SEARCH

In a world of competing and overlapping compliance demands, siloed departments, and numerous stakeholders the role of an architect is needed more than ever. Whether you are building compliance programs, management systems, or actual buildings; lessons learned from architecture can provide helpful insights and approaches to address today's compliance challenges. An important role of an architect is to take multiple stakeholder concerns and achieve as much of the intended outcome as possible. "An architect is a generalist, not a specialist — the conductor of a symphony, not a virtuoso who plays every instrument perfectly. As a practitioner, an architect coordinates a team of professionals that include structural and mechanical engineers, interior designers, building-code consultants, landscape architects, specifications, writers, contractors and specialists from other disciplines. Typically, the interest of some team members will compete with the interest of others. An architect must know enough about each discipline to negotiate and synthesize competing demands while honoring the needs of the client and the integrity of the entire project." — 101 Things I Learned in Architecture School (Matthew Frederick) Architects find limitations and constraints as creative challenges. When building compliance platforms some of the creative tensions that arise include: prescriptive versus descriptive process versus content behavior versus systems do it now versus do it later top down versus bottom up audit-fix versus continuous improvement ease of use versus utility user experience versus functionality safety versus productivity quality versus performance one process versus multiple processes simple versus comprehensive immediate versus long term tactical versus strategic schedule versus cost And so on Architecture provides techniques and tools that are helpful to balance these kind of concerns. One powerful technique is to focus on the process and not on the end goal which seems counter-intuitive. Being process oriented means ( from 101 Things I learned in Architecture School ): seeking to understand a problem before chasing solutions not force-fitting solutions to old problems onto new problems removing yourself from prideful investment in your projects and being slow to fall in love with your ideas making design investigations and decisions holistically (that address several aspects of a design problem at once) rather than sequentially (that finalize one aspect of a solution before investigating the next) making design decisions conditionally — that is, with the awareness that they may or may not work out as you continue toward a final solution knowing when to change and when to stick with previous decisions accepting as normal the anxiety that comes from not knowing what to do working fluidly between concept-scale and detail-scale to see how each informs the other always asking "What if ...?" regardless of how satisfied you are with your solution Many of these ideas ares similar to those found in LEAN and Design Thinking to help solve problems and find solutions to the most difficult challenges that companies are now facing. Fixing compliance problems with short term tactical solutions is not enough. What is needed are more holistic approaches that deliver more value to all stakeholders and this is what architects do best. To find learn more on how Lean Compliance can help architect your compliance programs or management systems visit our website at www.leancompliance.ca

System dynamics (SD) according to the System Dynamics Society   is a computer aided approach to policy analysis and design.  It applies to dynamic problems arising in complex social, managerial, or ecological systems – literally any dynamic systems characterized by interdependence, mutual interaction, information feedback, and circular causality. The term "System Dynamics" was coined by Jay Forester at MIT in 1961.  The aim was to explore dynamic responses to changes made either within or outside of a system to explain the past and predict the future.  This makes System Dynamics useful for better understanding and improving sociology-technical problems in the domain of quality, safety, environmental, and regulatory programs and systems. When trying to understand systems we often start by taking a snapshot of the situation which creates a static and linear causality representation of reality.  This is perhaps, a first order approximation which may provide useful initial insights.  However, to more fully understand the past and predict the future a dynamic model is needed that represents the interdependence of system components.  This is where causal loops are used. Causal loop diagrams (CLDs) were introduced by Jay Forester (1961) and developed further since. The purpose of a CLD's is to map out the structure and influences to system behavior.  In theory, there are two kinds of causal loops: reinforcing or balancing.  Negative reinforcing causal loops are called vicious cycles and have unfavourable outcomes. Positive reinforcing causal loops ware called virtuous cycles and have favourable results.  Balancing loops keep the system at equilibrium. At a high-level managed quality, safety, environmental, and regulatory systems are designed to maintain consistency. The audit / fix cycle forms a negative feedback loop that uses corrective actions to adjust the system output back within control limits. This forms a balancing causal loop. However, the effect of these adjustments can destabilize a system when capabilities to restore equilibrium are inadequate. This is amplified when a system must achieve new levels of performance outside of its current capabilities. It is here that SD becomes an important tool to help policy makers better improve outcomes of their compliance programs.  SD can help to evaluate policy changes made as part of performance-based obligations to ensure that underlying systems have the capabilities, capacity, and competencies to achieve and sustain new levels of performance. This assists the function of the program level of a managed system to: Introduce change by means of continuous improvement without destabilizing the underlying system Adjust system capabilities to meet increasing performance demand Evaluate and adjust outcomes to optimize overall system effectiveness

Many companies will be familiar with the terms Total Quality Management (TQM), or Total Production System (TPS). They began initially to describe a Japanese-style management for quality improvement. TQM (and its variants) represent a philosophy of a broad and systemic approach to managing organizational quality which sets the context for a quality management system (QMS). It extends beyond the quality of products and services to the quality of all issues within an organization. When it comes to safety efforts the evolution towards using safety management systems (SMS) has become standard practice for industries that include aerospace, chemical industry, and now a matter of priority for others such as the pipeline industry in the US. However, in recent years, major incidents have made it clear that there is still a necessity for companies to improve their safety capabilities through the application of systematic and proactive approaches: "not as a stand-alone activity that is separate from the main activities and processes of the organization, but as an integrated part of total performance management" [2] Building on the success of TQM, in 1998, Geoetsh (1998), introduced the concept of Total Safety Management (TSM) as a performance-oriented approach. The fundamentals of this approach include: a strategic approach to safety, emphasis on performance assessment, employee empowerment, reliance upon robust methods of risk analysis, and continual improvement. More specific organizational processes have been proposed since by various organizations. Integration of safety with quality, environment and productivity have also been proposed by means of: Strategic and cultural integration in order to enhance learning, continuous performance, stakeholder involvement and participative management. Coordination of common business processes between safety, quality, environment. Correspondence of different standards (ex. ISO 9001, 14000, 31000, etc.) with cross-references and possibly a common information system. However, while there is utility in these approaches they do not get to the heart of the matter which is a need for a systematic methodology that is risk-based, performance-oriented with a focus on continuous improvement. TOSCA Approach to TSM A European project under the name of TOSCA (Total Operations Management of Safety Critical Activities) has proposed the following five principles for TSM based on effective risk management (RM) principles derived from ISO 31000: RM should be part of all decision making and organizational processes and provide a capability for creating value for business; RM should be based on best available risk information to create a common operational picture about risks; Participative risk management must ensure that all the needs of stakeholders are taken into account while their knowledge about risks is brought into play; Knowledge management should be part of risk management so that all knowledge about risks is managed effectively and all RM techniques are better integrated; Performance monitoring and operational feedback is necessary for making RM dynamic, iterative, and responsive to change. At the same time, this will facilitate continual improvement of the organization Each of these principles are defined and elaborated in their proposed methodology. However, it is the second principle that I believe communicates where the fundamental paradigm shift needs to occur. It is common for safety management systems to focus their attention on correcting safety problems to return to normal operations. This is the same focus that quality has in the use of corrective and preventive actions (CAPA) processes. As I have discussed in previous blog posts, this is known as feed-back control which is reactive in nature. There is no predictive or anticipatory capabilities to foresee future states or events. This is why a feed-forward process is needed using a model-driven control. It is the model that provides predictive capabilities that can help to address the effects of uncertainty before they happen. It is important to note that performance indicators can now be measured not in terms of outcomes (lagging indicators) but instead as antecedents (leading indicators) so that changes are made before undesired outcomes are produced. Adopting Total Safety Management (TSM) will require that existing safety management systems change from reactive to proactive behaviors. Effective risk management is at the core of this change and it is here that continuous improvement is needed. More information about TSM can be found in the following reference materials: References: [1] Total Safety Management: Principles, processes and methods, 2016, T. Kontogiannis, M.C. Leva & N. Balfe [2] Total Safety Management: What are the Main Areas of Concern int he Integration of Best Available Methods and Tools, 2014, Maria Chiara Leva, Nora Balfe, Tom Kontogiannis, Emmanuel Plot, Micaela De Michela [3] TOSCA (Total Operations Management for Safety Critical Activities) project

It is unlikely that organizations will be able to meet all their stakeholder obligations without the benefits of engineering. However, this engineering must extend beyond individual disciplines to consider a broader set of knowledge, skills, and competencies to keep businesses operating between the lines, the public safe, and proactively meet environmental challenges. In this article we consider how both compliance and engineering have changed and why a new kind of engineering is emerging – one focused on compliance. The Nature of Compliance The compliance landscape has changed. Obligations are numerous, growing, and far reaching covering mandatory and voluntary commitments, along with environmental, social, and governance (ESG) objectives. In recent years we have also experienced a shift in regulation from prescriptive to performance and outcome-based designs. There are many reasons why this shift is happening. The primary being regulatory reform happening across the world as regulatory bodies have begun to modernize the function of regulation, its processes and practices, and how regulation itself is regulated (meta-regulation). These changes both to regulation and compliance itself are having profound effects on organizations that operate under regulation. Organizations that want to take greater ownership of their obligations are finding the traditional audit / fix cycles they have used in the past are not enough to keep their promises and stay ahead of risk. As a countermeasure organizations are directing their efforts towards internalizing obligations, managing and improving compliance performance, and making progress on compliance outcomes. This will involve the application of scientific principles from multiple domains covering management theories, regulatory designs, system dynamics, organizational behaviours, information technologies, accountability frameworks, risk and uncertainty, to name a few. However, what has been missing which is now needed is an engineering approach. In essence, compliance needs to be engineered rather than just audited. What we need are Compliance Engineers . The Nature of Engineering At a basic level engineers design and build things by applying scientific principles and technology. Professional engineering is defined in the Professional Engineers Act in Ontario, Canada where I practice as: Any act of planning, designing, composing, evaluating, advising, reporting, directing or supervising (or the managing of any such act); That requires the application of engineering principles; and Concerns the safeguarding of life, health, property, economic interests, the public welfare or the environment, or the managing of any such act. Over the years the scope and nature of engineering problems has changed in a similar way as the compliance landscape. Engineering solutions have increasingly required cross functional considerations. This broader approach is particularly the case with respect to the safeguarding of life, health, property, economic interests, and the welfare of the environmen t. Engineering in these cases often cross sociology-technical boundaries which requires a more holistic and systems approach and one that focuses on risk. This is not unlike the problems that compliance has also tried to address. The Compliance Engineering Nexus Compliance has become an operational function within organizations that involves technical, management, and social components to work together as a system to achieve compliance outcomes such as: safety, resilience, security, quality, and others. Compliance is effective when it improves the probability of mission success which it does by guarding against and buying down risk. These measures form risk & compliance controls (risk treatments if you like) that prevent and mitigate the effects of incidents, violations, defects, emissions, and so on. This requires an operational model that is engineered to advance outcomes over time, contends with uncertainty, and performs efficiently. This model must have measures of effectiveness, measures of performance, and measures of conformance to properly identify capabilities and scale resources to always meet obligations. Those familiar with compliance will know that many organizations focus only on measures of conformance and to a far lesser degree performance and effectiveness. Many view their effectiveness only in terms of not being fined rather than on advancing outcomes. Failure to focus on outcomes will eventually lead to mission failure. Nature of a Compliance Engineer Compliance needs to be engineered. This will require engineers who are multi-disciplinary and can cross the technical-social divide. They also need to be educated and trained in compliance to effectively build systems and processes that are able to reduce risk and advance compliance outcomes. In my estimation we need Compliance Engineers who should have knowledge, skills, and competencies that focus on: Theories related to Regulatory Designs, Promises & Obligations, Cybernetics, Uncertainty & Risk, Management Accountability & Trust Frameworks, Organizational Behaviours and Dynamics, Ethics, Policies Designs, Change Management, etc. Engineering principles related to safety, security, climate change, environmental, etc. Management programs and standards: quality, safety, environmental, sustainability, security, IT, etc. Systems Engineering (goal-seeking, purposeful, full stack systems) Computer Engineering (algorithms, machine learning, automation, digitalization, etc.) Lean Engineering (performance improvement, interventions, lean enablers, etc.) Data Management and Statistics Risk-based Thinking and Practices Design and Problem Solving Skills Project Management With this capability Compliance Engineers could help organizations build effective and robust compliance systems, processes, and practices. Compliance Engineers would also lead by example by upholding the values that compliance is striving towards. The following is a excerpt from the Code of Ethics of Canadian Professional Engineers which aligns well with ethical organizations: Professional engineers shall conduct themselves in an honourable and ethical manner. Professional engineers shall uphold the values of truth, honesty and trustworthiness and safeguard human life and welfare and the environment. In keeping with these basic tenets, professional engineers shall: Hold paramount the safety, health and welfare of the public and the protection of the environment and promote health and safety within the workplace; Offer services, advise on or undertake engineering assignments only in areas of their competence and practise in a careful and diligent manner; Act as faithful agents of their clients or employers, maintain confidentiality and avoid conflicts of interest; Keep themselves informed in order to maintain their competence, strive to advance the body of knowledge within which they practise and provide opportunities for the professional development of their subordinates; Conduct themselves with equity, fairness, courtesy and good faith towards clients, colleagues and others, give credit where it is due, and accept, as well as give, honest and fair professional criticism; Present clearly to employers and clients the possible consequences if engineering decisions or judgments are overruled or disregarded; Report to their association or other appropriate agencies any illegal or unethical engineering decisions or practices by engineers or others; Be aware of and ensure that clients and employers are made aware of societal and environmental consequences of actions or projects and endeavour to interpret engineering issues to the public in an objective and truthful manner; and Treat equitably and promote the equitable treatment of all clients, colleagues and coworkers, regardless of race, religion, gender, sexual orientation, age, physical or mental ability, marital or family status, and national origin. Summary Traditional risk & compliance functions operating in silos on their own cannot meet the demands imposed by new regulatory frameworks and designs. Neither will adopting management standards or new information technologies if they are not designed or implemented to work together. Engineers have for years used scientific principles and the ability to consider multiple constraints to design efficient and effective systems. This is precisely what is needed for organizations to meet outcome and performance-based compliance objectives that drive towards zero emissions, zero incidents, zero violations, zero defects, and other industry targets. We need to engineer our compliance not just audit our conformance. We need Compliance Engineers.

4 types of obligations 4 compliance functions 4 purposes 4 measures

Recent revisions to compliance standards and regulations have introduced changes to the way we think about and manage risk. You can look at: ISO 9001:2015, ISO 31000:2009, ICH Q9, API RP 1173, CSA, NEB, and many others and notice that risk is no longer what it used to mean. You will also notice that the risk tools have also changed, and risk management has taken a different path. Risk is no longer just about managing loss, it has become an optimization strategy to increase the certainty of achieving objectives. Here are 5 ways in which risk management has changed: 1. Risks are tied to outcomes Risk management up until now has been focused on loss prevention. Attention is given to understand the probabilities of events that may negatively impact our programs, systems or processes. This has been helpful but often results in risk registers being filled with risks, many of which, that do not really matter. Connecting risks to objectives allows risk managers to know which risks to address and which ones to ignore. 2. The focus of risk is on the effects on objectives Risk management has also primarily focused on the probabilities of risk events. ISO 31000 changed this focus to " the effects of uncertainty on objectives ." This does not remove the consideration of probabilities, however, it does move the analysis more on how objectives will be effected by uncertainty. One of the benefits of taking this approach is that it can help with risks where prediction is very difficult. For those who are familiar with Black Swans, we know that probabilities are a poor predictor of outcomes. Prioritizing on effects may result in better mitigation than only looking at likelihoods. 3. The effects of risks are both negative and positive Consideration of both negative and positive effects substantially transforms the value of risk management. Analyzing threats and opportunities advances risk management beyond just driving down risk. Instead, it allows risk to be used as an optimization strategy to increase the certainty of achieving outcomes. This requires, among other things, that many of the current risk tools (which were significantly influenced by the focus on loss prevention), change to support positive risk and opportunity enablement. Risk managers may also need to take on a more active posture in seeking out opportunities rather than only addressing existing hazards or the effects of failure modes. 4. Risk moves further into operations Traditional as well as enterprise risk management has until recently focused on extrinsic risk. These are external risks that may impact our business. However, the attention has now moved further into the operations of the business where the focus is on intrinsic risk. Intrinsic risks are those that are internal to our programs, systems and processes. Identifying these may require an increased knowledge of management systems and manufacturing processes to understand how to best prevent threats or enhance opportunities. The maturity of applying risk management to production processes is far along in some industries. At the same time, understanding how to identify risks embedded in quality, health and safety, and environmental programs may require additional training and expertise. 5. The role of risk is elevated by risk-based thinking Some folks have criticized ISO for using the phrase "risk-based thinking" in their ISO 9001:2015 revision of the quality management standard. The major issue has been the lack of prescription on how risk-based thinking should be done. This criticism is reasonable given the fact that many companies up until now have worked mostly with prescriptive regulations using a check-boxed approach to compliance. They have not yet had to deal with the shift to performance-based approaches that many standards and regulatory bodies have recently taken. The onus is now on each company to figure out the "how" part of risk-based thinking. While this maybe challenging in the short term, it should result in a more comprehensive approach to risk management tailored to each company's risk profile. This is a good thing. For those that are familiar with "Design Thinking", or "Lean Thinking" will know, the advantage of this type of approach is that it focuses first on the mindset before tools are ever considered. A tools-first approach has often led to inadequate risk assessments due to the lack of understanding of the limitations of the preferred tool. On the other hand, using a risk-based thinking approach will help risk practitioners choose the best tools for each risk context. Here is a definition for risk-based thinking that captures the essential aspects from recent changes to risk management: Risked-based thinking requires companies be proactive instead of waiting for audit findings to identify areas of risk and improvement. The latter is what we call the, The Reactive Uncertainty Trap™. As many have commented about quality, you cannot inspect your way to quality – you need to design it in. The same is true for compliance. You cannot audit your way to better compliance. Instead, you need to apply proactive strategies like risk-based thinking to make certain you are always in compliance. If you are an ethical, ambitious company and want to avoid, The Reactive Uncertainty Trap™ consider joining The Proactive Certainty Program™

Organizations today face frequent and increasing regulatory changes across multiple jurisdictions, domains, and categories. It is these changes that often become a significant source of risk to an organization’s resilience if not done carefully. Therefore, it is of vital importance that organizations successfully manage the impact of regulatory change before and when they occur. Impacts Introduced By Regulatory Change Regulations when changed may affect a number of areas of a business that include: 1. Strategy, goals, and objectives outlined in policies , 2. Processes, standards, and practices documented in procedure documents, 3. Roles, responsibilities, and personal as part of the organizational structure, and 4. Sites, facilities and equipment structured as assets These areas are considered critical having the greatest potential when changed to impact existing controls, expose latent risk, or introduce new risks to an organization. Each area of impact may have its own change process to address specific risk considerations but will usually follow a risk-based process as outlined below. Risk-based Change Process Implementing regulatory change will involve actions and sometimes requires the benefits of a project to implement. However, in all cases the impacts of a regulatory change need to be first identified and understood. The identification of impacts is usually done as part of a change process. In highly regulated, high-risk industries this process is called Regulatory Management of Change (MOC) while others simply call it Regulatory Change Management . To effectively manage regulatory change companies will adopt a risk-based process to identify and address direct and indirect impacts. This process will move a regulatory change through a series of stages where activities are performed by assigned resources often determined by the nature and the areas impacted by the change. The change process starts with the Initiate step to capture specifics of the regulatory change along with the risk context of the organization. Differences in risk culture will impact the level of rigour required in subsequent steps of the process involving planning, approvals, implementation, verification and close out: 1. Initiate Regulatory Change Identify regulatory change Identify changed compliance outcomes and objectives Identify risk context 2. Assess Impacts Engage stakeholders impacted by the change Conduct impact analysis (policy, organizational, procedure, asset) Identify change objectives (what you intend to implement) Conduct risk assessment 3. Plan Implementation Create implementation plan (technical changes) Create transition plan (changes to behaviour, culture, values, etc.) Create stakeholder communication plan Identify necessary approvals 4. Approve Implementation Obtain necessary approvals to proceed with implementation of regulatory change 5. Implement Regulatory Change Execute plans Notify stakeholders Conduct necessary training and qualification 6. Verify Regulatory Change Verify training and change objectives are met Verity that it is safe to restart changed process or use changed product Validate compliance outcomes 7. Close Regulatory Change Capture lessons learned Communicate to stakeholders Update documents, records, and systems The purpose of following this process is to increase the probability for changes to be implemented successfully with minimal risk to the organization. Each change will go through the same stages but the level of rigour will differ based on the level of risk introduced by the change itself. For example, low risk changes may be fast-tracked and use prescribed risk-adjusted procedures while higher risk changes may involve a more comprehensive assessment and implementation. In all cases, each change is tracked and monitored so that organizations will always know the status of its overall operational and compliance risk. Benefits of Using A Risk-based Change Process The benefits of using a regulatory change process that is risk-based are many and include: Increased visibility of risk Improved stakeholder notification and communication Standardized approach to treating risk Coordination of timing to reduce overall disruption Greater alignment with business strategy and goals Opportunity for process improvement through the capturing of lessons learned The most important benefit of course is the increased certainty that impacts arising from regulatory change do not become a significant source of risk for the business.

This may sound like a far-fetched idea, but it's closer to reality than you might think. The question is, should we be so eager to give up our autonomy to machines and is it worth the cost? It's true that AI is capable of remarkable feats, such as analyzing vast amounts of data and making predictions based on that information. In exchange for giving AI access to all of our data (and that of everyone else), we're told that it will provide us with recommendations, decide our best course of action, and even act on our behalf when we're unable or unwilling to do so. But what does this mean for our own learning, understanding, and critical thinking? If we rely solely on AI to tell us what to do and what to believe, do we risk losing the ability to make our own decisions, form our own opinions, or even think? The technology may be advancing rapidly, but wisdom is something that can only be gained through experience, reflection, and the passage of time. We should be wary of rushing headlong into a future where machines are making all the important decisions for us. It's essential that we draw a line between what we're willing to entrust to AI and what we're not. The power of technology should be used to augment our own abilities, not replace them entirely. We must maintain our own agency and not become completely dependent on machines. So let's not be too hasty in our eagerness to hand over the reins to AI. We must continue to cultivate our own wisdom and critical thinking skills, even as we embrace new technological advances. Let's make sure that our hope for the future includes a healthy dose of caution and a commitment to maintaining our autonomy. They say that wisdom is often lost on the youth. Let’s hope that wisdom is not lost on all of us.

Companies of all sizes need: Processes to repeatedly execute steps in the creation of value Systems to ensure the consistent following of these processes Programs to ensure that these systems are effective in delivering value Governance to establish direction, goals and culture Continuous improvement is needed for all of these, however, the objective for improvement will differ: Systems improve efficiency - meeting performance targets Programs improve effectiveness - advancing outcomes Governance improves culture - creates the conditions for success Different strategies and approaches will be needed to support each of these objectives. For example, LEAN is helpful to reduce waste and improve efficiencies at the process level. On the other hand, the improvement of effectiveness requires application of strategies that are more proactive in nature that consider: outcomes, risks, and change management. When considering where to make improvements understanding the purpose of each management function helps to make sure that change produces the intended results.

Increasingly, we have observed that regulatory and standards bodies are expecting companies to use capability maturity models to improve performance and advance outcomes related to targets such as: zero incidents, zero fatalities, zero harm, zero emissions, zero violations and so on. While capability maturity models are not new they have seldom been used to improve compliance. This is beginning to change. One of the places where capability maturity models has been used successfully is in software development specifically in aerospace and the defense applications. The CMMI (Capabilities Maturity Model Integration) Institute publishes and develops maturity models continuing research previously conducted by Carnegie Mellon University. The CMMI Institute claims their models can be used to guide process improvement across projects, division or an entire organization. The latest version of the CMMI model is V2 with specific versions for product and service development, service establishment and management, and product and service acquisition. In response to regulatory changes towards outcome and performance-based obligations we have adapted the CMMI model to better support the capabilities needed to advance outcomes over time . In our model, Level 3 defines the achievement of "SYSTEM" status when: Management is pro-active A systems perspective is taken that considers interactions and dependencies as well as components and elements Uncertainty is evaluated and addressed using managed risk controls Continuous improvement practices exist at the process and system level These minimum operability requirements must be met before any real progress in outcomes can be made. Fundamentally, better outcomes are obtained when processes behave more like a purposeful-system rather than as individual parts. This comes directly from systems theory which teaches that outcomes are the emergent properties of the product of a system's interactions rather than the sum of its parts. As management incorporates double and triple-loop learning as part of a system they are able to optimize for outcomes which drives performance improvement. System adaptation (a program level function) occurs in response to feed-forward communications from the environment in which a system exists.

To help you achieve your outcomes we are offering a free  copy of our Bow-Tie Analysis PowerPoint template. Our template incorporates smart shapes to make it easy to document your analysis. Both threats and opportunities are supported. Now you can prepare your defenses against threats and your attacks on opportunities. May it help you defeat the dragon of uncertainty! Download your template here.

The Challenge Counting near misses, incidents, defects, violations, and other non-conformance is of value and necessary as part of prescriptive: regulation, industry standards, and internal policies. However, when it comes to complying with performance and outcome-based commitments where the goal is to achieve zero fatalities, zero explosions, zero violations, and zero defects then you need a risk-based process that uses proactive actions informed by both lagging and leading indicators. While many companies are rich in lagging indicators they are poor in leading indicators. To address this, many attempt to turn lagging indicators into leading indicators which is not possible no matter how hard you try. Although, with proactive oversight you can turn lagging indicators into leading actions (more on this later). Many organizations try to use measures of conformance to predict and possibly prevent future occurrences. However, lagging indicators of this kind can never distinguish between whether your risk controls are effective or if you were just "lucky". They are also too late to prevent what has already occurred and for those looking to improve safety, quality, environmental, or regulatory outcomes this is a big deal. Lagging Indicators and Actions Lagging indicators measure what has already happened specifically after a risk event has occurred. Lagging indicators are always retrospective, too late, and of no value with respect to the past events. Lagging indicators are still beneficial as they help to identify failure modes or vulnerabilities albeit after the fact. This data can in turn be used to initiate actions to mitigate the effects of the adverse event, which is considered as a corrective and lagging action. Lagging indicators can also be used to strengthen control processes to prevent re-occurrence of the unwanted event or mitigate its effects. This is a preventive action and leading with respect to future risk . Leading Indicators and Actions Leading indicators , on the other hand, are derived from the control processes that are in place to prevent unwanted events before they happen. They are on the left side of the bowtie diagram and before the risk event. Leading indicators include measures of effectiveness of the preventive controls which are predictive in terms of the likelihood of a given risk event. Leading indicators must have predictive power to be considered effective. The effectiveness of controls contributes to the probability of occurrence of the risk event. Leading actions are steps taken to improve the effectiveness of both preventive and mitigative controls to improve the level of protection to achieve an acceptable level of risk which is the purpose of risk management and the standard for overall compliance effectiveness. Bottom Line Lagging indicators can never be leading as they measure things after the risk event. They may have utility to predict future risk events but this is limited as they often measure things related to symptoms not the root cause. The best leading indicators are those that have predictive utility and connected to preventive controls. This information provides advance warning of a possible risk event and an opportunity to do something about it. Consider joining The Proactive Certainty Program where we help you develop operational leading and lagging indicators (among other things) for your compliance programs.