SEARCH

Over the years I learned that many organizations increasingly find they are not able to keep up with all their compliance obligations. On paper they are fine, but in practice is another story altogether. The cause can be attributed partly to the expansion of regulatory requirements. To stay between-the-lines many choose to double down on audits and inspections. However, this often proves to be too slow and too late to drive needed improvements, let alone keep up with the speed of risk. The traditional approach to compliance characterized by reactive, siloed, and reductive practices is unable to deliver what organizations need to meet all their obligations associated with safety, security, sustainability, environmental, quality, regulatory, fraud, and other compliance objectives. Working hard at following rules and procedures is not working or enough to realize the benefits of their efforts. Organizations are still unable to answer questions such as: Are they any safer? Is their quality better? Does their security provide adequate protection? Is fraud reduced? These have more to with outcomes of compliance rather than adherence to prescriptive rules. In many ways, organizations are caught in a trap of working hard and hoping for the best not knowing if their efforts will be effective in any unit of measure. As a result, these organizations are vulnerable and perhaps only one mishap, one non-conformance, one violation, one breach, or one explosion away from mission failure. An Old Sign On The Door How can organizations escape this trap when the sign on the compliance door reads: “We are in compliance with all applicable rules, laws and regulations as far we know. Will be back after our next incident." When there is nothing to improve, there is no need of escape. However, there are important reasons to escape this trap. Over the last decade regulators have started to modernize their programs to become more risk-based; moving away from rules towards performance and outcome-based designs. The intended impact is to enhance public safety beyond what prescription alone could provide. This means that regulators are now more focused on risk mitigation rather than adherence to rules. Also, in recent years the number and nature of obligations has increased coming from industry, stakeholders, and the investment community connected with ESG, climate change, carbon neutrality, environmental sustainability, cyber security, and many other objectives. We have reached a tipping point where there are just as many non-regulatory as regulatory requirements that need to be managed. Compliance needs a new sign. A Better Sign And A New Hope For Compliance Operationalizing obligations requires more than training, following procedures, completing checklists and conducting audits. Organizations must learn how to advance towards targets, handle risk, and continual improve their performance. This requires that organizations adopt an operational approach: one that is proactive, integrative, and holistic. A program that reduces waste, handles risk, and delivers compliance outcomes rather than only audit reports. Compliance must become an operational function not just an administrative expense. Organizations that have implemented an operational program for their compliance, have a new sign on their door: “We are experiencing the benefits of our compliance and improving our effectiveness with confidence every day. Meet you up ahead, already there." That's a better sign and a better way to do compliance.

A proactive and integrative approach to improve compliance effectiveness. Over the years working for companies in highly-regulated high-risk industries I learned that many were not able to advance or sustain continuous improvement of their risk & compliance programs. The challenges were numerous and multi-faceted dealing with such things as values, culture, behaviours, policies, goals, objectives, standards, processes, technology, resources and the like. However, these were only the downstream impacts triggered by something else. The compliance landscape had changed and the traditional approach to compliance was not able to keep up and this affected everything. A Changing Landscape Over the last decade regulators have started to modernize their programs to become more risk-based; moving towards performance and outcome based designs. The intended impact of this transformation was to achieve better outcomes rather than a doubling down of prescriptive obligations. The goal was to improve public safety beyond what prescription could provide. To accomplish this, regulators started to focus more on the risks rather than the rules. This would result in regulatory designs moving away from rules-based requirements towards performance, and outcome based specifications. Adopting these new obligations would come at a cost and would take time. Organizations under regulation would need to adopt a different mindset, skills, and practices which many did not have or have the time to learn. At a fundamental level organizations would need to become more proactive with their compliance. They would have to anticipate rather than merely react. This new mindset would be closer to managing risks rather than managing audits. Instead of inspection and audits as the trigger for change, organizations would now be expected to set their own compliance goals and objectives, establish risk measures, and measure progress towards targeted outcomes. The role of regulators would also change as they would now need to validate outcomes instead of conformance to procedures. However, more importantly, they would need to take on a different role to help establish targets and foster industry support. Regulators would be, in a manner of speaking, more concerned about the "ends" rather than prescribing the "means". The Effects Of Reactivity The downstream effect of changes in regulatory designs would catch many organizations off guard and too busy fighting fires for them to have any time to be proactive and adopt to the risk-based approaches. However, even if they wanted to, they did not know what being proactive looks like. Compliance for many had focused on managing actions coming from audits rather than proactively preventing non-conformance or pursuing targeted outcomes. Even still, given that it is impossible to inspect everything, management in most organizations would prioritize efforts on only a portion of their mandatory requirements and ignoring most if not all voluntary commitments. This left a significant number of obligations unaccounted for and mostly hidden. Reactivity was not working and being proactive appeared not to be an option. The Need For A Different Kind Of Change To adapt to modern regulatory frameworks organizations would require a transformational change in how they approached compliance. However, the constraint for many organizations was that any improvements would need to be funded from existing budgets. These improvements were not considered as investments but rather as stop gaps. Not the best conditions for a successful transformation. Fortunately, LEAN has for years helped industries such as automotive and health care and is starting to gain traction in construction, oil&gas, and other segments, to change from a reactive to a proactive culture. Could LEAN also work to transform compliance? A Case For LEAN To better understand how LEAN could help with compliance we need to go back to the early days of LEAN when it was first introduced by Taiichii Ohno at Toyota in the1950s. Taiichi Ohno, the father of LEAN, taught about the removal of waste, standard work, and continuous flow. However, that is only part of his story. Ohno also taught that the production leader is the one who "breaks" the standard. When you make an improvement, you take out your very best person from the line. It is what that person did next that is transformational. The freed up resources would work on further improvements, that resulted in even more people removed from the line. In the end, Ohno would have enough people to start an entire second production line. Instead of fractional improvements he was able to double his capacity. “Making an improvement that can take one person out results in just one person's cost being saved. If you take that person and have her make improvements, you start getting savings of two, three, four, and five people and so forth. Taking out the best person and making her improve the rest is really effective." Now, imagine if organizations followed the same process for compliance. They would still reduce waste, standardize work, and streamline the work flow. However, that too would only be part of what is possible. Freed-up resources from the reactive side of compliance could be moved over to the proactive side. They could anticipate changes, address root causes, and introduce new capabilities to always stay in compliance. If organizations did this they could also double their capacity to meet compliance obligations. This is exactly what compliance now needs, but not without first addressing LEAN’s blind-spot. LEAN's Blind Spot LEAN is well known for improving productivity. However, when it comes to compliance and such things as inspections and audits these are seen as waste and something to be eliminated. For LEAN to have a transformational effect on compliance it needed to understand that compliance and production have more in common than most realize. LEAN fundamentally is concerned with removing variation from processes. Compliance is also concerned with this but calls in uncertainty. Instead of defects (or poor quality) as the effects of variation, compliance focuses on non-conformance (or risk) as the effects of uncertainty. Variation and uncertainty are really two sides of the same coin. Instead of eliminating waste by contending with variation, compliance eliminates risk by contending with uncertainty. In fact, we can say that waste is the outcome of ineffective compliance and is indeed something to eliminate. Adding Risk Management To LEAN Reducing these wastes (i.e. risk) now becomes the mandate for lean practitioners working in compliance domains including environmental, safety, security, quality, ethics and regulatory programs. ISO 31000 defines risk as the uncertainty on objectives. Broadly speaking, uncertainty takes the form of epistemic (lack of knowledge) which you buy down and aleatory uncertainty (having to do with chance and variability) which you treat with margins. This differentiation can be visualized using a modified version of Michael Porter's Value Chain Analysis (VCA). LEAN applied across the organization helps improve efficiencies which improves margins which buffers or guards against aleatory uncertainty – the outcomes it doesn’t want. This buffer can be used to fund proactive, risk-based compliance to drive down risk by improving the certainty of meeting obligations. In other words, it helps organization stay between the lines and achieve the outcomes it does want. To realize these benefits we need to operationalize compliance which starts with making compliance operational. Operational Compliance For compliance to be operational it must be more than a disparate set of practices or something tacked onto the end of a process. Instead, it must be a system of processes that work together to increase the certainty of achieving compliance objectives and outcomes. To do this compliance must implement all essential behaviours and properties of a goal-driven system. Compliance needs to encompass feed-forward processes that steer towards goals and objectives. It must also have feed-back processes to correct for deviations from planned targets. It must be capable of meeting obligations at the necessary performance levels to achieve the intended outcomes. It must also be continuously improved across all levels. If this looks like a production system you are getting the idea. Operational Readiness When compliance is trying to achieve operational readiness many take a phased: element first-approach. This comes from years of prescriptive obligations and a focus on implementing "shall statements" in order to pass certifications and audits. When the focus is on meeting "shall statements" rather than improving outcomes we find these familiar steps: Understand the elements of the regulation or standard. Map existing practices to the elements. Identify where current practices do not meet the standard. Engage these deficiencies in a Plan-Do-Check-Act (PDCA) cycle. Target these deficiencies for compliance with the standard. This approach is not without its limitations the most significant being that it often fails to deliver operational systems fast enough or at all. Organizations usually run out time, money, and motivation to move beyond the parts of a system to implementing the interactions which are essential for a system is to be considered operational. For compliance to be effective in the new landscape another strategy is needed that: Achieves operational status sooner, Creates and sustains system properties over time, Provides a platform to build-measure-learn with the least cost Another way of saying this is that you cannot implement a holistic system partially. We know from systems theory that systems are never the sum of its parts but rather the product of its interactions. It is these interactions that cause emergent properties to be produced. For compliance systems these are the outcomes we are targeting: zero incidents, zero violations, zero fatalities, zero emissions, and so on. Lean Compliance's approach builds on the work by Eric Reis (Lean Startup) that emphasizes system interactions to achieve operational status sooner than traditional approaches. This approach includes the following activities: Identify and evaluate mandatory and voluntary: prescriptive, performance, and outcome-based obligations. Map obligations to existing governance, programs, systems, and processes. Identify and evaluate measures of conformance, performance, and effectiveness. Identify and evaluate uncertainties to meeting targeted goals and objectives. Identify and evaluate capabilities, capacity, and performance to meet and sustain obligations. Implement minimal viable compliance (MVC) based on essential behaviours and properties that can be improved on over time. Elevate compliance effectiveness by improving the MVC using a build-measure-learn process. This produces a compliance system that might start off looking like a bicycle but will soon look like a motorcycle, and then a car, and so on. What you will not have is an assortment of disparate compliance parts that are not working together that maybe some day will deliver. Summary Organizations of all shapes and sizes are struggling to meet all their regulatory and stakeholder obligations. Traditional approaches to compliance have not delivered or kept up with changes to regulation or the adoption of stakeholder obligations. This exposes organizations to significant non-conformance risk but more importantly reduces the probably of mission success. A different approach is needed that is able to protect value but also helps to create it. The application of LEAN has produced transformational results for many organizations in the manufacturing sector. These same principles and practices can be used to free up resources to implement proactive compliance programs to help organizations keep up with the speed of risk. LEAN can improve efficiency and with a new focus on risk can also improve the chances that organizations meet all their obligations in the presence of uncertainty. Getting started If your current approaches have not worked and you are falling behind on your obligations we encourage you to join The Proactive Certainty Program™ – A proactive and integrative approach to improve compliance effectiveness. We are always looking to work with ethical and ambitious organizations who are future-oriented and strive to always improve their performance. If this sounds like your organization, you may be interested in joining our program. We offer the first step at no cost. During this hands-on, working session we help you assess your current situation and identify areas to quickly improve your compliance.

“Not all those who wander are lost” - Gandalf, LOTR We cannot always know what a thing is without first knowing how it relates to our purpose and goals. Let’s imagine we are walking on a path on the way home. We notice a huge boulder up ahead. How would you perceive this boulder? Psychologists say we don’t see objects only as things. In fact, we see them also as something that is useful (an opportunity) or as or something that is not useful (an obstacle). We see things through the lens of our goals: If we have no goal, the boulder is just a rock. If we want to get home, the boulder is an obstacle preventing us from getting home. If we are tired, the boulder is a chair; a place to sit down and rest so we can make it the rest of the way home. If we are in need of safety, the boulder protects us from walking into a sink hole to ensure that we make it home. What we perceive is based on what we are trying to achieve or what we need. What this means for risk This is why risk should not be evaluated in isolation. Risk must be considered in connection with objectives. Whether something is a threat or an opportunity depends very much on what we are trying to accomplish. Sometimes a risk is just a thing. It isn't connected with any goals and therefore doesn't affect what we are doing. Too often these are the majority of what is contained in risk registers – they are unconnected things on a list. Other times risk look like obstacles. They hinder or are in the way of meeting our business goals. These obstacles need to be avoided or handled to improve the probability of achieving our goals. In the words of Gandalf from LOTR, "Not all those who wander are lost." In the same way, not all rocks are obstacles and not all risks are threats. Sometimes, they are opportunities to help us achieve our goals and need to be exploited. These are rocks that can be used as chairs to sit on, barriers to protect us from harm, or some other use that will improve our chances of success. What this means for compliance For compliance to improve its risk perception it needs to look through the lens of its goals connected with: Obligations - this will help to see obstacles and opportunities associated with meeting obligations (Compliance Risk). Objectives - this will help to see obstacles and opportunities associated with keeping commitments (i.e. promises) associated with obligations (Operational Risk). Doing this will create better risk registers but more importantly provide better measures to improve the probability of achieving compliance and realizing its benefits. It also will avoid wasting time cataloguing rocks that don't matter, no offence to geologists.

When it comes to compliance, there are numerous obstacles that can hinder success, and it is vital to avoid or eliminate them. However, it's not the obstacles that appear to be the primary issue. Many people often express something crucial is absent—something that should be present but isn't. This is the point at which discussions about gaps come into play creating a list that includes gaps in training, procedures, processes, cultural aspects, and more—the usual suspects. But there is something else, something between the findings from the last audit and the preparations for the next one. Something they can't quite put their finger on. This invariably leads to the next question: "Can you assist us?" The answer is yes, but merely filling in the gaps won't be enough. To truly address the situation, we must first tackle the root cause that has led to your current situation. It’s what you are really missing, but up until now have never addressed. What many companies in your situation lack is: the opportunity to make things better, to be proactive rather than reactive. There are often reasons given for this lack of proactivity, such as budget constraints, resource shortages, and a constant barrage of urgent issues. These factors have trapped many in what seems to be an inescapable cycle. Breaking free from this trap is possible, and necessary. Although, it may require taking a leap of faith. Not a blind faith, but a faith grounded in the knowledge that being proactive can and will enhance compliance. Instead of waiting for something bad to happen, you can anticipate something good. Instead of dealing with symptoms, you can address the root cause and prevent symptoms ever happening. Instead of being uncertain and unsure, you can have confidence in your ability to meet all your obligations. The most significant risk to compliance isn't the obstacles that may hinder it, but the opportunities that are never taken to improve it. That's what compliance is truly missing, and the gap that needs to be closed. And yes, we can help you with that.

Over the years I have observed that there is one reason that stands above all others as to why compliance programs fail and why they are never effective. This reason has nothing to do with what should be done but rather in how it should be done. It has everything to do with the means rather than the ends. Traditional road maps to implement compliance programs focus on steps that start with low hanging fruit and often the closing of procedural gaps. The premise is that you need to address these basic steps before you can effect real change. It is only in the last step where real transformation begins when optimization and continuous improvement processes are introduced. This is where effectiveness is finally the focus. However, most never get there. Is there a better way? Let's find out. The Traditional Approach This traditional approach, which some may notice is similar to the waterfall approach in project management, almost always takes too long to reach the end. This results in fatigue setting in, funds running out, and leadership losing interest. Rarely do companies ever reach the last step where effectiveness is finally evaluated and improved. These compliance programs never reach operational status let alone effectiveness. Organizations have parts of a system but never a system that actually works. At this point companies start over again having never gained ground of any significance. A Better Way Instead, a capabilities improvement approach such as Lean Startup evaluates effectiveness at each stage of implementation defined by successive Minimal Viable Performance (MVPs). This approach ensures that you have all the essential behaviours and capabilities in place to be operational while you ramp up performance over time. This is more akin to an agile approach where you always have working code. The same is true here, you always have an operational compliance system – a compliance system that works. Perhaps at the beginning it looks more like a bicycle but over time it becomes a motorcycle, car, a train, and perhaps even a plane. You always have more than just parts – you always have something that can get you from here to there. However, many companies still create their compliance road maps based on building more parts rather than on building a system that can be improved over time. That is why these companies will never have an effective compliance system. In fact, many will never have a compliance system that works and that can get them to better outcomes.

In recent months there's a buzzword that has been circulating: "Proactive Risk Management." While it may seem like a term that denotes a forward-thinking approach to mitigating risks, it is essential to pause and reflect on whether this phrase is truly meaningful. In this article, we delve into the topic of risk management and why the term "Proactive Risk Management" might not be as relevant or necessary as it seems. The Essence of Risk Management Before we explore the idea further, let's establish the fundamental principles of risk management. At its core, risk management is a proactive endeavour, characterized by anticipating, planning, and acting to create an impact. In essence, the very definition of risk management embodies this concept of proactivity. After all, its primary goal is to identify, assess, and handle risks before they materialize into issues or incidents. Risk Management vs. Issue Management A crucial point of contention arises when people confuse risk management with issue management. The two are distinct concepts and should not be conflated. Issue management typically occurs in response to non-conformance, problems, or incidents that have already happened. This process involves corrective and preventive actions aimed at rectifying the situation and preventing its recurrence. Issue management is inherently reactive, addressing events that are in the past. On the other hand, risk management is forward-looking. It deals with uncertainty and aims to identify potential risks and their consequences before they come to fruition. In this context, there is no such thing as "reactive risk management" because by definition, risk management focuses on what might happen in the future, not what has already occurred. The Fallacy of "Proactive Risk Management" Now, let's return to the crux of the matter – the term "Proactive Risk Management." The inherent problem with this terminology is that it adds an unnecessary layer of redundancy. As we've established, risk management is inherently proactive, and there is no need to qualify it as such. To label it as "proactive" is, in fact, tautological and can lead to confusion. Furthermore, by using the phrase "Proactive Risk Management," we risk perpetuating the misconception that risk management, as traditionally understood, is also a reactive process. This misconception undermines the crucial role of risk management in various industries, including safety, security, sustainability, quality and other compliance domains. The Importance of Clarity Clarity of terminology is essential in professional domains. When we use terms like "Proactive Risk Management," we risk diluting the significance and distinctiveness of risk management as a proactive discipline. It is crucial to differentiate between risk management and issue management to maintain the integrity of these processes. While the intent behind the term "Proactive Risk Management" may be to emphasize the forward-thinking nature of risk management, it inadvertently muddles the understanding of this essential discipline. Risk management, by its very nature, is proactive, and there is no need to qualify it as such. It is crucial to use precise terminology to ensure that risk management retains its distinctiveness and fulfills its role in contending with uncertainties and potential threats. As professionals in the field of risk management, let's strive for clarity and precision in our terminology, avoiding the unnecessary redundancy of "Proactive Risk Management."

– G.K. Chesterton. When I founded Lean Compliance in 2017 I was encouraged to write blog posts to help draw attention to our website. What I did not realize until much later was how much this weekly habit would generate far more than just clicks on a web page. It became a way of making progress in the presence of uncertainty. Starting to write As an engineer and a visual learner writing did not come easy. I was better at diagrams and using them to understand as well as communicate ideas and concepts. This of course is helpful as an electrical/computer engineer where schematics, block diagrams, and flowcharts were the currency for my work and my career. Those who are engineers will know that most of the writing we do is in point form and technical. The thought of having to communicate using full sentences was certainly intimidating. However, I felt that important things needed to be said so I started to write. I took to heart the quote by G.K. Chesterton " If a thing is worth doing, it is worth doing badly ." Some of my first blog posts where just a diagram with a paragraph explanation. Others were longer, some (perhaps most) needed more editing, more thought, and some needed to put in the bin.  However, on a few occasions something good came through which resonated with the audience I wanted to communicate with and those who were following me on this journey something that I had never imagined. A weekly habit with compounding benefits Writing started in fits and starts but in time became a weekly habit. I have now written hundreds of articles over the course of 5 years. Some of these have been published and some will become content in my upcoming book. However, all of the blog posts were me thinking out loud which is scary but necessary to do. Writing allowed me to test ideas and better conceptualize the challenges facing compliance and how best to address them. Through writing I have made connections and had conversations with amazing people who are on similar journeys across the diverse domains and industries were compliance finds itself. Some of these interactions have led to meaningful engagements becoming clients of Lean Compliance. All of this happened because I started writing blog articles to attract people to a web site. This did happened but the other benefits were the real lesson of the story. A quote and a process worth repeating We are never good at anything at the beginning. It takes time to master a topic, learn a skill, write blog posts or even achieve compliance effectiveness. In the spirit of C.K. Chesterton we can write: Improving compliance effectiveness is something that is worth doing and worth doing badly. The most important step is to get started. For me it was to start writing. Poorly at first, but improving over time. For compliance, it starts with being proactive – to anticipate, plan, and act to make certain that all your promises are kept. At first this will be scary, forced, and frustrating at times. You may want to give up and go back to the old way of doing things (i.e. the audit-fix cycle). However, if you endure you will get better and things will be easier for you. You will also start to see benefits of the kind that compound over time. As you continue you may even find that being proactive is no longer the struggle it once was. You will find it second nature as writing now is for me. Establishing the habit of pro-activity will improve your compliance but even better you will experience the benefits of always being in compliance – the true lesson of the story. Remember, “If a thing is worth doing, it is worth doing badly.” You just need to start. So what are you waiting for?

Over the years I have heard many voice their concerns about using zero as a goal or target. This voice seems loudest in the safety field. In a recent article from Energy Safety Canada, The National Safety Association’s for Canada’s Oil and Gas Industry, Murray Elliott (CEO) outlines their move away from using zero harm messaging. In this article he writes, “Zero harm concepts are a mindset in which all accidents and injuries are avoidable. These are often referred to as target zero, mission zero, beyond zero, or similar, with a common belief: if you’re not aiming for zero, you’re not making your best effort. At what point does striving to reach an improbable goal become more important than what’s actually happening?” He further writes: “Zero harm is a mindset in which all accidents and injuries are avoidable. The next step in the evolution of safety is to shift our view and create capacity in a system so that when humans make mistakes — and they will— the system can accommodate them.” For Elliott, safety is foremost about reducing risk and and increasing worker engagement: the foundation for continuous improvement. While I don’t disagree that safety is about risk and that continuous improvement involving workers is important I want to discuss the movement away from zero harm messaging. Lessons from Quality When quality started to gain traction the focus was on zero defects which created similar challenges to what we are experiencing with safety. Zero defects was the slogan and eliminating defects was the modus operandi. Was the focus on zero defects misguided? The problem was not so much with zero defects as a goal but rather it being the terminal or end goal. Zero defects was an instrumental goal towards achieving something better. What it did expose was that Inspections and audits were insufficient to drive down defects or improve quality. You can't inspect quality into your process! As a result organizations looked upstream to improving process capabilities specifically by reducing variation (a source of uncertainty and risk). The better the capabilities the better the output and the lower the defects. This moved management’s attention away from zero defects to contending with process variation with six sigma as the gold standard. Striving towards six sigma was now the modus operandi. However, this too was an instrumental goal and not the end goal. Contending with uncertainty at all levels of the organization would become the next challenge as part of Total Quality Management (TQM). The goal had changed from zero defects, to six-sigma, to delighting customers (the outcome of quality). To achieve this a holistic approach would be needed following these 8 principles (some of these are not very different from what Elliott is suggesting): Customer focused Total employee involvement Process centred Integrated system Strategic and systematic approach Continual improvement Fact-based decision making Communications Is striving towards zero defects still important? Yes. Is striving towards six sigma capabilities still important? Yes. However, what is also important is delighting customers — the actual test of quality and this required a holistic and integrated approach. Something that Safety is also noticing. What quality learned was striving towards instrumental goals (continuous improvement) was the secret sauce by which quality would be improved. The targets as important as there were are not the end but the way to the end — something that would never be fully reached but worthwhile nevertheless. Something that Safety is also realizing. Application for Safety In many ways, what Elliott along with others in the safety field have written aligns with the trajectory that quality followed. Is striving towards zero incidents important? Yes. But this is not the end goal. In the same way as quality, we need to look beyond and behind the numbers at sources of uncertainty and improve our capabilities to contend with them. Process safety management, functional safety, and occupational safety are becoming more risk-based and performance oriented. Perhaps, six-sigma process capabilities may not be possible but striving towards reduced variation (i.e. reduced uncertainty) is an important goal for safety as it is for quality. Elliott, is right on the nose with this. Elliott says that “Safety should not be about the number of incidents, but about outcomes and what we can learn from them.” I would argue that safety is still about the number of incidents but not only that. The goal should not be only about learning either. Safety must have a qualitative effect on actual safety in the workplace and zero harm while problematic for some is the best measure we have. What some are suggesting is something similar to TQM for safety – Total Safety Management (TSM). TSM could provide a holistic approach that might bring together both behaviors (Safety 1) and systems (Safety 2) to transform our approaches from safety management to actually managing safety. The outcome would be a safe environment for our workers, communities, and the environment. Who knows, this might delight as well. Is this realistic? Perhaps not. Is it worthwhile to strive for? Absolutely. That is worth restating. It is in striving towards ambitious targets that creates the motivation and the capabilities to achieve something better. That was and is true for quality and will also be true for safety. In the End If we move away from zero harm as some are suggesting we may end up making similar mistakes as some have made with quality. If you make process capability maturity (i.e. six-sigma) your goal that is what you will get. You will make products that are defect free but may not delight the customer (making the wrong product the right way). That doesn't mean you don't have it as a goal. It means it's not your only goal. In the same way, if Safety makes continuous improvement or work engagement its goal you will get just that. You will may end up with change for the sake of change and not experience the safety you need. You still need to have other goals. And that's the point. If zero harm is not your goal than you will not achieve it. You can hope for the best. You might be lucky. But that is not a strategy for risk. Is striving towards Zero Harm misguided? I think moving away from it is. What do you think?

In today's business environment, companies face a wide range of legal, regulatory, and stakeholder obligations. These obligations will fall into four primary categories : rules, prescriptive, performance and outcome-based specifications. Meeting these obligations can be a complex and challenging task. One way organizations can ensure they are complying with these obligations is through the adoption of procedural and programmatic compliance approaches. In this article, we will discuss the differences between these two approaches and explore which one is better suited to meeting each type of obligation. Procedural Compliance (Compliance 1) Procedural compliance refers to the processes, and procedures that a company puts in place to meet its compliance obligations. It provides assurance that the organization's is able to meet prescriptive aspects of obligations, focusing more on activities rather than the result. Procedural compliance typically involves documenting "as-is" processes and policies and ensuring employees follow them. This approach is often seen as a top-down approach, with management setting the rules and employees following them. The benefits of procedural compliance are that it establishes a clear framework for compliance and provides a record of compliance efforts which aids the audit function. This can be useful in demonstrating compliance to regulators or stakeholders. Additionally, it ensures that everyone within the organization is working towards the same goals. However, the downside of procedural compliance is that it can be inflexible and bureaucratic, leading to a lack of engagement and commitment among employees to meet the desired outcomes. Programmatic Compliance (Compliance 2) Programmatic compliance, on the other hand, focuses on outcomes and policies rather than activities. This approach involves setting goals and objectives for compliance and measuring progress towards these goals. It is more about ensuring capabilities are in place to meet desired outcomes and avoiding undesirable ones. Programmatic compliance is often seen as a bottom-up, or better, a participatory approach, with employees taking greater responsibility of compliance efforts along with the intended results through program and obligation ownership. The benefits of programmatic compliance are that it encourages agency, innovation and flexibility. Employees are empowered to find new and creative ways to meet compliance obligations, which can lead to better outcomes. Programmatic compliance also fosters a culture of compliance, where employees understand the importance of compliance and are committed to achieving compliance goals. However, the downside of programmatic compliance is that it can be more difficult to demonstrate compliance to regulators or stakeholders. It is easier to observe evidence of conformance rather then evaluate capabilities to effectively contend with uncertainty and risk. Which Approach is Better? So, which approach is better suited for each type of obligation? Procedural compliance can help assure that the organizations are following established processes and procedures to meet compliance obligations. This approach is particularly useful in industries where regulation is mostly prescriptive and rule-based. In such industries, procedural compliance can help ensure that all legal and regulatory requirements are met, and the organization can avoid the severe consequences of non-compliance such as the loss of their operating license. On the other hand, programmatic compliance may be more effective in industries where compliance obligations are focused on stakeholder expectations associated with outcomes such as customer privacy, security, sustainability, along with others. In these industries, a participatory approach that encourages innovation and flexibility may be more appropriate. Programmatic compliance allows employees to take ownership of compliance efforts and the results, which can lead to a more engaged and committed workforce. It also helps establish a social license by promoting a greater degree of loyalty, reputation, and trust . Summary Both procedural and programmatic compliance have their strengths and weaknesses, and the best approach will depend on the organization and its specific compliance obligations. While procedural compliance provides assurance that the organization is following compliance rules associated with obligations, it focuses more on activities rather than the result. Whereas, programmatic compliance provides assurance that the organizations is meeting its obligations to achieve performance targets and advancing stakeholder outcomes. Regardless of the approach or approaches taken, it is essential that organizations prioritize compliance and regularly assess their compliance efforts along with results to ensure they are meeting their obligations and contending with uncertainty. By doing so, organizations can minimize the risks associated with non-compliance and build a culture of compliance that promotes long-term success and greater stakeholder value.

In a world of constant change and unpredictability, our conventional understanding of risk management falls short of addressing the complex challenges that organizations face today. The old model of risk assessment, primarily focused on mitigating the consequences, no longer serves as a sufficient framework. Instead, a paradigm shift is required, one that emphasizes understanding and adapting to the root causes of risk: uncertainty. Traditionally, risk management was synonymous with damage control – identifying potential threats and minimizing their impact. However, this approach fails to consider that risks are deeply rooted in uncertainty. Today's risk management demands a shift from reacting to consequences to anticipating causes. This new perspective acknowledges that uncertainty is not just a factor to consider, but the very essence of risk itself. Types of Uncertainty: The Root Cause of All Risk Uncertainty is not something to be avoided or eliminated; it's a fundamental aspect of operating in a dynamic and interconnected world. Modern risk management entails learning to navigate this uncertainty rather than trying to eliminate it entirely. Uncertainty is not inherently negative; it also brings opportunities for growth, innovation, and competitive advantage. Organizations must shift their mindset from risk avoidance to risk optimization. To effectively manage risk arising from uncertainty, it's crucial to delve into its various types: Aleatory Uncertainty : This refers to inherent randomness or variability, often associated with natural events like earthquakes or market fluctuations. While not entirely controllable, these uncertainties can be better understood and factored into decision-making processes. Epistemic Uncertainty: This stems from lack of knowledge or information. Epistemic uncertainties can be addressed through research, analysis, and learning. As we gain more insight, they become less uncertain. Model Uncertainty : Often, risks are assessed using models that may not accurately reflect reality. Model uncertainty recognizes the limitations of these models and their potential deviations from actual events. Managing Uncertainty: Irreducible and Reducible Risks Uncertainty can manifest in both positive and negative ways, leading to either opportunities or threats. These can be broadly categorized into irreducible and reducible risks: Irreducible Risks: Some uncertainties are inherent and cannot be prevented. For these, organizations rely on margins, insurance and contingency reserves to buffer against potential losses (threats) and leveraged to pursue gains (opportunities). Reducible Risks: Other uncertainties can be handled through risk measures and controls. By actively seeking to reduce these uncertainties, organizations can lower the likelihood and impact of adverse events or improve the likelihood and impact of favourable events. Sources of Risk The effects of uncertainty may present themselves from a variety of sources that can be classified into three categories: Extrinsic Risk: These originate from external factors like economic shifts, geopolitical events, or technological advancements. Organizations must develop strategies to adapt to changes beyond their control. Intrinsic Risk: Internally generated uncertainties arise from variability within an organization's operations, systems, and processes. Addressing these requires building resilience and flexibility into the core of the organization. Emerging Risk : Complex systems and organizations are inherently dynamic, leading to uncertainties that emerge over time. Staying agile and ready to pivot is key to managing these emerging risks. Thriving in the Presence of Uncertainty Risk management is not about eliminating uncertainty but about embracing it as a fundamental reality. Organizations that excel in risk management understand that they always operate in the presence of uncertainty. By shifting the focus from only handling consequences to a focus on root causes organizations position themselves not only to survive but to thrive in dynamic and changing environments. It's time to rewrite the playbook of risk management and learn what it means to improve the probability of mission success in the presence of uncertainty.

Organizations are constantly seeking ways to eliminate waste and optimize their operations. One often overlooked source of waste is the untapped talent within their workforce. A key contributor to this waste is structuring roles around specialized activities, which inadvertently restricts the extent of contributions towards overall goals and outcomes. This issue becomes particularly evident when it comes to meeting compliance obligations. Despite assembling teams of specialists to address various aspects of compliance, organizations often struggle to achieve the desired outcomes. The root of the problem lies in managing individual tasks instead of focusing on the holistic success of compliance programs and systems. It is not a lack of talent that hinders progress; rather, it is the under-utilization of existing talent in key areas that hinders efforts to achieve better outcomes. Compliance efforts require a multifaceted approach that goes beyond individual tasks. While specialization has its advantages, such as developing expertise in specific areas, it can create silos that prevent collaboration and limit the impact of individual contributions. By broadening the scope of employee roles and encouraging cross-functional collaboration, organizations can tap into the diverse talents of their workforce. Breaking down the barriers of specialization allows for a broader understanding of compliance obligations and fosters collaboration towards achieving desired outcomes not just specific objectives. The following measures will help unlock available talent and help improve overall compliance effectiveness: 1. Aligning Talent with Compliance Programs: Organizations should align talent more effectively with compliance programs and systems. This involves identifying individuals and teams with the right skills and knowledge to contribute to compliance initiatives beyond their specialized areas. By actively involving these individuals in the design, implementation, and evaluation of compliance programs, organizations can leverage their collective expertise and experience. This approach ensures that compliance efforts are not fragmented but rather driven by a comprehensive understanding of the broader objectives. 2. Developing Integrative Compliance Strategies: Instead of solely focusing on managing individual tasks, organizations need to develop integrative compliance strategies. This entails considering the interconnectedness of compliance efforts and understanding how each task contributes to the overall success of the program. By taking a systems thinking approach, organizations can identify areas where the collective talent of their workforce can be harnessed to optimize compliance outcomes. This may involve restructuring roles or creating cross-functional teams dedicated to compliance, ensuring that the right talent is deployed where it can make the most impact. 3. Embracing Technology and Automation: Another way to unlock unused talent is through the strategic use of technology and automation. Routine and repetitive tasks can be automated, freeing up valuable human resources to focus on higher-value activities. By streamlining compliance processes through technology, organizations can optimize the utilization of their talent, enabling them to contribute meaningfully to more strategic aspects of compliance. This shift allows employees to apply their skills, knowledge, and critical thinking to address complex challenges and drive positive outcomes. 4. Fostering a Culture of Continuous Improvement: To fully leverage unused talent, organizations must foster a culture of continuous learning and improvement. This involves creating an environment where employees feel empowered to voice their ideas and suggestions for enhancing compliance efforts. Encouraging innovation, providing opportunities for professional development, and recognizing and rewarding collaborative achievements will motivate employees to actively contribute their talents towards maximizing compliance outcomes. Next Steps Underused talent is a waste and when comes to compliance this waste hinders staying between the lines and ahead of risk which leads to possible loss and missed opportunities. In the pursuit of effective compliance, organizations must recognize the importance of utilizing their existing talent. By moving beyond specialization, aligning talent with compliance programs, and adopting integrative strategies, organizations can unlock the potential of their workforce. Embracing technology and automation, along with fostering a culture of continuous improvement, are essential to create capacity and the opportunity for talent to be leveraged.

The value stream is where value is created but also waste which erodes the value of the products and services we are delivering. At a fundamental level, LEAN is about satisfying customer requirements with the least amount of waste as possible. By applying LEAN principles and practices organizations protect value by reducing or eliminating this waste. There are many forms that waste manifests itself within a value stream. The most common include: Overproduction – production that is more than needed or before it is needed Inefficient processes – more work (or quality) required by the customer Mistakes / rework – efforts caused by rework, scrap, or incorrect information Waiting – wasted time waiting for the next step in the process Inventory – excess products and materials not being processed Transport – unnecessary movements of products and materials Motion – unnecessary movements by people Creativity – non-utilized talent However, this list doesn't end there. We know that customers are only willing to pay for the work that directly contributes to the creation of value. This is why many companies view compliance, particularly in the form of inspection, as a form of waste because it is seen as not directly contributing to satisfying customer requirements. Specifically, compliance adds to waiting, unnecessary movements, and to inefficient processes. These are indeed wastes when looked at in this way. But is this the best way to think about compliance – as a waste? Customers do expect that companies build their products in accordance with regulations and standards. They expect that the environment will not be harmed, employees not injured, and that companies operate according to the rule of law and within ethical guidelines. If you don't believe this then eliminate risk & compliance functions from your organization and see what happens. These expectations are as much customer requirements as are product or service requirements. Meeting compliance expectations creates legitimacy, trust and ultimately customer loyalty. These create value and without them it does not matter if you eliminate all the other forms of waste or reduce your cycle times to the lowest that they can possible go. As we know customers will only pay for those things that contribute to value and that includes the outcomes of compliance: safety, quality, environmental, privacy and other stakeholder expectations. Customers refuse to buy products or services or even work for companies that choose not to meet their compliance obligations. In fact, they value companies with higher standards over those that only conform to the minimum from a legal perspective. When companies consider compliance as a necessary evil they tend to use mostly inspections and audits which can contribute to waste in the value stream. However, when compliance is seen as a necessary good, it is included as part of customer requirements. When this happens companies design compliance into their products and services as well as the processes that create them. This not only eliminates "waste" but also creates added value that results in reduced risk, increased trust, and sustainable growth through increased customer loyalty.