COMPLIANCE
- When The Internet Is The Hazard
We have come a long way since the early days of the internet, when the world was your oyster and the only risk was the risk of not going on-line. Today the internet is different. The opportunities are still high, but so are the threats. Instead of looking out for hazards – sites to avoid – the internet itself has become a hazard. In this post, we explore what it means for the internet to be considered a hazard and how this might help organizations better contend with risk.

The Hazardous Internet

Recently I heard of an organization in the financial sector conducting a dark launch of new features they were introducing to their on-line platform. A dark launch is a “safe” way to release production-ready software to a small group without exposing the rest of the user base. This technique provides feedback and performance measurements along with the level of cyber risk. Within seconds of the launch they detected several bots aggressively attacking their platform. Deploying applications on the net is like putting your hand in a tank of piranha fish. When it comes to the internet, threats are not a probability that may or may not happen. Threats are a certainty and continuous. The internet, for all intents and purposes, is a hazardous environment where prolonged exposure will lead to possible harm – eventually.

What Is A Hazard?

Organizations need to contend with all kinds of hazards.
For example, when it comes to occupational hazards these will include:
  - Chemicals - hazardous chemicals
  - Ergonomic - lifting, pushing, pulling, sitting, standing, lighting, shift work, office, tools, musculoskeletal disorders
  - Health - pandemics, biological, diseases, disorders, injuries, mould
  - Physical - temperature, indoor air quality, noise, radiation
  - Psychosocial - stress, violence / bullying
  - Safety - driving, electrical, forklifts, garages, ladders, machinery, material handling, platforms, slips, trips & falls, tools
  - Workplace - confined spaces, scents, indoor air quality, lasers, temperature, ventilation, violence, weather, working alone

Hazards are conditions or actions that may harm a person, business, environment, communities, or anything that we value and want to protect. Hazards are a manifestation of uncertainty – hazards create the opportunity for risk. Fortunately, operating safely in hazardous environments is not a new concern. This is the focus of occupational health and safety, process and pipeline safety, aviation & aerospace, and functional safety. Safety in these domains has been studied and practised for decades, long before the internet was introduced. Viewing the internet as a hazard, while undesirable in some ways, can also be instructive and affords the application of a body of knowledge used in safety domains to help contend with risk. In these areas the bow-tie analysis is used extensively to help operate safely in the presence of hazards. Can it help with handling the hazardous internet?

Operating In The Presence Of A Hazard

The bow-tie helps us understand two system properties of cyber security: reliability and resilience, which are used to contend with the hazardous internet (i.e. the dragon of uncertainty). Reliability is a measure of prevention whereas resilience is a measure of recovery.
Both prevention and recovery controls are needed when working in hazardous conditions and processes, and, as it turns out, the internet.

Reliability

Reliability is the left hand side of the bow-tie, where we find prevention controls. Reliability concerns itself with "keeping the lights on." Prevention is better than recovering from a breach. That is why safeguarding against continuous threats is the priority for those operating on-line. The reliability of a system is often defined as “the probability that the system does not fail in a given environment, during a specified exposure time interval.” Nancy Leveson (a leader in systems reliability and safety) states that reliability is a controls problem. This means establishing and managing barriers of defence, safeguards, and other measures that prevent threats from becoming a reality. The effectiveness of prevention controls is a predictor of reliability.

Resilience

Resilience is the right hand side of the bow-tie, where we find recovery controls. Resilience concerns itself with "restoring the lights after a disruption." In Eric Hollnagel’s book (Resilience Engineering in Practice, 2010) resilience is defined as “the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions." Hollnagel might say that resilience is an adaptation problem. The goal of resilience is to recover in the event of a minor disruption. When these occur, loss mitigation and recovery measures are deployed to limit the disruption and restore reliability. Resilience is needed to contend with risk that cannot be prevented. Resilience is not a substitute for poor planning or unreliability.
At the speed that risk becomes a reality, you will never have enough time to adapt after the fact if you are not prepared. The effectiveness of recovery controls is a predictor of resilience.

Reliability And Resilience - Yin and Yang

In practice, you can’t have one without the other. It is true that the higher the reliability, the less resilience one needs. For example, a system with 100% reliability does not need to recover from failure. However, when failure does occur, resilience can reduce the effects and limit the disruption, which in turn reinforces reliability. Often resilience measures find their way onto the reliability side of the risk equation. As important as the system properties reliability and resilience are, they are not sufficient to contend with the hazardous internet. Some risk is irreducible and cannot be prevented or mitigated. For these, margin is needed in the form of capital reserves, buffers, insurance and other contingencies to address losses. A comprehensive risk/certainty strategy and plan ensures that uncertainty in all its forms is effectively handled. You need reliability and resilience to contend with reducible risk, and for everything else, margin.

Summary

Some organizations are still catching up and coming to grips with the fact that the internet is no longer, or never was, a safe place to browse or do business. For them, they will do their best (I am sure) as they hope for the best. Other organizations view the internet differently. They see its potential but realize that it is a hazard that needs to be managed. Unfortunately, the risk cannot be eliminated by removing the hazard, so we must learn to operate in the presence of hazards.
Viewing the internet as a hazard, while undesirable in some ways, can also be instructive and affords the application of a body of knowledge used in safety domains to help contend with hazards – a primary source of uncertainty and risk. So it's time to learn how to use BOW-TIES, HAZOPS, BARRIER ANALYSIS, STAMP / STA, FRAM, and other tools of the trade. These are not new but might be new to you.
- Organizational Hazards
In this article we will look at a different kind of hazard. Not a physical hazard such as a toxic chemical or flammable gas, which are sources of physical harm. Instead, we will look at organizational hazards that are sources of harm to an organization's ability to achieve overall mission success. These are areas of uncertainty that, if not addressed, create the possibility for "institutional" or "operational" risk. For purposeful and goal-oriented organizations, sources of uncertainty can often be found with respect to its goals, how an organization works, and the strategies used to effect change:

1. Uncertainty of the goals and objectives

Companies use roadmaps to take them from where they are now to where they would like to be in the future. Uncertainty in any of the elements of the roadmap will impact mission success. These include:
  - Uncertainty of where an organization has been in the past
  - Uncertainty with how an organization perceives where they are now
  - Uncertainty with their prediction of the future

Not addressing these uncertainties may result in scenarios such as having the right goal but starting at the wrong spot on the roadmap; a place where you have not yet arrived.

2. Uncertainty with the model of the organization

Each organization will have some idea or model for how their organization works. The sophistication of the model is not always what is important. What is important is that it is able to predict outcomes. That is, if we do A then we expect B to happen. Causation will lie somewhere between deterministic and probabilistic behaviors. Deterministic processes are characterized by having the same outputs for the same inputs and initial conditions, whereas probabilistic processes will have a variety of outputs based on the same inputs and initial conditions. Knowing what kind of processes an organization has will help to determine what strategies to use to achieve mission success.

3. Uncertainty with the strategies used to effect change

The more complex a system is, the harder it is to know what changes will produce a desired change in outcomes. There will always be uncertainty in the outcomes along with a possibility for unintended consequences. However, even when systems are more ordered and deterministic there will be uncertainty in the effectiveness of replacing old behaviors with new ones to achieve different results. Habits are hard to change, particularly when they were once good habits.

Strategies to Improve the Probability of Success

To help determine which strategies to use to improve the certainty of achieving mission success, we can classify organizational systems across the dimensions of order and chaos, and certainty and uncertainty, as shown in the following diagram:

Static Zone

This is a system that is ordered, mostly deterministic, and with predictable causation. This defines normal operations and practices for an organization. Standard practices and procedures are the focus and productivity is the ultimate goal, which is constantly measured, assessed, and improved. Conformance to standard is embedded in the culture, which by its nature resists variation. The side effect is that it also resists change, making improvements slow to implement and uncertain. This requires change management strategies to improve the probability that changes are completed and effective. Lack of improvement is the hazard for organizational systems in the static zone.

Variable Zone

This is a system that is mostly deterministic but has drifted into disorder. This defines abnormal operations and requires a return to normal practices. Behaviors and practices often focus on what is common but not what is best. Processes are needed to address deviance and variability, often achieved through audits, analysis, and remediation. Quality management is used to standardize behaviors and practices and improve consistency. Lack of conformance is the hazard, and normalization of deviance must be avoided to prevent a drift to failure.

Probabilistic Zone

This is a system that is mostly ordered but not as deterministic as had been thought, resulting in a variety of outcomes. This describes the result of uncertain operations, where companies don't know exactly what the results will be. Variability is a result of a lack of knowledge or is associated with chance (random variability). Processes may be defined but tend not to be effective (ordered uncertainty). Focus is usually on "best efforts" not "best outcomes". Improved models are needed to effectively buy down reducible risk by reducing the likelihoods and consequences of undesirable outcomes. In addition, measures are needed to contend with natural variability. This is the domain of Risk Management and Lean Six-Sigma. Lack of knowledge is the hazard, due to a failure to learn.

Unpredictable Zone

This is a system that is disordered and uncertain and defines unpredictable operations. This is often the case when organizations fail to anticipate and protect. Organizations cannot predict to any level of confidence what the outcomes of their efforts will be. This may be the result of unsafe work practices or conditions increasing the chance for breaches that negatively affect quality, safety, security, reputation or any other objectives. The hazard in this case is a lack of protection. Emergency response and incident management are needed to react, stabilize, and improve levels of protection. If you cannot predict then you need to protect as if it will happen.

Summary

In practice, organizational maturity and type of business determine the zone where most of an organization's systems and processes exist. Companies in highly-regulated, high-risk sectors will require greater levels of organizational maturity to combat uncertainty and disorder, as more is at risk. However, even when organizations are performing well under normal operations they are at risk of drifting to other zones due to a lack of attention, rigor, and pro-activity, which are themselves hazards to avoid.
- Risk Blindness: A Failure in Risk Perception
Imagine you're attending a meeting to discuss potential dangers during a company restructuring. You, and everyone else present, understand the importance of identifying and mitigating hazards. But then, a key player storms out, claiming there's nothing to worry about. Confused? Welcome to the world of risk management, where narrow definitions often create blind spots and uncertainty. This is exactly what happened to me. We were discussing operational threats stemming from a reorganization, something particularly critical in high-risk industries. The Process Safety Manager (PSM), responsible for traditional hazard assessments, confidently declared he had no business there – "there are no hazards here," he stated before walking out. He was right, but only from a technical standpoint. In his world, "hazards" have a specific meaning. However, he failed to recognize a crucial point: the reorganization itself posed a risk to his ability to manage those very hazards. Changes in roles, responsibilities, systems, and processes could potentially disrupt his established safety protocols. In short, he was overlooking organizational hazards.

This incident highlights a critical challenge in risk management: silos and fragmented definitions. Different domains have their own risk vocabularies, often leaving broader threats unseen. What we need is a more holistic approach, something like Total Risk Management (TRM). TRM would act as an umbrella, encompassing all potential sources of uncertainty that can impact an organization's success. It acknowledges that risks go beyond technical hazards and delve into organizational dynamics, reputational concerns, financial vulnerabilities, and more. ISO 31000, from my perspective, recognizes what is well known to many in high-risk industries, which is that uncertainty is the root cause of all risk. Uncertainty creates the opportunity for risk independent of its effects.
In fact, several risk-based regulations mandate this approach and further define its natures: aleatory and epistemic uncertainty, which help direct what measures to use to handle them. These distinctions have helped manage complexities beyond the de-minimis and provide the foundation for a universal definition. We're attempting to implement this philosophy and it's an uphill battle, but one worth fighting. By adopting a broader perspective on both risk and compliance, we can ensure that even during periods of change, we can effectively safeguard our people, operations, and ultimately, our mission. Let's keep the dialogue going! Share your thoughts and experiences with risk & compliance. Together, we can elevate our understanding and create a safer, more resilient future for our organizations.
- A Cure For Compliance Blindness
When life is uncertain we are blind to what may lie ahead. As a result we are more likely to bump into things, fall in a hole, or any number of things that might harm us. Our anxiety will no doubt also be high, never sure of what may happen. So we walk slowly, test every step, as limiting as that might be, to keep from hitting a wall, falling in a hole, or walking off the edge of a cliff. This is what it is like for many organizations with their compliance. They don’t know their obligations or the commitments they have made and are unsure of how to stay between the lines. These organizations have a form of compliance blindness. So they act slowly, audit every step, as limiting as that might be, with hopes that everything and everyone stays on-side and heading in the right direction. Never sure of what may happen, anxiety will replace what little assurance they might have. Fortunately, compliance blindness is for the most part curable.

Improving Our Vision

How do we create the vision needed to move faster while staying between the lines? Compliance needs to contend first with epistemic uncertainty. The lack of knowledge (more than just lack of data) creates the greatest amount of blindness and is reducible by:
  - Knowing your obligations (KYO).
  - Identifying your commitments to meet your obligations (goals, targets, objectives, etc.) and how these commitments will be met.
  - Estimating the uncertainty of keeping all your promises (operational risk) associated with each obligation.
  - Establishing measures to improve the probability of keeping all your promises and meeting all your obligations.
  - Implementing real-time systems that always let you know the status of your compliance and risk.

This will act as a real-time GPS / radar to improve your vision and avoid obstacles, ensuring progress towards mission success. Confidence will replace anxiety, providing the assurance that organizations need. Some will finally be able to sleep at night.

What We Still Cannot See

There will still be things we cannot know or see. This is a form of aleatory uncertainty, which is irreducible. This risk can only be addressed by using margins (buffers, contingency, insurance, etc.) to cushion the effects when we run into something or something runs into us. The amount of margin we need will depend on how much irreducible risk we have.

Intentional Blindness

Keeping our heads in the sand and staying blind to our obligations is a blindness that can and should be avoided. If we don't buy down reducible risk we will need even more margin than we would have otherwise. We will need to cover the loss of reputation, quality, safety, trust, and perhaps the loss of our business. These costs will be much higher than the measures to buy down risk in the first place. Is your organization suffering from compliance blindness?
- Why Organizations Are Ineffective at Compliance
A seemingly simple question was asked of Satya Nadella, CEO of Microsoft, that resonates with profound implications: "Why do cars have brakes?" The answer given was "So they can go fast." The wisdom encapsulated in his answer unveils a deep understanding of the science behind regulation and compliance and how they work together.

The Brakes-Compliance Nexus

At first glance, the connection between mechanical brakes and organizational compliance might seem distant. Yet, the essence of both lies in the pursuit of equilibrium between movement and restraint. Just as brakes empower cars to accelerate while maintaining safety, compliance enables organizations to surge ahead while adhering to ethical and legal standards. This intersection between brakes and compliance mirrors the principles of cybernetics—a field that studies control systems and communication in machines and living organisms.

External Regulation requires Internal Compliance

Imagine a world where cars sped along highways at varied and unrestricted velocities—a recipe for chaos and accidents. To prevent such mayhem, governments establish speed limits, serving as external regulators that impose a standard pace for safe travel. This external control mechanism parallels the role of compliance regulations in organizations. Similar to speed limits, compliance obligations act as benchmarks, guiding companies to navigate within ethical and legal boundaries. However, meeting external regulations requires compliance. Just as drivers commit to adhering to speed limits as a promise of responsible driving, organizations pledge to comply with regulations as a condition of their legal and social license to operate. This commitment necessitates a process to ensure compliance—a practice mirrored in the automotive world by a driver's conscious control over their speed, facilitated by the use of brakes. This process is called self-regulation.

Effective Compliance requires Effective Regulation

The interplay between compliance and regulation is not unlike a system of cooperating processes—effective compliance requires effective regulation, and vice versa. Just as a car's braking system is a measure of compliance allowing the driver to self-regulate speed, organizations deploy compliance mechanisms to self-regulate within the constraints of legal, ethical, and social obligations. This reciprocal relationship is the crux of effective compliance. The reason why organizations are not effective at compliance with external regulations is that they are not effective at regulating their own functions, behaviours, and interactions. Saying this another way, organizations usually don't have a "compliance" problem; they have a problem with self-regulation.

Conclusion

In the world of automobiles, brakes are more than just tools for deceleration – they represent the delicate equilibrium between speed and control. In the same way, compliance isn't merely a checklist to be ticked off; it's an essential capability that allows organizations to navigate the dynamic landscape of risk while achieving their goals. Just as drivers commit to staying within speed limits, businesses must commit to complying with regulations. For this they need the function of self-regulation - the science behind compliance, and the "brakes" to allow them to go fast. So, the next time you hit the brakes in your car, remember the invaluable lesson they offer – the art of balancing speed and control, a lesson that resonates far beyond the realm of automobiles.
- Improving the Probability of Mission Success Using LEAN
This is a summary of my presentation made recently on the topic of Lean Logistics, which you can download below.

Introduction

I am Raimund Laqua, Founder and Chief Compliance Engineer at Lean Compliance. Today, I'm excited to delve into the realm of Lean Logistics and the profound impact that LEAN has on managing uncertainty within the value chain. Join me as we explore the intricacies of risk, the power of Lean principles, and the integration of value chain analysis to improve the probability of mission success.
- What is Operational Compliance?
When people hear the phrase “Operational Compliance” they often think of it in the same way as “Operational Risk” - a siloed function to audit conformance to legal rules that sits apart from, and is not embedded within, the business. However, this defines “Procedural Compliance”, which is based on a traditional and reactive model for compliance. Instead, “Operational Compliance”, which is based on a holistic and proactive model, defines a state of operability when all essential compliance functions, behaviours, and interactions exist and perform at the levels necessary to create the outcomes of compliance. These outcomes are associated with keeping promises connected with: safety, security, sustainability, environmental, quality, regulatory adherence, corporate ethics, responsible AI, and ultimately stakeholder trust. “Operational Compliance” is governed by two fundamental organizational obligations: (1) Stay between the lines, and (2) Stay ahead of risk. These can only be advanced when compliance is integral to the value chain and when obligations are operationalized, which are essential aspects of "Operational Compliance." Elevate your compliance by taking a step away from procedural towards Operational Compliance - a more effective way to do compliance.

Author's Note (Raimund Laqua): Follow me on LinkedIn or Subscribe to Lean Compliance (free) to stay notified regarding my upcoming book on "Operational Compliance", expected to be published later this year.
- A Credible Program Needs A Credible Plan
Complying with regulatory acts is not optional and ignorance of the law is not a defence. A credible compliance program will help organizations stay within the law by being aware of legal obligations and safeguarding against the risk of violating regulatory and legal boundaries. At the same time, a credible compliance program needs a credible plan to design, build, operate, maintain, and improve over time. Creating a task list and doing the basics are not enough to establish credibility or achieve effectiveness. In this article we take a deep dive into the Canadian guidelines regarding corporate compliance programs, along with 5 immutable principles for program success.

Purpose of a Corporate Compliance Program

The Canadian guidelines on corporate compliance define the purpose of a compliance program in the following way:

A good corporate compliance program helps to identify the boundaries of permissible conduct, as well as identify situations where it would be advisable to seek legal advice.

In essence a corporate compliance program keeps organizations operating within regulatory and legal lines. These lines form the basic boundaries for compliance with respect to a regulatory license to operate. Additional obligations will come from stakeholder commitments, which have more to do with a social license or, at minimum, internal boundaries defined by corporate values. These will in turn create additional boundaries that go beyond the basics.
Benefits of a Corporate Compliance Program

According to the guideline, a credible and effective corporate compliance program generates three broad benefits:
  - it signals an entity’s seriousness in tackling and addressing the legal obligations and ethical considerations facing businesses today;
  - reduces costs of compliance by helping to clarify, for business managers and officers, the boundaries of permissible conduct as well as situations that could put their business at risk of violating the Acts; and
  - should there be any violations of the Acts, it provides a possibility for the business to mitigate the cost of non‑compliance.

The following specific benefits may also be realized:
  - maintaining a good reputation;
  - improving a business’ ability to recruit and retain staff—a business with a reputation for compliance is likely to attract higher‑quality employees and have a better employee retention rate;
  - improving a business’ ability to attract and retain customers and suppliers who value companies that operate ethically;
  - reducing the risk of non‑compliance;
  - triggering early warnings of potentially illegal conduct;
  - allowing a business to qualify for favourable treatment in sentencing, or reducing costs related to litigation, fines, AMPs, adverse publicity and the disruption to operations resulting from an investigation and/or proceedings before the court;
  - reducing the exposure of employees, management and the business to criminal or civil liability;
  - educating employees as to the appropriate course of conduct if called upon to provide evidence in the course of an inquiry or if the company is the target of such an inquiry;
  - assisting a business and its employees in their dealings with the government—for example, by identifying contraventions of the regulatory acts early enough to request immunity or leniency; and
  - increasing awareness of possible conduct in breach of regulatory acts among competitors, suppliers and customers in the market.

With respect to stakeholder obligations (internal or external) the following additional benefits may also accrue:
  - reduced impact on the environment
  - safer work environment
  - greater data protection and privacy
  - increased legitimacy
  - greater stakeholder value
  - greater trust

Basic Requirements for a Corporate Compliance Program

A credible and effective compliance program is one that addresses the risk profile of the business, taking into account its resources and activities. In all cases a compliance program should have these seven basic elements as described in the guideline:
  - Management Commitment and Support – Management's clear, continuous and unequivocal commitment and support is the foundation of a credible and effective corporate compliance program.
  - Risk‑based Corporate Compliance Assessment – A thorough assessment of the potential risks faced by a company will allow it to properly design compliance strategies that address those risks.
  - Corporate Compliance Policies and Procedures – A corporate compliance program should be tailored to the operations of a business and establish internal controls that reflect its risk profile.
  - Compliance Training and Communication – A credible and effective corporate compliance program includes on‑going training and communications focusing on compliance issues for staff at all levels who are in a position to potentially engage in, or be exposed to, conduct in breach of the Act.
  - Monitoring, Verification and Reporting Mechanisms – Monitoring, verification and reporting mechanisms are vital to the success of any corporate compliance program.
  - Consistent Disciplinary Procedures and Incentives for Compliance – Consistent disciplinary actions as well as appropriate compliance‑related incentive plans demonstrate the seriousness with which the business views conduct in breach of the Act and its commitment to compliance.
  - Compliance Program Evaluation – A program’s ability to deliver its core objective must continuously be assessed. It is also necessary to monitor new developments regarding the Acts and business activities to determine their impact on the program.

However, to realize the broader set of compliance benefits, organizations will need to go beyond these basic requirements.

A Credible Program Needs a Credible Plan

Instead of doing the basics, organizations should do what is essential to realize compliance benefits and contend with operational risk. A credible and effective program, with the capabilities needed to achieve and sustain the outcome of compliance as evidenced by realized benefits, requires a credible plan. Programs at an operational level manage systems and processes that achieve compliance objectives. These systems are socio-technical in nature and objectives will vary in type and performance requirements. This all happens in the presence of uncertainty and may itself be subject to internal standards and guidelines. The following are 5 immutable principles of program success, adapted from Glen Alleman’s Five Immutable Principles of Project Success.

| PRINCIPLE | PLANNING QUESTIONS | EVIDENCE PRINCIPLE IS FOLLOWED |
| --- | --- | --- |
| 1. Define what compliance looks like. | Where are we heading? What are our goals and targets? What are our obligations & promises? How will we know when we are in compliance and when we are not? | Program Scope & Context; Obligations / Promises Register; Concept of Operations |
| 2. Create plan to realize and sustain compliance. | How will we meet all our obligations? How will we keep all our promises? How will we always stay between the lines? How will we manage change? How will we improve? | Integrated Master Plan & Schedule (IMPS) |
| 3. Resource the plan. | Do we have enough resources (people, technology, knowledge, capabilities, capacity etc.) to satisfy the plan? | Program Resource Plan |
| 4. Estimate and handle uncertainty. | What impediments or opportunities will we encounter? What could go wrong? What needs to go right? How will we recover when boundaries are breached? What is the nature of uncertainty (aleatory, epistemic, ontological, etc.)? What is our risk appetite? What is our risk tolerance? | Risk and Opportunity Register; Risk-adjusted IMPS; Risk Management Plan |
| 5. Measure progress. | How will success be measured? (MoE) How will performance be measured? (MoP) How will conformance be measured? (MoC) How will risk be measured? (MoR) | Benefits realized; Outcomes advanced; Risk ameliorated |

Following these principles has proven to increase the probability of success across all domains by helping organizations develop and execute credible program / project plans.
- The Compliance Dance – Closing gaps and raising standards
When it comes to meeting revenue, margins, and overall business objectives many organizations establish performance-based systems and processes to ensure that they meet their targets. However, when it comes to keeping compliance promises associated with quality of service, impact on the environment, and worker and public safety, organizations often put in place less rigorous systems where the notion of performance is connected more to cost than to advancing outcomes. Many organizations also limit their compliance efforts to reducing liability and avoiding prosecution by establishing audit processes to close the gap between work-as-prescribed and work-as-done. Compliance performance is then measured by the size and number of gaps that are discovered and the costs associated with closing them.

That is not the story for some organizations that aim higher and commit to achieving broader goals for their compliance such as: zero violations, zero emissions, zero fatalities, zero incidents, zero harm, zero breaches and other standards. There are many good reasons why companies will want to do this which I have written about here and here. For these organizations a different approach is taken, one that establishes processes that not only close the gaps to standard but also raise the standard towards the ideal. Even when they are closing gaps they will take a more holistic perspective that focuses on outcomes and effectiveness at the same time as efficiency and cost.

Closing Gaps

Maintaining consistency to a standard is the primary function of a compliance system and is accomplished by closing the gap between work-as-imagined or work-as-prescribed and work-as-done:
- Conformance gaps: what standards are we not consistently achieving that if we did would advance compliance effectiveness?

However, there are other gaps that also need to be addressed:
- Performance gaps: what are we doing that if we did more of would improve compliance effectiveness?
- Capability gaps: what are we not doing that if we did would improve compliance effectiveness?
- Achievement gaps: what objectives are we not achieving that if we did would advance compliance effectiveness?
- Uncertainty gaps: what threats or opportunities hinder or advance our objectives to meet all our obligations?

The conformance gap is by far the most common and often the only one that many companies pay attention to, particularly with respect to prescriptive obligations. However, closing these gaps is what is called a necessary, but not sufficient, condition to achieve or advance targeted compliance outcomes. You could say that closing these gaps is not an improvement at all but rather a step along the way to operational compliance, where real improvements can start to be made.

Raising Standards

Achieving effectiveness is the purpose of all compliance programs and is accomplished by raising standards as needed to achieve the targeted levels, as measured by progress towards compliance outcomes such as vision zero targets (zero harm, zero violations, zero incidents, and so on). This is not unlike how LEAN organizations use pull systems to improve the performance of their production processes. Performance issues are often hidden, although they commonly manifest themselves as stockpiles of inventory. What is difficult is knowing which part of the process to change so that overall productivity increases and these stockpiles are reduced. You can imagine asking the very same question when it comes to obligation debt, where the gaps also pile up. Where do you improve your compliance performance? In LEAN thinking we pull customer demand (rather than pushing it) to stress a production process and expose the parts of the process that are hindering performance the most. These are the activities that are not able to keep up and that create wait times upstream, which lets you know what to improve first, second, and so on. This approach is repeated until the flow through production creates zero wait times and continuous flow is achieved: zero waste and the highest performance. Using this process Taiichi Ohno was able to double the capacity of Toyota's manufacturing with the same number of people. The same can be achieved with respect to doubling a company's ability to meet its obligations at the same cost. Wouldn't that be good!

What a pull system does for manufacturing is what raising standards does for compliance. When you raise standards you quickly observe the areas that are holding you back the most. You will then have a ranked list of areas to improve to unleash greater compliance capacity, efficiency, and obligation performance. You will also be able to identify any uncertainty in meeting obligations, which will tell you where to put your risk controls.

The Challenge

The challenge that many organizations face is how to do both: close gaps while raising standards at the same time. It is a dance that most never learn. Many never move beyond closing gaps, and many will wait until a major incident has occurred before they raise their standards. Unfortunately, waiting is not only a waste when it comes to manufacturing, it is also a waste when it comes to compliance. Compliance is famously known for bottom-line thinking focused on passing audits. Seldom is any attention given to top-line considerations, which would include better outcomes for the organization. We know that in order to achieve mission success organizations need to focus on both top and bottom lines; however, what many don't know is that this is also true for meeting obligations. The compliance dance is not really anything new. It is the same dance that organizations have applied for years to their value chain and now need to apply to their compliance chain. You take two steps forward, and then one step up, do the hokey pokey and turn your compliance around. That's what it's all about.
- The Qualitative Nature of Quality
The purpose of a quality program is fundamentally to improve the quality of something. However, with today's focus on quality systems and conformance to standards, this is often overlooked, which is why we need to revisit what quality is and how it can be improved. Companies that only implement quality systems will at best improve the quantity of things and risk not making a qualitative difference in outcomes. Quality by its very definition requires making distinctions between qualitative differences of products and services in ways that improve their suitability for their intended use. However, perhaps more importantly, we must also ask, "does this characteristic qualitatively improve customer satisfaction?" Both of these questions extend beyond numerical comparisons to value-based comparisons for their answers.

Over the last decade there has been significant attention given to the quantitative aspect of quality, with Six Sigma and LEAN leading the way. In fact, even when qualitative characteristics are considered they are often mapped to quantitative measures to serve as a "proxy", although not always a good one. Quantitative measurements are considered by many as better than qualitative measurements. One of the reasons given for this is that the former are objective whereas qualitative measurements are subjective and therefore prone to biases. However, they serve different purposes and you cannot replace one with the other. You need both if you want to improve quality; otherwise you risk only improving the quantifiable aspects of a product or service without actually improving its quality.

This focus on quantitative measures has also been applied to quality management systems, where key performance indicators are measured and monitored. Management systems are regulated, as their production counterparts are, to maintain a consistent output using standard operating procedures, measurements and monitoring, inspections and audits, and so on. You could say that systems manage the quantitative aspect of quality. What is missing is the management of the qualitative aspect of quality, and this is where quality programs come in. Quality programs are focused on qualitatively improving an attribute or outcome. Programs manage the gap between the quantitative world based on facts and the qualitative world based on values.

One way to understand this is by considering the following scenario involving regulating the temperature of a house. Houses typically have a heating and cooling system (HVAC) to regulate temperature. The objective of the HVAC system is to maintain the internal temperature of the house at the parameter set by a thermostat. This parameter is called the set point and represents a numerical value for temperature. The HVAC system is always answering the question, "is the temperature in the house equal to the set point?" The answer is given as an offset (positive or negative) used to determine whether to heat or cool the house. However, what the HVAC system cannot do is answer the question, "is the room comfortable?" That is a qualitative measure which requires a value judgment. If more than one person lives in your house you know that each person will have a different idea of what is "comfortable." This value decision is made by a person who then adjusts the thermostat (i.e. the set point) accordingly.

This is precisely what quality programs do: they facilitate making value decisions connected with customer satisfaction, which are then used to adjust the set points of underlying systems (management and production) to achieve the desired outcome. This is in some fashion a form of regulation based on a qualitative assessment instead of a quantitative measure. While qualitative regulation is an important capability missing from many organizations, it is perhaps not the most important function of a quality program. There is still another question that quality programs answer that can significantly influence customer satisfaction, and it is this: "are our systems capable of achieving customer satisfaction?" In the case of the heating and cooling scenario, "is the HVAC system capable of keeping the room comfortable?" An HVAC system may not:
- be fast enough to heat or cool the room in response to external changes in temperature
- adequately address humidity
- control the temperature evenly across the entire house

Addressing these may require a different, more capable HVAC system or, at a minimum, improvements to the performance of the existing system. These are changes that the owner of the house may choose to make to be more comfortable. In the same way, quality program owners decide on changes to underlying systems to improve customer satisfaction. It is by making these decisions that the gap between quantitative and qualitative, or output and outcomes, is managed. Without a quality program to determine these changes companies are at risk of only improving the quantity of things without making a qualitative difference in outcomes.
- Two Obligations You Cannot Ignore
When it comes to compliance there are two primary obligations that you cannot ignore: stay between the lines and stay ahead of risk. Staying between the lines is focused on keeping risk out and certainty in. We want to operate within the ethical, legal, and beneficial boundaries necessary to maintain mission success. This is accomplished by such things as codes of conduct, rules, limits, guardrails, protocols, guidelines, procedures, and policies. Improvements are triggered by incidents of operating near or outside the lines. Staying ahead of risk is focused on advancing the probability of mission success. This is a dynamic and continuous endeavour to keep the dragons of uncertainty at bay, far enough away not to interfere with our mission. This is accomplished by contending with uncertainty using margins and buying down risk to the levels needed for our strategy to succeed. Improvements are triggered by the presence of uncertainty between us and our objectives.
- 10 Things I Learned About Compliance
The following is a list of 10 things that I learned about compliance that may not be well known to those outside of compliance or even to compliance veterans.
1. Compliance protects value and makes certain it is created.
2. Compliance does not hinder innovation, it creates the opportunity for it.
3. Uncertainty is the root cause of all risk - negative and positive.
4. The risks that really matter are the ones connected with goals and objectives.
5. Risk-adjusted plans improve the probability of success in the presence of uncertainty, not in spite of it.
6. LEAN reduces waste to create capacity for more value.
7. Governance provides oversight and actively steers towards better outcomes.
8. Compliance culture is built with action, not only by what people believe.
9. Taking ownership of obligations is a prerequisite for compliance success.
10. Keeping promises is the best way to ensure obligations are always met.
And one more... The "C" in compliance stands for care, because where there is care you will find safety, security, sustainability, quality, and other compliance outcomes. What have you learned about compliance?