COMPLIANCE
- Managing Compliance Obligations
It is common for companies these days to have several programs to manage both mandatory requirements and voluntary commitments in response to regulatory and industry standards. These programs are often created to match each compliance element or area:

Implementing these programs as isolated initiatives can lead to significant duplication and inconsistent practices. There are two primary causes of duplication that, if addressed, will eliminate excessive waste and improve overall process consistency. These are:
  - Overlapping Compliance Demand (requirements and commitments)
  - Overlapping Compliance Capabilities (resources)

Managing Compliance Demand

Overlapping compliance demand can be addressed by managing the compliance obligation separately from the requirement or commitment. The ISO 19600 guidelines provide a straightforward approach to effectively manage compliance obligations covering both internal and external demands. An obligation documents (among other things) the decisions a company makes on:
  - how the particular regulation or standard is interpreted,
  - what defines evidence of compliance, and
  - the controls and measures needed to address the associated risks.

In essence, the obligation defines "what" the company complies with, leaving the "how" to the program and system levels. This alleviates the need for each program to determine the level of obligation, which can often lead to differences in priority and a lack of overall alignment with company strategy and objectives. Combining similar demands into a single obligation can provide further benefits.

For example, each of the following compliance demands can be addressed by a single obligation:
  - Commitment - ISO 9001:2015 (9.2) - Internal Auditing
  - Requirement - OSHA 29 CFR 1910.119 (o) - Compliance Audits
  - Commitment - OHSAS 18001 (4.5.2) - Evaluation of Compliance
  - Commitment - ISO 14001:2015 (9.1.2) - Evaluation of Compliance

Managing overlapping obligations in this way allows organizations to apply a consistent level of rigor (structure, process, resources, etc.) based on the level of risk. A compliance management system can be used to assist with managing these obligations. This helps ensure appropriate compliance coverage and provides a central place where compliance changes can be managed and coordinated. The ISO 19600 approach embeds the Plan-Do-Check-Act continuous improvement cycle directly into the overall process. This is more intentional than the audit-fix cycle which, as I have commented in a previous blog, is by itself not effective to advance compliance objectives. The ISO guideline can be easily combined with existing management systems to provide an overall governance model, particularly when combined with quality (ISO 9001) and risk management (ISO 31000) standards.

Managing Compliance Capabilities

Each compliance program will have some capabilities that are the same as those needed by other programs. For example, most programs will require risk management. Instead of having each program have its own risk management capabilities, a central risk function can be used to provide consistent tools, skills training, and practice improvement. Common compliance capabilities include:
  - Risk Management
  - Change Management
  - Documentation and Record Keeping
  - Measurement and Monitoring
  - Program Management
  - Continuous Improvement

In my previous blog, "Do You Need A Different System for Each Regulation", I explore this topic of managing common capabilities in more detail.

Managing compliance obligations is critical to effectively manage overlapping compliance demand and reduce duplication and inconsistencies at the program and system levels. Following the ISO 19600 compliance system guidelines can help provide the framework by which to manage these obligations, ensure coverage, and manage changes to compliance.
- Finding Good Dragons
Compliance at its core is about contending with risk. For the most part this has taken the form of addressing the negative side to prevent such things as financial loss, but also the loss of life, quality, reputation or other things that we care about. However, this is only half the story and perhaps a result of only using half of our brain. In many ways we have focused on the bad dragons and failed to see and realize the benefits of the good ones.

The way we think about risk is a significant factor in our effectiveness at contending with uncertainty. What we now know is that our brains are wired in such a way that we see threats easier and earlier than we see opportunities (Thinking, Fast and Slow - Daniel Kahneman). Finding and pursuing opportunities requires tapping into another part of the brain which can only be accessed when we slow down and reflect on our situation. This is difficult to do when our lives are reactive, governed by the tyranny of the urgent. However, if we do not pursue the positive effects of uncertainty we will not create value, and at most we will only protect the value we currently have, although that too may not last. The first step to finding good dragons is developing a habit of noticing them.

Our Brain is Teflon for the Positive and Velcro for the Negative

Conor Neill, in one of his video posts, talks about how we can take steps to improve our ability to see the positive side of life. This ability is essential for our own happiness and, as it turns out, also for our pursuit of opportunities. In his blog post Conor Neill writes:

"There is a saying that I heard recently from Elsa Punset... 'Our brain is teflon for the positive and velcro for the negative'. It is a powerful metaphor. It is solidly grounded in psychological research. In good relationships the ratio of positive to negative comments is 7:1. 1 negative comment about a friend needs 7 positive statements to balance out... because our brain is so much more tuned into anything that risks our safety."

I encourage you to watch his video (6 minutes) and try his 21 Day challenge. This may help you develop the habit of seeing good things in your life and, who knows, you might see a good dragon as well. You might even start to better see opportunities to improve your compliance.

Here is a list of other articles dealing with the positive side of risk:
  - The Pursuit of Opportunities in the Presence of Uncertainty
  - Lord of the Risks - The Two Towers: Productivity and Compliance
- Building a Community of Trust
Are you simply complying with regulations or are you building a community of trust? In today's climate there is much talk about group and, to a lesser degree, individual rights. However, what seems to be missing are discussions concerning obligations, duties, and responsibilities. Rights do rely heavily on obligations to effect the rights themselves. However, obligations go farther than rights can ever do. Rights are transactional in nature whereas obligations are relational. In fact, obligations are the glue that binds our relationships together.

"Obligations arise as part of what it means to be in and to value particular relationships in themselves: being bound in these ways contributes to our growth, our sense of being and being together with others in the world. Obligations are central to this because they work by connecting, by tying us to others." — Scott Veitch

Stakeholders will have rights to be respected, but meeting obligations creates community, more specifically, a community of trust. Trust is a relational matter that is reinforced through obligations. Therefore, paying attention to obligations is critical for those who want to build greater trust with their stakeholders.
- Stakeholder Trust: A New Destination for Risk and Compliance
Stakeholder obligations are promises made to those who have put their trust in your business, your products and the services you provide. Stakeholders extend beyond shareholders and include employees, suppliers, customers, communities, and the public at large. What stakeholders expect is a measure of assurance that your organization will keep all the promises it has made to them. In return for this assurance, trust is engendered, giving rise to the pursuit of shared values along with the acceptance of shared risk. In this blog post we look at what stakeholder trust looks like, the role that risk & compliance has to engender trust, and how you can improve the probability that you have the trust you need for your business.

What is the value of trust?

The benefit of having trust far exceeds financial returns and the exchange of money. Trust provides the fuel to sustain growth and the ability to thrive. Companies that have stakeholder trust find approval to pursue opportunities and create even more value. Companies without stakeholder trust discover they don't have approval to operate in the communities they want to work in. Even regulatory approval will be conditional, subject to significant scrutiny and inspection. Without stakeholder trust you will not have a business.

How do you build trust?

Businesses first gain trust by acquiring a regulatory license to operate, which requires that specific conditions are met. Meeting regulatory obligations provides an initial level of legitimacy and the first boundary towards stakeholder trust. For companies to succeed they need to build on the legitimacy earned to achieve credibility, which is another precursor to trust. Credibility is achieved by working towards social and corporate responsibilities. In some industries this is called a social license to operate, demonstrated when stakeholders give their approval to proceed on business initiatives.

These responsibilities are concerned with achieving quality, health, safety, environmental and overall sustainability objectives. Compliance and risk programs provide the means to achieve these objectives, creating the conditions for trust to exist and to improve. Compliance programs protect against the erosion of value by keeping businesses operating between the lines. Risk programs make certain that obligations are met, promises kept, and values are respected.

How do you measure trust?

At a basic level it is possible to determine whether or not a company has met the regulatory conditions for it to operate. Regulators utilize reporting, inspectors or auditors to verify that companies have met license requirements and, to a lesser degree, that they will continue to be met in the future. However, when it comes to meeting obligations associated with the broader scope of stakeholder expectations, measurement has been more qualitative than quantitative. A social license, or perhaps better called a "stakeholder license", is really an agreement on shared values and shared risk. This contract, while not formal, includes expectations that shared values are respected and mutual risk is handled. Trust will increase or be lost based on how well a company manages each. With growing concern about climate change, ESG (Environment, Social and Governance) is gaining more traction and is poised to become an important performance index which could be used to measure the conditions for greater trust to exist.

We have all the trust we need.

Trust is never static. Companies are either gaining trust or losing it. When risk & compliance programs are working together, stakeholders will have the assurance needed for trust to exist and to improve. However, without effective risk & compliance programs, assurance will be lacking, credibility will erode and the company's legitimacy will be at risk.

Companies that value stakeholder trust will not leave assurance to chance and will instead establish effective risk & compliance programs to provide the assurance needed for their business to operate and to grow. Perhaps it is time for your risk & compliance to chart a new course to a new destination: Stakeholder Trust.

Lean Compliance helps forward-looking organizations improve stakeholder trust by improving the effectiveness of risk and compliance programs. If trust is valuable to you, please reach out to us to learn more about how we can protect and improve the trust you now have.
- Overlooked Benefits of an Effective Management of Change Program
Management of Change (MOC) is part of every effective process and pipeline safety program. Its purpose is to manage risk introduced by implementing planned changes to a facility, pipeline, process or to the organization itself. To accomplish this, the MOC process touches almost every aspect of an organization, which provides additional benefits to those looking to get more from their safety program.

An effective Management of Change (MOC) system provides:
  - visibility of the quantity and type of changes
  - visibility of the total level of risk being considered
  - visibility of the level of work and where the bottlenecks are
  - a mechanism to bring together the tools and practices across multiple disciplines
  - a process for cross-functional teams to work together on changes
  - a place for all information about each change to be stored
  - an audit trail of what happened during each change
  - a collaborative behavior for working together to implement changes safely

These benefits are available when companies consider their MOC process as a system rather than just a procedure that needs to be followed when changes are made. The MOC process is unique and one of only a few that cross the functional silos commonly found within organizations. In many ways, an MOC process measures the pulse of change, the level of risk, and the amount of anticipated work across an organization. These measurements are invaluable to keeping people safe and companies profitable.

Plan-Do-Check-Act Questions:
  - In what way has your MOC program improved visibility of what is happening in your organization?
  - Which benefits would most help your organization achieve your desired safety program outcomes?
  - What obstacles are in the way of realizing greater benefits from your MOC program?
  - What step can you take to remove one of these obstacles?
- What Benefit Does MOC Technology Provide?
Many organizations are required to have a Management of Change (MOC) procedure to manage risks introduced by planned changes to assets, processes, facilities and to the organization as a whole. However, for many, these procedures are based on previous paper-based approaches. While these may meet the letter of the law and pass audits, they often do not benefit from exploiting technology and best practices. Even when software is procured or developed, it often results in "paving the cow path" instead of improving the process first.

Dr. Eliyahu M. Goldratt, creator of the theory of constraints, in one of his lectures makes the following statement:

"Technology can bring benefits if, and only if, it diminishes a limitation."

Technology here is defined as the application of knowledge and does not need to be hardware or software. Dr. Goldratt's statement takes time to fully appreciate but is profound in its simplicity to describe why many technology projects fail. However, as importantly, it provides a way to understand how technology can be used, but rarely is, to provide significant benefits.

Let's look at how this statement can be applied to deploying technology to support the MOC process. Dr. Goldratt suggests asking 4 questions:

1. What is the power of the technology?

The power provided by an MOC application comes from its ability to connect related data and use it to drive risk activity:
  - Provide the relevant data and tools to the change process
  - Provide the steps that need to be followed based on related data
  - Automatically track and record activity and work done

2. What limitation does the technology diminish?

Using a paper-based approach has several limitations, with these as the primary ones:
  - Not having relevant data readily available to make safe decisions
  - Not knowing what work had been done or will be done as part of the change process

3. What rules enabled us to manage this limitation?

Rules to work around these limitations include:
  - One process for all types of changes (i.e. only have one change form)
  - Adding several gatekeeper roles (reviews and approvals) to verify work
  - Using standard (and fixed) checklists to drive activity
  - Redoing assessments and verifying drawings
  - Audit afterwards to confirm compliance

4. What new rules will we need?

With the removal of the limitations, the workarounds can and should also be removed and new rules put in place to exploit the power of the new technology. These would include:
  - Self-evidencing process - eliminate QC / gatekeeper activities
  - Replace local optimal rules with holistic optimal rules: dynamic checklists based on data instead of standard fixed checklists for functional sub-processes
  - Use a risk-based approach - tailor the level of rigor to the level of risk
  - Consider the entire risk context - all planned changes, data stored in risk registers, HAZOPs, bow-tie assessments, and so on

The power provided by using MOC technology is its ability to manage related data and use this information to drive processes based on the entire risk profile. This allows companies to move beyond just verifying that steps are completed to actively managing risk throughout the change process. This is something that paper-based approaches could never do and what is necessary to achieve safety objectives.
- Why ESG Will Be Difficult
The topic of Environmental, Social, and Governance (ESG) programs has continued to be at the forefront of many conversations in recent months. Most of these discussions have focused on the investment and reporting side of ESG. However, few conversations have focused on how to advance ESG objectives and operationalize them within organizations.

In recent studies we conducted, we explored how external and internal obligations were managed across an organization. In this context, external obligations were those associated with mandatory requirements (mostly regulatory) while internal obligations covered environmental, social, sustainability, and other voluntary commitments.

What we learned was that for external obligations:
  - most of the compliance resources are dedicated to regulatory obligations
  - these are managed primarily by audits and inspections
  - a fraction of the processes were controlled using a QMS or EMS
  - roughly 50% of the obligations were identified and managed
  - the level of certainty that internal obligations would be met was MODERATE

For internal obligations we learned that:
  - few resources were addressing these obligations
  - these were not being managed
  - most of the processes were uncontrolled or ad-hoc
  - most of the obligations were not documented and did not have clear goals and objectives
  - the level of certainty that internal obligations would be advanced was LOW

Given that ESG goals and targets fell mostly under internal obligations and represent as much as (and perhaps more than) external obligations, it was difficult for organizations to meet their obligations using traditional compliance functions that prioritized regulatory requirements. Advancing ESG objectives using current approaches, resources, and organizational structures was not enough. In some cases, ESG objectives sat alongside the value chain but were not part of it. However, with others, ESG outcomes became part of the value created by an organization.

In all cases, a greater degree of alignment and coordination (i.e. governance and operational integration) was needed for organizations to make progress and realize the benefits from ESG along with other compliance efforts.

How to Improve the Probability of Success

To succeed you must manage all your obligations (ESG, along with others), but more importantly you need to keep your promises connected to them. This requires several things working together to produce the outcome of compliance: better safety, security, sustainability, quality, lower risk, and ultimately better stakeholder trust. Implementing a management program following a standard such as ISO 37301 can help you achieve those outcomes. But only if you intend to keep your promises. Otherwise, it will just be another standard among others that adds more work and cost and delivers few benefits.

In a recent webinar, we walked through this standard to better understand what ISO 37301 is all about, how it works, and how to use it to keep all your promises, including those associated with ESG. Implementing this standard will help you realize more than just incremental improvements. You will experience transformational benefits that compound year over year, which is needed to make progress towards ESG goals and outcomes.
- The Regulatory Tsunami
In recent years many in the compliance industry have observed a shift in regulation from prescriptive to performance and outcome-based designs. What we are seeing is only the beginning of a trickle-down effect emerging from regulatory reform over the last few decades across regulatory jurisdictions and across the world. During this time an increasing number of regulatory bodies have started to modernize the function of regulation, its processes and practices, and how regulation itself is regulated (meta-regulation). Most of this transformation has centered around the adoption of risk-based strategies, operations, and tactics. There are many reasons why this is happening. However, what is perhaps more important is that it is happening, bringing with it continued changes for those who operate under regulation and to the role of compliance.
- Integrated Regulatory and Compliance Taxonomy
To effectively meet compliance obligations, it is essential to differentiate regulatory and compliance demand according to their designs. Regulations and standards are typically designed according to one of the following four types:
  - prescriptive
  - management-based
  - performance-based
  - general duty / liability

Each type of design requires a different approach and can create different demands on organizations, which can be categorized as:
  - Persistent maintenance – needs to be true for all time.
  - Persistent achievement – needs to be achieved by a deadline and then always true after that.
  - Non-Persistence – they need to be true when a certain condition arises.

Compliance obligations are the promises that organizations agree to keep with respect to compliance demand. Obligations have in the past been mostly prescriptive in nature. However, increasingly, they are better described as promises to achieve a certain capability of compliance maturity that is expected to improve over time. As such, they will each have their own set of goals, measures and risks.

In the context of increasing and often overlapping compliance demand, an integrated taxonomy enables companies to rationalize their obligations, which can lead to an increase in efficiency and overall effectiveness. Adopting ISO 19600 (obligation management guideline) helps companies to organize and manage their obligations in a consistent manner which, when combined with an integrated taxonomy, affords organizations the knowledge they need to help ensure that all their obligations are addressed.
- Why You Need a Compliance Architect
In a world of competing and overlapping compliance demands, siloed departments, and numerous stakeholders, the role of an architect is needed more than ever. Whether you are building compliance programs, management systems, or actual buildings, lessons learned from architecture can provide helpful insights and approaches to address today's compliance challenges. An important role of an architect is to take multiple stakeholder concerns and achieve as much of the intended outcome as possible.

"An architect is a generalist, not a specialist — the conductor of a symphony, not a virtuoso who plays every instrument perfectly. As a practitioner, an architect coordinates a team of professionals that include structural and mechanical engineers, interior designers, building-code consultants, landscape architects, specifications, writers, contractors and specialists from other disciplines. Typically, the interest of some team members will compete with the interest of others. An architect must know enough about each discipline to negotiate and synthesize competing demands while honoring the needs of the client and the integrity of the entire project." — 101 Things I Learned in Architecture School (Matthew Frederick)

Architects see limitations and constraints as creative challenges. When building compliance platforms, some of the creative tensions that arise include:
  - prescriptive versus descriptive
  - process versus content
  - behavior versus systems
  - do it now versus do it later
  - top down versus bottom up
  - audit-fix versus continuous improvement
  - ease of use versus utility
  - user experience versus functionality
  - safety versus productivity
  - quality versus performance
  - one process versus multiple processes
  - simple versus comprehensive
  - immediate versus long term
  - tactical versus strategic
  - schedule versus cost
  - and so on

Architecture provides techniques and tools that are helpful to balance these kinds of concerns.

One powerful technique is to focus on the process and not on the end goal, which seems counter-intuitive. Being process oriented means (from 101 Things I Learned in Architecture School):
  - seeking to understand a problem before chasing solutions
  - not force-fitting solutions to old problems onto new problems
  - removing yourself from prideful investment in your projects and being slow to fall in love with your ideas
  - making design investigations and decisions holistically (that address several aspects of a design problem at once) rather than sequentially (that finalize one aspect of a solution before investigating the next)
  - making design decisions conditionally — that is, with the awareness that they may or may not work out as you continue toward a final solution
  - knowing when to change and when to stick with previous decisions
  - accepting as normal the anxiety that comes from not knowing what to do
  - working fluidly between concept-scale and detail-scale to see how each informs the other
  - always asking "What if ...?" regardless of how satisfied you are with your solution

Many of these ideas are similar to those found in LEAN and Design Thinking to help solve problems and find solutions to the most difficult challenges that companies are now facing. Fixing compliance problems with short-term tactical solutions is not enough. What is needed are more holistic approaches that deliver more value to all stakeholders, and this is what architects do best.

To learn more about how Lean Compliance can help architect your compliance programs or management systems, visit our website at www.leancompliance.ca
- System Dynamics
System dynamics (SD), according to the System Dynamics Society, is a computer-aided approach to policy analysis and design. It applies to dynamic problems arising in complex social, managerial, or ecological systems – literally any dynamic systems characterized by interdependence, mutual interaction, information feedback, and circular causality.

The term "System Dynamics" was coined by Jay Forrester at MIT in 1961. The aim was to explore dynamic responses to changes made either within or outside of a system to explain the past and predict the future. This makes System Dynamics useful for better understanding and improving socio-technical problems in the domain of quality, safety, environmental, and regulatory programs and systems.

When trying to understand systems we often start by taking a snapshot of the situation, which creates a static and linear causality representation of reality. This is perhaps a first-order approximation which may provide useful initial insights. However, to more fully understand the past and predict the future, a dynamic model is needed that represents the interdependence of system components. This is where causal loops are used.

Causal loop diagrams (CLDs) were introduced by Jay Forrester (1961) and have been developed further since. The purpose of a CLD is to map out the structure and influences on system behavior. In theory, there are two kinds of causal loops: reinforcing or balancing. Negative reinforcing causal loops are called vicious cycles and have unfavourable outcomes. Positive reinforcing causal loops are called virtuous cycles and have favourable results. Balancing loops keep the system at equilibrium.

At a high level, managed quality, safety, environmental, and regulatory systems are designed to maintain consistency. The audit / fix cycle forms a negative feedback loop that uses corrective actions to adjust the system output back within control limits. This forms a balancing causal loop.

However, the effect of these adjustments can destabilize a system when capabilities to restore equilibrium are inadequate. This is amplified when a system must achieve new levels of performance outside of its current capabilities. It is here that SD becomes an important tool to help policy makers better improve outcomes of their compliance programs.

SD can help to evaluate policy changes made as part of performance-based obligations to ensure that underlying systems have the capabilities, capacity, and competencies to achieve and sustain new levels of performance. This assists the function of the program level of a managed system to:
  - Introduce change by means of continuous improvement without destabilizing the underlying system
  - Adjust system capabilities to meet increasing performance demand
  - Evaluate and adjust outcomes to optimize overall system effectiveness
- Total Safety Management
Many companies will be familiar with the terms Total Quality Management (TQM), or Total Production System (TPS). They began initially to describe a Japanese-style management for quality improvement. TQM (and its variants) represent a philosophy of a broad and systemic approach to managing organizational quality which sets the context for a quality management system (QMS). It extends beyond the quality of products and services to the quality of all issues within an organization.

When it comes to safety efforts, the evolution towards using safety management systems (SMS) has become standard practice for industries that include aerospace and the chemical industry, and is now a matter of priority for others such as the pipeline industry in the US. However, in recent years, major incidents have made it clear that there is still a necessity for companies to improve their safety capabilities through the application of systematic and proactive approaches:

"not as a stand-alone activity that is separate from the main activities and processes of the organization, but as an integrated part of total performance management" [2]

Building on the success of TQM, Goetsch (1998) introduced the concept of Total Safety Management (TSM) as a performance-oriented approach. The fundamentals of this approach include:
  - a strategic approach to safety,
  - emphasis on performance assessment,
  - employee empowerment,
  - reliance upon robust methods of risk analysis, and
  - continual improvement.

More specific organizational processes have been proposed since by various organizations. Integration of safety with quality, environment and productivity has also been proposed by means of:
  - Strategic and cultural integration in order to enhance learning, continuous performance, stakeholder involvement and participative management.
  - Coordination of common business processes between safety, quality, environment.
  - Correspondence of different standards (e.g. ISO 9001, 14000, 31000, etc.) with cross-references and possibly a common information system.

However, while there is utility in these approaches, they do not get to the heart of the matter, which is a need for a systematic methodology that is risk-based and performance-oriented with a focus on continuous improvement.

TOSCA Approach to TSM

A European project under the name of TOSCA (Total Operations Management of Safety Critical Activities) has proposed the following five principles for TSM based on effective risk management (RM) principles derived from ISO 31000:
  - RM should be part of all decision making and organizational processes and provide a capability for creating value for business;
  - RM should be based on best available risk information to create a common operational picture about risks;
  - Participative risk management must ensure that all the needs of stakeholders are taken into account while their knowledge about risks is brought into play;
  - Knowledge management should be part of risk management so that all knowledge about risks is managed effectively and all RM techniques are better integrated;
  - Performance monitoring and operational feedback is necessary for making RM dynamic, iterative, and responsive to change. At the same time, this will facilitate continual improvement of the organization.

Each of these principles is defined and elaborated in their proposed methodology. However, it is the second principle that I believe communicates where the fundamental paradigm shift needs to occur.

It is common for safety management systems to focus their attention on correcting safety problems to return to normal operations. This is the same focus that quality has in the use of corrective and preventive actions (CAPA) processes. As I have discussed in previous blog posts, this is known as feed-back control, which is reactive in nature. There are no predictive or anticipatory capabilities to foresee future states or events. This is why a feed-forward process is needed using a model-driven control.

It is the model that provides predictive capabilities that can help to address the effects of uncertainty before they happen. It is important to note that performance indicators can now be measured not in terms of outcomes (lagging indicators) but instead as antecedents (leading indicators) so that changes are made before undesired outcomes are produced.

Adopting Total Safety Management (TSM) will require that existing safety management systems change from reactive to proactive behaviors. Effective risk management is at the core of this change and it is here that continuous improvement is needed. More information about TSM can be found in the following reference materials:

References:
[1] Total Safety Management: Principles, processes and methods, 2016, T. Kontogiannis, M.C. Leva & N. Balfe
[2] Total Safety Management: What are the Main Areas of Concern in the Integration of Best Available Methods and Tools, 2014, Maria Chiara Leva, Nora Balfe, Tom Kontogiannis, Emmanuel Plot, Micaela De Michela
[3] TOSCA (Total Operations Management for Safety Critical Activities) project











