  • When Compliance is the Problem

    As with many things in life, there is more than one side to every story. The same is true when it comes to compliance. There is the act of conforming and the thing we are conforming to. When we set high standards that create a better version of ourselves, our products, or the world around us, compliance is usually not a problem. We may not have the capabilities to achieve the standard, so we improve our performance, adhere to the rules, and stay between the lines because we know that by doing so we will achieve the desired results. However, when standards are low or malicious, compliance becomes a problem, and rightly so. Conformance with practices, rules and behaviours that create unfavourable results and make things worse should be challenged and, when necessary, avoided. As Gandalf from the Lord of the Rings said, "Even the very wise cannot see all ends." So we need to be mindful that we cannot know the true end to everything we do. However, blind conformance is never a good idea and has led to unintended consequences and in some cases atrocities that should never have happened. Compliance can be a problem, but it's not usually the act of conformance which bothers most people. It is what we are complying with that causes the most heartburn. What do you think?

  • Are You Auditing What Really Matters?

    Audits have been used for many years to confirm the integrity of financial statements and that proper accounting procedures have been used. In recent decades auditing has also become table stakes not only for finance, but also for quality, safety, environmental and regulatory management systems. As with accountancy, the auditing function does not evaluate the effectiveness of your financial system, nor does it do so for quality, safety, or environmental systems. Auditing only confirms that you are following acceptable practices (usually defined by a standard) and that the outputs of the system have not been interfered with or tampered with. The evaluation and auditing of system effectiveness is not part of the auditing or the compliance function, so which function is it a part of and what should it be auditing?

    Auditing as Quality Control / Assurance

    Auditing has become the core function across almost all compliance domains, similar to what quality control and assurance functions have done for quality management. The American Society for Quality (ASQ) defines quality control as follows:

    - Quality Control – can be defined as "part of quality management focused on fulfilling quality requirements."
    - Quality Assurance – can be defined as "part of quality management focused on providing confidence that quality requirements will be fulfilled."

    Quality control is more the inspection aspect of quality management. It answers the question: are we following the right steps the right way? Quality assurance, on the other hand, relates more to quality outcomes. The confidence provided by quality assurance is twofold — internally to management and externally to customers, government agencies, regulators, certifiers, and third parties. Assurance is demonstrated when "all the planned and systematic activities implemented within the quality system can be demonstrated to provide confidence that a product or service will fulfill requirements for quality."

    However, even assurance that the right steps have been done the right way is not enough to ensure compliance outcomes. Something else is needed.

    A Shift that Shouldn't be Ignored

    Before we look at the answer to these questions, we first need to recognize a shift that is happening with respect to regulatory designs. Increasingly, regulatory and standards bodies are transforming their operations, taking on a more risk-based approach focused on outcomes and continuous improvement. This has resulted in the introduction of regulations and standards that are moving away from prescriptive requirements to performance and risk-based requirements. Organizations are expected to establish their own means (the how) by which they will achieve targeted goals and objectives. This affords greater latitude for organizations to better address complex and systemic problems. It also holds them accountable for the outcomes of their systems, where in the past they have only been responsible for the outputs of prescriptive requirements.

    This shift has in many cases come with much confusion. It is not uncommon to find performance-based frameworks including prescriptive "shall" statements related to "how" it should be done. After years under the tutelage of prescriptive regulation, the pull towards having something to audit is very strong, which, while understandable, creates confusion for those adopting new and updated regulations and standards.

    What Then Should Be Audited?

    Increasingly, obligations that arise from regulation along with industry standards are requiring that organizations make progress towards what are often called Vision Zero targets. These include zero harm, zero fatalities, zero incidents, zero emissions, zero violations and so on. Advancing these goals requires risk-based approaches and the continuous improvement of capabilities to generate appropriate levels of performance for progress to be made.

    When we now think about compliance we should be considering the goals that are being targeted. An important distinction that can be made is between "terminal" and "instrumental" goals. Terminal goals are the highest-level objectives that we want to reach. They define the "ends" of our compliance programs, for example: zero defects, zero fatalities, zero violations, zero releases, zero fines, and others. Instrumental goals are intermediate outcomes or results that are critical or that must occur in order to achieve the higher-level outcome. These are often used to define Measures of Effectiveness (MoE) for compliance programs as they provide a clear indication of progress towards terminal goals. Measures of Effectiveness can be used to validate compliance programs to ensure that they are fit for the purpose of advancing outcomes.

    The following are Measures of Success for compliance frameworks that support performance and outcome-based obligations (see previous figure):

    - Measures of Effectiveness (MoE) – critical to program success, independent of any technical implementation (i.e. the how). Focuses on the ends, not the means.
    - Measures of Performance (MoP) – measures that relate to the operations of the compliance program, systems, and processes. These are the measures of capabilities needed to be effective.
    - Measures of Conformance (MoC) – critical to compliance, where failure may be cause for reassessment of the program. These tend to be prescriptive legal requirements but may include voluntary practices.

    Auditing has traditionally been helpful to verify Measures of Conformance but now needs to support Measures of Performance and Effectiveness. The latter is the task of governance and program management. Together they identify the destination and then steer the organization towards it. To be effective they need compelling answers to these questions:

    - Where should we be heading?
    - How will we get there?
    - What is our strategy?
    - What capabilities and resources do we need to get there?
    - What obstacles are in the way?
    - How will we measure our progress?

    The audit function now forms a validation function connected with progress towards targeted outcomes rather than only conformance to shall statements. Those in the pharma and medical device industry will recognize this distinction between verification and validation. You can build a pacemaker that meets all design specifications (which you can verify) and yet fails to keep your heart pumping. This is precisely the shift that is happening with safety, environmental and regulatory objectives. You can build a system that conforms to all the standards and yet fails to make any progress on outcomes. This is why compliance should now audit outcomes over outputs.

    Additional Reading:

    - https://www.leancompliance.ca/post/four-misuses-of-audits
    - https://www.leancompliance.ca/post/four-steps-to-proactive-compliance

  • Why Compliance Should Leave Low Hanging Fruit To The End

    When it comes to implementing systems, or achieving anything of significant scope, size, or complexity, we will at some point be advised to pursue low hanging fruit and easy wins as a place to start. This advice is usually well intended and at some level of analysis makes sense. It can help get things started while not getting bogged down with the hard stuff. It also doesn’t cost very much to make progress, at least at first. This will help concerned parties (i.e. upper management) feel better about our project when achievements are reported early and often. So what's the problem?

    The problem with fruit

    The reason why we want to pick low hanging fruit first is that they are already ripe. They also are at risk of falling on the ground or rotting on the vine. However, what is most important is that they are ready to be picked – we don't have to wait, just grab a basket and start picking.

    When it comes to projects beyond the simple ones, the fruit analogy breaks down. To start with, we are often not picking from only one tree or the same fruit. In fact, we may not even have orchards growing any fruit at all. We need to build the orchard first and cultivate it so it will grow the fruit we need.

    The biggest problem with the fruit analogy, and particularly low hanging fruit, is that it leads to working on the easiest things first and leaves what is most at risk and what really matters to the end. This is when budgets are smaller, options are few, and there is very little patience to deal with things, as we often will hear “just get it done.”

    Those that manage project risk will know that it is best to front load efforts with the hard things, deliverables that are most uncertain, and particularly the tasks that will generate the greatest impact – the things that really matter. Projects need to drive down uncertainty hard, fast, and first while focusing on those things that create the greatest value. This is where real progress needs to be made.

    Compliance is fond of picking low hanging fruit

    Unfortunately, when it comes to compliance, we like low hanging fruit far too much. Compliance often imagines non-conformance or audit findings as low hanging fruit or, more specifically, bad fruit. We look for them using audits, we pick them from the ground and take corrective action to pick them from the tree next year. We then rinse and repeat in the name of continuous improvement. At the end of the year we pat ourselves on the back for having picked so many bad fruit.

    This reactive and reductive mindset is so prevalent that it is evidenced across almost every dimension of compliance when organizations concentrate their efforts on:

    - Addressing elements rather than the principles of a standard or regulation
    - Closing gaps rather than addressing root causes
    - Meeting mandatory requirements rather than all commitments
    - Relying on best efforts rather than best results
    - Focusing on inspection / auditing rather than capabilities / performance
    - Achieving certification rather than better outcomes
    - Waiting (being reactive) rather than anticipating (being proactive)

    These practices always leave the hard stuff to later and often for someone else to take care of. As a result, risks are never properly dealt with and the outcomes of compliance are never realized. It is no wonder that compliance programs are seldom effective. Compliance is so busy picking bad fruit that it never gets around to preventing the fruit from getting bad in the first place. We need a better analogy and a better approach.

    Compliance needs to leave low hanging fruit to the end. In fact, it should abandon the fruit analogy altogether. Compliance is better imagined as treating a disease rather than picking fruit. The prognosis of poor compliance if left untreated is the loss of a business and perhaps even the loss of life. We are better off treating the disease, not the symptoms. In fact, we are better off preventing the disease in the first place.

    Maintaining the health of an organization and its stakeholders should be the goal of effective compliance. This mindset will lead to a focus on anticipation, contending with risk, practising healthy behaviours, and treating illnesses over just focusing on symptoms (or once again picking fruit). If followed, this holistic approach will increase the probability of the organization being around for years to come.

    It will mean doing the hard things first, as we all know when we are trying to improve our own health. For starters, we have to exercise and eat well. Not easy, but necessary if we want to improve our health and also experience the benefits of a healthier lifestyle. The same is true for compliance. We need to do the hard things first. We need to exercise the behaviours and practices that produce better outcomes so that organizations can finally realize the benefits of their compliance efforts. Time to leave the low hanging fruit and easy wins aside. It's time to do the hard stuff. Not easy, but necessary.

  • Four Misuses of Audits

    Audits were first adopted by financial institutions to identify and prevent fraud. Their focus was to test the integrity of accounting procedures and financial data. Since then, audit practices have developed alongside changes to standardized accountancy and now play a crucial role in governance, risk, and compliance activities. At the same time, the audit function has grown beyond the financial function to cover other compliance programs such as occupational health and safety, process safety management, environmental, quality, security, and so on.

    However, there are important differences between auditing financial statements and ensuring compliance outcomes, particularly when it involves safety. Not understanding these differences has resulted in the misapplication of audits as outlined in the following four misuses:

    1. Audits go beyond the "what" and provide remedies for the "how"

    Auditing should verify the integrity of reports and the processes used to create them. However, all too often, audits are used to prescribe "how" compliance should be met. Providing remedies happens all too frequently with external but also with internal auditors that have their own view of how compliance should be done. This practice was rightly stopped in the financial sector as audit firms cannot provide advice of this kind. Unfortunately, this correction has not yet taken hold across many regulatory, standards and certification organizations supporting quality, safety, security, sustainability, and other compliance objectives.

    2. Audit findings are used to set compliance obligations

    Audit findings produce a list of corrective actions that are often used directly by compliance managers to establish what the obligations should be. This poses several problems, particularly when the audit findings inappropriately prescribe remedies as discussed earlier. Another problem is that findings can be based on an auditor's interpretation of a standard or regulation. This leaves companies struggling to revise their approaches only to have them change again the following year when a different auditor conducts the audit.

    Companies should not immediately accept remedies or an auditor's particular interpretation. Instead, companies should decide for themselves the level of commitment for each obligation and hold management accountable for the means by which they are met. Compliance accountability is a managerial role and not that of an audit committee or auditor.

    3. Audit findings are used as the only source for compliance improvement

    Many companies only use audit findings to drive change to their compliance programs. These findings can be helpful but are not enough, as audit findings are too slow to provide feedback and are too late to prevent risk from becoming a reality. Relying only on audits doesn't make sense when it comes to safety, quality or dealing with the environment. This is like waiting until you hit the guard rail before you realize that you were driving outside the lines. Companies need to use leading indicators and actions instead of waiting for an audit to tell them when they are offside.

    Also, findings never consider stakeholder or voluntary goals that companies may choose to pursue. Standards along with regulations are at best minimum specifications, and companies may choose to go above and beyond them and often do. It is observed that over 50% of obligations are driven by stakeholder expectations, not regulatory requirements. This is expected to increase with further adoption of ESG objectives. Including the entire scope of obligations would help promote trust, strengthen a company's social license and demonstrate that compliance is valued. Doing the minimum that regulation demands is a weak position, especially when it comes to safety.

    4. The audit function inappropriately assumes managerial accountability for compliance

    The lack of clear accountability for compliance obligations often results in the audit function taking on this role and determining how compliance should be met and what the obligations should be. This diminishes the responsibility of managers who have the compliance role and should be the ones who are accountable. In addition, the audit function requires significant resources to fill in the accountability gap, which it is unable to do.

    This results in many companies being uncertain of where the goal line is and where they are in relationship to it. As a result, they spend tremendous effort in preparing for and conducting audits every year to discover the status of their compliance. Companies are now conducting pre-audits to get ready for internal audits to get ready for external audits, all in the hope that they satisfy a benchmark specified by an external auditor or regulator, which is something that companies should already know and be certain of. When it comes to safety or cybersecurity, waiting for an audit every year (or every other year) is far too late to find this out and creates unnecessary risk for employees and stakeholders.

    All of these audit misuses result in significant waste and, more importantly, the lack of compliance assurance, the very thing that organizations (inappropriately) look to audit to provide. Companies should take ownership of their compliance obligations and execute proactive steps to ensure they are met. They should not defer or wait for an external auditor to tell them if they have achieved their own compliance obligations. Meeting compliance obligations is a performance process just like anything else a company does, and it is time to bring it back inside and in front where it belongs.

  • Compliance Excellence - A Road Less Traveled

    There are many places in business where performance is critical and the drive to excel pushes organizations beyond their current limits to achieve remarkable outcomes. We call this the pursuit of excellence. However, when it comes to compliance, this pursuit is one that few companies take. Compliance excellence is something that companies rarely discuss, let alone put on their list of strategic priorities. And yet, it is a lack of effective compliance that contributes significantly to why many are often only one recall, one explosion, one violation, or one mishap away from losing their regulatory license and, what is becoming as important, their social license to operate.

    While there are many volumes of books, papers, legal briefs, and other documents concerning compliance, many of them focus on complying with prescriptive obligations, mostly through the narrow lens of legal affairs. In the rare cases where the lens is broadened, it results in a stack of separate departments each addressing a different obligation source: one for safety, quality, environmental, cybersecurity, and so on. Each function has its own resources, systems, processes, and practices, and even its own culture.

    Although implemented separately, what they do have in common is the same reactive strategy reinforced by an audit / fix cycle. This approach is characterized by looking at what has already happened, correcting non-conformances, and then determining how to prevent them in the future. Not only is this expensive (at least three times), it is too slow and too late to make any real and significant difference in outcomes.

    A reactive strategy is like steering your car by looking through the rear view mirror. You only see things through the lens of past performance, and often after you hit the guard rail, hoping that it has stopped you from going over the cliff. Compliance needs to change from looking at where it has travelled to where it is going. This provides a better outlook and affords the opportunity to better stay between the lines and prevent risks that might otherwise diminish or possibly destroy value creation. While this is a road less travelled, it is the road to effective compliance and one that leads to better outcomes.

  • What Will People Be Doing 20 Years from Now?

    It is common nowadays to come across articles that claim that robots and AI will take over people's jobs. Some might even argue that this is already happening and will continue to increase with advancements in artificial intelligence (AI). In fact, if things continue on this course, all our jobs will be at risk.

    It is always difficult to predict the impact of new technologies. However, we don’t need to look very far in the past to see that automation of various kinds has already disrupted the workforce. There are numerous examples of this, such as factory automation, large-scale machinery, and even computing itself, that have significantly changed the way we live and work. Many of these changes have made both the workplace and the work itself better. We no longer need thousands of workers doing back-breaking work using shovels to mine for the raw materials that fuel our businesses, as an example.

    Nevertheless, these kinds of claims stir up uncertainty and fear for those that are dependent on jobs that might be displaced. This begs the question of what we should do about all this.

    A question from the past

    When I first started my career, I worked for a semiconductor manufacturer and was responsible for computing and information technology. At that time, enterprise computing was going through its second iteration with the introduction of ERP, CRM, and other company-wide applications. The possibility that certain jobs would no longer be needed was significant and this required careful consideration. And so I met with the president of the company to discuss how to proceed.

    He asked me a question that I have not forgotten. He said to me, “To understand how to deal with this challenge, you first need to answer the question, ‘What will people be doing 20 years from now?’” This at the time did not seem like a practical question to be asking but in hindsight was exactly the right question.

    Why do we work at all?

    If you have teenage or even college-age children you may have heard them ask similar questions: "Why do I have to get a job and why do I have to work?" Perhaps their motives for asking are less than noble. However, as parents we try to come up with a suitable answer to persuade them to get a job.

    There are many arguments one could use as to why work is important and why we are meant to work. However, the most relevant, specifically when it concerns the accelerated advancement of robotics and AI, is appealing to human potential. When we look at people (particularly younger ones) what we see in them is mostly raw potential. They have most of their life ahead of them and can become anything they want (more or less). Their potential has the ability to move themselves and society forward towards greater things. That is why we are saddened when people do not live up to their potential and why we celebrate, particularly when it is for good, when they do.

    However, to live up to one’s potential requires work and lots of it. My parents led very hard-working lives so that my siblings and I could have a better life, and for that I am very grateful. Given the chance, my parents could have been so many other things. However, they took the potential they had and turned that into something tangible. All their hard work provided for our family so that we could have opportunities they did not. You could say they were passing their potential forward through their hard work.

    Humans have been doing this for as long as humans have been around. Deep down we know that our potential is not effective unless it is converted to something real, and this always requires a substantial amount of work. In fact, quite often it requires a lifetime’s worth and only manifests itself in future generations.

    Back to the future

    So back to the question that was posed to me years ago and that I believe is still relevant today, “What will people be doing 20 years from now?” Here is my answer.

    We will always find ways to make work more efficient; robotics and AI are just recent examples. However, what is also in our DNA is our ability to take human potential and turn it into something great. Robots and AI may improve efficiency and this will no doubt displace workers. When this happens, we need to show dignity and respect for the hard work these workers have done. Who knows when we might be on the other side and told that our job is no longer needed. In fact, it is very likely that one day this will happen, if it hasn’t already.

    At the same time, there is still room for hope. There will always be a need for humans to work as long as there is potential, and there is no sign that this is in short supply. An organization's purpose will include the making of profit. However, companies can exist for a greater purpose. They can exist to create opportunities for people to work so that their potential can be realized to some degree. The greater the degree, the more humanized the workplace becomes. At the same time, when workers are used like “machinery” the work becomes dehumanizing. Perhaps this is where robotics and AI can help the most, by replacing work that is inherently dehumanizing and replacing it with what we do best - doing the work to turn potential into something great.

  • Hold Paramount the Safety, Health, and Welfare of the Public: Pass or Fail?

    The scientific method and engineering method are two approaches that are frequently used to develop technology and solve real-world problems. While these two methods share some similarities, they have significant differences in their goals, processes, and outcomes. In the context of public safety, the differences between these two methods can have far-reaching implications for society. In this article, we consider the role that each has on protecting the public from harm and steps that can be taken to improve the responsible use of technology. Separation of Concerns The scientific method is a process that involves observing natural phenomena, developing hypotheses, testing those hypotheses through experiments, and drawing conclusions based on the results. The scientific method is primarily focused on understanding the underlying principles of phenomena and uncovering new knowledge. Scientists are responsible for adhering to ethical guidelines and minimizing the risks of their experiments. They are also expected to communicate their findings to the broader scientific community and the public. On the other hand, the engineering method is focused on using scientific knowledge to solve practical problems and develop new technologies. Engineers use the principles and theories developed by scientists to design, build, and test new products or systems. The engineering method involves a range of activities, including research and development, prototyping, testing, and refining designs. Engineers are responsible for ensuring that their designs are safe, reliable, and effective. They must also consider the ethical and social implications of their designs and take steps to mitigate any potential risks. Who is Responsible for Public Safety? Both disciplines are involved in innovation and both are responsible for public safety. However, when it comes to ensuring public safety, the engineering method is seen as the primary protection against public harm. 
The reason for this is simple: Engineers are accountable and must answer for the safety of their designs. This is the duty of all engineers: Hold paramount the safety, health, and welfare of the public. When these responsibilities are ignored, engineers are in possible violation of legal and social contracts but also moral imperatives. As a result, engineers prove the technology first before it is used to solve real-world problems. The pharma and medical device industries provide excellent examples of how this works. Before a new drug or medical device is approved for use by the public, it must undergo rigorous testing and evaluation. This process involves multiple phases of clinical trials, during which the safety and effectiveness of the drug or device are carefully monitored. Only after this testing is complete and the risks and benefits are well understood can the drug or device be made available to the public. This is consistent with the engineering method. However, we don't seem to be following this approach across all domains particularly those connected with social media and AI. When it comes to those, we seem to be conducting experiments involving the public at scale without concern for public safety, mitigating the harms, or taking responsibility for the results. Ethical Failure? As previously mentioned, when it comes to public safety, those using the scientific method must ensure safe experimentation and take necessary precautions. In addition, those using the engineering method are responsible for the safe development and use of technologies in the public arena. The responsibility for ensuring public safety falls more heavily on engineers, who play a crucial role in the design and development of technology, infrastructure, and products. For this reason, engineering involves testing and evaluating new technologies before they are made available to the public. This is particularly important in fields such as pharma and medical devices. 
and should be for other fields including social media and AI. Whether the latter is a science experiment gone wild, or an engineering prototype rolled out to the public before it is ready, the violation of ethical obligations is clear. There is a common belief that technology, particularly information technology, is neutral, and that the responsibility for how people use the technology lies solely with the individuals who use it. However, this view overlooks the fact that technology is created by people who make deliberate decisions about its design, development, and implementation. In my first year of engineering design we were taught that engineering is never neutral. For example, sometimes it is better to build a better shovel than introduce massive combines to improve agricultural productivity. The former improves productivity while maintaining livelihoods and communities. The other improves productivity but often destroys livelihoods, communities, and most likely the environment as well. Social impacts are necessary design considerations for all who practise engineering. While experimenting or testing out new technologies where there is the possibility of significant risk to the public may not be illegal in every field it is questionable as it violates ethical obligations to hold the safety, health, and welfare of the public paramount. Some people argue that regulations aren't needed because they can stifle innovation and creativity. However, satisfying safety, social, and sustainability requirements may initially seem like a challenge, but they actually encourage more innovation rather than less. There may be individuals or companies who believe that they don't need to employ scientists or engineers in order to produce their products or services. This may lead to the belief that they have no professional obligations towards public safety. This view is misguided. 
    Even if a company doesn't employ scientists or engineers, they still have a responsibility to ensure that their products or services are safe for public use, if not on legal then on ethical grounds.

    Ethical Line of Defence

    The pursuit of technological advancement often comes at the expense of public well-being, with negative impacts on society and the environment being overlooked or deferred to a later time. The mode of operation can be well stated as:

    Play now, pay later

    And yes, we will all be paying for it later.

    While the dilemma between innovation and responsibility is not new, there is an immediate cause for concern when it comes to the use of technology in the public arena at the scale and acceleration we have seen in recent decades.

    Governments will in due course enact legislation and design regulations to contend with public risk, including those associated with social media and AI. In the meantime, this should not give free license to scientists or engineers to ignore their ethical responsibilities.

    Scientists and engineers should not hide behind a technical shield. They have a duty and responsibility to the public. They must individually and together form an ethical line of defence by:

    - Taking ownership of all their obligations with respect to legal, regulatory and also ethical responsibilities.
    - Being transparent concerning the communication of risks when engaging the public.
    - Speaking up on issues concerning technical and public risk.
    - Advocating for the safety, health, and welfare of the public.

    Those who choose to act responsibly will face many challenges and pressures to conform not to moral imperatives but to other less noble ones. This kind of compliance is a waste and a tax, not on production, but on the public who will ultimately pay for earlier decisions to tolerate risk – the good with the bad.

    We can do better. We must do better.

  • Critical Defeats - Managing the Last Line of Defense

    Process safety refers to a systematic approach within industries to prevent and mitigate the occurrence of hazardous incidents and accidents during the operation of chemical, petrochemical, food production, pharmaceutical, and other similar processes. The primary goal of process safety is to ensure the protection of personnel, the environment, and assets while maintaining the efficiency and productivity of operations.

    To minimize the likelihood and consequence of accidents, safety barriers (i.e. guardrails) are put in place as a layer of protection. It is often necessary to isolate, bypass, or remove components of this critical protection to allow for maintenance and other activities to be conducted. These components are often called "Safety Critical Equipment" and the process to bypass them is called "Critical Defeats." While defeating safety critical equipment is necessary, it needs to be done in a controlled and safe manner.

    Examples of safety critical equipment include:

    - Safety instrumented systems
    - DCS or PLC shutdowns and interlocks
    - Emergency shutdown valves
    - PSVs
    - Car seals
    - Fire and Gas detection systems
    - Mechanical shutdowns
    - and so on

    Digital shutdowns may also be necessary with respect to the implementation of AI systems and "human-in-the-loop" safety barriers.

    Critical defeats are most often temporary and short in duration, measured in shifts, and do not typically extend beyond 7 days. Longer duration and non-routine defeats are usually handled through the facility or asset Management of Change (MOC) process.

    To maintain safety, a clear and robust approach is needed to cover the approval and execution of critical defeats.
    At a minimum, the documentation for authorizing a critical defeat should include:

    - What is being defeated
    - The reason the defeat is being applied
    - What risks are created or exposed by the defeat
    - What alternate protection is available
    - What precautions are required to mitigate the risks
    - How long the defeat is to be applied
    - What level is needed to authorize the defeat

    As with Management of Change, a process approach helps to reduce risk by ensuring that all steps involved, including approvals, are executed and done in the correct sequence.

    An example process for Critical Defeats is shown below:

    After the defeat is approved, it should be communicated to operators and all other people who work on the equipment or process. It is common practice to include this information in shift logs or on display boards and to discuss it during handovers.

    In addition, the following activities are helpful to further manage risk:

    - Clearly define roles and properly train personnel to the appropriate level of competency
    - Ensure that there is an alternate layer of protection in place
    - Limit the number of active defeats allowed at any given time
    - Limit the duration for how long a defeat can remain active
    - Tag by-passed devices
    - Monitor active defeats on a daily basis
    - Conduct weekly audits to ensure the proper reinstatement of the defeated devices or systems

    Establishing a robust process to manage the defeat of critical protection is essential to maintaining safety. If you have an existing process, now is a good time to look at how it is performing to identify areas that can be improved.

    An important first step is to map the actual process and compare that to written procedures. Look at gaps in the process and where waste exists, such as waiting for approvals, incomplete information, over-processing, and so on.

    The critical defeat process should be viewed as a resource to keep everyone safe and not as an obstacle to getting work done.
    Shortcuts taken here expose workers and the organization to unnecessary and avoidable risk.

    Questions for Improvement

    - What gaps exist between your current critical defeats procedure and how defeats are actually approved and implemented?
    - What safety critical equipment is missing from the procedure?
    - Who should be and is currently not being notified when critical defeats are approved and become active?
    - What steps are being taken to ensure the reinstatement of defeated equipment?
    - What steps can be taken to improve how risks are identified, mitigated and managed?
    - How can you help to improve the way critical defeats are handled?

  • Compliance versus Obligation Risks

    When it comes to performance-based compliance, you need to manage both compliance and obligation risk.

    Compliance risks are the effects of uncertainty of non-conformance. These impede outcomes.

    Obligation risks (i.e. opportunities) are the effects of uncertainty of conformance. These advance outcomes.

    To manage both, the following tools and systems are helpful:

    - Bow-Tie Analysis - evaluate risk and controls to optimize risk buy-down and opportunity invest-up plans.
    - ISO 31000 Risk Management System - provides a framework to manage risks and opportunities across their life-cycle. Don't create an opportunity for threats to penetrate your defenses or opportunities to be missed by missing a step.
    - ISO 19600 Compliance Management System - provides a framework to manage all your obligations under one governance system. It does this by establishing processes to identify, implement, evaluate, and maintain all mandatory and voluntary obligations covering: quality, safety, environment, security, regulatory, and other risk-based obligations. The goal of ISO 19600 is to ensure effectiveness.

    When obligation risk is addressed ahead of time, it reduces the probability of compliance risk. Not only will you protect against loss but you also advance outcomes at the same time. It pays to be proactive.

  • Why We Need More Engineers In Compliance

    As a professional engineer working in the compliance field, I would like to draw attention to the importance of the engineering method in compliance. The engineering method is a powerful tool for developing practical solutions to complex problems, making it an essential asset in meeting stakeholder obligations.

    In this article, we will explore the key differences between the scientific and engineering methods, and explain why the latter is particularly effective in the compliance field. We will discuss the benefits of the engineering method in ensuring safety, security, sustainability, and quality, and examine how it can help meet the diverse goals of stakeholders.

    Furthermore, we will analyze why there aren't enough engineers working in the compliance field, and explore the potential reasons for this discrepancy. By highlighting the potential of the engineering method and its benefits, we hope to encourage more engineers to consider pursuing careers in compliance.

    The field of compliance is becoming increasingly important in today's globalized and highly regulated world, and it requires the expertise and skills of a diverse range of professionals to meet stakeholder obligations.

    The Scientific and Engineering Method

    The scientific method and the engineering method are two distinct approaches to problem-solving, each with their unique set of strengths and limitations. While both methods are valuable in their own right, engineering has a significant edge over science when it comes to addressing complex societal and world problems, specifically with respect to meeting stakeholder obligations.

    What is the Scientific Method?

    The scientific method is a structured approach to discovering and understanding the natural world. It is a systematic process of asking questions, gathering data, and formulating and testing hypotheses.
    The scientific method aims to develop and refine theories that explain natural phenomena by making observations, conducting experiments, and analyzing data.

    What is the Engineering Method?

    The engineering method, on the other hand, is a systematic approach to designing, developing, and implementing practical solutions to real-world problems. The engineering method involves identifying a problem or opportunity, generating multiple potential solutions, evaluating those solutions, and selecting the best one. It also involves testing and refining the chosen solution to ensure that it meets the requirements and constraints of the problem.

    Differences between the Scientific and Engineering Method

    The primary difference between the scientific method and the engineering method lies in their respective goals. The scientific method aims to develop theoretical models and explanations for natural phenomena, while the engineering method aims to solve real-world problems and improve the human condition. The scientific method is concerned with understanding the natural world, while the engineering method is concerned with applying that understanding to create practical solutions.

    Another key difference between the two methods is their approach to experimentation. In the scientific method, experiments are designed to test specific hypotheses and theories. In contrast, the engineering method involves designing experiments to test and refine practical solutions to real-world problems. The scientific method seeks to discover general laws and principles that govern the behavior of natural systems, while the engineering method seeks to optimize and improve specific systems and technologies.
    Why the Engineering Method is Important to Compliance

    Here are some of the benefits of the engineering method in meeting stakeholder obligations:

    - Systematic approach: The engineering method is a systematic approach to problem-solving that involves defining the problem, gathering information, analyzing data, developing solutions, and testing them. This helps ensure that compliance objectives are met in a thorough and comprehensive way.
    - Safety: The engineering method is particularly effective in ensuring safety. Engineers use risk analysis and other tools to identify potential hazards and develop solutions to minimize or eliminate them. This helps prevent accidents and injuries and ensures compliance with safety regulations.
    - Security: The engineering method can also help meet security objectives by identifying vulnerabilities in systems or processes and developing solutions to address them. This can include physical security measures, cybersecurity protocols, and other strategies to protect against threats.
    - Sustainability: The engineering method is well-suited to meeting sustainability objectives by developing and implementing solutions that minimize environmental impact and conserve resources. This can include designing more efficient systems and processes, reducing waste, and implementing renewable energy sources.
    - Quality: The engineering method can also help ensure quality by developing and implementing quality control measures, testing and validation procedures, and other strategies to ensure products and services meet desired standards.
    - Stakeholder goals: The engineering method is effective in meeting the diverse goals of stakeholders by identifying their needs and developing solutions that address them. This can include engaging with stakeholders throughout the design and implementation process to ensure their concerns and preferences are considered.

    The engineering method is a powerful tool for meeting compliance objectives.
    Its systematic approach, risk analysis tools, and problem-solving strategies can help develop effective solutions that meet obligations to address a diverse set of stakeholder needs.

    Why We Need More of the Engineering Method

    While the scientific method has contributed enormously to our understanding of the natural world, it has limitations when it comes to solving complex societal and world problems. These problems often require more than just theoretical understanding; they require practical solutions that can be implemented in the real world. This is where the engineering method comes in.

    By focusing on practical solutions, the engineering method is better equipped to address complex problems such as climate change, resource depletion, and public health crises. The engineering method is goal-oriented, interdisciplinary, and collaborative, making it well-suited to tackle these multifaceted challenges.

    In addition to its problem-solving capabilities, the engineering method also has the potential to drive economic growth and social development. By designing and implementing new technologies and systems, engineers can create jobs, improve quality of life, and promote sustainable development.

    Why There Are Few Engineers Working in Compliance

    There are a few reasons why there may not be as many engineers working in the compliance field:

    - Lack of awareness: Engineers may not be aware of the opportunities that exist in the compliance field, or they may not fully understand the role of compliance in organizations. This lack of understanding may lead them to pursue other career paths.
    - Different skill sets: Compliance professionals often require skills that engineers may not possess. While engineers are trained to solve technical problems, compliance professionals require skills such as communication, regulatory analysis, and policy development.
    - Different career paths: Engineers may choose to pursue career paths in technical roles, such as product development, research and development, or technical consulting. These career paths may be more aligned with their technical skills and interests, and may not require them to shift to a compliance role.
    - Perception of compliance as a non-technical role: There may be a perception that compliance is not a technical field and that it does not require a strong technical background. This perception may dissuade engineers from considering a career in compliance.
    - Perception of compliance as an audit problem: When compliance is left to the audit department, it is too late to be proactive and to do the problem solving, design, and building of solutions needed to meet stakeholder obligations. These engineering activities need to happen earlier for organizations to stay ahead of risk. This perception limits the opportunity for engineering to make a difference.

    However, it is worth noting that many organizations are recognizing the importance of technical expertise in the compliance field, particularly in areas such as data privacy, cybersecurity, and product safety. As a result, we may see more engineers entering the compliance field in the future.

    Conclusion

    Engineers are crucial in meeting compliance obligations, yet their presence in the field is not as prevalent as it could be. Lack of awareness, different skill sets, and perceptions of compliance as a non-technical field have contributed to this gap. However, the engineering method offers a systematic approach to problem-solving that can help meet stakeholder obligations comprehensively and effectively. By identifying and addressing potential hazards, optimizing systems and processes, and developing sustainable solutions, engineers can help ensure compliance with safety, security, and sustainability regulations.
In addition, the engineering method's interdisciplinary and collaborative nature makes it well-suited to tackle complex societal and world problems, such as climate change and public health crises, and drive economic growth and social development. As more organizations recognize the importance of technical expertise in the compliance field, we can expect to see more engineers entering the field in the future.

  • A Burning Platform of Reactive Compliance

    Do we now have a burning platform with respect to reactive compliance?

    On May 16, 2018, a report was published following a review led by Dame Judith Hackitt focused on issues related to high-rise residential buildings in response to the Grenfell Tower (UK) fire in 2017.

    From the report:

        The key issues underpinning the system failure include:

        - Ignorance – regulations and guidance are not always read by those who need to, and when they do the guidance is misunderstood and misinterpreted.
        - Indifference – the primary motivation is to do things as quickly and cheaply as possible rather than to deliver quality homes which are safe for people to live in. When concerns are raised, by others involved in building work or by residents, they are often ignored. Some of those undertaking building work fail to prioritise safety, using the ambiguity of regulations and guidance to game the system.
        - Lack of clarity on roles and responsibilities – there is ambiguity over where responsibility lies, exacerbated by a level of fragmentation within the industry, and precluding robust ownership of accountability.
        - Inadequate regulatory oversight and enforcement tools – the size or complexity of a project does not seem to inform the way in which it is overseen by the regulator. Where enforcement is necessary, it is often not pursued. Where it is pursued, the penalties are so small as to be an ineffective deterrent.

        The above issues have helped to create a cultural issue across the sector, which can be described as a ‘race to the bottom’ caused either through ignorance, indifference, or because the system does not facilitate good practice. There is insufficient focus on delivering the best quality building possible, in order to ensure that residents are safe, and feel safe.

    Hackitt's report calls for an overall shift towards outcome-based compliance and that the development of this guidance be moved to the industry.
    This aligns with the principle that risk should be owned by those who create it, which was introduced into UK health and safety law in the 1990s.

    This is also why the first step towards proactive compliance is to take ownership of your obligations. If you don't own your obligations, you will not own the risks and treat them with the attention they deserve.

    Hackitt's report raises several issues. The following is very telling and, along with the others, is common in other countries and sectors:

        We must also begin thinking about buildings as a system so that we can consider the different layers of protection that may be required to make that building safe on a case-by-case basis. Some of the social media chatter and correspondence I have read whilst I have been engaged in this review shows how far we need to move in this respect. The debate continues to run about whether or not aluminium cladding is used for thermal insulation, weather proofing, or as an integral part of the fabric, fire safety and integrity of the building. This illustrates the siloed thinking that is part of the problem we must address. It is clear that in this type of debate the basic intent of fire safety has been lost.

    Hackitt's report contains additional insights and recommendations and can be found here.

  • Motivations

    Decision makers today are often faced with making decisions that cross multiple dimensions and where uncertainty and risk are present. One of the biggest decisions they make involves the level of commitment to managed quality, safety, environmental or regulatory programs, all of which involve contending with uncertainty and risk.

        "When faced with a set of uncertainties which cover a range of future states, some of which are unfavourable, then the uncertainties constitute a hazard. When we form an intent to act within that hazardous situation we are faced with a risk. The manner in which we deal with that risk will challenge us with an ethical dilemma. In a situation where the risk frame is more complex than a simple good/bad choice and the ethical frame is more complex than a simple right/wrong choice, then we are faced with a need for decision integrity. This is especially so when emergent circumstances present us with incalculable issues and destroy the rule book’s validity."

        Cybernetics and Systems Theory in Management: Tools, Views, and Advancement

    Decision integrity is difficult to achieve when motivations are not aligned. High performing organizations seem to do better at making decisions that align with three motivational factors: is it legal, is it beneficial, and is it ethical – the right thing to do?

    Legal Motivation: Here we are looking at what is required or permissible through the eyes of the law. This is usually the first and often the last place that companies look for compliance requirements. Adhering to these will meet minimum obligations which, while reducing the probability of fines and keeping companies out of jail, may not go far enough in making progress towards zero incidents, fatalities, defects, violations and so on. This is why we need to go further.

    Beneficial Motivation: Here our decision making looks at what is useful to achieving the goals and objectives of the organization.
    These tend to be voluntary commitments made to best practices, industry standards, strategies, or even optional regulatory requirements. However, to achieve the benefits of these voluntary commitments they need to be perceived as more than just optional; they need to be considered as mandatory obligations. Ownership of obligations is essential. Only then will commitment be sufficient to put in the required work and make the necessary changes to create the desired outcomes. However, when cost pressures mount and production performance falls behind, even what is beneficial may not be enough of a motivation.

    Ethical Motivation: Now we come to deciding what is right or wrong based on such things as values, code of conduct, or standards of behaviors. This can often lead to an ethical dilemma, particularly when making risk-based decisions. Deciding not to effectively contend with uncertainty and yet continuing to pursue the goal ends up leaving hazards in the way of achieving outcomes. Hazards extend beyond the physical and include any condition where uncertainty may result in unfavorable effects.

    Leaving hazards (physical or otherwise) in place is not beneficial to the vision and mission of the organization. However, it could also be considered as unethical, particularly when risks are not communicated and shared with those who will be facing the hazards. And yet companies, perhaps unknowingly or ill-advised, choose to leave hazards in place when they only view compliance through the narrow lens of only doing what is regulated and perhaps only what is enforced.

    The purpose of compliance programs is to ensure outcomes by effectively contending with risk. Decision integrity is essential to make certain that the commitment made aligns with the three motivational factors: legal, beneficial, and ethical. To focus on one at the expense of the others is perhaps the greatest hazard in the way of mission success.
