  • Why We Need More Engineers In Compliance

    As a professional engineer working in the compliance field, I would like to draw attention to the importance of the engineering method in compliance. The engineering method is a powerful tool for developing practical solutions to complex problems, making it an essential asset in meeting stakeholder obligations. In this article, we will explore the key differences between the scientific and engineering methods, and explain why the latter is particularly effective in the compliance field. We will discuss the benefits of the engineering method in ensuring safety, security, sustainability, and quality, and examine how it can help meet the diverse goals of stakeholders. Furthermore, we will analyze why there aren't enough engineers working in the compliance field, and explore the potential reasons for this discrepancy. By highlighting the potential of the engineering method and its benefits, we hope to encourage more engineers to consider pursuing careers in compliance. The field of compliance is becoming increasingly important in today's globalized and highly regulated world, and it requires the expertise and skills of a diverse range of professionals to meet stakeholder obligations.

    The Scientific and Engineering Method

    The scientific method and the engineering method are two distinct approaches to problem-solving, each with its own set of strengths and limitations. While both methods are valuable in their own right, engineering has a significant edge over science when it comes to addressing complex societal and world problems, specifically with respect to meeting stakeholder obligations.

    What is the Scientific Method?

    The scientific method is a structured approach to discovering and understanding the natural world. It is a systematic process of asking questions, gathering data, and formulating and testing hypotheses. The scientific method aims to develop and refine theories that explain natural phenomena by making observations, conducting experiments, and analyzing data.

    What is the Engineering Method?

    The engineering method, on the other hand, is a systematic approach to designing, developing, and implementing practical solutions to real-world problems. It involves identifying a problem or opportunity, generating multiple potential solutions, evaluating those solutions, and selecting the best one. It also involves testing and refining the chosen solution to ensure that it meets the requirements and constraints of the problem.

    Differences between the Scientific and Engineering Method

    The primary difference between the scientific method and the engineering method lies in their respective goals. The scientific method aims to develop theoretical models and explanations for natural phenomena, while the engineering method aims to solve real-world problems and improve the human condition. The scientific method is concerned with understanding the natural world, while the engineering method is concerned with applying that understanding to create practical solutions. Another key difference between the two methods is their approach to experimentation. In the scientific method, experiments are designed to test specific hypotheses and theories. In contrast, the engineering method involves designing experiments to test and refine practical solutions to real-world problems. The scientific method seeks to discover general laws and principles that govern the behavior of natural systems, while the engineering method seeks to optimize and improve specific systems and technologies.

    Why the Engineering Method is Important to Compliance

    Here are some of the benefits of the engineering method in meeting stakeholder obligations:

    Systematic approach: The engineering method is a systematic approach to problem-solving that involves defining the problem, gathering information, analyzing data, developing solutions, and testing them. This helps ensure that compliance objectives are met in a thorough and comprehensive way.

    Safety: The engineering method is particularly effective in ensuring safety. Engineers use risk analysis and other tools to identify potential hazards and develop solutions to minimize or eliminate them. This helps prevent accidents and injuries and ensures compliance with safety regulations.

    Security: The engineering method can also help meet security objectives by identifying vulnerabilities in systems or processes and developing solutions to address them. This can include physical security measures, cybersecurity protocols, and other strategies to protect against threats.

    Sustainability: The engineering method is well-suited to meeting sustainability objectives by developing and implementing solutions that minimize environmental impact and conserve resources. This can include designing more efficient systems and processes, reducing waste, and implementing renewable energy sources.

    Quality: The engineering method can also help ensure quality by developing and implementing quality control measures, testing and validation procedures, and other strategies to ensure products and services meet desired standards.

    Stakeholder goals: The engineering method is effective in meeting the diverse goals of stakeholders by identifying their needs and developing solutions that address them. This can include engaging with stakeholders throughout the design and implementation process to ensure their concerns and preferences are considered.

    The engineering method is a powerful tool for meeting compliance objectives. Its systematic approach, risk analysis tools, and problem-solving strategies can help develop effective solutions that meet obligations to address a diverse set of stakeholder needs.

    Why We Need More of the Engineering Method

    While the scientific method has contributed enormously to our understanding of the natural world, it has limitations when it comes to solving complex societal and world problems. These problems often require more than just theoretical understanding; they require practical solutions that can be implemented in the real world. This is where the engineering method comes in. By focusing on practical solutions, the engineering method is better equipped to address complex problems such as climate change, resource depletion, and public health crises. The engineering method is goal-oriented, interdisciplinary, and collaborative, making it well-suited to tackle these multifaceted challenges. In addition to its problem-solving capabilities, the engineering method also has the potential to drive economic growth and social development. By designing and implementing new technologies and systems, engineers can create jobs, improve quality of life, and promote sustainable development.

    Why There Are Few Engineers Working in Compliance

    There are a few reasons why there may not be as many engineers working in the compliance field:

    Lack of awareness: Engineers may not be aware of the opportunities that exist in the compliance field, or they may not fully understand the role of compliance in organizations. This lack of understanding may lead them to pursue other career paths.

    Different skill sets: Compliance professionals often require skills that engineers may not possess. While engineers are trained to solve technical problems, compliance professionals require skills such as communication, regulatory analysis, and policy development.

    Different career paths: Engineers may choose to pursue career paths in technical roles, such as product development, research and development, or technical consulting. These career paths may be more aligned with their technical skills and interests, and may not require them to shift to a compliance role.

    Perception of compliance as a non-technical role: There may be a perception that compliance is not a technical field and that it does not require a strong technical background. This perception may dissuade engineers from considering a career in compliance.

    Perception of compliance as an audit problem: When compliance is left to the audit department it is too late to be proactive and to solve problems, design, and build solutions to meet stakeholder obligations. These engineering activities need to happen sooner for organizations to stay ahead of risk. This perception limits the opportunity for engineering to make a difference.

    However, it is worth noting that many organizations are recognizing the importance of technical expertise in the compliance field, particularly in areas such as data privacy, cybersecurity, and product safety. As a result, we may see more engineers entering the compliance field in the future.

    Conclusion

    Engineers are crucial in meeting compliance obligations, yet their presence in the field is not as prevalent as it could be. Lack of awareness, different skill sets, and perceptions of compliance as a non-technical field have contributed to this gap. However, the engineering method offers a systematic approach to problem-solving that can help meet stakeholder obligations comprehensively and effectively. By identifying and addressing potential hazards, optimizing systems and processes, and developing sustainable solutions, engineers can help ensure compliance with safety, security, and sustainability regulations. In addition, the engineering method's interdisciplinary and collaborative nature makes it well-suited to tackle complex societal and world problems, such as climate change and public health crises, and to drive economic growth and social development. As more organizations recognize the importance of technical expertise in the compliance field, we can expect to see more engineers entering the field in the future.

  • A Burning Platform of Reactive Compliance

    Do we now have a burning platform with respect to reactive compliance? On May 16, 2018, a report was published following a review led by Dame Judith Hackitt focused on issues related to high-rise residential buildings, in response to the Grenfell Tower (UK) fire in 2017. From the report:

    "The key issues underpinning the system failure include:

    Ignorance – regulations and guidance are not always read by those who need to, and when they do the guidance is misunderstood and misinterpreted.

    Indifference – the primary motivation is to do things as quickly and cheaply as possible rather than to deliver quality homes which are safe for people to live in. When concerns are raised, by others involved in building work or by residents, they are often ignored. Some of those undertaking building work fail to prioritise safety, using the ambiguity of regulations and guidance to game the system.

    Lack of clarity on roles and responsibilities – there is ambiguity over where responsibility lies, exacerbated by a level of fragmentation within the industry, and precluding robust ownership of accountability.

    Inadequate regulatory oversight and enforcement tools – the size or complexity of a project does not seem to inform the way in which it is overseen by the regulator. Where enforcement is necessary, it is often not pursued. Where it is pursued, the penalties are so small as to be an ineffective deterrent.

    The above issues have helped to create a cultural issue across the sector, which can be described as a ‘race to the bottom’ caused either through ignorance, indifference, or because the system does not facilitate good practice. There is insufficient focus on delivering the best quality building possible, in order to ensure that residents are safe, and feel safe."

    Hackitt's report calls for an overall shift towards outcome-based compliance and for the development of this guidance to be moved to the industry. This aligns with the principle that risk should be owned by those who create it, which was introduced into UK health and safety law in the 1990s. This is also why the first step towards proactive compliance is to take ownership of your obligations. If you don't own your obligations, you will not own the risks or treat them with the attention they deserve.

    Hackitt's report raises several issues. The following is very telling and, along with the others, is common in other countries and sectors:

    "We must also begin thinking about buildings as a system so that we can consider the different layers of protection that may be required to make that building safe on a case-by-case basis. Some of the social media chatter and correspondence I have read whilst I have been engaged in this review shows how far we need to move in this respect. The debate continues to run about whether or not aluminium cladding is used for thermal insulation, weather proofing, or as an integral part of the fabric, fire safety and integrity of the building. This illustrates the siloed thinking that is part of the problem we must address. It is clear that in this type of debate the basic intent of fire safety has been lost."

    Hackitt's report contains additional insights and recommendations and can be found here.

  • Motivations

    Decision makers today are often faced with making decisions that cross multiple dimensions and where uncertainty and risk are present. One of the biggest decisions they make involves the level of commitment to managed quality, safety, environmental or regulatory programs, all of which involve contending with uncertainty and risk.

    "When faced with a set of uncertainties which cover a range of future states, some of which are unfavourable, then the uncertainties constitute a hazard. When we form an intent to act within that hazardous situation we are faced with a risk. The manner in which we deal with that risk will challenge us with an ethical dilemma. In a situation where the risk frame is more complex than a simple good/bad choice and the ethical frame is more complex than a simple right/wrong choice, then we are faced with a need for decision integrity. This is especially so when emergent circumstances present us with incalculable issues and destroy the rule book’s validity."

    Cybernetics and Systems Theory in Management: Tools, Views, and Advancement

    Decision integrity is difficult to achieve when motivations are not aligned. High performing organizations seem to do better at making decisions that align with three motivational factors: is it legal, is it beneficial, and is it ethical – the right thing to do?

    Legal Motivation: Here we are looking at what is required or permissible through the eyes of the law. This is usually the first and often the last place that companies look for compliance requirements. Adhering to these will meet minimum obligations which, while reducing the probability of fines and keeping companies out of jail, may not go far enough in making progress towards zero incidents, fatalities, defects, violations and so on. This is why we need to go further.

    Beneficial Motivation: Here our decision making looks at what is useful to achieving the goals and objectives of the organization. These tend to be voluntary commitments made to best practices, industry standards, strategies, or even optional regulatory requirements. However, to achieve the benefits of these voluntary commitments they need to be perceived as more than just optional; they need to be considered as mandatory obligations. Ownership of obligations is essential. Only then will commitment be sufficient to put in the required work and make the necessary changes to create the desired outcomes. However, when cost pressures mount and production performance falls behind, even what is beneficial may not be enough of a motivation.

    Ethical Motivation: Now we come to deciding what is right or wrong based on such things as values, code of conduct, or standards of behavior. This can often lead to an ethical dilemma, particularly when making risk-based decisions. Deciding not to effectively contend with uncertainty and yet continuing to pursue the goal ends up leaving hazards in the way of achieving outcomes. Hazards extend beyond the physical and include any condition where uncertainty may result in unfavorable effects. Leaving hazards (physical or otherwise) in place is not beneficial to the vision and mission of the organization. However, it could also be considered as unethical, particularly when risks are not communicated and shared with those who will be facing the hazards. And yet companies, perhaps unknowingly or ill advised, choose to leave hazards in place when they view compliance only through the narrow lens of doing what is regulated and perhaps only what is enforced.

    The purpose of compliance programs is to ensure outcomes by effectively contending with risk. Decision integrity is essential to make certain that commitment is made that aligns with three motivational factors: legal, beneficial, and ethical. To focus on one at the expense of the others is perhaps the greatest hazard in the way of mission success.

  • Proactive GRC

    GRC is an acronym used to describe three functions: governance, risk, and compliance. The use of GRC originated from the management consulting world to bridge the gap between the board and the CEO to ensure that proper oversight, appropriate risk, and legal and regulatory requirements are properly met, as evidenced primarily through audits. The focus of GRC has mostly concerned itself with meeting legal and regulatory requirements applied to finance, ethical codes of conduct, and IT. It is not uncommon to have separate company officers, each responsible for one of these functions, operating independently and in silos.

    However, GRC is changing and now extends to the operations and management ranks of the organization. One way to think about GRC is that it provides the context by which the "ends" defined by the board are met through the "means" of the organization. The most important part of this context is culture, by which the values of the organization are manifested.

    In recent years, there has been an increasing desire to integrate GRC across its functions and throughout the organization. The non-profit organization OCEG is one of the groups that has worked to advance the area of GRC. Other bodies such as COSO (Enterprise Risk Management Framework), ISO, and others are also extending their domain to tackle this area.

    The primary drivers for GRC have come from its roots in the Department of Justice (DOJ) sentencing guidelines. Fundamentally, GRC started as a way to:

    Avoid Prosecution,
    Prevent Loss, and
    Audit and Control.

    The primary emphasis from a systems and process perspective has been on the audit function to verify that organizations are conforming to legal and regulatory requirements. The focus on audits parallels similar approaches applied to quality, safety and environmental programs. These programs are based on reactive models characterized by lagging indicators, audit-fix cycles, and management controls.

    Correcting non-conformance after the fact is better than not addressing it at all. However, this is not enough when there is loss of life, loss of reputation, loss of stakeholder trust, and more generally where the effects of non-conformance are irreparable. As an example, with quality it is well known that you cannot inspect quality into a product; you must design it in. Therefore, to improve quality you need a proactive approach that anticipates, plans, and then acts to embed quality into the product and manufacturing processes. This is why ISO 9001 recently introduced risk-based thinking along with a focus on outcomes into their standards. Risk-based thinking is fundamentally a proactive process which counterbalances the reactive processes implemented by quality control and the audit function.

    Unfortunately, GRC appears to be preoccupied with this same reactive model, correcting things after they have already occurred. There is an increasing emphasis on extending the audit role and driving it further down into the organization. This audit-based approach will exact a heavy burden on organizations. A conservative estimate of the cost of compliance (excluding the other GRC functions) is 10% of a worker’s time and salary just dealing with regulations. In high-risk industries this can easily be between 20%-30% to support all the necessary quality, safety, regulatory, environmental, and dozens of other programs. It is easy to imagine that if compliance continues on its present course, compliance will require one person to ensure that compliance is met for every person doing the work. Clearly, this approach is not sustainable or desirable for compliance, nor for GRC as a whole. The reactive model on which GRC is based is not enough to achieve the desired outcomes for GRC, never mind the outcomes for the organization. To effectively bridge the gap between the board and the CEO, a holistic approach is needed based on proactive behaviors and practices.

    A proactive model would function as a regulated system (in the technical sense) focused on outcomes, threats and opportunities, and building in compliance in the same way that quality is designed into products and services. GRC would now serve as a means to improve organizational effectiveness by:

    Regulating (steering towards) outcomes,
    Ensuring (making certain) outcomes are achieved, and
    Assuring (confirming) that outcomes were met.

    Reportedly, 70% of companies do not measure the effectiveness of their compliance programs, which is expected to be the same for GRC programs. By following a proactive approach, GRC is able to properly evaluate effectiveness by the progress made towards outcomes and the costs associated with making certain of and confirming that progress. Having clearly identified goals is essential for management to properly take ownership of its obligations. Proper delegation of accountabilities across the organization prevents GRC from being considered as a tyrannical force that replaces managerial accountability. GRC works better when seen as a capstone that connects management to the board. Architecturally, capstones connect supporting members that bear the majority of the forces. A capstone does not itself bear the primary load; however, without it the other members cannot. This same concept can serve as the ideal for how GRC could function.

    In summary, a proactive approach to GRC allows companies to realize the benefits of GRC rather than only achieving conformance to prescribed rules. It offers a better way of steering (regulating) an organization to improve the probability of achieving its outcomes by connecting risk management to operational objectives and outcomes. Proactive GRC also does not compete with or remove managerial accountability but rather acts as a capstone that connects all aspects of an organization so it can carry the full load necessary to meet all obligations.

  • ABBA was right about risk, the experts were wrong

    Are you someone who believes that taking risks always leads to negative outcomes? Do you think that there's no such thing as positive risk? Well, it's time to challenge that conventional wisdom and take a chance on a new perspective. In the world of risk management, experts often argue that risk is always bad, negative, and leads to loss. But what if we told you that there's more to it than that? What if we told you that risk can lead to positive outcomes and success? ABBA, the legendary musical group, had it right all along with their song "Take a chance on me." They knew that taking a chance means embracing uncertainty and the possibility of both good and bad outcomes. In addition, the potential for positive outcomes is what makes taking a chance so compelling. Why would anyone take a risk if it only involved the possibility of loss? Rather than framing our decisions as taking risks, we should be thinking of them as taking chances with one extra step: we also make plans to improve the probability of positive outcomes while reducing the probability of the negative ones. That is what effective risk management looks like: risk-adjusted plans improve the probability of success in the presence of uncertainty, not in spite of it. ABBA was right about risk, and it's time for us to embrace the power of taking chances. So, are you ready to take a chance instead of just taking a risk?

  • The Four Cornerstones of Resilience

    Erik Hollnagel writes in the book Resilience Engineering (2009) that companies are resilient if they are "able to adjust their functioning prior to, during, or following events to ensure continuation of operations under both expected and unexpected conditions." He defines four essential properties that characterize these organizations:

    Ability to respond to current challenges
    Ability to monitor incoming critical situations
    Ability to anticipate the occurrence of future events
    Ability to learn from the past

    These abilities constitute a resilient system when they work together to achieve the emergence of organizational resilience. In light of these four cornerstones, anticipation along with planning may be considered crucial, since they help to envisage the required level of resiliency, performance, and capabilities in response to anticipated events. These will need to be established long before an event occurs. In addition, the performance of the system will be determined more by how the abilities function as a whole rather than separately, which requires planning.

    During the COVID-19 crisis many organizations will find themselves responding (perhaps reacting) to current uncertainties, which is necessary. However, it will be the ones that have all four cornerstones that will be most resilient during the months ahead. Organizations that are missing the four cornerstones should not wait until the crisis is over to make improvements. COVID-19 can become the catalyst to greater resiliency now and for future events. Be Safe.

  • Manage Legal Risk with ISO 31022:2020

    Earlier this year (May 2020) the International Standards Organization (ISO) published their legal risk management guidelines, ISO 31022:2020, after four years of work. This standard is not industry specific and builds on top of the ISO 31000 risk management framework to address a broad range of areas covering regulatory, third-party, contract and other matters that have legal implications. One of the most important aspects of this standard is a change from the risk definition that has been used in the past, which focused on "loss prevention", to the ISO 31000 definition, which focuses on the "effects of uncertainty on objectives." This opens up risk consideration to both negative and positive effects of uncertainty on value creation.

    The ISO 31022 guidelines are intended to help organizations:

    achieve the strategic outcomes and objectives of the organization;
    encourage a more systematic and consistent approach to the management of legal risk, and identify and analyze a comprehensive range of issues so that legal risks are proactively treated with the appropriate resources and supported by top management and by the right level of expertise;
    better understand and assess the extent and consequence of legal issues and risk, and exercise proper due diligence;
    identify, analyze and evaluate legal risks, and provide a systematic way to make informed decisions;
    enhance and encourage the identification of opportunities for continual improvement.

    ISO 31022:

    provides guidance for the management of legal risk so it aligns with compliance activities and provides the assurance needed to meet the obligations and objectives of the organization;
    can be used by organizations of all types and sizes to deliver a more structured and consistent approach to the management of legal risk for the benefit of the organization and its stakeholders across all processes;
    offers an integrated management approach to the identification, anticipation and management of legal risk;
    supports and complements existing approaches, enhancing them by providing better information and insight on potential issues that the organization could face;
    supports any process of compliance that organizations could have in place, such as a compliance or other management system;
    supports the compliance function by more broadly identifying the organization’s legal and contract rights and obligations.

    Although ISO 31022 uses the ISO 31000 definition for risk, it does provide the following definition for legal risk to clarify which objectives are within the scope of consideration: "related to legal, regulatory and contractual matters, and from non-contractual rights and obligations," with the following notes:

    Note 1: Legal matters can have their origin in political decisions, national or international law (3.3), including statute law, case law or common law, administrative acts, regulatory orders, codified law, judgments and awards, procedural rules, memorandum of understanding or contracts.

    Note 2: Contractual matters relate to situations where an organization (3.4) fails to meet its contractual obligations or to enforce its contractual rights, or enters into contracts with terms and conditions that are onerous, inadequate, unfair and/or unenforceable.

    Note 3: Risk from non-contractual rights is the risk that an organization fails to assert its non-contractual rights. For example, the failure of an organization to enforce its intellectual property rights, such as its rights related to copyright, trademarks, patents, trade secrets and confidential information against a third party.

    Note 4: Risk from non-contractual obligations is the risk that an organization’s behavior and decision-making can result in illegal behavior or a failure in non-legislative duty-of-care (or civil duty) to third parties. For example, an organization’s infringement of third-party intellectual property rights, failure to meet the requisite standards of care due to customers (such as mis-selling), or inappropriate use or management of social media resulting in a third-party claim of defamation or libel and tortious duty generally.

    ISO 31022 is applicable to all types and sizes of organizations to deliver a more structured and consistent approach to the management of legal risk for the benefit of both the organization and its stakeholders. It is expected that organizations will have already adopted the ISO 31000 processes and will use ISO 31022 to provide additional guidance with respect to managing legal risk. Perhaps the best way that it does this is by providing a standard method for applying a risk-based lens to the consideration of legal obligations. This will be helpful in providing greater clarity and guidance for other ISO standards where legal risk registers are required, such as those connected with environmental and safety objectives. Organizations will now have a common approach to go beyond simply having a legal risk register to managing the risks that are contained within it. While this was always possible, organizations can now look to ISO 31022 to better support these efforts and leverage the body of work available within the ISO 31000 family of standards. More information regarding ISO 31022:2020 can be found on ISO's website here.

  • How effective is your compliance program at buying down risk?

    Compliance is fundamentally about reducing stakeholder risk: risk to quality, risk to safety, risk to the environment, and ultimately risk to trust. Compliance manifests itself as programs within a company, often structured by the source of risk such as quality, environmental, mechanical integrity, damage prevention, and so on. These programs ensure that appropriate risk is taken so that business outcomes can be achieved.

    Making changes is also a significant source of risk for many companies, but specifically for those in the oil & gas sector. To ameliorate these risks they follow a management of change (MOC) process to buy down risk. This process follows a series of steps aimed at assessing and managing risk throughout the implementation of the change, and typically follows the steps outlined in the diagram below:

    By assessing risk before and after the change, companies are able to improve the visibility of risk across the entire organization to ensure that the organization is not taking on too much risk. In the following diagram the cumulative risk of proposed changes across business areas is shown. Companies can use this information to see if they are taking on too much operational risk. The data in this chart is taken from an actual facility with the areas obfuscated to ensure confidentiality.

    Compliance management systems measure such things as the number of defects, incidents, emissions, violations, and so on. While these are of some help, they are lagging indicators, only recording what has already happened. However, changes to the level of risk are both a leading indicator and a measure of safety program effectiveness. The level of risk provides a leading indication of the progress made in buying down risk as well as an indication of what may happen, which can be used to prevent and avoid the effects connected with the level of risk. Measuring the level of risk is an essential practice of every effective process safety program.

    However, this practice is not only useful for oil & gas companies and process safety. With the introduction of the ISO 45001:2018 (OHS) requirements for management of change (MOC), the same practices can also be applied to improve the safety of workers. In fact, an effective management of change program is crucial for all companies where the risks introduced by change can affect both safety and the mission success of the business.

  • Getting More from your Risk Registers

    Risk registers are part of an effective risk program and are used by companies to help communicate and manage risk. Spreadsheets are often the primary database for risk registers, used to store and track risks that need to be assessed, treated, and monitored. While the use of spreadsheets can help initially support a risk program, they can, without additional support, result in:

      - Inconsistent practices using the risk spreadsheet templates
      - Confusion resulting from using different definitions for risk (i.e. hazard, effect, uncertainty, etc.)
      - Application of incorrect risk assessments and treatments due to confusion caused by using different risk frameworks
      - Increased exposure as unmitigated residual risks may not be evaluated and treated
      - An incomplete picture of risk, which can lead to an understated or overstated risk profile, leading to increased vulnerability or over-investment in risk mitigation
      - Not learning from prior risk analyses and treatments

To counter these effects, companies can benefit by advancing their risk programs beyond using simple risk register spreadsheets. Here are 6 steps to an effective risk management program:

      1. Use a common risk framework across the organization
      2. Capture all risks in a central database
      3. Manage the entire risk life-cycle with actionable and accountable tasks
      4. Monitor and control risks within the management accountability structure
      5. Provide visibility to the entire risk profile with periodic review
      6. Preserve and learn from prior risk analyses and treatments

It is important to start by asking the question, "have we captured all the risk?" This requires having a consistent definition of risk, which a risk framework such as ISO 31000 and others provides. Without a common framework each department, discipline, or person will likely have their own idea of what they mean by risk. This can lead to confusion and incomplete risk identification.

For many organizations, a significant advancement will come by managing risks that are already contained within the risk registers. Turning risk register spreadsheets into accountable actions is an important step to better risk management. There is little value in having risks assessed and treatments defined if they are not being looked at regularly. Having appropriate controls and monitors in place to elevate risks that require attention is crucial to support management accountability and oversight. Managing all risks in one place makes it easier to learn from prior risk analyses and treatments. Establishing a learning culture will help improve risk management competency and help reduce future risk. Moving beyond the use of risk registers and establishing a consistent risk management system will help to counter the previous effects and produce better risk outcomes.

Plan-Do-Check-Act Questions:

      - Which improvement step would help produce better risk outcomes for your organization?
      - What obstacles are hindering the improvement of your risk program?
      - What steps can be taken to remove or reduce these obstacles?
      - What would it look like if risk was managed more effectively?

  • Lean Compliance A3 Format

    The A3 Format and DMAIC are structured processes used for LEAN / Six Sigma improvements and problem solving. While these have proven to be very effective for certain processes, when it comes to meeting performance and outcome-based compliance obligations, you need a more proactive approach that addresses threats and opportunities. We have created the Lean Compliance A3 format, which incorporates the bow-tie analysis along with measures of effectiveness, performance, and compliance to help you continually advance towards better outcomes using a PDCA cycle. Now you can document each of your obligation improvements using the A3 format. Download the free worksheet here:

  • Integrated vs Integrative Compliance: Which is Better?

    In today's complex regulatory environment, compliance has become a key concern for businesses across all industries. While compliance programs are often viewed as a necessary evil, they can also provide significant benefits to organizations that are able to implement them effectively. One of the key decisions that organizations must make when designing their compliance programs is whether to take an integrated or integrative approach. In this article, we will explore the distinction between these two approaches and their respective advantages and disadvantages. We will also consider which one is better to support performance and outcome-based obligations. Let's start with integrated compliance:

Integrated Compliance

An integrated compliance approach involves incorporating compliance requirements into the day-to-day operations of the business. This approach is often seen as a more traditional approach to compliance, where businesses focus on meeting regulatory requirements and avoiding legal penalties. An integrated compliance program typically involves a set of policies and procedures that are designed to ensure that employees understand their obligations and responsibilities under the law.

Advantages of Integrated Compliance

One of the main advantages of an integrated compliance approach is that it helps to ensure that businesses are meeting their legal obligations. By incorporating compliance requirements into the day-to-day operations of the business, organizations are able to ensure that they are meeting their obligations without having to spend significant amounts of time and resources on compliance-related activities. Another advantage of an integrated compliance approach is that it helps to create a culture of compliance within the organization. By emphasizing the importance of compliance and making it a part of the organization's core values, businesses are able to create a sense of shared responsibility among employees for meeting regulatory requirements.

Disadvantages of Integrated Compliance

One of the main disadvantages of an integrated compliance approach is that it can sometimes be viewed as a "check-the-box" exercise. In other words, businesses may focus more on meeting regulatory requirements than on actually understanding and managing their compliance risks. Another disadvantage of an integrated compliance approach is that it may not be sufficient for organizations that operate in highly regulated industries. In these industries, businesses may need to take a more proactive approach to compliance in order to stay ahead of emerging regulatory risks. Now let's consider an integrative compliance approach:

Integrative Compliance

An integrative compliance approach involves embedding compliance into the broader strategic goals and objectives of the business. This approach is often seen as a more forward-looking approach to compliance, where businesses focus on identifying and managing compliance risks in order to achieve their strategic objectives. An integrative compliance program typically involves a more holistic approach to compliance that considers the business's broader risk profile and how compliance risks fit into that profile.

Advantages of Integrative Compliance

One of the main advantages of an integrative compliance approach is that it helps businesses to manage their compliance risks in a more proactive manner. By embedding compliance into their strategic goals and objectives, organizations are able to identify and manage compliance risks in a more systematic and strategic way. Another advantage of an integrative compliance approach is that it helps businesses to create a competitive advantage. By managing their compliance risks more effectively, businesses are able to differentiate themselves from their competitors and gain a reputation for being responsible and ethical.

Disadvantages of Integrative Compliance

One of the main disadvantages of an integrative compliance approach is that it can be more time-consuming and resource-intensive than an integrated approach. In order to effectively manage compliance risks, organizations may need to invest significant amounts of time and resources into developing and implementing their compliance programs. Another disadvantage of an integrative compliance approach is that it may be more difficult to implement in organizations that have a siloed approach to management. In order to successfully embed compliance into the broader strategic goals and objectives of the business, organizations may need to break down silos and promote greater collaboration and communication across different departments and functions.

Summary

The choice between an integrated and integrative compliance approach is a critical decision that organizations must make when designing their compliance programs. Both approaches have their advantages and disadvantages, and the decision ultimately depends on the organization's risk profile, industry, and strategic goals. An integrated approach can help ensure legal compliance and create a culture of compliance, but it may not be sufficient for highly regulated industries. On the other hand, an integrative approach can help manage compliance risks more proactively and create a competitive advantage, but it may be more time-consuming and difficult to implement in organizations with a siloed approach to management. Ultimately, a successful compliance program should be tailored to the organization's unique needs and risk profile, and should be regularly reviewed and updated to ensure ongoing effectiveness.
| Aspect                  | Integrated Compliance                                                                                                            | Integrative Compliance                                                                                                              | Better for outcome / performance-based obligations? |
|-------------------------|----------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------|
| Focus                   | Meeting regulatory requirements and avoiding legal penalties.                                                                    | Embedding compliance into the broader strategic goals and objectives of the business.                                               | Integrative Compliance                              |
| Policies and Procedures | Set of policies and procedures designed to ensure that employees understand their obligations and responsibilities under the law. | More holistic approach to compliance that considers the business's broader risk profile and how compliance risks fit into that profile. | Integrative Compliance                              |
| Culture of Compliance   | Emphasizes the importance of compliance and makes it a part of the organization's core values.                                   | Helps businesses manage their compliance risks in a more proactive manner.                                                          | Integrative Compliance                              |
| Risk Management         | Focused on meeting regulatory requirements, but may not be sufficient for highly regulated industries.                           | Helps identify and manage compliance risks in a more systematic and strategic way.                                                  | Integrative Compliance                              |
| Resource Intensity      | May not require as much investment of time and resources, but can be viewed as a "check-the-box" exercise.                       | Can be more time-consuming and resource-intensive, but can create a competitive advantage.                                          |                                                     |

Neither is better, as the optimal approach depends on the organization's needs and risk profile. However, an integrative compliance approach may be better suited for performance and outcome-based obligations. This is because an integrative approach involves embedding compliance into the broader strategic goals and objectives of the business. By doing so, organizations can identify and manage compliance risks in a more systematic and strategic way, which can help ensure that performance and outcome-based obligations are met. Additionally, an integrative approach can help organizations create a competitive advantage by managing their compliance risks more effectively, which can ultimately lead to better performance and outcomes.
It is important to note that the choice between an integrated and integrative compliance approach ultimately depends on the organization's risk profile, industry, and strategic goals, and a tailored approach should be taken to ensure ongoing effectiveness.

  • Beyond Metrics: Meeting Performance and Outcome-Based Obligations through a Strategic Framework

    Meeting performance and outcome-based obligations requires a different set of measures.

© 2017-2025 Lean Compliance™ All rights reserved.