  • How to align operational objectives with organizational values

    When it comes to operations, an important goal is to achieve and maintain consistency of work. Standardized work is essential for the creation of value. However, it is also important to protect this value, which is why compliance needs to be involved. Benefits of Standard Work There is value in doing things the same way each time: increases worker productivity, provides structure, saves time, establishes predictability, simplifies training, and many others. Establishing standard work and performing it without variation is an essential aspect of effective operations. However, establishing standard work can have a downside. It may end up normalizing the absence of other behaviours and practices needed by the organization. Benefits of Standard Values Not only do we need consistency of work, we need consistency of values - harmony of parts to one another and the whole organization. This requires aligning operational objectives with organizational values. We know from systems theory that a system designed for productivity will optimize for productivity at the expense of, or away from, everything else. Similarly, if the goal is both productivity and safety then the system will optimize for both. This is one of the reasons why it is essential that organizational values are included as part of operational design. We don’t want systems that are only productive. They need to also be safe, secure, protect privacy and the environment along with other desired outcomes. Another way of saying this is that operations needs both standard work and standard values. If you don’t, you will end up with standard work without any values – a consequence of systems theory. How to Align Work with Value A good place to start is by identifying and documenting commitments (i.e. promises) to organizational obligations associated with safety, security, privacy, environmental, and so on. These promises can then be embedded into operational systems, processes and procedures. 
Supporting these promises will help keep operations aligned with organizational values. The Hoshin Kanri Process is helpful here. It provides a means to negotiate operational goals and objectives with organizational counterparts associated with obligations. Instead of pushing obligations down, this process invites voluntary commitments, which encourages ownership – a necessary condition for proactive and risk-based endeavours.

  • Why Didn’t Risk and Compliance Programs Change During the Pandemic?

    In a recent risk and compliance survey it was reported that the pandemic did not significantly disrupt risk and compliance programs although it did impact priorities. The fact that programs emerged relatively unscathed was interpreted as a good thing which I find difficult to understand and even troubling. The report goes on to say that risk & compliance programs were under-resourced with leadership commitment wavering. Data was also reported as not being effectively utilized to reduce risk and by and large risk and compliance was struggling. Now with an increase in risk awareness over the last year we should have seen a corresponding increase in leadership commitment with greater resolve to improve risk and compliance programs. These would have resulted in risk & compliance programs being disrupted although in a positive way rather than remaining the same; relatively “unscathed.” Programs would have increased in capabilities, maturity, and most of all effectiveness – all of this in earnest. However, this kind of disruption was not observed. Only priorities were changed, weakened by competing interests. So what happened? Why didn’t risk and compliance change during the pandemic? Perhaps for many organizations the answer was one or more of the following: We don't believe that risk has changed - the underlying uncertainties and its possible effects have not substantively changed that would warrant changes to the risk and compliance programs. What we are doing is adequate - greater investment in risk and compliance is not needed as existing measures are sufficient to cover any changes to risk. We have not seen any or enough benefit from our existing programs - risk and compliance programs have lacked effectiveness and further investment in measures would most likely be wasted. We don’t know how to improve - there is no process or adequate know-how to advance risk and compliance maturity so we are stuck where we are. 
Essentially, we are not prepared to expand risk & compliance. We are too reactive to change - too much time is spent fighting fires to plan and effect needed improvements. Whether the reason was one of the above or something else the end was still the same for many companies – status quo. It appears the only defence was the tactic to change priorities. This may have resulted in minor improvements to programs but these will be short lived, subject to further changes when priorities shift yet again. The way forward is to not only change or introduce new tactics as important as this may be. What is missing from many organizations which needs to be addressed is a program to govern risk & compliance effectiveness that includes processes to adapt and improve performance over time. Resiliency is built through continuous improvement not by fixing fires, closing gaps, or changing near-term priorities. Do you agree? What do you think? Reference: https://www.jdsupra.com/legalnews/new-benchmark-report-reveals-key-risk-7967546

  • The Effects of Cyber Risk on Compliance Programs

    On May 12th, the WannaCry (Wana Decrypt0r) worm began affecting computers worldwide. Among the many industries, companies, and individuals affected, the UK National Health Service (NHS) was hardest hit, possibly placing patients at risk. This is a wake-up call for all organizations. This should increase the level of concern as to an organization's ability to operate safely should a threat materialize. Cyber risk has the potential to affect compliance programs which are intended to keep people, the environment, and businesses safe. Threats similar to the WannaCry worm could disrupt an organization's ability to: shut down a process; make safety and security decisions; access critical information and documents such as safe work practices, shutdown procedures, critical defeats register, and so on. Having an effective cyber security program is an essential part of today's compliance platform. International standards such as IEC 61511, IEC 61508, ISA S84, and others provide guidance and are considered best practices. However, aligning cyber security with process safety programs continues to be an important challenge for companies to address. Like all best practices they need to be applied, followed, and then continuously monitored as to their effectiveness. In light of recent news, this is the perfect time to review and evaluate the effectiveness of your cyber security, emergency preparedness, and safety management programs. Plan-Do-Check-Act Questions: Which compliance programs, if disrupted, would most hinder your organization's ability to operate safely? What procedures are in place to continue operating safely in case of a cyber attack? Does your cyber risk assessment extend beyond covered processes or high consequence areas? Are there any gaps in coverage? Is the identification of cyber risks part of your overall risk management program? What steps can you take to improve the management of cyber risk within your organization?

  • Are Your Risk & Compliance Programs Effective?

    More than 75% of companies never measure the effectiveness of their risk & compliance programs. As a result they don't know if their efforts are helping or hurting the achievement of mission objectives or the protection of value and reputation. We created the Proactive Certainty Scorecard™ (Version 3) to help organizations quickly assess how well their risk & compliance programs are doing. This evaluation can be completed in 20 minutes and will provide you with valuable insights on how you can: better meet all your obligations, reduce risk, and build greater stakeholder trust. After you complete this scorecard we will schedule a free orientation session with one of our risk & compliance experts to help you quickly identify areas of improvement. You don't need to be part of the 75% that are uncertain. Join the 25% that are certain by completing the Proactive Certainty Scorecard™ today. The Proactive Certainty Scorecard™ is applicable to all risk & compliance domains including: Quality, Occupational Health and Safety, Environmental, Security, Process & Pipeline Safety, Regulatory, Data Privacy, Ethics and Legal, Financial, Corporate Risk, Supply Chain Risk, and overall Risk and Compliance.

  • Implement Programs and Systems

    The documented organization is at best a rough facsimile for the actual organization. There is always a gap between what is expressed in job descriptions, policies, and procedures, and the actual organization performing the work. A significant cause for this gap can be attributed to the level of accountability and autonomy given to workers to achieve their objectives. In fact, these are required to enable proactive behaviours that anticipate, plan, and advance objectives and goals. Creating the balance between adherence to standard practices and having adequate room to be proactive is precisely the balance between management systems and programs. Systems achieve consistency by adhering to procedures, resisting change and reacting to variation, while programs anticipate conditions, introduce change, and advance outcomes. Effective compliance (ex. quality, safety, environmental, and regulatory) requires that existing conditions are maintained, and that progress is made towards compliance goals (ex. zero defects, zero fatalities, zero emissions, zero violations). This requires that companies implement appropriate programs to advance these goals along with their management systems to keep the ground they already have.

  • Bow Ties are Cool and Effective

    There might be some who read my posts who are also Doctor Who fans and get the reference to bow ties being cool. However, even if you don't watch Doctor Who, you can still appreciate the benefits from using a bow-tie analysis to help improve the certainty of achieving your goals. Risk management has changed over the years and in many ways has now become an optimization process to increase the certainty of achieving outcomes. And nothing demonstrates this more than using a bow-tie analysis. The first thing that people notice when using a bow-tie analysis is that it looks like an actual bow tie, particularly in its simpler form. This provides a great visual when considering how to address risks. However, what makes it so powerful is that it incorporates causal and consequence trees along with control analysis all in one tool. To illustrate how the bow-tie analysis can be used let's consider risks associated with achieving a relatively simple objective of getting to work. We can simplify this even further by only considering a risk scenario that involves getting from the parking lot to the office building. The path has a significant hole in the pavement that developed over the winter and is now a meter wide and several meters deep. This hole is referred to as a hazard which threatens the ability to achieve the objective of getting to work. However, it should be noted that not all holes represent threats, only the ones that are in the way between us and our objective. In the words of Dr. David Hillson (The Risk Doctor), that's how you know which risks really matter. The goal of a bow-tie analysis is to optimize controls addressing both prevention and recovery to reduce the treated risk to below a given risk tolerance. For each cause an evaluation is made of the prevention controls' effects on the likelihood of the risk event occurring, which in our example is falling in the hole. 
In a similar fashion, an evaluation is made of the effects of the recovery controls to reduce the impact of not achieving the objective. The following list contains brief definitions for key elements of our bow-tie example: Objective: this is what is being aimed for or sought after (i.e. getting to work). Causes: these are conditions that may result in falling in the hole. In our example, three causes have been identified: walking down the path, running down the path, and walking while being distracted. Each one will have its own likelihood of falling in the hole. Consequences: these are the results of falling in the hole which affect whether or not we get to work. They are uncertain as they depend on whether or not a person falls in the hole. Three consequences have been identified: cuts and bruises, broken bones, and fatalities. Prevention: these are controls to prevent falling in the hole. Each one has its own level of effectiveness. Recovery: these are controls that mitigate the effects of falling in the hole should they happen. Each one has its own level of effectiveness. After optimizing the prevention and recovery controls to reduce residual risk below the risk tolerance, a risk plan can be developed by creating risk statements for the cross product of causes and consequences. Here I am using the risk meta-language proposed by Dr. Hillson and others. A bow-tie analysis is effective not only with qualitative considerations but can be (and often is) extended to include quantitative measures on both causal and prevention logic trees. In addition, by considering both prevention and recovery efficacy in isolation and in relationship with other controls, a preliminary assessment (LOPA) of the layers of defense can be obtained to gauge overall coverage. A bow-tie analysis can also be applied to opportunities where instead of prevention and recovery the focus is on enabling opportunity events and exploiting them should they materialize. 
By considering both threats and opportunities a holistic approach to addressing uncertainty in the achievement of objectives is possible. Download our free PowerPoint Bow-Tie / ISO 31000 Template here

  • Steering Compliance: Three Imperatives for Operational Compliance Programs

    An Operational Compliance Program is the means used to steer organizations towards meeting all their obligations and keeping all their promises associated with safety, security, sustainability, quality, and other stakeholder outcomes. Operational Compliance Programs are the vehicles to deliver compliance value – better compliance outcomes and increased stakeholder trust in the presence of uncertainty. To ensure their effectiveness, Operational Compliance Programs must actively engage in three critical on-going activities: enhancing capabilities, introducing change, and regulating systems. By prioritizing these imperatives, organizations can provide greater assurance that they are able to stay between the lines and ahead of risk today, tomorrow, and every day into the future. 1. Enhancing Capabilities: Driving Progress Towards Compliance Outcomes The first key imperative for operational compliance programs is to continuously enhance organizational capabilities (people, process, and technology) to meet all their obligations and effectively contend with risk. This involves developing and nurturing a knowledgeable and skilled workforce, equipped to tackle the challenges posed by evolving regulations, industry standards, and promised organizational performance and outcomes. By providing comprehensive training and educational resources, compliance programs empower management and staff to make informed decisions and take appropriate actions within the boundaries of organizational values. Moreover, enhancing capabilities requires establishing robust communication channels and fostering a collaborative environment. This enables the compliance team to proactively engage with other departments, identify potential compliance risks, and devise effective strategies to mitigate them. 
By strengthening cross-functional collaboration, compliance programs can align business objectives with compliance outcomes, fostering a culture where compliance is not seen as a hindrance but as an enabler of success. Here is a list of essential operational compliance program functions where capabilities need to be continuously enhanced: Managed Obligations, Managed Promises, Managed Assurance, Managed Culture, Managed Accountability and Responsibility, Managed Organizational Alignment, Managed Operations, Managed Risk, Managed Capabilities, Managed Data & Monitoring, Managed Improvements, Managed Technology. 2. Introducing Change: Staying Ahead of Risks The second imperative for operational compliance programs is to embrace change and remain ahead of emerging risks. Regulatory landscapes are constantly evolving, necessitating agility and adaptability from compliance professionals. It is crucial for compliance programs to proactively monitor regulatory developments and assess their impact on the organization's operations. By adopting a forward-thinking approach, operational compliance programs can identify potential gaps in their existing policies and procedures, and implement necessary changes to ensure ongoing compliance. Regular risk assessments and audits become invaluable tools in detecting vulnerabilities and implementing effective controls. Embracing change allows compliance programs to anticipate potential disruptions, minimize compliance breaches, and maintain a competitive edge in an ever-changing business environment. 3. Regulating Systems: Achieving Performance Targets The third imperative for operational compliance programs is to regulate compliance systems and processes to achieve risk and compliance performance targets. This involves implementing robust monitoring mechanisms and utilizing technology to enhance compliance oversight. 
By leveraging data analytics and automation tools, compliance programs can efficiently monitor compliance-related activities, identify patterns, and detect any anomalies that require immediate attention. Furthermore, compliance programs must establish clear performance targets and key performance indicators (KPIs) to gauge the effectiveness of their initiatives. Regular assessments and reporting enable organizations to measure progress, identify areas for improvement, and make data-driven decisions to optimize compliance efforts. Summary: Operational Compliance Programs steer organizations towards compliance outcomes and are the vehicles to deliver value – better compliance outcomes and greater stakeholder trust in an ever-evolving business landscape. By prioritizing three imperatives — enhancing capabilities, introducing change, and regulating systems — operational compliance programs can establish a robust framework that ensures sustainable compliance outcomes in the presence of uncertainty. If you are interested in establishing an Operational Compliance program for your safety, security, sustainability, quality, ethical or regulatory compliance, consider becoming a member of The Proactive Certainty Program™.

  • Compliance Goals

    When we think about compliance we should also think about the goals we want to achieve. An important distinction we can make is between "terminal" and "instrumental" goals. Terminal goals are the highest level objective that we want to reach. They define the "ends" of our compliance programs, for example: zero defects, zero fatalities, zero violations, zero releases, zero fines, and others. Instrumental goals are intermediate outcomes or results that are critical or that must occur in order to achieve the higher-level outcome. These are often used to define measures of effectiveness (MoE) for compliance programs as they provide clear indication of progress towards terminal goals. What goals have you set for your compliance programs?

  • Breaking Free From The Reactive Compliance Trap

    When companies decide to improve their compliance they soon realize that their good intentions are often thwarted by their own organizational culture. This may take on various forms but in the end the root cause is always the same – excessive reactivity. A predominately reactive culture is one that has been reinforced by years of following an audit/fix cycle where companies wait for something bad to happen, gaps to be found, or incidents to occur before any meaningful improvement is made to their compliance. These organizations may even take on the mantra of continuous improvement in hopes of breaking free from this trap and finally getting on top of all their obligations. However, just like financial debt, the higher the principal and the greater the interest rate the worse things get and the faster things get worse. No matter how many payments are made by closing gaps this strategy is far too slow and too late to keep up with the speed of risk both for financial as well as compliance debt. To escape this trap organizations need to address the root cause and change their behaviour from being predominately reactive to one that is proactive. A culture that is proactive anticipates, plans, and strives to make an impact which for compliance is the reduction of risk. For compliance to be effective it must at its core be driven by risk-based principles reinforced by proactive behaviours. This is the only way for companies to achieve greater resiliency, reduce the risks that really matter and meet all their stakeholder obligations. Effective Compliance A video recording of a webinar, available on our website, dives deeper into how the compliance landscape has changed and 10 principles you can use in your organization to escape the reactive compliance trap and finally get on top of all your obligations. More articles on the topic of effective compliance can be found here.

  • The Heartbeat of Compliance: Keeping Promises

    Many of you will know how important it is to keep your promises. It's a measure of the worth of a person and of an organization. Striving to keep your promises improves both personal and corporate integrity without which organizations cannot behave ethically. That is why building a promise culture is at the heart of effective compliance programs. This involves building habits that reinforce the act of promise keeping. A habit worth considering is to evaluate promises before they are made. The following questions will help assess a promise and improve the probability of keeping it: Is the obligation and commitment clear? Do you have a plan on how we will keep this promise? Do you understand the risks; what threats and opportunities will you encounter in keeping this promise? Do you have everything you need to keep this promise? Do you know when this promise has been met; how will you measure progress or status? How will you hold yourself accountable? Building these questions into your compliance program will improve organizational integrity and reinforce a culture of promise keeping. However, you don't need to wait for that to happen. Compliance leadership can begin with you. Establishing this habit can start today by incorporating these questions as part of the way you contend with personal obligations. Who knows what might happen when others follow your example. Wouldn't that be something.

  • Considering Promises As Assets

    In a recent article I introduced Promise Theory and its application with respect to compliance. At a high level, Promise Theory puts forward the idea that obligations are an imposition with a cost or penalty for non-compliance. For every obligation there must be a corresponding promise to satisfy it. A promise is more than a desire, it is a publicly declared intention. Saying this in terms of compliance, promises are requirements imposed on an organization which are met by corresponding commitments called promises. Promises are the specifications for how compliance will be delivered supported by management and technical systems and of course people and culture. In this article we explore the concept of promises as business assets similar to equipment, buildings, or even intellectual property. Organizations use assets to generate value for stakeholders by the creation of products and services. In a similar way, organizations make and keep promises to generate stakeholder value through the creation of compliance. Can viewing promises as assets help organizations create better outcomes from their compliance efforts? Let's find out. Asset/Promise Valuation The value of an organization can be determined by taking inventory of its assets and subtracting its total liabilities. This is a good indicator of a company’s net worth. In the same way, a compliance valuation can be conducted by taking an inventory of all the promises an organization has made and subtracting its total obligation debt (i.e. liabilities). This is a measure of a company’s compliance strength or in other words its ability to meet all of its obligations. Servicing obligation debt is important but just like business assets we need a return on that investment that exceeds just paying off the liability. 
Asset/Promise Lifecycle Promises also follow a life-cycle similar to assets, simplified here as four stages: Creation - promises are specified, designed, implemented, and made operational. Utilization - promises are kept while the obligation persists. Maintenance - preventive, proactive, routine, and emergency work is performed to sustain promises (ex. maintain control effectiveness). Re-commitment / Retirement - new commitments are made to meet changed obligations or the promise is no longer needed. Over time assets and promises tend to grow in complexity and cost. Life-cycle Management is an important capability to ensure that underlying systems and controls perform as required to meet stakeholder obligations and create desired value. Lean and risk management practices are helpful to reduce waste and improve efficiencies not only for assets but also for systems that implement promises. Asset/Promise Principles We can adapt principles of asset management and apply them to the management of promises: Promises exist to deliver value for stakeholders. People keep promises - so an effective promise management system will rely on people’s knowledge of obligations, compliance expertise, motivation and teamwork. Promises must be managed for the life of the obligation. Promise keeping should be risk and evidence-based. Compliance should be delivered in terms of clearly defined measures of effectiveness, performance, and conformance. Promise Management is on-going and requires continuous improvement. Promise Management is multidisciplinary and cross functional. Promise Management requires significant stakeholder involvement. Asset Valuation for Promises When promises are viewed as assets, different questions become available that may uncover areas of improvement that might otherwise have been overlooked: Do you know the size and nature of your obligation debt - liabilities? 
Do you have a complete list of all your commitments associated with both mandatory and voluntary obligations - have you assessed your assets? Are your investments in programs, systems and controls generating sufficient compliance value for your organization - are your assets producing a return? Do you know what your overall compliance risk is - are your assets more than your liabilities? If you are unsure of your answers to these questions the following steps can be followed to conduct an asset valuation for compliance of your organization: Take an inventory of all active promises (compliance commitments) including supporting policies, programs, systems, and controls. Take an inventory of all compliance debt (compliance obligations). Calculate obligation exposure by matching your promises with your obligations (do promises cover all obligations?). Calculate compliance strength by evaluating the effectiveness of policies, programs and systems to meet promise objectives. This will include operational risk. Gather and analyze the voice of the stakeholder to validate value creation. Considering promises as assets may be useful in helping organizations visualize compliance as a necessary good (just like assets) rather than a necessary evil. This will bring with it all the best practices and corresponding benefits of asset management to the domain of compliance.

  • Mastering Proactivity: A Guide to Achieving Your Goals

    Proactivity is a powerful tool that can help you achieve your desired outcomes. Proactivity is more than a mindset or an attitude. It's also a process that can be applied to any set of actions through anticipating, planning, and striving to have an impact [1]. In this article, we consider what motivates proactive behaviour and how proactivity can be applied to goals including those to meet all your obligations. Proactive Motivations There are four key factors that encourage proactivity when applied to meeting goals: the obligation, ambiguity, accountability, and autonomy [1], [2]. Obligation refers to the goals associated with an outcome that you want to advance. It is the desired result that you are working towards. Considering goals as obligations creates an impetus for proactive behaviour. Obligations can be short-term or long-term, and they can be personal or corporate. Examples of obligations include losing weight, delivering a project, or making progress towards net zero emissions. Risk refers to the uncertainty (ambiguity) with respect to reaching the goal. It is the possibility that you may not meet your obligation. Uncertainty provides a motivation to be proactive - to improve the probability of success. Risks are the effects of uncertainty on our objectives which can be controllable or uncontrollable. Examples of risks include decreased health, unrealized project benefits, or negative impacts on the environment. Incentive refers to the accountability for the results. It is another motivation that drives you to achieve your obligation. Incentives can be intrinsic or extrinsic, and they can be positive or negative. Examples of incentives include realized benefits, financial rewards, or social recognition (i.e. reputation). Promise refers to the autonomy and agency to develop and work the plan. It is the commitment that you make to yourself to achieve your obligation. Making and keeping promises provide moral motivation to satisfy the obligation. 
Promises can be personal or corporate, and they can be explicit or implicit. However, to be effective they need to be declared and documented. Examples of promises include meeting deadlines, targets, or following rules. Proactive Goal Setting These factors can be applied to the process of goal setting to maximize proactivity in the following way: Identify Obligations: start by setting clear and realistic goals that are aligned with your values, priorities, and commitments. Identify what you want to achieve and why it matters to you. This will help you stay focused and motivated. Evaluate Risk: these are potential obstacles and challenges that may prevent you from achieving your goals. Assess the likelihood and impact of each risk and develop contingency plans to mitigate them. This will help you stay prepared and resilient. Establish Incentives: create a system of rewards and consequences that will hold you accountable for your results. Celebrate your successes and learn from your failures. This will help you stay motivated and committed. Make and Keep Promises: develop a plan of action that is tailored to your needs and preferences. Break down your goals into smaller, manageable tasks and set deadlines for each one. This will help you stay organized and on track. Conclusion Being proactive is a strong tool that goes beyond just a mindset, evolving into a dynamic process applicable to various actions through anticipation, planning, and active impact. We explored four key motivators for proactive behaviour: obligation, risk, incentive, and promise. Obligations drive proactive behavior by linking goals to desired outcomes, whether short-term or long-term, personal or corporate. Risks, as uncertainties related to goal attainment, push for proactivity to increase the probability of success. Incentives, whether intrinsic or extrinsic, positive or negative, help make individuals accountable for results. 
Promises, involving autonomy and agency, provide moral motivation for meeting obligations. Combining these motivations, a proactive goal-setting process involves identifying obligations, evaluating risks, establishing incentives, and making and keeping promises. This approach ensures clarity, resilience, accountability, and structure, fostering proactive behaviours toward achieving meaningful outcomes. [1] "The dynamics of proactivity at work", Adam M. Grant, Susan J. Ashford, 2008 [2] "Promise Theory", Mark Burgess

© 2017-2025 Lean Compliance™ All rights reserved.