strategy, the Operationally Excellent company will have lower operational risk, lower operating costs, and increased revenues relative to its competitors, creating value for customers and shareholders.[1] It may more simply be interpreted as "Execution Excellence." Some interpretations of this management philosophy are based on earlier continuous improvement methodologies, such as Lean Thinking, Six Sigma, OKAPI and Scientific Management. However, the focus of Operational Excellence goes beyond the traditional event-based model of improvement toward a long-term change in organizational culture. Companies in pursuit of Operational Excellence do two things significantly differently than other companies: they manage their business and operational processes systematically and invest in developing the right culture. Operational Excellence manifests itself through integrated performance across revenue, cost, and risk.

    From this definition it's possible to imagine operational excellence expanding to include risk, an essential focus of compliance. However, this can only occur when defined more as "Execution Excellence" as opposed to "Cost Reduction." The latter preoccupies many operational excellence initiatives today. However, there is too much at risk to wait for Operational Excellence to embrace this broader definition. Until it does, compliance must itself make "Compliance Excellence" a priority to support their quality, safety, environmental, security and regulatory objectives. This will involve the application of continuous improvement, the elimination of waste and variability, but as importantly – the reduction of risk. The latter requires risk management skills and capabilities that are lacking from operational excellence but are essential for compliance.

    Extending Value Chain Analysis (VCA)

    It's time to take Michael Porter's value chain analysis and include compliance activities alongside the value chain.
    The Value Chain Analysis (VCA) up until now has only considered productivity improvements rather than reducing risk and ensuring compliance. The following high-level diagram incorporates this new perspective along with a few others:

    Competitive advantage now includes cost, differentiation, focus and compliance leadership. Contending with uncertainty and handling risk better than anyone else may in fact be decisive in determining which companies last and which ones fail to complete their mission.

  • Managing Compliance Obligations

    Obligations come from many sources that include: regulations, standards, policies, mission and value statements, programs, processes, and many others. These are all used to help companies stay between the lines as they create value for their stakeholders. However, many companies are uncertain as to whether or not they are meeting their obligations or even if they have the ability to do so. To be more certain you first need to identify and understand what your obligations are from which you can then measure effectiveness, performance, and compliance. Whether you view compliance as a necessary evil or a necessary good you can still benefit from effective compliance. Consider joining The Proactive Certainty Program™ to take your compliance to the next level.

  • Managing Compliance Obligations

    It is common for companies these days to have several programs to manage both mandatory requirements and voluntary commitments in response to regulatory and industry standards. These programs are often created to match each compliance element or area:

    Implementing these programs as isolated initiatives can lead to significant duplication and inconsistent practices. There are two primary causes of duplication that, if addressed, will eliminate excessive waste and improve overall process consistency. These are:

      • Overlapping Compliance Demand (requirements and commitments)
      • Overlapping Compliance Capabilities (resources)

    Managing Compliance Demand

    Overlapping compliance demand can be addressed by managing the compliance obligation separately from the requirement or commitment. The ISO 19600 guidelines provide a straightforward approach to effectively manage compliance obligations covering both internal and external demands. An obligation documents (among other things) the decisions a company makes on: how the particular regulation or standard is interpreted, what defines evidence of compliance, and the controls and measures needed to address the associated risks. In essence, the obligation defines "what" the company complies with, leaving the "how" to the program and system levels. This alleviates the need for each program to determine the level of obligation, which can often lead to differences in priority and lack of overall alignment with company strategy and objectives. Combining similar demands into a single obligation can provide further benefits.
    For example, each of the following compliance demands can be addressed by a single obligation:

      • Commitment - ISO 9001:2015 (9.2) - Internal Auditing
      • Requirement - OSHA 29 CFR 1910.119 (o) - Compliance Audits
      • Commitment - OHSAS 18001 (4.5.2) - Evaluation of Compliance
      • Commitment - ISO 14001:2015 (9.1.2) - Evaluation of Compliance

    Managing overlapping obligations in this way allows organizations to apply a consistent level of rigor (structure, process, resources, etc.) based on the level of risk. A compliance management system can be used to assist with managing these obligations. This helps ensure appropriate compliance coverage and provides a central place where compliance changes can be managed and coordinated.

    The ISO 19600 approach embeds the Plan-Do-Check-Act continuous improvement cycle directly into the overall process. This is more intentional than the audit-fix cycle which, as I have commented in a previous blog, is by itself not effective to advance compliance objectives. The ISO guideline can be easily combined with existing management systems to provide an overall governance model, particularly when combined with quality (ISO 9001) and risk management (ISO 31000) standards.

    Managing Compliance Capabilities

    Each compliance program will have some capabilities that are the same as those needed by other programs. For example, most programs will require risk management. Instead of having each program have its own risk management capabilities, a central risk function can be used to provide consistent tools, skills training, and practice improvement. Common compliance capabilities include:

      • Risk Management
      • Change Management
      • Documentation and Record Keeping
      • Measurement and Monitoring
      • Program Management
      • Continuous Improvement

    In my previous blog, "Do You Need A Different System for Each Regulation", I explore this topic of managing common capabilities in more detail.
Managing compliance obligations is critical to effectively manage overlapping compliance demand and reduce duplication and inconsistencies at the program and system levels. Following the ISO 19600 compliance system guidelines can help provide the framework by which to manage these obligations, ensure coverage, and manage changes to compliance.

  • Finding Good Dragons

    Compliance at its core is about contending with risk. For the most part this has taken the form of addressing the negative side to prevent such things as financial loss, but also the loss of life, quality, reputation or other things that we care about. However, this is only half the story and perhaps a result of only using half of our brain. In many ways we have focused on the bad dragons and failed to see and realize the benefits of the good ones.

    The way we think about risk is a significant factor in our effectiveness at contending with uncertainty. What we now know is that our brains are wired in such a way that we see threats easier and earlier than we see opportunities (Thinking, Fast and Slow - Daniel Kahneman). Finding and pursuing opportunities requires tapping into another part of the brain which can only be accessed when we slow down and reflect on our situation. This is difficult to do when our lives are reactive, governed by the tyranny of the urgent. However, if we do not pursue the positive effects of uncertainty we will not create value, and at most only protect the value we currently have, although that too may not last. The first step to finding good dragons is developing a habit to notice them.

    Our Brain is Teflon for the Positive and Velcro for the Negative

    Conor Neill, in one of his video posts, talks about how we can take steps to improve our ability to see the positive side of life. This ability is essential for our own happiness and, as it turns out, also for our pursuit of opportunities. From his blog post Conor Neill writes:

    "There is a saying that I heard recently from Elsa Punset... "Our brain is teflon for the positive and velcro for the negative" It is a powerful metaphor. It is solidly grounded in psychological research. In good relationships the ratio of positive to negative comments is 7:1. 1 negative comment about a friend needs 7 positive statements to balance out... because our brain is so much more tuned into anything that risks our safety."

    I encourage you to watch his video (6 minutes) and try his 21 Day challenge. This may help you develop the habit of seeing good things in your life and who knows, you might see a good dragon as well. You might even start to better see opportunities to improve your compliance.

    Here is a list of other articles dealing with the positive side of risk:

      • The Pursuit of Opportunities in the Presence of Uncertainty
      • Lord of the Risks - The Two Towers: Productivity and Compliance

  • Building a Community of Trust

    Are you simply complying with regulations or are you building a community of trust? In today’s climate there is much talk about group and, to a lesser degree, individual rights. However, what seems to be missing are discussions concerning obligations, duties, and responsibilities. Rights do rely heavily on obligations to effect the rights themselves. However, obligations go farther than rights can ever do. Rights are transactional in nature whereas obligations are relational. In fact, obligations are the glue that binds our relationships together.

    “Obligations arise as part of what it means to be in and to value particular relationships in themselves: being bound in these ways contributes to our growth, our sense of being and being together with others in the world. Obligations are central to this because they work by connecting, by tying us to others.” — Scott Veitch

    Stakeholders will have rights to be respected, but meeting obligations creates community, more specifically, a community of trust. Trust is a relational matter that is reinforced through obligations. Therefore paying attention to obligations is critical for those that want to build greater trust with their stakeholders.

  • Stakeholder Trust: A New Destination for Risk and Compliance

    Stakeholder obligations are promises made to those who have put their trust in your business, your products and in the services you provide. Stakeholders extend beyond shareholders and include employees, suppliers, customers, communities, and the public at large. What stakeholders expect is a measure of assurance that your organization will keep all the promises it has made to them. In return for this assurance, trust is engendered, giving rise to the pursuit of shared values along with the acceptance of shared risk. In this blog post we look at what stakeholder trust looks like, the role that risk & compliance has to engender trust, and how you can improve the probability that you have the trust you need for your business.

    What is the value of trust?

    The benefit of having trust far exceeds financial returns and the exchange of money. Trust provides the fuel to sustain growth and the ability to thrive. Companies that have stakeholder trust find approval to pursue opportunities and create even more value. Companies without stakeholder trust discover they don’t have approval to operate in the communities they want to work in. Even regulatory approval will be conditional, subject to significant scrutiny and inspection. Without stakeholder trust you will not have a business.

    How do you build trust?

    Businesses first gain trust by acquiring a regulatory license to operate, which requires that specific conditions are met. Meeting regulatory obligations provides an initial level of legitimacy and the first boundary towards stakeholder trust. For companies to succeed they need to build on the legitimacy earned to achieve credibility, which is another precursor to trust. Credibility is achieved by working towards social and corporate responsibilities. In some industries this is called a social license to operate, demonstrated when stakeholders give their approval to proceed on business initiatives.
    These responsibilities are concerned with achieving quality, health, safety, environmental and overall sustainability objectives. Compliance and risk programs provide the means to achieve these objectives, creating the conditions for trust to exist and to improve. Compliance programs protect against the erosion of value by keeping businesses operating between the lines. Risk programs make certain that obligations are met, promises kept, and values are respected.

    How do you measure trust?

    At a basic level it is possible to determine whether or not a company has met the regulatory conditions for it to operate. Regulators utilize reporting, inspectors or auditors to verify that companies have met license requirements and, to a lesser degree, that they will continue to be met in the future. However, when it comes to meeting obligations associated with the broader scope of stakeholder expectations, measurement has been more qualitative than quantitative.

    A social license, or perhaps better called a "stakeholder license", is really an agreement on shared values and shared risk. This contract, while not formal, includes expectations that shared values are respected and mutual risk is handled. Trust will increase or be lost based on how well a company manages each. With growing concern on climate change, ESG (Environment, Social and Governance) is gaining more traction and is poised to become an important performance index which could be used to measure the conditions for greater trust to exist.

    We have all the trust we need.

    Trust is never static. Companies are either gaining trust or losing it. When risk & compliance programs are working together, stakeholders will have the assurance needed for trust to exist and to improve. However, without effective risk & compliance programs, assurance will be lacking, credibility will erode and the company's legitimacy will be at risk.
    Companies that value stakeholder trust will not leave assurance to chance and will instead establish effective risk & compliance programs to provide the assurance needed for their business to operate and to grow. Perhaps it is time for your risk & compliance to chart a new course to a new destination: Stakeholder Trust.

    Lean Compliance helps forward-looking organizations improve stakeholder trust by improving the effectiveness of risk and compliance programs. If trust is valuable to you, please reach out to us to learn more on how we can protect the trust and improve the trust you now have.

  • Overlooked Benefits of an Effective Management of Change Program

    Management of Change (MOC) is part of every effective process and pipeline safety program. Its purpose is to manage risk introduced by implementing planned changes to a facility, pipeline, process or to the organization itself. To accomplish this, the MOC process touches almost every aspect of an organization, which provides additional benefits to those looking to get more from their safety program.

    An effective Management of Change (MOC) system provides:

      • visibility of the quantity and type of changes
      • visibility of the total level of risk being considered
      • visibility of the level of work and where the bottlenecks are
      • a mechanism to bring together the tools and practices across multiple disciplines
      • a process for cross functional teams to work together on changes
      • a place for all information about each change to be stored
      • an audit trail of what happened during each change
      • a collaborative behavior for working together to implement changes safely

    These benefits are available when companies consider their MOC process as a system rather than just a procedure that needs to be followed when changes are made. The MOC process is unique and one of only a few that crosses functional silos that are commonly found within organizations. In many ways, an MOC process measures the pulse of change, the level of risk, and amount of anticipated work across an organization. These measurements are invaluable to keeping people safe and companies profitable.

    Plan-Do-Check-Act Questions:

      • In what way has your MOC program improved visibility of what is happening in your organization?
      • Which benefits would most help your organization achieve your desired safety program outcomes?
      • What obstacles are in the way of realizing greater benefits from your MOC program?
      • What step can you take to remove one of these obstacles?

  • What Benefit Does MOC Technology Provide?

    Many organizations are required to have a Management of Change (MOC) procedure to manage risks introduced by planned changes to assets, processes, facilities and to the organization as a whole. However, for many, these procedures are based on previous paper-based approaches. While these may meet the letter of the law and pass audits, they often do not benefit from exploiting technology and best practices. Even when software is procured or developed, it often results in "paving the cow path" instead of improving the process first.

    Dr. Eliyahu M. Goldratt, creator of the theory of constraints, in one of his lectures makes the following statement: "Technology can bring benefits if, and only if, it diminishes a limitation." Technology here is defined as the application of knowledge and does not need to be hardware or software. Dr. Goldratt's statement takes time to fully appreciate but is profound in its simplicity to describe why many technology projects fail. However, as importantly, it provides a way to understand how technology can be used, but rarely is, to provide significant benefits.

    Let's look at how this statement can be applied to deploying technology to support the MOC process. Dr. Goldratt suggests asking 4 questions:

    1. What is the power of the technology?

    The power provided by an MOC application comes from its ability to connect related data and use it to drive risk activity:

      • Provide the relevant data and tools to the change process
      • Provide the steps that need to be followed based on related data
      • Automatically track and record activity and work done

    2. What limitation does the technology diminish?

    Using a paper-based approach has several limitations, with these as the primary ones:

      • Not having relevant data readily available to make safe decisions
      • Not knowing what work had been done or will be done as part of the change process.

    3. What rules enabled us to manage this limitation?
    Rules to work around these limitations include:

      • One process for all types of changes (i.e. only have one change form)
      • Adding several gatekeeper roles (reviews and approvals) to verify work
      • Using standard (and fixed) checklists to drive activity
      • Redoing assessments and verifying drawings
      • Audit afterwards to confirm compliance

    4. What new rules will we need?

    With the removal of the limitations, the workarounds can and should also be removed and new rules put in place to exploit the power of the new technology. These would include:

      • Self-evidencing process - eliminate QC / gatekeeper activities
      • Replace local optimal rules with holistic optimal rules: dynamic checklists based on data instead of standard fixed checklists for functional sub-processes
      • Use a risk-based approach - tailor the level of rigor to the level of risk
      • Consider the entire risk context - all planned changes, data stored in risk registers, HAZOPs, bow-tie assessments, and so on

    The power provided by using MOC technology is its ability to manage related data and use this information to drive processes based on the entire risk profile. This allows companies to move beyond just verifying that steps are completed to actively managing risk throughout the change process. This is something that paper-based approaches could never do and what is necessary to achieve safety objectives.

  • Why ESG Will Be Difficult

    The topic of Environmental, Social, and Governance (ESG) programs continues to be in the forefront of many conversations in recent months. Most of these discussions have focused on the investment and reporting side of ESG. However, few conversations have focused on how to advance ESG objectives and operationalize them within organizations.

    In recent studies we conducted, we explored how external and internal obligations were managed across an organization. In this context, external obligations were those associated with mandatory requirements (mostly regulatory) while internal obligations covered environmental, social, sustainability, and other voluntary commitments.

    What we learned was that for external obligations:

      • most of the compliance resources are dedicated to regulatory obligations
      • these are managed primarily by audits and inspections
      • a fraction of the processes were controlled using a QMS or EMS
      • roughly 50% of the obligations were identified and managed
      • the level of certainty that internal obligations would be met was MODERATE

    For internal obligations we learned that:

      • few resources were addressing these obligations
      • these were not being managed
      • most of the processes were uncontrolled or ad-hoc
      • most of the obligations were not documented and did not have clear goals and objectives
      • the level of certainty that internal obligations would be advanced was LOW

    Given that ESG goals and targets fell mostly under internal obligations and represent as much (and perhaps more) as external obligations, it was difficult for organizations to meet their obligations using traditional compliance functions that prioritized regulatory requirements. Advancing ESG objectives using current approaches, resources, and organizational structures was not enough. In some cases, ESG objectives sat alongside the value chain but were not part of it. However, with others, ESG outcomes became part of the value created by an organization.
    In all cases, a greater degree of alignment and coordination (i.e. governance and operational integration) was needed for organizations to make progress and realize the benefits from ESG along with other compliance efforts.

    How to Improve the Probability of Success

    To succeed you must manage all your obligations (ESG, along with others), but more importantly you need to keep your promises connected to them. This requires several things working together to produce the outcome of compliance: better safety, security, sustainability, quality, lower risk, and ultimately better stakeholder trust. Implementing a management program following a standard such as ISO 37301 can help you achieve those outcomes, but only if you intend to keep your promises. Otherwise, it will just be another standard among others that adds more work and cost and delivers few benefits.

    In a recent webinar, we walked through this standard to better understand what ISO 37301 is all about, how it works, and how to use it to keep all your promises, including those associated with ESG. Implementing this standard will help you realize more than just incremental improvements. You will experience transformational benefits that compound year over year, which is needed to make progress towards ESG goals and outcomes.

  • The Regulatory Tsunami

    In recent years many in the compliance industry have observed a shift in regulation from prescriptive to performance and outcome-based designs. What we are seeing is only the beginning of a trickle-down effect emerging from regulatory reform over the last few decades across regulatory jurisdictions and across the world. During this time an increasing number of regulatory bodies have started to modernize the function of regulation, its processes and practices, and how regulation itself is regulated (meta-regulation). Most of this transformation has centered around the adoption of risk-based strategies, operations, and tactics. There are many reasons why this is happening. However, what is perhaps more important is that it is happening, bringing with it continued changes for those who operate under regulation and to the role of compliance.

  • Integrated Regulatory and Compliance Taxonomy

    To effectively meet compliance obligations, it is essential to differentiate regulatory and compliance demand according to their designs. Regulations and standards are typically designed according to one of the following four types:

      • prescriptive
      • management-based
      • performance-based
      • general duty / liability

    Each type of design requires a different approach and can create different demands on organizations, which can be categorized as:

      • Persistent maintenance – needs to be true for all time.
      • Persistent achievement – needs to be achieved by a deadline and then always true after that.
      • Non-Persistence – needs to be true when a certain condition arises.

    Compliance obligations are the promises that organizations agree to keep with respect to compliance demand. Obligations have in the past been mostly prescriptive in nature. However, increasingly, they are better described as promises to achieve a certain capability of compliance maturity that is expected to improve over time. As such, they will each have their own set of goals, measures and risks.

    In the context of increasing and often overlapping compliance demand, an integrated taxonomy enables companies to rationalize their obligations, which can lead to an increase in efficiency and overall effectiveness. Adopting ISO 19600 (obligation management guideline) helps companies to organize and manage their obligations in a consistent manner, which when combined with an integrated taxonomy affords organizations the knowledge they need to help ensure that all their obligations are addressed.

© 2017-2025 Lean Compliance™ All rights reserved.