SEARCH

When it comes to performance-based compliance required by organizations where compliance failure means mission failure we need more than working systems – we need systems that work. For compliance systems to work they must be operational. They must achieve a minimum level of compliance defined as Minimum Viable Compliance (MVC). MVC is achieved when essential functions, behaviours, and interactions work together at levels sufficient to create compliance benefits (the outcome of compliance.)

Professor Andrew Hopkins shares his insights on how organizational structure, communication, and habitual practices advance safety culture from his recent book: Organizing for Safety – How structure creates culture. Hopkins is the author of well known books such as: Lessons from Longford, Failure to Learn, Disastrous Decision, Nightmare Pipeline Failures, and others. In this video, Hopkins outlines how organizational structures contribute (negatively and positively) to overall safety performance. This video was shown during of the Oil and Gas Denmark – Task Force Zero 2019 safety conference.

The very culture that keeps companies in highly-regulated, high-risk industries safe may be the very thing that is holding them back from making improvements and advancing overall compliance outcomes. Companies in this space tend to be hierarchical with respect to their organizational structure which often closely aligns with the asset structures they are operating. This provides clear lines of accountability, better consistency of behaviors and practices, and greater conformance to procedures and standards. Efficiency and reliability are their by-words. You don't want workers to "innovate" when they are doing their job. You want them to follow safe-work practices and life-saving rules so that people and businesses are kept safe. However, increasingly these same companies are being asked (regulated) to improve, to innovate, and to make progress on their compliance objectives not just perform at existing levels. This requires a different culture that is more proactive, goal-directed, and risk-taking. This culture is opposed to the very one that that keeps them in business today. Instead of one culture to govern them all, companies may benefit from a diversity of cultures specific to the task at hand. Geoffrey Moore's book Zone to Win does a great job at outlining the activities of a business and what characterizes each part (or zone). Each zone has its own management, behaviors, and practices specific to what is needed to accomplish the objectives for each zone. Each zone effectively has its own culture. The Competing Value Framework developed by Cameron and Quinn (2006) provides additional insights into organizational cultures based on four classifications: CLAN, ADHOCRACY, HIERARCHY, and MARKET cultures as shown in the following figure: This framework has been used extensively by organizations to help them navigate their cultures and make necessary adjustments. For compliance to be effective it is helpful to consider which culture is best across governance, program, system, and process layers. For example, a proactive approach may benefit from a culture that values creativity and collaboration to identify strategies to better achieve outcomes. However, when these strategies have been decided what is more important is consistency and conformance which benefits from a culture that is more controlling oriented.

We have all heard that culture eats strategy for breakfast (Peter Drucker). What we may not have heard is that the same holds true when it comes to compliance tools and measures. Organizational culture also determines which tools and measures will work and which ones won’t. In fact, without the right culture you will never be able to benefit from the tools you need most to meet all your obligations and keep all your promises. Let’s take a closer look. In a study published by The International Association of Oil and Gas Producers (OGP) in 2010 an evaluation was conducted of 53 Health, Safety, and Environmental (HSE) tools against organizational culture. In this study HSE tools range from processes (i.e. measures) to commercial products across the following 15 categories: Reporting and Recording Incident Investigation and Analysis Auditing Human Factors In Design Work Practices and Procedures HSE Risk Management HSE Management Systems HSE Training and Competence HSE Appraisals Situation Awareness Questionnaires and Surveys Observation / Intervention Incentive Schemes HSE Communications Other Organizational culture was assessed using these classifications: Pathological - Who cares as long as we’re not caught Reactive - Safety is important; we do it along every time we have an accident Calculative - We have systems in place to manage hazards Proactive - Safety leadership and values drive continuous improvement Generative - HSE is how we do business around here Each tool was judged as appropriate for the level of organizational culture when it meets these criteria: It is likely to be accepted and actively used; Its use serves a required purpose; and It should improve HSE performance. An excerpt from the study is shown below (see link at the end of this post to download the full study): According to the study, a tool no matter how good it is will not provide the intended improvement unless an organization is ready for it. As a result, this study shows that the majority of HSE tools needed for an effective HSE program will not be helpful without higher levels of cultural maturity. For example, risk management tools will not be effective unless a culture is proactive. Another insight can be inferred from the study by considering organizational coupling. When this is considered we noticed that many HSE tools require higher levels of integration to be effective. For example, Management of Change (MoC) processes require engagement across multiple areas of responsibility to effectively contend with risk due to planned changes. In other words, MoC is not effective as a stand alone tool conducted by one person – an example of low coupling. The following chart combines these two insights: What Does This All Mean? The majority of tools needed by a compliance program cannot be used without sufficient pro-activity and organizational coupling. This is a big deal for organizations trying to improve HSE performance that are mostly reactive and operate in functional siloes. They will face an up hill battle which will be the case for many, perhaps the majority, of organizations. What do you do when your organization is not ready to benefit from tools that you need to achieve program performance goals and advance outcomes? Let's consider three options: No Transformation Big Bang Transformation Progressive Transformation 1. No Transformation This option recognizes that the organization is not ready to take advantage of the majority of tools needed by a program. It accepts the culture that exists and uses it as a place to start. Understanding that it will not be enough to meet performance objectives or advance program outcomes. The outcome of this approach is a partial, and most likely not operational, program managed by a few resources working independently, mostly reactive, and focused on reporting. Engagement with internal stakeholders will be limited to collecting data needed to feed basic tools of the program. Taking the program to the next level will require organizational transformation. However, many that start here never transition to the next level – their culture prevents them from doing so. 2. Big Bang Transformation This option recognizes that becoming more proactive and integrative is necessary and fundamentally a change management problem requiring strong leadership and stakeholder support. Change management will among other things introduce proactive behaviours along side of greater levels of stakeholder engagement needed to drive organizational coupling. This if successful should enable a larger set of program tools (perhaps 3 times) to better meet program objectives and realize benefits. Transforming culture and implementing new technology all at once is a high-stakes, high-risk endeavour. Sustaining focus and effort across multiple years is possible but very organizations have the patience. It usually takes new leadership or a serious incident for those organizations to change. Organizations, that do not sustain their efforts using this approach will end up with partial and non-operational programs and often end up starting over. 3. Progressive Transformation The previous option is similar to a "waterfall" approach where benefits are realized only at the very end. This approach makes sense when: The organization has had prior success with this kind of transformation in the past, A high degree of certainty exists with what and how things need to be done, All program capabilities (behaviours, skills, tools, capacity, etc.) need to be present to realize the majority of the benefits. However, when these conditions do not exist the organization will need to learn new behaviours as they implement technology. This requires a change management approach of a different kind. An approach designed to do this is, "Lean Startup." This methodology uses a BUILD-MEASURE-LEARN cycle to achieve greater levels of program capabilities.This is different than phased implementations or continuous improvement strategies. Not all behaviours and not all parts of the organization need to be integrated at the onset or all at once. Instead, what is needed is for every version of the program (minimal viable program) to have essential behaviours and properties operational for a targeted level of effectiveness (measure of progress). Lean Startup takes advantage of this and provides organizations the opportunity to learn new behaviours over time while improving program performance and effectiveness at every stage of system development. Lean Startup aligns change management with implementation to produce intermediate / instrumental transformations in culture, coupling, and program effectiveness. This approach is still high-stakes but a lower-risk endeavour. If and when priorities change, organizations are left with a program that is operational but may not be fully effective. This is better than nothing, or a partial inoperable system, or having to start over in the future. As benefits are realized at every iteration rather than at the end they can help fund further program development. In essence, every iteration of the program generates a return on investment (ROI). Summary Many organizations invest significant amounts in tools and technologies to support compliance programs. These have the potential to improve program performance and outcomes but only when reinforced by particular levels of organizational maturity specifically associated with culture and coupling. When organizations are not ready for the tools they need organizational transformation must occur which is a risky endeavour. However, this is not as risky as implementing tools that will never realize the intended benefits. Effective change management is critical to address the people-side of change. This can be improved further by implementing technology in ways that reinforce learning of new behaviours and integrative practices. References: 1. "A guide to selecting appropriate tools to improve HSE Culture (2010)", OGP:

Organizations and individuals make promises to meet obligations of all kinds. These might be in the form of duties, commitments, responsibilities, or customs connecting with such things as: a license to operate a business, a license to practice a profession, a license to drive a vehicle, becoming a citizen of a country, becoming a member of an association, getting married, being part of community, signing a contract, and so on. When we enter into these arrangements we accept the conditions to meet the specified obligations. This is a promise we make not under compulsion, but voluntarily and usually with good intentions. However, over time and for a variety of reasons, we may find that the promises we have made are not being kept. The gap between the promises we have made and those we no longer keep is a measure of integrity. Measures of integrity do not only apply to people. They also apply to such things as engineering systems and processes that we use to operate our businesses. For example, when mechanical integrity has been compromised the equipment or process in use is no longer able to perform according to its design specifications. In a manner of speaking it can no longer keep its promise to perform. As engineers we attempt to compensate for this loss by including safeguards in our designs in addition to continually monitoring any gaps in performance during operations. These gaps are also a measure of integrity and keeping them in check is necessary to keep trouble at bay and sustain safe operations. When integrity, personal or otherwise, is lost or diminished we start on a path that leads to all kinds of trouble that usually ends with disruption. We start to observe an increase in the number of problems and issues often accompanied by the presence of inspectors, auditors, and lawyers. We end up on a path that we did not choose (at least directly) or want, but one that we are now compelled to follow. This disruption comes at a cost, over and above any fines we might pay. We can avoid these troubles and the disruptions that ensue by maintaining integrity which requires that we have a measure of integrity . When it comes to risk and compliance programs a good place to start is by having clear and concise compliance specifications that describe what the obligations are, how they will be met, and key results and objectives by which performance and outcomes can be measured, Companies that have these in place will know their level of integrity. If you are unsure of your obligations or if your plans to meet them are able to perform to achieve your targeted outcomes please contact us to learn how our programs can help.

To meet the challenges of environment-first future organizations will need to establish modern compliance systems to assure environmental policies are implemented across all their operational business units, divisions, and departments. In this post we outline a policy management approach based on ISO 14000 that provides the means to align and coordinate environmental commitments flowing from an organization's environmental policy across all of its operations. This framework consists of three primary functions: Policy Development Policy Deployment Policy Implementation 1. Policy Development The purpose of policy development is to create and maintain an overarching operational environmental policy to direct and govern environmental performance across the enterprise. This begins by taking inventory of both regulatory requirements along with voluntary commitments. These obligations provide overall direction, industry and regulatory targets, and objectives covering aspects associated with: Board Priorities Strategy and Plans Laws and Regulations Assets / Operations Stakeholder Concerns Using this information organizations are then able to set appropriate organizational outcomes, direction, and goals commensurate with the level of commitment and operational risk, all of which are used to establish an overarching policy. This policy is "operational" in nature as it defines specific commitments for the organization bridging the gap between intention and action. 2. Policy Deployment Once an operational environmental policy is created it will need to be deployed across existing operations, departments, and services. Policy deployment keeps the organization on track and from drifting away from its environmental obligations. To be effective policy commitments must be operationalized into internal systems, processes, and procedures. This is assurance-by-design which when done well decreases the need for excessive inspections and audits. It also holds operations accountable for its environmental performance. The operationalization of environmental commitments is captured in individual deployment plans for each divisions, department and service. 3. Policy Implementation Each business unit, division or department will implement their individual environmental policy deployment plan and evaluate their progress. Assurance is improved by evaluating performance and engaging in continual improvement which although required more with voluntary obligations is increasingly becoming the norm for regulatory requirements. Establishing a modern environmental assurance framework will help organizations do what they say and say what they do when it comes to meeting their environmental, social, and governance obligations (ESG).

Over the last several years what is traditionally called risk management has undergone significant criticism from professionals, practitioners and benefactors of its practices and principles. For the most part these criticisms are justified. Up until now risk management has been practiced across disparate domains each having their own definition of risk, taxonomy, rigor, and practices for amelioration (some do not even have that as an objective). One risk domain might focus on better decision making informed by quantifying the value at risk usually in financial terms. Another domain might direct its attention to preventing risk from becoming a reality by implementing controls and measures. Some will talk about hazards and obstacles while others will speak of threats and events. Most will focus on negative outcomes and fewer the positive side of risk. Some will deny that positive outcomes are risks at all and others will espouse that using heat maps is pseudo science, and if you are not using Monte Carlos you are not doing risk management. Some are trying to find the elusive black swan and most are trying to realize the benefits from risk management in a world that is calibrated to measure things that happened rather than things that may or may not. As companies have continued to elevate the role of risk management further up in their organization the lack of consistency and coherency has become more prevalent driving much of the criticisms we now observe and for the conclusion by some that r isk management as a whole is broken which is something I agree with. What the risk profession needs more than ever is a conceptual frame that is comprehensive enough to properly incorporate the way that risk manifests itself in reality as a whole not only in particular categories. The Game of Snakes and Ladders Risk as we now understand it is a manifestation of uncertainty which has been described as the fabric of reality found all the way down to quantum level. It should therefore come as no surprise that this reality has been present since the beginning of time and of course in the game of “Snakes and Ladders.” This is an old game but has important lessons to teach us about how risk manifests itself in reality. “Snakes and Ladders” captures a reality of life that for every path you take there will always be the possibility of snakes waiting to take you down. However there is also the possibility of ladders to rise above them. The International Standard Organization’s ISO 31000 guidelines defines risk (and rightly so) as the effect of uncertainty on objectives. As an aside, this definition has perhaps had the most impact in recent years to advancing the domain of risk management. In the game, uncertainty is represented by the roll of the dice which serves to turn possibilities into reality, the effects of which can be both negative or positive. You can be bitten by the snake and sent back down or find yourself climbing a ladder towards your objective. The presence of uncertainty affects everything. Contending with Snakes (managing threats) Snakes hinder getting to where you want to go or what you are trying to achieve. They take you down in the game, in business and in life. However, not all snakes matter. The snakes that matter are the ones in your path. These snakes can sometimes be avoided, or their effects minimized but they can never truly be eliminated. Snakes can be active as in the case of bad actors who want to take you down. Snakes can also be passive, holes in your defences that wait to be exploited. All snakes contribute to the uncertainty of winning the game. In business this uncertainty is manifested in the form of institutional or operational risk; the effects of uncertainty on mission objectives. You can wait for snakes to come or you can take advantage of ladders to stay above them. However, what the game teaches us is there will always be snakes. Climbing Ladders (exploiting opportunities) Ladders are the opposite of snakes. Instead of taking you down they take you up. Ladders help to advance your progress towards what you are trying to achieve. As with snakes, not all ladders matter; some are more useful than others. Ladders can help to avoid snakes which is what traditional risk management focuses on. Ladders can also represent opportunities to get ahead. Winning strategies not only build defences against snakes, they also include measures to exploit opportunities to win the game. Deciding which Game to Play (evaluating value at risk) The game of snakes and ladders is a game of chance. However, in life and in business winning strategies must also consider the effects of choice which have their own snakes to contend with. You can choose to avoid as many snakes as possible or decide to build more ladders to improve your chances of winning, or any combination of both. Which option do you pick? To decide which is best you need a way of determining which strategy among alternatives is most likely to succeed. In many cases you can calculate the probabilities and the cost of one strategy over another. However, even when you can't you still need a way to choose which game to play and what strategy to use to win. A New Risk Management Framework Although the game of “Snakes and Ladders” is a simple one created years ago it is based on observing how risk manifests it self in the world over hundreds of years. The following principles derived from the game have past the test of time:" Chance (uncertainty) affects everything. There will always be snakes (threats) to contend with. Ladders (opportunities) are necessary to overcome snakes and win the game. You need a way to decide which game to play and how to succeed. It is disconcerting that many risk managers are not aware of these basic principles and how to use them to advance mission success. All too often only one aspect of risk is considered usually driven by a particular set of analysis tools or definition of risk. A few years ago I conducted a risk workshop with a group of managers who were considering structural changes to their organization. During this meeting one of the managers commented that there were no risks since there were no hazards. This was coming from an approach to risk that is common in safety; when you eliminate the hazard you eliminate the risk. In other words, no hazard no risk. This was technically true since of course there were no physical hazards. However, there were organizational hazards, uncertainties, and associated risk. There were options that needed to be evaluated and opportunities to exploit to improve the probability that intended outcomes would be achieved and negative ones might be minimized. Unfortunately, there was no framework that everyone understood for effective discourse to occur. The effects of this problem surface throughout organizations across every sector. When we talk about risk we are seldom talking about the same thing. Risk management must move beyond individual risk domains, tools and approaches if it is to have the role that it should have in an organization. Of course it will always be necessary for specialized research and practices to support individual risk categories. However, the way we talk about risk should be the same across all of them. Until that happens risk management will not be as effective as it could or needs to be. Confusion rather than certainty will prevail and we all know where that leads. The current frames to describe risk are overly reductive lacking the scope to properly describe and effectively contend with uncertainty. In other words, how we frame risk has become more important than what is inside the frame. As we transition into a new year, my hope is that we continue the transition towards a coherent and comprehensive risk framework. The work that ISO has done is a good start. However, we need to continue to build ladders that will help risk management move up in organizations and be effective in the role that it needs to have.

In recent years, standards and regulations have specified the need for companies to adopt improvement models or frameworks for their risk and compliance programs. The need for maturing systems is not new and there are many: methods, frameworks, and models that can be applied to improve business and compliance processes. Frequently, I come across those who promote approaches based on the CMMI framework along with those who suggest using the Plan Do Check Act ( PDCA ) cycle and everything in between. At a high level, CMMI takes a capabilities and systems perspective to improvement and has been used successfully for years. What makes the CMMI framework so compelling is that it provides a way to assess process maturity. You can identify where you are and what the next step should be. Likewise, the PDCA cycle has also garnered much attention due its success in improving quality. One of the ways that the PDCA cycle helps is when you know where you want to go but not sure exactly how to get there. It provides a way to take incremental steps, validate the results, and then advance further to the next objective. The LEAN Improvement Kata (IK) also referred to as "Toyota Kata" goes even further. This is a coaching approach where the best coaches help the learner to learn to improve. It is more of a meta approach and Toyota Kata is an excellent example of how this is done. The improvement Kata incorporates the scientific method to discover a path forward towards an overall direction instead of just a point improvement. In my experience, the CMMI approach is well suited to program level objectives and initiatives. Whereas, the PDCA cycle provides an accessible approach for front line workers to identify and implement incremental and equally valuable improvements to existing processes. The Improvement Kata (IK) with its focus on direction can help to align processes to overall system and sometimes even program objectives. Choosing a continuous improvement approach is important and you may need more than one. A common and unfortunate tendency is to use a "one size fits all" approach when making these kinds of decisions. Whatever approach you take, the important decision is to make continuous improvement part of your process at the onset. Don't wait until the last step in your implementation plan for this to happen. What is even better is when continuous improvement becomes part of your culture and practices at all levels of the organization.

GRC is an acronym for: governance, risk, and compliance which originated from the management consulting world to describe processes needed to bridge the gap between a board and the CEO. GRC establishes the context by which the "ends" defined by the board are met through the "means" of an organization. The primary drivers for GRC originally stem from the United States of America’s Department of Justice (DOJ) sentencing guidelines as a way to: Avoid prosecution, Prevent loss, and Demonstrate compliance The purpose of GRC is to provide oversight, manage risk, and assure that legal and regulatory requirements are met. Evidence of these processes is demonstrated by audits conducted by internal functions which may include third parties. GRC has mostly concerned itself with meeting prescriptive regulation applied to finance, code of conduct, and more recently data privacy (IT). The primary mechanism by which this is done is through the audit function. In fact, for many companies, the words compliance audit, and even GRC are used interchangeably. This is indicative of companies that use an audit-fix cycle as the means of steering their organizations. This method of governance has been used for years for assuring the integrity of financial statements and correcting non-compliant processes. However, it is too slow and too late to address the effects of non-conformance leading to loss of life, reputation, stakeholder trust, and more generally where the effects are irreparable. Unfortunately, when compliance only has an audit “hammer” everything looks like a nail which increases the tendency to "double down" on audits. This creates the side effect of reinforcing reactive behaviours that contributed to the need for doing more audits in the first place. As one board member asked, “how do we get ahead of all this?” This is the question that GRC is fundamentally trying to answer. In addition to a compliance role, companies may also have a risk management function. This is gaining more support but suffers from a lack of effectiveness. Risk management at the corporate level has more to do with decision making regarding investments rather than buying down risk to ensure that the outcomes for decisions that have been made are achieved by the organization. The latter requires risk management approaches more aligned with improving safety than it does calculating value at risk. In recent years, there has been an increased desire to integrate GRC across its functions (G, R, and C) and throughout the organization. The non-profit organization, OCEG, is well known in the industry as leaders in the advancement of this direction. Although, there are other standards and regulatory bodies such as COSO (Enterprise Risk Management Framework) and ISO who are also extending their body of knowledge to create a more integrated framework. However, most the work to-date has focused on improving audit efficiency and consolidating existing practices. Very little has been done to improve effectiveness. To effectively bridge the gap between the board and the CEO, GRC must go beyond simply integrating disparate processes and improving efficiencies. A more holistic approach is needed based on proactive behaviours and practices. One way to accomplish this is by viewing GRC as a capstone that connects management to the board rather than as isolated functions that sit outside the board and organizational structures. Architecturally, capstones connect supporting members so that together they are able to carry all the weight. Although, and this is critical, capstones do not bear the primary load, however, without them the other members cannot bear their forces. This approach can serve as an overarching framework and as an ideal for how GRC could be more effective. GRC would not bear the primary weight for governance, risk and compliance, but would connect the board and organizational structures so that they can. GRC would become a form of self-regulation which is another way of describing the purpose behind GRC. In this context, GRC provides the processes to advance outcomes, address threats that hinder or opportunities that help to achieve those outcomes, and embed conformance in the same way that quality and safety are designed into products and services. The purpose of each function would now be to: Regulate (steer towards) outcomes, Ensure (make certain) outcomes are achieved, and Assure (confirm) that outcomes were met. GRC implemented in this fashion could better address all compliance objectives including: quality, safety, security, environmental, and regulatory objectives by reducing overall risk which would increase the certainty that progress is made by the organization towards its desired "ends." And this progress defines the measure of effectiveness not only for GRC, but also for the organization.

Compliance is all about staying between the lines and ahead of risk. This requires organizations be proactive and integrative with their compliance. This is best accomplished by having effective Operational Governance – the proactive side of compliance. In this blog post, we explore three essential functions of Operational Governance that will enable organizations to stay on mission, on budget, and on-side. Provide Vision and Direction: At the heart of effective Operational Governance lies a clear vision and direction. By defining where we are going and the path we are taking, we can set the destination that will guide our every decision and action. A compelling vision not only inspires and motivates employees but also provides a shared purpose that aligns their efforts towards a common goal. Effective leaders must communicate this vision consistently and ensure it resonates throughout the organization, empowering teams to make decisions that steer them towards the desired future. Align Operational Objectives with Organizational Values: To stay between the lines and avoid straying off course, operational objectives must be closely aligned with the core values and principles that define the organization. This alignment acts as a compass, guiding decision-making processes and ensuring that every action taken is consistent with the overall mission and vision. By integrating values into operational strategies, organizations can create a strong ethical foundation that not only mitigates risks but also strengthens trust among stakeholders. An unwavering commitment to organizational values cultivates a culture of integrity, excellence, and accountability. Regulate Organizational Capabilities, Behaviours, and Practices to Deliver Value: The pursuit of protecting and ensuring value necessitates a vigilant focus on continuously regulating and refining capabilities, behaviours, and practices. By proactively identifying gaps and shortcomings, organizations can implement targeted measures to enhance their performance and deliver sustainable value. Effective Operational Governance demands a systematic evaluation of internal processes, the establishment of robust controls, and the development of best practices that streamline operations and maximize efficiency. By fostering a culture of continuous improvement, organizations can proactively adapt to emerging challenges and seize opportunities that propel them closer to their defined destination. Summary In a rapidly changing business environment, Operational Governance is not a luxury but a necessity. By providing vision and direction, aligning operational objectives with values, and regulating capabilities and practices, organizations can stay between the lines and mitigate risks that may jeopardize their success. It is through these deliberate actions that organizations can forge a path towards sustained growth, cultivate a culture of excellence, and secure their position as leaders in their respective industries. Embrace the power of Operational Governance , and watch your organization flourish as you confidently navigate the journey ahead.

Compliance can either be a " necessary evil" or a " necessary good ". The path you choose will determine: whether you are reactive or proactive , your approach to risk , and the effectiveness of achieving your outcomes. The path of " necessary evil " is fraught with uncertainty and is driven by inspections and audits. You are always behind and always catching up. Even with the multitude of action items that come from these audits, you cannot "react" your way to better outcomes in the same way that you cannot inspect your way to better quality. The path of " necessary good" is one that not everyone takes. It is based on: anticipating, planning, and acting to be more certain about meeting compliance obligations. It is a road less traveled because it requires a desire for better outcomes, instead of maintaining the status quo. This is the difference between leading and managing compliance and leadership is in short supply. Not choosing is also a choice. It's a decision to "just see what happens" and hope that everything will turn out alright. Unfortunately, this also leads to reactive compliance. In fact, it is far worse than the path of "necessary evil" as nothing is done even to mitigate the effects of non-compliance. When it comes to compliance, you must choose a path to take. You can take the highway that is frequently traveled by those who believe compliance is a "necessary evil." Here you may find comfort at least in knowing that many others are taking this path too. Or, you can take the road less traveled, and be in the company of those that want more than just to pass an audit. You will be with those that want to see: better outcomes, improved safety, increased quality, appropriate risk, less environmental damage, and more meaningful work, and through it all earn the trust from their stakeholders. It's up to you. Which path will you take?

Over the last several years I have written, along with others, concerning the need for compliance to be more proactive. This is set against a prevailing reactive approach characterized by waiting until something bad happens or compelled by laws, or pressured by stakeholders to improve compliance particularly with respect to safety, security, sustainability, environmental, and other high-risk objectives. Reactivity, in these contexts is not desirable or the best behaviour for organizations that want to stay between the lines and ahead of risk. However, reactivity is not on its own negative. There are many cases where reacting to past events is exactly what's needed. One such place, critical to compliance, is to adapt to variations in systems and processes to ensure systems perform within specified boundaries. This is accomplished by measuring outputs and comparing them to a defined standard. Deviation from standard results in corrective actions to eliminate the gap and return back to normal operations. This reactive process is foundational for regulating processes of all kinds including those used in compliance. It's found everywhere within organizations and contributes to shaping overall corporate culture. In this article we consider how to exploit the power of reactivity to achieve more than just staying between the lines. We will explore how to hack reactivity in pursuit of future goals, so that we can also stay ahead of risk. The Power of Systems - Resisting Change Compliance systems are used to meet procedural obligations such as adherence to standard operating procedures, controls, measurements, management review, audits, and so on. In addition, compliance will also have performance obligations associated with goals and targets connected with commitments. These will include, for example, targets connected with zero emissions, zero violations, zero defects, zero breaches, and other vision zero initiatives. In both cases, processes are established to measure change from conformance or performance standards. Any change from standard (called a deviation) is then eliminated. The presence of deviation initiates corrective actions in the form of a CAPA (Corrective Action and Preventive Action). Corrective actions may arise from audits or inspections but also as part of system level monitoring. To address a deviation, an iterative process such as a Plan-Do-Check-Act cycle may be conducted and repeated until the deviation is minimized or eliminated. While this process is reactive since corrective actions are triggered by past events, it's possible to harness this reactivity to meet future goals. The key to leveraging reactivity for proactive ends lies in bringing the future into the present, by making anticipated goals into actual goals and raising standards to meet future needs. Changing Goals When embracing a new goal, a gap emerges between the current and desired system states. This gap shares similarities with deviations that are addressed by means of corrective actions. Since this gap has not yet happened, instead of executing corrective actions in response to actual performance, improvement actions are conducted in anticipation of future levels of performance. An example of this approach is the Toyota Kata, a process associated with the Toyota Production System. It involves: The Improvement Kata, a four-step routine focused on setting challenging objectives, understanding the current situation, defining the next target, and experimenting toward that target. The Coaching Kata represents leadership's role in guiding individuals or teams through this improvement process, fostering continuous learning and problem-solving. Toyota Kata can be viewed as an adaptive process that integrates both proactive and reactive behaviours to pursue a better future state. Defining future objectives and targets is proactive while experimenting towards successive targets is reactive. Raising Standards Improvement methodologies such as Toyota Kata are not the only way that we can harness reactive behaviours to achieve proactive ends. Another approach is to leverage the system itself to improve. Raising standards induces the affected system in the present to adapt to new levels of performance targets by invoking reactive behaviours. The system will initiate corrective actions to achieve and sustain the new level of performance. In this case, corrective actions are used as improvement actions triggered by the adoption of higher standards. This approach is considered proactive in terms of the future state of the system but reactive concerning addressing the gap between the old and new standard. An Integrative Approach The cases we have considered share similarities. They both change system performance triggered by either past or future events which create: corrective or improvement actions respectively. When combined together they form an adaptive system: Adaptive systems refer to systems that have the ability to adjust and modify themselves in response to changes in their environment or in accordance with specified goals. These systems are designed to be flexible and responsive, allowing them to thrive in dynamic and evolving conditions. Adaptability, is one of the properties of the Operational Compliance Model we introduced in previous articles: Instead of building compliance systems that react only to past events, we design them to respond to anticipated future events. This is accomplished by introducing feed-forward processes and behaviours that when combined with feed-back processes and behaviours create adaptive cycles of change across three critical aspects: conformance, performance, and effectiveness. Creating an adaptive system harnesses the power of reactivity to achieve proactive ends. When it comes to compliance, proactivity is needed to stay ahead of risk, and reactivity to stay between the lines. However, together they provide a powerful means for compliance to continuously adapt in the midst of changing obligations and uncertainties. This ensures that organizations always stay between the lines and ahead of risk. Not a luxury, but a necessity for mission success.