COMPLIANCE
- Why You Need Compliance Engineers
It is unlikely that organizations will be able to meet all their stakeholder obligations without the benefits of engineering. However, this engineering must extend beyond individual disciplines to consider a broader set of knowledge, skills, and competencies to keep businesses operating between the lines, keep the public safe, and proactively meet environmental challenges. In this article we consider how both compliance and engineering have changed and why a new kind of engineering is emerging, one focused on compliance.

The Nature of Compliance

The compliance landscape has changed. Obligations are numerous, growing, and far reaching, covering mandatory and voluntary commitments along with environmental, social, and governance (ESG) objectives. In recent years we have also experienced a shift in regulation from prescriptive to performance- and outcome-based designs. There are many reasons for this shift, the primary one being the regulatory reform happening across the world as regulatory bodies modernize the function of regulation, its processes and practices, and how regulation itself is regulated (meta-regulation).

These changes to both regulation and compliance are having profound effects on organizations that operate under regulation. Organizations that want to take greater ownership of their obligations are finding that the traditional audit/fix cycles they have used in the past are not enough to keep their promises and stay ahead of risk. As a countermeasure, organizations are directing their efforts towards internalizing obligations, managing and improving compliance performance, and making progress on compliance outcomes. This involves the application of scientific principles from multiple domains: management theories, regulatory designs, system dynamics, organizational behaviours, information technologies, accountability frameworks, risk and uncertainty, to name a few.

However, what has been missing, and is now needed, is an engineering approach. In essence, compliance needs to be engineered rather than just audited. What we need are Compliance Engineers.

The Nature of Engineering

At a basic level engineers design and build things by applying scientific principles and technology. Professional engineering is defined in the Professional Engineers Act in Ontario, Canada, where I practice, as:

  - Any act of planning, designing, composing, evaluating, advising, reporting, directing or supervising (or the managing of any such act);
  - That requires the application of engineering principles; and
  - Concerns the safeguarding of life, health, property, economic interests, the public welfare or the environment, or the managing of any such act.

Over the years the scope and nature of engineering problems has changed in a similar way to the compliance landscape. Engineering solutions have increasingly required cross-functional considerations. This broader approach is particularly the case with respect to the safeguarding of life, health, property, economic interests, and the welfare of the environment. Engineering in these cases often crosses socio-technical boundaries, which requires a more holistic, systems-based approach, and one that focuses on risk. This is not unlike the problems that compliance has also tried to address.

The Compliance Engineering Nexus

Compliance has become an operational function within organizations that requires technical, management, and social components to work together as a system to achieve compliance outcomes such as safety, resilience, security, quality, and others. Compliance is effective when it improves the probability of mission success, which it does by guarding against and buying down risk. These measures form risk and compliance controls (risk treatments, if you like) that prevent and mitigate the effects of incidents, violations, defects, emissions, and so on.

This requires an operational model that is engineered to advance outcomes over time, contends with uncertainty, and performs efficiently. This model must have measures of effectiveness, measures of performance, and measures of conformance to properly identify capabilities and scale resources to always meet obligations. Those familiar with compliance will know that many organizations focus only on measures of conformance and to a far lesser degree on performance and effectiveness. Many view their effectiveness only in terms of not being fined rather than in terms of advancing outcomes. Failure to focus on outcomes will eventually lead to mission failure.

The Nature of a Compliance Engineer

Compliance needs to be engineered. This will require engineers who are multi-disciplinary and can cross the technical-social divide. They also need to be educated and trained in compliance to effectively build systems and processes that reduce risk and advance compliance outcomes. In my estimation we need Compliance Engineers who have knowledge, skills, and competencies that focus on:

  - Theories related to regulatory designs, promises and obligations, cybernetics, uncertainty and risk, management accountability and trust frameworks, organizational behaviours and dynamics, ethics, policy design, change management, etc.
  - Engineering principles related to safety, security, climate change, the environment, etc.
  - Management programs and standards: quality, safety, environmental, sustainability, security, IT, etc.
  - Systems engineering (goal-seeking, purposeful, full-stack systems)
  - Computer engineering (algorithms, machine learning, automation, digitalization, etc.)
  - Lean engineering (performance improvement, interventions, lean enablers, etc.)
  - Data management and statistics
  - Risk-based thinking and practices
  - Design and problem-solving skills
  - Project management

With this capability Compliance Engineers could help organizations build effective and robust compliance systems, processes, and practices. Compliance Engineers would also lead by example by upholding the values that compliance is striving towards. The following is an excerpt from the Code of Ethics of Canadian Professional Engineers, which aligns well with ethical organizations:

Professional engineers shall conduct themselves in an honourable and ethical manner. Professional engineers shall uphold the values of truth, honesty and trustworthiness and safeguard human life and welfare and the environment. In keeping with these basic tenets, professional engineers shall:

  - Hold paramount the safety, health and welfare of the public and the protection of the environment and promote health and safety within the workplace;
  - Offer services, advise on or undertake engineering assignments only in areas of their competence and practise in a careful and diligent manner;
  - Act as faithful agents of their clients or employers, maintain confidentiality and avoid conflicts of interest;
  - Keep themselves informed in order to maintain their competence, strive to advance the body of knowledge within which they practise and provide opportunities for the professional development of their subordinates;
  - Conduct themselves with equity, fairness, courtesy and good faith towards clients, colleagues and others, give credit where it is due, and accept, as well as give, honest and fair professional criticism;
  - Present clearly to employers and clients the possible consequences if engineering decisions or judgments are overruled or disregarded;
  - Report to their association or other appropriate agencies any illegal or unethical engineering decisions or practices by engineers or others;
  - Be aware of and ensure that clients and employers are made aware of societal and environmental consequences of actions or projects and endeavour to interpret engineering issues to the public in an objective and truthful manner; and
  - Treat equitably and promote the equitable treatment of all clients, colleagues and coworkers, regardless of race, religion, gender, sexual orientation, age, physical or mental ability, marital or family status, and national origin.

Summary

Traditional risk and compliance functions operating in silos on their own cannot meet the demands imposed by new regulatory frameworks and designs. Neither will adopting management standards or new information technologies if they are not designed or implemented to work together. Engineers have for years used scientific principles and the ability to consider multiple constraints to design efficient and effective systems. This is precisely what is needed for organizations to meet outcome- and performance-based compliance objectives that drive towards zero emissions, zero incidents, zero violations, zero defects, and other industry targets. We need to engineer our compliance, not just audit our conformance. We need Compliance Engineers.
- Four Corners of the Obligation Map
4 types of obligations, 4 compliance functions, 4 purposes, 4 measures.
- 5 Ways Risk Management Has Changed
Recent revisions to compliance standards and regulations have introduced changes to the way we think about and manage risk. Look at ISO 9001:2015, ISO 31000:2009, ICH Q9, API RP 1173, CSA, NEB, and many others and you will notice that risk no longer means what it used to. You will also notice that the risk tools have changed, and risk management has taken a different path. Risk is no longer just about managing loss; it has become an optimization strategy to increase the certainty of achieving objectives. Here are 5 ways in which risk management has changed:

1. Risks are tied to outcomes

Risk management up until now has been focused on loss prevention. Attention is given to understanding the probabilities of events that may negatively impact our programs, systems, or processes. This has been helpful but often results in risk registers being filled with risks, many of which do not really matter. Connecting risks to objectives allows risk managers to know which risks to address and which ones to ignore.

2. The focus of risk is on the effects on objectives

Risk management has also primarily focused on the probabilities of risk events. ISO 31000 changed this focus to "the effect of uncertainty on objectives." This does not remove the consideration of probabilities; however, it does move the analysis more towards how objectives will be affected by uncertainty. One of the benefits of taking this approach is that it can help with risks where prediction is very difficult. For those who are familiar with Black Swans, we know that probabilities are a poor predictor of outcomes. Prioritizing on effects may result in better mitigation than only looking at likelihoods.

3. The effects of risks are both negative and positive

Consideration of both negative and positive effects substantially transforms the value of risk management. Analyzing threats and opportunities advances risk management beyond just driving down risk. Instead, it allows risk to be used as an optimization strategy to increase the certainty of achieving outcomes. This requires, among other things, that many of the current risk tools (which were significantly influenced by the focus on loss prevention) change to support positive risk and opportunity enablement. Risk managers may also need to take on a more active posture in seeking out opportunities rather than only addressing existing hazards or the effects of failure modes.

4. Risk moves further into operations

Traditional as well as enterprise risk management has until recently focused on extrinsic risk: external risks that may impact our business. However, attention has now moved further into the operations of the business, where the focus is on intrinsic risk. Intrinsic risks are those that are internal to our programs, systems, and processes. Identifying these may require an increased knowledge of management systems and manufacturing processes to understand how best to prevent threats or enhance opportunities. The maturity of applying risk management to production processes is far along in some industries. At the same time, understanding how to identify risks embedded in quality, health and safety, and environmental programs may require additional training and expertise.

5. The role of risk is elevated by risk-based thinking

Some have criticized ISO for using the phrase "risk-based thinking" in the ISO 9001:2015 revision of the quality management standard. The major issue has been the lack of prescription on how risk-based thinking should be done. This criticism is reasonable given that many companies have until now worked mostly with prescriptive regulations using a check-box approach to compliance. They have not yet had to deal with the shift to performance-based approaches that many standards and regulatory bodies have recently taken. The onus is now on each company to figure out the "how" of risk-based thinking.

While this may be challenging in the short term, it should result in a more comprehensive approach to risk management tailored to each company's risk profile. This is a good thing. Those familiar with "Design Thinking" or "Lean Thinking" will know that the advantage of this type of approach is that it focuses first on the mindset before tools are ever considered. A tools-first approach has often led to inadequate risk assessments because the limitations of the preferred tool were not understood. Using a risk-based thinking approach, on the other hand, helps risk practitioners choose the best tools for each risk context. Here is a definition of risk-based thinking that captures the essential aspects of the recent changes to risk management:

Risk-based thinking requires companies to be proactive instead of waiting for audit findings to identify areas of risk and improvement.

The latter is what we call The Reactive Uncertainty Trap™. As many have commented about quality, you cannot inspect your way to quality; you need to design it in. The same is true for compliance. You cannot audit your way to better compliance. Instead, you need to apply proactive strategies like risk-based thinking to make certain you are always in compliance. If you are an ethical, ambitious company and want to avoid The Reactive Uncertainty Trap™, consider joining The Proactive Certainty Program™.
- Are You Effectively Managing the Impacts of Regulatory Change?
Organizations today face frequent and increasing regulatory changes across multiple jurisdictions, domains, and categories. These changes often become a significant source of risk to an organization's resilience if not handled carefully. It is therefore of vital importance that organizations successfully manage the impact of regulatory change before and when it occurs.

Impacts Introduced By Regulatory Change

Regulations, when changed, may affect a number of areas of a business, including:

1. Strategy, goals, and objectives outlined in policies,
2. Processes, standards, and practices documented in procedure documents,
3. Roles, responsibilities, and personnel as part of the organizational structure, and
4. Sites, facilities, and equipment structured as assets.

These areas are considered critical, having the greatest potential when changed to impact existing controls, expose latent risk, or introduce new risks to an organization. Each area of impact may have its own change process to address specific risk considerations but will usually follow a risk-based process as outlined below.

Risk-based Change Process

Implementing regulatory change will involve actions and sometimes requires a project to implement. However, in all cases the impacts of a regulatory change need first to be identified and understood. The identification of impacts is usually done as part of a change process. In highly regulated, high-risk industries this process is called Regulatory Management of Change (MOC); others simply call it Regulatory Change Management. To effectively manage regulatory change, companies adopt a risk-based process to identify and address direct and indirect impacts. This process moves a regulatory change through a series of stages where activities are performed by assigned resources, often determined by the nature of the change and the areas it impacts.

The change process starts with the Initiate step to capture the specifics of the regulatory change along with the risk context of the organization. Differences in risk culture will affect the level of rigour required in the subsequent steps of planning, approval, implementation, verification, and close-out:

1. Initiate Regulatory Change
   - Identify regulatory change
   - Identify changed compliance outcomes and objectives
   - Identify risk context
2. Assess Impacts
   - Engage stakeholders impacted by the change
   - Conduct impact analysis (policy, organizational, procedure, asset)
   - Identify change objectives (what you intend to implement)
   - Conduct risk assessment
3. Plan Implementation
   - Create implementation plan (technical changes)
   - Create transition plan (changes to behaviour, culture, values, etc.)
   - Create stakeholder communication plan
   - Identify necessary approvals
4. Approve Implementation
   - Obtain necessary approvals to proceed with implementation of the regulatory change
5. Implement Regulatory Change
   - Execute plans
   - Notify stakeholders
   - Conduct necessary training and qualification
6. Verify Regulatory Change
   - Verify training and change objectives are met
   - Verify that it is safe to restart the changed process or use the changed product
   - Validate compliance outcomes
7. Close Regulatory Change
   - Capture lessons learned
   - Communicate to stakeholders
   - Update documents, records, and systems

The purpose of following this process is to increase the probability that changes are implemented successfully with minimal risk to the organization. Each change goes through the same stages, but the level of rigour differs based on the level of risk introduced by the change itself. For example, low-risk changes may be fast-tracked using prescribed, risk-adjusted procedures, while higher-risk changes may involve a more comprehensive assessment and implementation. In all cases, each change is tracked and monitored so that the organization always knows the status of its overall operational and compliance risk.

Benefits of Using a Risk-based Change Process

The benefits of using a regulatory change process that is risk-based are many and include:

  - Increased visibility of risk
  - Improved stakeholder notification and communication
  - Standardized approach to treating risk
  - Coordination of timing to reduce overall disruption
  - Greater alignment with business strategy and goals
  - Opportunity for process improvement through the capturing of lessons learned

The most important benefit, of course, is the increased certainty that impacts arising from regulatory change do not become a significant source of risk for the business.
- Are You Ready To Surrender Your Decision-Making To Artificial Intelligence (AI)?
This may sound like a far-fetched idea, but it's closer to reality than you might think. The question is, should we be so eager to give up our autonomy to machines and is it worth the cost? It's true that AI is capable of remarkable feats, such as analyzing vast amounts of data and making predictions based on that information. In exchange for giving AI access to all of our data (and that of everyone else), we're told that it will provide us with recommendations, decide our best course of action, and even act on our behalf when we're unable or unwilling to do so. But what does this mean for our own learning, understanding, and critical thinking? If we rely solely on AI to tell us what to do and what to believe, do we risk losing the ability to make our own decisions, form our own opinions, or even think? The technology may be advancing rapidly, but wisdom is something that can only be gained through experience, reflection, and the passage of time. We should be wary of rushing headlong into a future where machines are making all the important decisions for us. It's essential that we draw a line between what we're willing to entrust to AI and what we're not. The power of technology should be used to augment our own abilities, not replace them entirely. We must maintain our own agency and not become completely dependent on machines. So let's not be too hasty in our eagerness to hand over the reins to AI. We must continue to cultivate our own wisdom and critical thinking skills, even as we embrace new technological advances. Let's make sure that our hope for the future includes a healthy dose of caution and a commitment to maintaining our autonomy. They say that wisdom is often lost on the youth. Let’s hope that wisdom is not lost on all of us.
- Continuous Improvement Objectives
Companies of all sizes need:

  - Processes to repeatedly execute steps in the creation of value
  - Systems to ensure the consistent following of these processes
  - Programs to ensure that these systems are effective in delivering value
  - Governance to establish direction, goals, and culture

Continuous improvement is needed for all of these; however, the objective for improvement will differ:

  - Systems improve efficiency (meeting performance targets)
  - Programs improve effectiveness (advancing outcomes)
  - Governance improves culture (creating the conditions for success)

Different strategies and approaches will be needed to support each of these objectives. For example, LEAN is helpful to reduce waste and improve efficiencies at the process level. On the other hand, the improvement of effectiveness requires the application of strategies that are more proactive in nature and consider outcomes, risks, and change management. When considering where to make improvements, understanding the purpose of each management function helps to make sure that change produces the intended results.
- Capabilities Maturity Model for Compliance
Increasingly, we have observed that regulatory and standards bodies are expecting companies to use capability maturity models to improve performance and advance outcomes related to targets such as zero incidents, zero fatalities, zero harm, zero emissions, zero violations, and so on. While capability maturity models are not new, they have seldom been used to improve compliance. This is beginning to change.

One of the places where capability maturity models have been used successfully is in software development, specifically in aerospace and defense applications. The CMMI (Capability Maturity Model Integration) Institute develops and publishes maturity models, continuing research previously conducted by Carnegie Mellon University. The CMMI Institute claims its models can be used to guide process improvement across a project, a division, or an entire organization. The latest version of the CMMI model is V2, with specific versions for product and service development, service establishment and management, and product and service acquisition.

In response to regulatory changes towards outcome- and performance-based obligations we have adapted the CMMI model to better support the capabilities needed to advance outcomes over time. In our model, Level 3 defines the achievement of "SYSTEM" status when:

  - Management is proactive
  - A systems perspective is taken that considers interactions and dependencies as well as components and elements
  - Uncertainty is evaluated and addressed using managed risk controls
  - Continuous improvement practices exist at the process and system level

These minimum operability requirements must be met before any real progress in outcomes can be made. Fundamentally, better outcomes are obtained when processes behave more like a purposeful system rather than as individual parts. This comes directly from systems theory, which teaches that outcomes are emergent properties of a system's interactions rather than the sum of its parts. As management incorporates double- and triple-loop learning as part of a system, they are able to optimize for outcomes, which drives performance improvement. System adaptation (a program-level function) occurs in response to feed-forward communications from the environment in which a system exists.
- Bow Tie Template
To help you achieve your outcomes we are offering a free copy of our Bow-Tie Analysis PowerPoint template. Our template incorporates smart shapes to make it easy to document your analysis. Both threats and opportunities are supported. Now you can prepare your defenses against threats and your attacks on opportunities. May it help you defeat the dragon of uncertainty! Download your template here.
- You can't turn lagging into leading indicators no matter how hard you try
The Challenge

Counting near misses, incidents, defects, violations, and other non-conformances is of value and necessary as part of prescriptive regulation, industry standards, and internal policies. However, when it comes to complying with performance- and outcome-based commitments where the goal is to achieve zero fatalities, zero explosions, zero violations, and zero defects, you need a risk-based process that uses proactive actions informed by both lagging and leading indicators. While many companies are rich in lagging indicators, they are poor in leading indicators. To address this, many attempt to turn lagging indicators into leading indicators, which is not possible no matter how hard you try. With proactive oversight, however, you can turn lagging indicators into leading actions (more on this below).

Many organizations try to use measures of conformance to predict and possibly prevent future occurrences. However, lagging indicators of this kind can never distinguish between whether your risk controls are effective or whether you were just "lucky". They are also too late to prevent what has already occurred, and for those looking to improve safety, quality, environmental, or regulatory outcomes this is a big deal.

Lagging Indicators and Actions

Lagging indicators measure what has already happened, specifically after a risk event has occurred. Lagging indicators are always retrospective and too late to change the events they record. They are still beneficial, as they help to identify failure modes or vulnerabilities, albeit after the fact. This data can in turn be used to initiate actions to mitigate the effects of the adverse event, which is a corrective, lagging action. Lagging indicators can also be used to strengthen control processes to prevent recurrence of the unwanted event or mitigate its effects. This is a preventive action, and leading with respect to future risk.

Leading Indicators and Actions

Leading indicators, on the other hand, are derived from the control processes that are in place to prevent unwanted events before they happen. They sit on the left side of the bow-tie diagram, before the risk event. Leading indicators include measures of effectiveness of the preventive controls, which are predictive of the likelihood of a given risk event; the effectiveness of those controls determines the probability that the risk event occurs. Leading indicators must have predictive power to be considered effective. Leading actions are steps taken to improve the effectiveness of both preventive and mitigative controls, raising the level of protection to achieve an acceptable level of risk, which is the purpose of risk management and the standard for overall compliance effectiveness.

Bottom Line

Lagging indicators can never be leading, as they measure things after the risk event. They may have some utility for predicting future risk events, but this is limited because they often measure symptoms rather than root causes. The best leading indicators are those that have predictive utility and are connected to preventive controls. This information provides advance warning of a possible risk event and an opportunity to do something about it. Consider joining The Proactive Certainty Program, where we help you develop operational leading and lagging indicators (among other things) for your compliance programs.
- When The Internet Is The Hazard
We have come along way since the early days of the internet when the world was your oyster and the only risk was the risk of not going on-line. Today the internet is different. The opportunities are still high but so are are the threats. Instead of looking out for hazards – sites to avoid – the internet itself has become a hazard. In this post, we explore what it means for the internet to be considered as a hazard and how this might help organizations better contend with risk. The Hazardous Internet Recently I heard of an organization in the financial sector conducting a dark launch of new features their were introducing to their on-line platform. A dark launch is a “safe” way to release production-ready software to a small group without exposing the rest of the user base. This technique provides feedback and performance measurements along with the level of cyber risk. Within seconds of the launch they detected several bots aggressively attacking their platform. Deploying applications on the net is like putting your hand in a tank of piranha fish. When it comes to the internet threats are not a probability that may or may not happen. Threats are a certainty and continuous. Threats are a certainty and continuous. The internet for all intents and purpose is a hazardous environment where prolonged exposure will lead to possible harm – eventually. What Is A Hazard? Organizations need to contend with all kinds of hazards . 
For example, when it comes to occupational hazards these will include:
Chemicals - hazardous chemicals
Ergonomic - lifting, pushing, pulling, sitting, standing, lighting, shift work, office, tools, musculoskeletal disorders
Health - pandemics, biological, diseases, disorders, injuries, mould
Physical - temperature, indoor air quality, noise, radiation
Psychosocial - stress, violence / bullying
Safety - driving, electrical, forklifts, garages, ladders, machinery, material handling, platforms, slips, trips & falls, tools
Workplace - confined spaces, scents, indoor air quality, lasers, temperature, ventilation, violence, weather, working alone

Hazards are conditions or actions that may harm a person, business, environment, communities, or anything that we value and want to protect. Hazards are a manifestation of uncertainty: hazards create the opportunity for risk.

Fortunately, operating safely in hazardous environments is not a new concern. This is the focus of occupational health and safety, process and pipeline safety, aviation and aerospace, and functional safety. Safety in these domains has been studied and practised for decades, long before the internet was introduced. Viewing the internet as a hazard, while undesirable in some ways, is also instructive: it allows the body of knowledge built up in the safety domains to be applied to the risks that come with operating online. In those domains, bow-tie analysis is used extensively to help operate safely in the presence of hazards. Can it help with handling the hazardous internet?

Operating In The Presence Of A Hazard
The bow-tie helps us understand two system properties of cyber security, reliability and resilience, which are used to contend with the hazardous internet (i.e. the dragon of uncertainty). Reliability is a measure of prevention whereas resilience is a measure of recovery. Both prevention and recovery controls are needed when working in hazardous conditions and processes and, as it turns out, on the internet.

Reliability
Reliability is the left-hand side of the bow-tie, where we find prevention controls. Reliability concerns itself with "keeping the lights on." Prevention is better than recovering from a breach, which is why safeguarding against continuous threats is the priority for those operating online. The reliability of a system is often defined as "the probability that the system does not fail in a given environment, during a specified exposure time interval." Nancy Leveson (a leader in systems reliability and safety) states that reliability is a controls problem. This means establishing and managing barriers of defence, safeguards, and other measures that prevent threats from becoming a reality. The effectiveness of prevention controls is a predictor of reliability.

Resilience
Resilience is the right-hand side of the bow-tie, where we find recovery controls. Resilience concerns itself with "restoring the lights after a disruption." In Eric Hollnagel's book (Resilience Engineering in Practice, 2010) resilience is defined as "the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions." Hollnagel might say that resilience is an adaptation problem. The goal of resilience is to recover when a disruption occurs: loss mitigation and recovery measures are deployed to limit the disruption and restore reliability. Resilience is needed to contend with risk that cannot be prevented. Resilience is not a substitute for poor planning or unreliability. At the speed at which risk becomes a reality you will never have enough time to adapt after the fact if you are not prepared. The effectiveness of recovery controls is a predictor of resilience.

Reliability And Resilience - Yin and Yang
In practice, you can't have one without the other. It is true that the higher the reliability, the less resilience one needs; a system with 100% reliability would never need to recover from failure. However, when failure does occur, resilience reduces the effects and limits the disruption, which in turn reinforces reliability. Often resilience measures find their way onto the reliability side of the risk equation. As important as the system properties reliability and resilience are, they are not sufficient to contend with the hazardous internet. Some risk is irreducible and cannot be prevented or mitigated. For this, margin is needed in the form of capital reserves, buffers, insurance and other contingencies to address losses. A comprehensive risk/certainty strategy and plan ensures that uncertainty in all its forms is effectively handled. You need reliability and resilience to contend with reducible risk, and margin for everything else.

Summary
Some organizations are still catching up and coming to grips with the fact that the internet is no longer, and never was, a safe place to browse or do business. They will do their best (I am sure) as they hope for the best. Other organizations view the internet differently. They see its potential but realize that it is a hazard that needs to be managed. Unfortunately, the risk cannot be eliminated by removing the hazard, so we must learn to operate in the presence of hazards. Viewing the internet as a hazard, while undesirable in some ways, is also instructive and allows the body of knowledge used in safety domains to be applied to hazards, a primary source of uncertainty and risk. So it's time to learn how to use BOW-TIES, HAZOPS, BARRIER ANALYSIS, STAMP / STPA, FRAM, and other tools of the trade. These are not new but might be new to you.
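The bow-tie described above, as an added worked example written for this page (it is not the author's own tooling): a small Python model with threats and prevention barriers on the left of the top event and consequences with recovery barriers on the right. Each barrier carries a probability of failure on demand; reliability is the probability of no top event over the exposure interval, resilience is the share of loss the recovery barriers contain, and the residual expected annual loss is the part that margin must cover. The barrier names, demand frequencies, failure probabilities and loss figures (MFA, patch SLA, WAF, egress filtering, backups, incident response plan, and the two threats and two consequences) are constructed assumptions for illustration, not measurements.

```python
"""Bow-tie model of a cyber hazard: prevention barriers on the left, recovery on the right.
Illustrative code added for this page, not the author's tooling; every barrier, frequency,
failure probability and loss figure is a constructed assumption, not a measured value."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    name: str
    pfd: float  # probability of failure on demand: 0 = perfect barrier, 1 = no barrier

    def __post_init__(self) -> None:
        if not 0.0 <= self.pfd <= 1.0:
            raise ValueError(f"{self.name}: pfd must be in [0, 1]")


@dataclass(frozen=True)
class Threat:
    """Left side: a threat and the prevention barriers between it and the top event."""
    name: str
    demands_per_year: float
    prevention: tuple[Barrier, ...]

    def escalation_rate(self) -> float:
        # The threat reaches the top event only if every prevention barrier fails
        # (barriers treated as independent, as in a simple LOPA-style calculation).
        return self.demands_per_year * math.prod(b.pfd for b in self.prevention)


@dataclass(frozen=True)
class Consequence:
    """Right side: an outcome of the top event and the recovery barriers that contain it."""
    name: str
    loss: float
    recovery: tuple[Barrier, ...]

    def unmitigated_probability(self) -> float:
        # The full loss is incurred only if every recovery barrier fails.
        return math.prod(b.pfd for b in self.recovery)


@dataclass(frozen=True)
class BowTie:
    hazard: str
    top_event: str
    threats: tuple[Threat, ...]
    consequences: tuple[Consequence, ...]

    def top_event_rate(self) -> float:
        # Expected top events per year after prevention barriers are applied.
        return sum(t.escalation_rate() for t in self.threats)

    def reliability(self, exposure_years: float = 1.0) -> float:
        # Probability of no top event during the exposure interval (Poisson arrivals).
        return math.exp(-self.top_event_rate() * exposure_years)

    def resilience(self) -> float:
        # Fraction of the potential loss the recovery barriers contain, given a top event.
        gross = sum(c.loss for c in self.consequences)
        net = sum(c.loss * c.unmitigated_probability() for c in self.consequences)
        return 1.0 - net / gross

    def expected_annual_loss(self) -> float:
        # Residual loss neither side of the bow-tie removes: the part margin must cover.
        per_event = sum(c.loss * c.unmitigated_probability() for c in self.consequences)
        return self.top_event_rate() * per_event


def with_barrier_pfd(bt: BowTie, name: str, pfd: float) -> BowTie:
    """Copy of the bow-tie with one barrier's pfd changed, e.g. after an investment."""
    def swap(b: Barrier) -> Barrier:
        return Barrier(b.name, pfd) if b.name == name else b
    threats = tuple(Threat(t.name, t.demands_per_year, tuple(map(swap, t.prevention)))
                    for t in bt.threats)
    consequences = tuple(Consequence(c.name, c.loss, tuple(map(swap, c.recovery)))
                         for c in bt.consequences)
    return BowTie(bt.hazard, bt.top_event, threats, consequences)


def example_bowtie() -> BowTie:
    """Constructed example: an internet-facing web application (all numbers assumed)."""
    ir_plan = Barrier("Exercised incident response plan", 0.25)
    return BowTie(
        hazard="Internet-facing web application",
        top_event="Attacker gains control of the application host",
        threats=(
            Threat("Credential phishing of admins", 4.0,
                   (Barrier("MFA on admin accounts", 0.05),)),
            Threat("Exploitation of a known web vulnerability", 12.0,
                   (Barrier("30-day patch SLA", 0.20), Barrier("WAF virtual patching", 0.30))),
        ),
        consequences=(
            Consequence("Customer data exfiltration", 2_000_000.0,
                        (Barrier("Egress filtering / DLP", 0.40), ir_plan)),
            Consequence("Ransomware outage", 500_000.0,
                        (Barrier("Tested offline backups", 0.10), ir_plan)),
        ),
    )


if __name__ == "__main__":
    base = example_bowtie()
    for label, bt in (("baseline", base),
                      ("faster patching", with_barrier_pfd(base, "30-day patch SLA", 0.05)),
                      ("stronger IR", with_barrier_pfd(base, "Exercised incident response plan", 0.10))):
        print(f"{label:16s} rate={bt.top_event_rate():.2f}/yr  R(1y)={bt.reliability():.2f}  "
              f"resilience={bt.resilience():.3f}  EAL={bt.expected_annual_loss():,.0f}")
```

Running the script prints three rows: the baseline, the same bow-tie with a faster patch SLA (a prevention investment that raises reliability and leaves resilience unchanged), and the same bow-tie with a better exercised incident response plan (a recovery investment that leaves the top-event rate unchanged but cuts the residual loss by a similar amount). With the assumed figures both investments reduce the expected annual loss from about 195,500 to roughly 80,000, which is the "yin and yang" point above in numbers; whatever remains after both sides are strengthened is the irreducible part that margin has to absorb. The model treats barriers as independent and top events as Poisson arrivals, so common-cause failures (one outage taking out both the WAF and the patch pipeline, say) would need a more careful barrier analysis than this sketch.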
- Organizational Hazards
In this article we will look at a different kind of hazard. Not a physical hazard such as a toxic chemical or flammable gas, which are sources of physical harm. Instead, we will look at organizational hazards: sources of harm to an organization's ability to achieve overall mission success. These are areas of uncertainty that, if not addressed, create the possibility for "institutional" or "operational" risk. For purposeful and goal-oriented organizations, sources of uncertainty can often be found with respect to its goals, how the organization works, and the strategies used to effect change:

1. Uncertainty of the goals and objectives
Companies use roadmaps to take them from where they are now to where they would like to be in the future. Uncertainty in any element of the roadmap will impact mission success, including:
Uncertainty of where an organization has been in the past
Uncertainty with how an organization perceives where they are now
Uncertainty with their prediction of the future
Not addressing these uncertainties may result in scenarios such as having the right goal but starting at the wrong spot on the roadmap, a place where you have not yet arrived.

2. Uncertainty with the model of the organization
Each organization will have some idea or model of how the organization works. The sophistication of the model is not always what is important. What is important is that it is able to predict outcomes. That is, if we do A then we expect B to happen. Causation will lie somewhere between deterministic and probabilistic behaviors. Deterministic processes are characterized by having the same outputs for the same inputs and initial conditions, whereas probabilistic processes will have a variety of outputs for the same inputs and initial conditions. Knowing what kind of processes an organization has will help to determine what strategies to use to achieve mission success.

3. Uncertainty with the strategies used to effect change
The more complex a system is, the harder it is to know what changes will produce a desired change in outcomes. There will always be uncertainty in the outcomes along with the possibility of unintended consequences. However, even when systems are more ordered and deterministic there will be uncertainty in the effectiveness of replacing old behaviors with new ones to achieve different results. Habits are hard to change, particularly when they were once good habits.

Strategies to Improve the Probability of Success
To help determine which strategies to use to improve the certainty of achieving mission success, we can classify organizational systems across the dimensions of order and chaos, and certainty and uncertainty, as shown in the following diagram:

Static Zone
This is a system that is ordered, mostly deterministic, and with predictable causation. This defines normal operations and practices for an organization. Standard practices and procedures are the focus and productivity is the ultimate goal, which is constantly measured, assessed, and improved. Conformance to standard is embedded in the culture, which by its nature resists variation. The side effect is that it also resists change, making improvements slow to implement and uncertain. This requires change management strategies to improve the probability that changes are completed and effective. Lack of improvement is the hazard for organizational systems in the static zone.

Variable Zone
This is a system that is mostly deterministic but has drifted into disorder. This defines abnormal operations and requires a return to normal practices. Behaviors and practices often focus on what is common but not what is best. Processes are needed to address deviance and variability, often achieved through audits, analysis, and remediation. Quality management is used to standardize behaviors and practices and improve consistency. Lack of conformance is the hazard, and normalization of deviance must be avoided to prevent a drift to failure.

Probabilistic Zone
This is a system that is mostly ordered but not as deterministic as had been thought, resulting in a variety of outcomes. This describes the result of uncertain operations, where companies don't know exactly what the results will be. Variability is a result of a lack of knowledge or is associated with chance (random variability). Processes may be defined but tend not to be effective (ordered uncertainty). Focus is usually on "best efforts" not "best outcomes". Improved models are needed to effectively buy down reducible risk by reducing the likelihood and the consequence of undesirable outcomes. In addition, measures are needed to contend with natural variability. This is the domain of Risk Management and Lean Six Sigma. Lack of knowledge is the hazard, due to a failure to learn.

Unpredictable Zone
This is a system that is disordered and uncertain and defines unpredictable operations. This is often the case when organizations fail to anticipate and protect. Organizations cannot predict to any level of confidence what the outcomes of their efforts will be. This may be the result of unsafe work practices or conditions increasing the chance of breaches that negatively affect quality, safety, security, reputation or any other objective. The hazard in this case is a lack of protection. Emergency response and incident management are needed to react, stabilize, and improve levels of protection. If you cannot predict, then you need to protect as if it will happen.

Summary
In practice, organizational maturity and type of business determine the zone where most of an organization's systems and processes exist. Companies in highly regulated, high-risk sectors will require greater levels of organizational maturity to combat uncertainty and disorder, as more is at risk. However, even when organizations are performing well under normal operations they are at risk of drifting to other zones due to a lack of attention, rigor, and proactivity, which are themselves hazards to avoid.
- Risk Blindness: A Failure in Risk Perception
Imagine you're attending a meeting to discuss potential dangers during a company restructuring. You, and everyone else present, understand the importance of identifying and mitigating hazards. But then a key player storms out, claiming there's nothing to worry about. Confused? Welcome to the world of risk management, where narrow definitions often create blind spots and uncertainty.

This is exactly what happened to me. We were discussing operational threats stemming from a reorganization, something particularly critical in high-risk industries. The Process Safety Manager (PSM), responsible for traditional hazard assessments, confidently declared he had no business there. "There are no hazards here," he stated before walking out. He was right, but only from a technical standpoint. In his world, "hazards" have a specific meaning. However, he failed to recognize a crucial point: the reorganization itself posed a risk to his ability to manage those very hazards. Changes in roles, responsibilities, systems, and processes could disrupt his established safety protocols. In short, he was overlooking organizational hazards.

This incident highlights a critical challenge in risk management: silos and fragmented definitions. Different domains have their own risk vocabularies, often leaving broader threats unseen. What we need is a more holistic approach, something like Total Risk Management (TRM). TRM would act as an umbrella, encompassing all potential sources of uncertainty that can impact an organization's success. It acknowledges that risks go beyond technical hazards and extend into organizational dynamics, reputational concerns, financial vulnerabilities, and more. ISO 31000, from my perspective, recognizes what is well known to many in high-risk industries: uncertainty is the root cause of all risk. Uncertainty creates the opportunity for risk independent of its effects. In fact, several risk-based regulations mandate this approach and further define its nature, distinguishing aleatory and epistemic uncertainty, which helps direct what measures to use to handle them. These distinctions have helped manage complexities beyond the de minimis and provide the foundation for a universal definition.

We're attempting to implement this philosophy and it's an uphill battle, but one worth fighting. By adopting a broader perspective on both risk and compliance, we can ensure that even during periods of change we can effectively safeguard our people, operations, and ultimately, our mission. Let's keep the dialogue going! Share your thoughts and experiences with risk and compliance. Together, we can elevate our understanding and create a safer, more resilient future for our organizations.