COMPLIANCE
- The Cost of Obligation Debt
The notion of debt, or more specifically technical debt, has proven to be a helpful metaphor when discussing financial costs with respect to short-term payoffs versus the delaying of technical capabilities that brings with it long-term impacts. In this blog post we explore how the notion of debt can be applied to compliance to help organizations better address their compliance obligations.

An Example from Software Development

When it comes to building software applications and systems, technical debt has been used to refer to short cuts that developers take in order to meet urgent and usually time-sensitive timelines. These short cuts will in turn incur future costs that include:

  - Addressing the effects of partially completed code
  - Developing the parts that were not completed
  - Managing the effects of changing the codebase (i.e. costs of regression testing)
  - Other activities

At a basic level, technical debt can be estimated by adding up the costs associated with these activities as well as the costs connected with the debt management process itself.

Obligation Debt

In many ways, taking short cuts is not unique to software development, as this practice is observed in other endeavours including compliance. Companies may elect to delay activities associated with meeting certain obligations, or parts of them, and leave others until some time in the future. This may be deliberate or a result of a lack of knowledge or expertise in identifying what their obligations are. Just as in software, taking short cuts when meeting obligations comes at a cost, which includes not only the future cost of meeting the obligation but also the risks associated with not having met it. When it comes to safety and environmental obligations, these risks may result in much more than just a bug in an application: they may result in a loss of life.

The Nature of Obligation Debt

When we consider obligation debt we need to estimate:

  - Principal: What is the cost required to meet this obligation?
  - Interest Rate: What is the extra cost in the future if this obligation is not met now?
  - Interest Rate Probability: How likely is it that this obligation, if not met now, will cause extra cost in the future?

The problem with obligation debt is that the principal and its interest grow over time if not addressed. This has much to do with entropy, increasing regulations, as well as the nature of risks associated with obligations themselves. The interest rate combined with its probability can be considered as a proxy for compliance risk. The resultant interest can significantly outweigh the cost of meeting the obligation in the first place, particularly when the consequences of non-conformance are severe.

The level of reactivity that a company experiences with respect to its obligations is also a measure of risk and a proxy for interest rate. This can manifest as the number of complaints, issues, injuries, reportable emissions, or other ways in which non-conformance is observed. Not only will companies have paid for the partial conformance (i.e. the short cuts), they will now pay for the effects of non-conformance and the costs of preventing them from occurring in the future. When combined, these costs can be two to three times the original cost. This is similar to taking on a debt with a yearly interest rate of 200%. The only reason why we would do such a thing is if we believed that the probability of paying any interest is low. In other words, we never expect to pay any additional cost for taking short cuts now, or perhaps someone else will be responsible for doing so.

What You Need To Know

For companies to get on top of their obligation debt they need to know:

  - What the total obligations are
  - What the cost is to meet and maintain these obligations
  - Which obligations are not being met now and when they will be met in the future
  - What the risk is in not meeting these obligations
  - What the cost is to service or buy down the organization's obligation debt

Unfortunately, answers to these questions are in short supply, starting with the first: knowing what obligations a company is responsible for. The good news is that it doesn't have to be that way, and it isn't for companies that take ownership of all their obligations. They will make sure that they take on only the obligations they can afford to keep and over time enhance their capabilities to take on more.
- Automating Responsibilities
Process automation tends to focus only on managing the responsibilities that are involved in the completion of activity. As a result, many business process modelling and execution systems offer very limited support for the other kinds of responsibilities that are required and documented in responsibility assignment matrices (RAM) within existing policies and procedures.

[Figure: Example Responsibility Assignment Matrix (RAM) using modified RACI model]

This often leads to significant gaps in compliance, as only a fraction of the required responsibilities are implemented in the automation systems used to support compliance. To improve the effectiveness of critical processes that support safety, security, quality, and environmental programs, it is necessary to model and automate the entire responsibility assignment matrix. This may require updating or replacing tools and platforms with those that fully support the management of responsibilities. The requirements for these tools may include:

  - Representing the entire RACI model along with its variations
  - Automated mapping to BPMN models to support execution platforms
  - Implementation mapping for each type of responsibility and their interactions (i.e. RACI)
  - Support for early and late binding of responsibilities during execution
  - Audit of design, model, and automation rules to verify compliance

To be effective, process automation needs to consider not only getting the work done but also how the work gets done in compliance with corporate policies and procedures.
- Compliance Process Modeling
Process modeling is necessary to design, implement, and improve compliance. Many of the techniques and approaches used today are based on flow charting process activity. Activity models focus on diagramming how work moves from person to person to achieve the desired output and for this reason are well suited for prescriptive processes. However, in today's climate of performance-based compliance, is this still the best choice? In this blog, I will look at how the Activity Model compares with the Phase-Gate Model, which is used extensively for capital projects and new product development.

Activity Model

Activity-based models typically diagram the process using flow charts containing boxes, diamonds and arrows. Swim lanes are often added to represent activity performed by different roles. Flow charts are great at detailing how a process flows and useful for prescriptive work. This lends itself to mapping easily to workflow engines, which are usually designed to support activity-based processes. The flip side of using activity-based workflows is that it is difficult to implement processes that require greater facilitation, descriptive procedures, and activity that is not known in advance, such as risk mitigations. Once you select this approach you have to make it work for your entire process, which may not always be the right fit.

Phase-Gate Model

This modeling technique is based on a state-driven approach depicting the life cycle of a project, product, asset, or some other thing that goes through a series of phases or steps. This approach is used extensively for value creation and is the preferred approach for new development and capital projects. A popular and successful representative of this approach is the Stage-Gate® model, which is a trademark of R.G. Cooper & Associates Consultants. The phase-gate approach includes:

  - Phases: these follow the state of the process, focused on the development of the intended outcome.
  - Gates: these provide a control point where quality is assessed, deliverables are reviewed, and decisions are made to proceed or not.

One of the key strengths of this approach is that it affords a rigid structure to govern the overall process while at the same time allowing for flexibility in how the work gets done between gates. This flexibility provides a method for balancing prescriptive and descriptive parts of the process. In addition, the sequencing nature of this model offers the same kind of benefits as cellular manufacturing does on the shop floor. If implemented appropriately, these are the benefits that can be expected:

  - Reduced Work In Process (WIP)
  - Better use of resources
  - Better scheduling
  - Better control
  - Easier automation
  - Increased quality

A downside of using this model is that it may lack the appropriate level of detail and prescription for parts of the process that require it. The inherent flexibility can be abused and allow situations where appropriate program and system governance is not being followed.

Hybrid Model

This approach combines the best from both worlds. It is easier to add prescription to the phase-gate approach due to its flexibility. An example life cycle that combines the phase-gate and activity models is shown in the following diagram:

In this scenario, prescriptive workflows have been added to the approval and verification phases of the life cycle. The other phases follow a facilitated process to produce deliverables which are then reviewed using a checklist. By combining both approaches, the hybrid model overcomes the lack of prescription while gaining all the benefits of using the phase-gate model.

The benefits of using this approach include:

  - Increases overall process visualization: you know where you are in the process instead of just knowing what activity you are at within a workflow
  - Identifies more easily where program compliance directives are done (e.g. approvals, verification, quality review, and so on)
  - Embeds quality control throughout the process using gates
  - Bottlenecks are easier to discover and alleviate
  - Supports a continuum of prescriptive and descriptive process steps

In order to adapt to changes in the compliance landscape, it is necessary to evaluate the effectiveness of existing tools and techniques. Considering approaches found in other domains provides companies additional options to better meet compliance challenges. The Hybrid Model has been used effectively to support risk-based compliance processes for several years across diverse industries. To find out more, visit our website at www.leancompliance.ca
- Compliance Needs A New Mindset
After years under the tutelage of prescriptive rules and audits it is no wonder that the question of what and how to improve compliance is met with: we are fully compliant, there is nothing to improve, and we have someone that does that. However, to meet performance and outcome-based obligations this question is met with a different answer: we are making progress towards targeted outcomes, we are continuously advancing our capabilities to reduce risk, and our entire company is committed to and engaged in this process. It's time for a new mindset if compliance wants to see new and better results.
- Agile Compliance
Organizations of all shapes and sizes utilize systems to ensure that the right work gets done at the right time in the right way. In fact, many will have a system of systems to manage them all. However, over the years what I have noticed is that many of these systems end up as little more (and far less) than the sum of their parts: processes, activities, tasks, etc. Systems rarely, if ever, create the intended outcomes at the levels needed by the organization.

There are many reasons why this is the case. One of these reasons, which I have discussed before, has to do with the approach chosen for system implementation. Many implementations use a component-first approach, using phases to build out capabilities over time to finally reach a system that is "effective." Unfortunately, the final state of "effective" is seldom reached. As a result, companies end up with systems that do not fulfill their purpose and in many cases are barely operational.

You might say that a component-first approach is the equivalent of the "waterfall" project methodology, where benefits are realized only at the very end. This approach makes sense when you have a high degree of certainty in both the ends and the means of what you are building. However, what if you needed to learn both what the ends are and the means to get there as you went along? Is this not what advancing capability maturity looks like? This kind of implementation requires a different approach. You would need a working system (i.e. operational) right at the start, in the same way that "agile" focuses on having working software right at the start. In fact, this strategy is referred to as "Lean Startup", which focuses not on having working code but on having a working system or, better, always having a system that works. This approach affords companies the opportunity to learn on an operational system to improve performance and effectiveness at every stage of system development.

Benefits can be realized early rather than later, and this is critical when it comes to advancing quality, safety, environmental and regulatory outcomes where the risks are high. Agile and Lean Startup are examples of systems-thinking used in software development but also in compliance solutions. The key is to take a holistic rather than reductive perspective when it comes to building a system. You can read more about the Lean Startup / Agile approach here. Members of The Proactive Certainty Program™ learn and use systems-thinking to reach operational and effective compliance faster and with a higher degree of certainty than traditional approaches. Find out more here.
- Good Things Take Time, Great Things Take a Little Longer
Over the last several years I have endeavoured to change the way we think and do compliance. Perhaps a big hairy audacious goal (BHAG), as some might say. Others might even call it a fool's errand. To be honest, it hasn't been easy and it continues to be an uphill battle. As essential as compliance is, it is not the number one priority of things to improve or excel at for that matter.

What has helped is knowing that I am not alone. There are others who are doing amazing things to help transform compliance. I have had the good fortune to connect with and work with some of you and look forward to meeting more in the months and years to come. What has amazed me is when I hear from someone who tells me that they have followed me on social media for a while, loved what we do, and have put the principles of lean compliance into practice to improve compliance in their organization. All I can say is, WOW. This is not an isolated case.

"I found your posts and the breadth of information you provide on compliance and risk topics to be particularly helpful in expanding my personal knowledge, as I am relatively early in my career and doing my best to learn on my own. I look forward to learning more from the generous amount of information you share freely on this platform. Grateful is an understatement." – Venessa Beunrostro (Compliance Analyst)

It's not always possible to know how much we impact other people. However, sometimes you do hear, and it reminds you why you work so hard to make a difference. Don’t underestimate the impact you are making. Good things take time, great things take a little longer. Don’t give up.

I am grateful to all those that have written to us and those who have not but have found our work helpful in supporting their compliance journey. Thank you for helping make our journey worthwhile.
- Digital Threads: The Future of Compliance
In response to the Grenfell Tower Fire, the UK government recently introduced new regulations and a new regulator to address shortcomings in building safety. This new safety regime is intended to prevent the occurrence of incidents similar to the Grenfell Tower disaster that resulted in 72 deaths in 2017. Among the measures that this regulation introduces is what is being called "A Golden Thread." This is in fact a "Digital Thread", the first of its kind to be used by regulators to improve compliance. The future of compliance looks like it is here, so let's find out what digital threads are all about and why they are so important for compliance.

What is a Digital Thread?

To understand digital threads we first need to understand digital twins. The concept of digital twins is attributed to Michael Grieves, based on a presentation he made in 2002 at the University of Michigan. In this presentation he proposed the digital twin as a conceptual model underlying a product life-cycle with three components: real space, virtual space, and the data between and about them. However, the idea of modelling the real world with computer simulation is not new and can go back to as early as the 1960s, when NASA used basic concepts of twinning in the development of its space program.

What makes digital twins different from computer-based modelling are the connections between the real and virtual worlds. In essence, a model becomes a digital twin when it is connected with its real-life counterpart. This connection closes the loop and is referred to as the digital thread. How are digital twins and threads defined today?

Digital Twin

The definition commonly used in defence, aerospace and related industries in the US is: “an integrated multiphysics, multiscale, probabilistic simulation of an as-built system, enabled by Digital Thread, that uses the best available models, sensor information, and input data to mirror and predict activities/performance over the life of its corresponding physical twin.”

A digital twin is a virtual representation of real-world entities and processes, synchronized at a specified frequency and fidelity. This synchronization is enabled by a digital thread infrastructure or framework.

Digital Thread

The digital thread is used to refer to the lowest-level design specification for a digital representation of a physical item. The digital thread is a critical capability in model-based systems engineering (MBSE) and the foundation for a digital twin. However, the term digital thread is also used to describe the traceability of the digital twin back to the requirements, parts and control systems that make up the physical asset. It is this latter aspect which is of significance for compliance, specifically where traceability and accountability are regulated.

Regulatory Use of Digital Threads: UK Building Safety

In 2021 the UK Parliament introduced the Building Safety Bill to address shortfalls in building safety, not limited to but largely in response to the Grenfell Tower Fire in 2017. This bill introduces a new regulator and regulation with the purpose that safety is ensured throughout every stage of a building's life. It also addresses specific failures with the lack of accountability and compliance throughout design, construction, and operations.

The concept of a digital thread will now be part of this regulatory regime to provide traceability of information so that nothing falls between the cracks. This digital thread is not necessarily part of a digital twin but will instead become a measure of compliance, and a critical one.

Using the name "Golden Thread" to describe this particular application makes sense. It is an idea or feature that is present in all parts of something, holds it together and gives it value (Oxford's Learner's Dictionary); and in this case the value is improved safety. The Building Safety Bill further defines The Golden Thread:

Full Definition:

The golden thread is both the information that allows you to understand a building and the steps needed to keep both the building and people safe, now and in the future.

The golden thread will hold the information that those responsible for the building require to:

(a) Show that the building was compliant with applicable building regulations during its construction and provide evidence of meeting the requirements of the new building control route throughout the design and construction and refurbishment of a building

(b) Identify, understand, manage, and mitigate building safety risks in order to prevent or reduce the severity of the consequences of fire spread or structural collapse throughout the life cycle of a building

The information stored in the golden thread will be reviewed and managed so that the information retained, at all times, achieves these purposes.

The golden thread covers both the information and documents, and the information management processes (or steps) used to support building safety.

The golden thread information should be stored as structured digital information. It will be stored, managed, maintained, and retained in line with the golden thread principles (see below). The government will specify digital standards which will provide guidance on how the principles can be met.

The golden thread information management approach will apply through design, construction, occupation, refurbishment, and ongoing management of buildings. It supports the wider changes in the regime to promote a culture of building safety.
Building safety should be taken to include the fire and structural safety of a building and the safety of all the people in or in the vicinity of a building (including emergency responders).

Many people will need to access the golden thread to update and share golden thread information throughout a building’s lifecycle, including but not limited to building managers, architects, contractors, and many others. Information from the golden thread will also need to be shared by the Accountable Person with other relevant people including residents and emergency responders.

The Golden Thread is based on the following principles, which you could also consider as system properties:

Principles:

  - Accurate and Trusted: the dutyholder/Accountable Person/Building Safety Managers and other relevant persons (e.g. contractors) must be able to use the golden thread to maintain and manage building safety and ensure compliance with building regulations. The Regulator should also be able to use this information as part of their work to assess the compliance with building regulations, the safety of the building and the operator’s safety case report, including supportive evidence, and to hold people to account. The golden thread will be a source of evidence to show how building safety risks are understood and how they are being managed on an ongoing basis. The golden thread must be accurate and trusted so that relevant people use it. The information produced will therefore have to be accurate, structured, and verified, requiring a clear change control process that sets out how and when information is updated and who should update and check the information.

  - Residents feeling secure in their homes: residents will be provided information from the golden thread – so that they have accurate and trusted information about their home. This will also support residents in holding Accountable Persons and Building Safety Managers to account for building safety. A properly maintained golden thread should support Accountable Persons in providing residents the assurance that their building is being managed safely.

  - Culture change: the golden thread will support culture change within the industry as it will require increased competence and capability, different working practices, updated processes and a focus on information management and control. The golden thread should be considered an enabler for better and more collaborative working.

  - Single source of truth: the golden thread will bring all information together in a single place meaning there is always a ‘single source of truth’. It will record changes (i.e. updates, additions or deletions to information, data, documents and plans), including the reason for change, evaluation of change, date of change, and the decision-making process. This will reduce the duplication of information (email updates and multiple documents) and help drive improved accountability, responsibility and a new working culture. Persons responsible for a building are encouraged to use common data environments to ensure there is controlled access to a single source of truth.

  - Secure: the golden thread must be secure, with sufficient protocols in place to protect personal information and control access to maintain the security of the building or residents. It should also comply with current GDPR legislation where required.

  - Accountable: the golden thread will record changes (i.e. updates, additions or deletions to information, data, documents and plans), when these changes were made, and by who. This will help drive improved accountability. The new regime is setting out clear duties for dutyholders and Accountable Person for maintaining the golden thread information to meet the required standards. Therefore, there is accountability at every level – from the Client/Accountable Person to those designing, building or maintaining a building.

  - Understandable/consistent: the golden thread needs to support the user in their task of managing building safety and compliance with building regulations. The information in the golden thread must be clear, understandable and focused on the needs of the user. It should be presented in a way that can be understood, and used by, users. To support this, dutyholders/Accountable person should where possible make sure the golden thread uses standard methods, processes and consistent terminology so that those working with multiple buildings can more easily understand and use the information consistently and effectively.

  - Simple to access (accessible): the golden thread needs to support the user in their task of managing building safety and therefore the information in the golden thread must be accessible so that people can easily find the right information at the right time. This means that the information needs to be stored in a structured way (like a library) so people can easily find, update and extract the right information. To support this the government will set out guidance on how people can apply digital standards to ensure their golden thread meets these principles.

  - Longevity/durability and shareability of information: the golden thread information needs to be formatted in a way that can be easily handed over and maintained over the entire lifetime of a building. In practical terms, this is likely to mean that it needs to align with the rules around open data and the principles of interoperability – so that information can be handed over in the future and still be accessed. Information should be able to be shared and accessed by contractors who use different software and if the building is sold the golden thread information must be accessible to the new owner. This does not mean everything about a building and its history needs to be kept, the golden thread must be reviewed to ensure that the information within it is still relevant and useful.
  - Relevant/proportionate: preserving the golden thread does not mean everything about a building and its history needs to be kept and updated from inception to disposal. The objective of the golden thread is building safety and therefore if information is no longer relevant to building safety it does not need to be kept. The golden thread, the changes to it and processes related to it must be reviewed periodically to ensure that the information comprising it remains relevant and useful.

These definitions and principles will help set the direction for how digital threads will be built in the compliance domain, not only within the UK but also in other jurisdictions.

What Digital Threads Mean For Compliance

Evidence of compliance has always been needed, and this means more than attestations as the way to verify that what should have been done was actually done. This approach was always too slow, too late and not always accurate. That is why the concept of a Golden Thread as a means to provide evidence and assurance of compliance throughout the design, building and maintenance of buildings is a game changer.

However, it will still take time for digital thread infrastructures to be established, particularly those that meet the properties outlined for the UK's Golden Thread. At one level digital threads are still retrospective and on the lagging side of risk events. However, they could become more than feed-back processes, particularly for downstream activities. When combined with digital twins they could become feed-forward and provide predictive utility, particularly when used to improve and validate design models. At a minimum, digital threads will provide more up-to-date and reliable information for all stakeholders during every stage of a building's life cycle.

Now that we have a defined purpose and properties for digital threads in the compliance domain, it is likely that "Golden Threads" will become part of other regulatory regimes. Medical device manufacturers are already using digital threads to provide traceability across DHF, DMR, and DHRs. There are also examples of digital threads in Oil & Gas and other regulated industries with respect to safety-critical data. In addition, using digital threads as part of a Management of Change (MOC) process may help ensure design integrity as a result of planned changes.

Instead of trying to integrate systems together, digital threads may provide a more effective means for compliance-critical information to be made available, not only as evidence of compliance but as a proactive measure to prevent risk. Proactive organizations should begin to plan pilot projects to explore how digital threads would be used in response to regulatory reforms but also as part of their own internal compliance efforts.

If you are interested in developing and implementing digital thread strategies, please contact our project management office to learn how Lean Compliance can help.
- IS EDM DEAD?
Business processes require information to produce the desired outcomes. This information comes in various forms and is used in a variety of ways which cannot always be known in advance. However, there is a class of documents where it is necessary to control the format and its use in order to meet compliance requirements. Capabilities to manage these types of documents are needed today just as they were a few decades ago. However, in today's world of big data and artificial intelligence (AI) managing documents is not seen as important and some would even say no longer necessary. In fact, recently, some technology enthusiasts are proclaiming that electronic/enterprise document management (EDM) is dead or will be in the near future. The approaches and technologies used in the past no longer (if at all) work and should be abandoned in favor of newer technologies. There are many reasons that are typically given (several of which are well justified) as to why EDM has not provided the promised benefits. One key reason is that users still cannot find the documents they need even using EDM technology. EDM has traditionally relied on indexing documents using a classification scheme to locate documents. Developing and managing classification schemes is considered to be too costly, error prone, and not needed as you can just search the content within the documents directly. In Part 1, of this blog post we will look at this assertion, the state of EDM and reasons why it has not delivered on its objectives. In, Part 2, we will consider how to address these shortcomings and outline how EDM can be successfully implemented using existing technologies. HISTORICAL LESSONS To start, it is helpful to remind ourselves that similar statements about EDM have been made before. This tends to happen whenever newer technologies enter the marketplace. This was the case when full text was first introduced in the 90s. Leading vendors at that time advocated doing away with classification schemes. 
Forget about trying to manage data because we can find the data for you using our search technology. Today we hear the same argument from those that promote big data and artificial intelligence.

Using full text search to discover information is useful and needed when looking for information stored in vast amounts of content. However, a critical problem with using these technologies is that they assume that the data is self-describing, which means that data about the data (which we call metadata) is contained within the object we are looking for. If this is not the case then it becomes almost impossible to locate relevant information.

It is worth noting that after many years of using the web and searching using the content alone we are now investing a significant amount of time and money doing Search Engine Optimization (SEO) to improve search results. There are still problems with false positives and search accuracy. We are now inserting classification (i.e. metadata) back into documents in the form of keywords and tags so that the content we are looking for can be found.

Google will get you close but not close enough, which is a serious risk to compliance-based processes. You can just imagine the consequences of retrieving and using the wrong procedure because the search engine returned a list of close but not exact matches to your query.

Managing document classifications is necessary when the purpose is to deliver exactly the correct document to the correct person at the correct time. This is still something that search engines alone cannot provide and one of the key reasons why you still need EDM.

WHAT IS EDM?

EDM is simply a system to manage documents and is considered part of the overall domain of Enterprise Content Management (ECM). EDM manages the class of documents that need to be controlled because they are inputs to critical business processes in the same way that raw materials are controlled in manufacturing processes.
We find that these documents are still mostly unstructured, requiring data describing them to be controlled and managed outside the document itself. EDM also provides other capabilities to manage important aspects that are critical to compliance which have largely been forgotten.

It is common when talking about documents to take a reductionist view and lump them in the general bucket of data. This perspective unfortunately removes important distinctions that characterize the nature of documents, which can be seen when considering the following definition for a document:

"Something tangible that records communication or facts with the help of marks, words, or symbols. A document serves to establish one or several facts, and can be relied upon as a proof thereof. Generally speaking, documents function as evidence of intentions, whereas records function as evidence of activities"

This definition suggests several characteristics that a document must have in order to be considered as evidence or as a record. These include:

  - Unalterable
  - Bi-temporal
  - Structured
  - Intentional
  - And so on

What is very common these days is to hear companies use the concept of a "living" document to describe their documents. These documents are constantly changing, edited in place, and only the latest version should be used. This description defines a particular use case for how documents are edited and retrieved. However, the notion of living documents is seldom if ever used in compliance processes, where what is critical is that the user uses the "latest approved" version and, more correctly, the one that he/she was trained on.

The use cases for which version should be used are more nuanced, for example:

  - The latest official release
  - The latest approved version
  - The latest approved version in the training system
  - The latest work in progress version

To effectively manage documents it is necessary to first understand what a document will be used for. It is in managing these intentions where EDM shines.
This is very different from how content on the web is used. Content on the web typically is for a single use case and seldom has support for different uses of a document. EDM systems will have many more capabilities to support what is needed to preserve the integrity of documents across various uses to satisfy business and compliance requirements. These will include:

  - Life Cycle Management (or workflow)
  - Metadata Management
  - Versioning
  - Electronic Signatures
  - Markup / Annotations
  - Multiple Formats
  - Office Integration
  - Relationship Management
  - Release Management
  - Digital Rights Management
  - Navigation / Search

The power of EDM comes from managing all the dependent relationships with related information. In this way, EDM is more like a database than it is a file server. These relationships describe the intention for each document and are therefore essential from a compliance perspective. For example, a document is:

  - A Work Instruction, or Policy, or Standard
  - Effective for the next 24 hours
  - Superseded by the current version
  - Controlled or Uncontrolled
  - The latest approved version

THE STATE OF EDM

EDM has always suffered from an identity crisis. EDM started out as purpose-built applications that utilized a relational database back end with an attached file store. This evolved to be more object oriented and over time transitioned to a platform offering in an attempt to become a "content" version of traditional database systems. API standards were developed to address proprietary interfaces and implementations. However, before these could gain traction the web took over. This would in many ways diminish the advances that EDM had up until then provided. It was very much three steps forward and two steps back.

The introduction of the web and later content management did furnish a needed level of standardization along with enabling the shift from client/server technologies to web-based architectures. While this was good, it sacrificed functionality specific to managing documents in doing so.
After many years of using HTML, creating web pages, and managing web content, most people consider managing content as synonymous with managing documents. Intranet platforms have for the most part replaced document management systems, not in terms of capability but in terms of mind share. Many EDM vendors have been sidelined or have pivoted to become content management providers. Some of them are doing both.

One of these vendors is Microsoft with their SharePoint platform, which is used in many organizations. SharePoint is an intranet platform that has over time added document and record management capabilities. SharePoint is worth mentioning because it has also become the de facto repository for documents in many companies. However, instead of controlling documents using EDM paradigms, we find that:

1. Documents are managed as files
   - Metadata is not used, managed, or controlled
   - New documents are created for every version
   - Life cycles are implemented as folders where files are duplicated
2. Documents are managed as web content
   - Minimal life cycle management
   - Minimal relationship or link management
   - Minimal release management
   - Minimal security
3. Document management is left to each business process owner
   - IT is not involved
   - Lack of consistent practices
   - Lack of expertise and best practices
4. Documents are stored in communication channels
   - E-mail
   - Messaging
5. Documents are stored in collaboration platforms
   - File servers
   - Intranets
   - Cloud Applications

While data awareness and capabilities have to some degree improved over the years, these have been limited to what can be done using spreadsheets and what can be done using content management on intranets. Unfortunately, both of these tools are inadequate to effectively control and manage data and documents. The hope that content management would catch up to EDM still has not materialized.
Many have waited for approaches such as the semantic web and RDF to create self-describing data; however, these have not advanced far enough to fill in the gaps.

In the meantime, information technology has moved on. Enterprise IT is now preoccupied with moving to the cloud. Application developers are deconstructing workflows and redoing them for mobile. Cloud providers are racing to become the preferred repository for all your data but are mostly agnostic to how you use this information. Information technology for all intents and purposes has abandoned the domain of controlled documents and EDM.

WHAT CAN BE DONE?

Given the limited resources available to companies, many are struggling to manage documents needed to support their business processes. Many technologies exist to help but have been largely forgotten, misunderstood, or otherwise neglected. The good news is that the steps to improve the management of documents have largely stayed the same and include:

  - Identify which documents are critical for compliance.
  - Conduct a document inventory to locate each document and determine how it is used.
  - Establish a standardized approach to managing these documents.
  - Leverage existing technologies to manage the document life-cycle.
  - Automate management processes to embed evidence of compliance, streamline approvals, and manage document security.
- Management Previews
When it comes to management-based standards and regulations, they almost all include a requirement for Management Review. The purpose of a management review has traditionally been to look at what has been accomplished and make necessary corrections to maintain targeted levels of performance applied to quality, safety & security, environmental and regulatory objectives. In recent years requirements have been expanded to consider strategic alignment and overall effectiveness, which requires a different point of view.

The prevailing perspective on Management Review is looking at a rear-view mirror of past performance and using lagging indicators to make adjustments that improve consistency. This is necessary but limited in terms of contending with what's coming ahead, and often very soon. A proactive approach to Management Review, let's call it Management Preview, adds another perspective by looking at what's ahead and using leading indicators to make course corrections that improve effectiveness.

The purpose of systems is to achieve consistency by adhering to procedures, resisting change and reacting to variation. Programs, in contrast, anticipate conditions, introduce change, and advance outcomes. While this distinction is conflated in many management-based standards and regulations, it helps to better understand the difference between governance, the process of steering; and managing, the process of controlling. Using this distinction we can say that Management Review is a function of systems that control processes whereas Management Preview is a function of programs which govern systems.

Management Previews are essential for all purposeful endeavors where outcomes are being advanced and improvement in performance is needed not only to maintain consistency but to improve outcomes.
- When Is the Right Time to Introduce Technology?
Recently, I spoke with a client who answered this question by saying that technology can, when introduced too soon, short circuit the learning process. People can lean too much on the technology without fully understanding what the process and tools are really trying to do. This can work against trying to establish new behaviors and practices.

In a fashion, my client's response speaks against today's widespread perspective that technology is the answer to many of our problems. For some, the introduction and use of technology is necessary to achieve the outcomes we want. However, is there a point where technology can actually get in the way of achieving these outcomes? And if so, how do you know when you have reached that point?

This perspective that technology is the answer to our problems partly comes from a mindset of what is called technology determinism, also referred to as technology-push. This view suggests that technology drives the solution instead of the business shaping what is needed. In many ways technology is the key enabler to change. However, technology-push can cause issues when the technology runs ahead of the business need. In this case, you end up with a solution looking for a problem rather than the other way around.

This is where the rub is and the heart of where my client was coming from. Technology is often needed to support change, but without the right balance it can "push" beyond what is needed and cause issues that can work against achieving the desired outcomes.

Keeping the tension between the business demand and technology push is difficult. Here are a few things that can help:

  - Keep the overall outcomes in mind. Don't forget what the technology is for.
  - Keep the business need and the technology capabilities in sync. Don't let either get too far ahead of the other (i.e. don't over or under invest).
  - Keep measuring and monitoring your outcomes and adjust capabilities when necessary.
It is possible to slow or speed up adoption to stay in sync with technology introduction. Remember this is more like dancing than racing.

Plan-Do-Check-Act Questions:

  - What ways have you observed technology hindering or advancing your program outcomes?
  - What needs to happen to keep the business need and the technology capabilities in sync?
  - What would it look like if technology was at the right level?
  - What step can you take to adjust your use of technology to match your business need?
- Compliance Technologies – Part 1
Navigating the constantly evolving landscape of compliance can be a challenging task for organizations, as it involves adhering to various regulations and stakeholder obligations across industries and countries. A comprehensive compliance program that covers all applicable laws and stakeholder requirements is crucial for every business to stay on top of their compliance obligations.

At Lean Compliance, we specialize in helping organizations stay between the lines and ahead of risk. Through the lens of our proactive integrative approach we help organizations evaluate and improve existing compliance programs, systems, and technologies used to address both management and technical aspects of compliance.

In this series we explore the technology side of compliance, which we have categorized into the following solution categories:

  - Regulatory Compliance solutions - these solutions are designed specifically to help organizations comply with regulations and laws. This can include tools for monitoring regulatory changes, automating compliance tasks, and managing compliance documentation.
  - Risk Management solutions - these solutions help organizations identify, assess, and mitigate compliance risks. This can include tools for conducting risk assessments, implementing internal controls, and monitoring compliance metrics.
  - Environmental, Health, and Safety (EHS) solutions - these solutions are designed to help organizations manage compliance with environmental, health, and safety regulations. This can include tools for managing hazardous materials, tracking safety incidents, and monitoring compliance with OSHA regulations.
  - Governance, Risk, and Compliance (GRC) solutions - these solutions provide a holistic approach to managing compliance, risk, and governance issues. This can include tools for managing policies and procedures, conducting risk assessments, and monitoring compliance metrics across the organization.
  - Compliance Management software - this category includes software solutions that help organizations manage their compliance programs. This can include tools for tracking compliance obligations, managing audits and inspections, and monitoring compliance metrics.

In this first article we look at four vendors that specialize in the Regulatory Compliance solutions category: ENHESA, Nimonik, RegScan, and STP Publishing:

  - ENHESA is a consulting firm that specializes in providing EHS regulatory compliance services to multinational companies. They provide expert guidance on regulatory compliance issues, helping organizations to identify and mitigate risks, develop compliance strategies, and stay up-to-date with the latest regulatory changes.
  - Nimonik is a compliance software company that provides environmental, health, and safety compliance auditing and monitoring solutions. They offer a web-based platform that helps organizations manage their regulatory compliance obligations through automated audits, corrective actions, and tracking of regulatory changes.
  - RegScan is a company that provides compliance solutions to help businesses manage their environmental, health, and safety (EHS) regulations. They offer a web-based platform that provides access to regulatory data, analysis tools, and compliance management systems to help organizations stay up-to-date with regulatory changes and ensure compliance.
  - STP Publishers is a publishing company that provides regulatory compliance information in various formats, including online, print, and mobile applications. They offer a range of products, such as guides, handbooks, and manuals, covering various EHS regulatory topics, including OSHA, EPA, and DOT regulations.

These companies provide various solutions to help organizations stay compliant with obligations that include (but are not limited to) environmental, health, and safety requirements.
They all offer expertise, software solutions, and regulatory information to help businesses better meet their compliance obligations.

Where do ENHESA, Nimonik, RegScan and STP Publishers map to the solutions categories?

There is often significant overlap with technology solutions, and this is no different when it comes to compliance. Solutions offered by each company may vary depending on the specific package or plan that an organization chooses to subscribe to, and the categories listed above are not exhaustive. However, based on their websites and marketing materials, here's how the solutions compare to the compliance solution categories:

  - Regulatory compliance solutions: All four companies offer regulatory compliance solutions that help organizations comply with laws and regulations. These solutions can include tools for monitoring regulatory changes, automating compliance tasks, and managing compliance documentation.
  - Risk management solutions: All four companies offer partial risk management solutions to help organizations identify, assess, and mitigate compliance risks, with support for conducting risk assessments and capturing risk metrics.
  - Environmental, health, and safety (EHS) solutions: Nimonik and ENHESA offer EHS solutions to help organizations manage compliance with environmental, health, and safety regulations.
  - Governance, risk, and compliance (GRC) solutions: ENHESA and Nimonik both offer partial GRC solutions to address compliance, risk, and governance requirements that include managing policies and procedures and monitoring compliance metrics.
  - Compliance management software: ENHESA and Nimonik both offer compliance management software solutions that allow organizations to track compliance obligations, manage compliance activity, conduct audits and inspections, and monitor compliance metrics.
Here's a summary comparison of the solutions offered by ENHESA, Nimonik, RegScan, and STP Publishing against the solution categories listed above:

| Compliance Solutions Category | ENHESA | Nimonik | RegScan | STP Publishers |
|---|---|---|---|---|
| Regulatory compliance solutions | Yes | Yes | Yes | Yes |
| Risk management solutions | Partial | Partial | Partial | Partial |
| Environmental, health, and safety (EHS) solutions | Yes | Yes | No | No |
| Governance, risk, and compliance (GRC) solutions | Partial | Partial | No | No |
| Compliance management software | Yes | Yes | Partial | Partial |

This comparison is based on publicly available information and may not be exhaustive or completely accurate.

How do ENHESA, Nimonik, RegScan and STP Publishers help you stay between the lines and ahead of risk?

ENHESA, Nimonik, RegScan, and STP Publishers are all designed to help companies manage compliance. However, the effectiveness of each solution in handling compliance risk depends on several factors, including the specific industry, the types of regulations that the organization must comply with, and the organization's specific compliance needs and requirements.

That being said, ENHESA is generally considered to be a leading provider of compliance solutions for multinational companies that need to manage compliance across multiple jurisdictions. ENHESA's solutions provide a comprehensive approach to compliance risk management, including a focus on risk assessments, compliance audits, and compliance gap analysis.

Nimonik also offers a comprehensive range of compliance management tools and features to identify and manage obligations, create and track compliance activity, conduct audits, and capture and monitor compliance risks.

STP Publishers and RegScan primarily provide compliance content, such as manuals and online resources, that can help organizations stay up-to-date with regulatory changes and requirements (RegScan also provides audit capabilities).
While these resources can be useful in staying between the lines, they may not provide the same level of hands-on support and guidance needed to contend with uncertainty and risk.

Overall, the effectiveness of each solution in handling compliance risk will depend on the specific needs and requirements of the organization. It is important to evaluate each solution based on its specific features, capabilities, and industry focus to determine which one will best meet the organization's compliance risk management needs.

Here's how each compares against key compliance capabilities:

| Features | ENHESA | Nimonik | RegScan | STP Publishers |
|---|---|---|---|---|
| Compliance monitoring and tracking | Yes | Yes | Yes | No |
| Regulatory updates and alerts | Yes | Yes | Yes | Yes |
| Compliance gap analysis | Yes | Yes | Yes | No |
| Compliance risk assessments | Yes | Yes | Partial | No |
| Compliance audit tools | Yes | Yes | Yes | Partial |
| Multinational compliance management | Yes | No | No | No |
| Environmental, health, and safety compliance management | Partial | Yes | No | No |
| Industry-specific compliance guidance | No | No | No | Yes |
| Integration with enterprise systems | Yes | Yes | Yes | Yes |

This comparison is not meant to be exhaustive and there may be additional features and capabilities offered by each solution beyond those listed here. Additionally, the specific features and capabilities of each solution may vary depending on the specific package or plan that an organization chooses to subscribe to.

What are the main differences between ENHESA, Nimonik, RegScan and STP Publishers?

ENHESA, Nimonik, RegScan, and STP Publishers all provide regulatory compliance solutions, but there are some differences between them.

ENHESA is a global environmental, health, and safety (EHS) consultancy that provides compliance solutions to businesses operating in various industries. Their services include regulatory analysis, EHS audits, and compliance management systems.
Nimonik provides a turn-key web-based compliance monitoring platform that helps organizations to identify, track, and comply with applicable regulations. Their services include audit and inspection tools, document management, and automated compliance alerts. The main differentiator is that they have both software and content, allowing you to rapidly deploy a compliance monitoring program. They can also extract obligations from your internal documents such as permits, policies and procedures.

RegScan is a global regulatory compliance solution provider that offers compliance monitoring, analysis, and management solutions for businesses. Their services include compliance audits, training, and consulting. They are now owned by ENHESA, which is based in Belgium.

STP Publishers is a provider of EHS and sustainability regulatory compliance solutions, offering online tools and consulting services to help organizations stay up-to-date with regulatory changes. Their services include regulatory compliance news and analysis, training, and audit checklists.

RegScan, ENHESA and STP focus on providing data. To fully use their information you often need to purchase software programs such as a GRC platform or an EHS platform. If you are a large organization with a big team and budget, this might be the best option as you will be able to fully customize the program.

The main differences between these providers are the scope of the industries they serve as well as the management capabilities they provide. For example, while all four providers offer compliance monitoring and management solutions, ENHESA focuses specifically on EHS compliance, while Nimonik covers regulatory change for privacy, cybersecurity, HR, aviation and numerous other areas of concern. Each has different ways for risk to be captured, evaluated and managed.

Ultimately, the choice of provider will depend on your organization's specific needs and the industries you operate in.
It's important to conduct thorough research and evaluation of the various providers to determine which one offers the best fit for your organization's compliance needs.

Summary

In today's business landscape, regulatory compliance is more important than ever. Failure to comply with regulations can result in hefty fines, legal action, and damage to a company's reputation. Fortunately, technology solutions have emerged to help organizations manage compliance more efficiently and effectively.

ENHESA, Nimonik, RegScan, and STP Publishers are four companies that offer regulatory compliance solutions that assist organizations in complying with laws and regulations. These solutions include tools for monitoring regulatory changes, automating compliance tasks, and managing compliance documentation and information.

Overall, compliance technology solutions are becoming more critical for organizations to effectively manage their regulatory and stakeholder obligations. The solutions offered by these companies can provide organizations with the tools they need to stay compliant, avoid costly penalties, and protect their reputation.

Lean Compliance helps organizations stay between the lines and ahead of risk. Visit our website to learn how you can improve the probability of mission success by using a proactive and integrative approach to compliance.
- Turning Best Effort Into Best Outcome
When it comes to playing games where the goal is to have fun, “Best Effort” is often applauded and even celebrated. We often hear statements like, “you did your best and as long as you had fun that’s all that matters.” This may provide some consolation when stakes are low and dealing with a bruised ego.

However, when the stakes are higher and the goal is to save lives, “Best Effort” may not be enough. Knowing that you did your best when an incident occurs provides little comfort to those who have been injured or those who are responsible for their well being.

A “Best Effort” approach is also rarely acceptable for high performing companies when it involves making production numbers or other business goals. However, it is surprisingly the approach often adopted for meeting compliance objectives. In this blog we will look at why a “Best Effort” approach is not enough and how you can turn it into a “Best Outcome” strategy to advance compliance objectives and improve overall outcomes.

The Tale of Two Companies

Let’s consider two companies, each operating processing facilities that produce natural gas for distribution by downstream operators. They are both focused on operational excellence, cost reduction, and have a safety culture in place. Their safety records to date have not been stellar, both having had numerous incidents as well as at least one fatality in the last decade.

Both companies have come to realize that they need to improve their safety record and have decided to adopt a new safety initiative and introduce a new safety management system. At this point, as far as one can tell, these companies look the same and are taking the same kind of actions to improve. However, their results may turn out differently. One company has adopted a “Best Effort” approach, whereas the other has adopted an approach based on “Best Outcome.”

Best Effort Approach

The best effort approach is more common than one would expect. Companies promise to achieve the desired outcomes (ex.
zero incidents, zero defects, zero fatalities, and so on) but their focus is on “effort” rather than “results.” Companies may implement standard practices and behaviours, management systems, safety culture, and even continuous improvement; however, outcomes remain largely incidental and contingent (subject to chance) rather than planned and managed.

The “best effort” approach is characteristic of organizations in early stages of capability maturity, as attention is given to:

  - Standard work
  - Process consistency
  - Inspections and audits
  - Corrective actions

Systems (safety, quality, environmental, etc.) are introduced to manage processes, and industry standards help to ensure that the minimum processes are in place. The goal of all systems is to “execute processes as consistently as possible” or, using the previous analogy, “play the game the best you can.”

This approach has the greatest impact when essential processes, practices, or culture are missing or not meeting a minimum standard. Outcomes may improve, although these are often not measured or used to drive continuous improvement. Since the goal is to “execute processes as consistently as possible,” resources are aligned to achieve that end, rather than on advancing outcomes.

From a systems-theory perspective we know that when optimizing for a given outcome you will necessarily optimize away from other outcomes. In other words, you can only improve in the direction you are facing. When you are facing “consistency” you will necessarily move away from “effectiveness.”

Best Outcome Approach

A “Best Outcome” approach differs from “Best Effort” in that it optimizes for progress with respect to outcomes rather than effort or efficiency. This is more than just a subtle change in focus or a play on words; it defines a different strategy altogether. Companies will still implement standard practices and behaviours, management systems, safety culture, and even continuous improvement.
However, focus is on whether or not they have the “right” capabilities at the “right” level of performance to achieve the promised outcomes. This is one of the roles that governance and associated programs (i.e. the permanent versions of steering committees) have, which is to steer capabilities towards creating “Best Outcomes.”

This approach is “proactive” in that it doesn’t wait until an incident has occurred before making further improvements. Instead, it anticipates, plans, and acts to ensure that progress against outcomes is made. This requires that risk is managed, and improvement is made by continually steering towards defined goals, objectives, and intended results.

Adopting a “Best Outcome” Approach

When companies are in early stages of capability maturity, a “Best Effort” approach can provide utility to introduce missing capabilities. For some companies this is a starting point, but for all companies it is not the destination when it comes to advancing compliance outcomes.

Without a steering function a “Best Effort” approach will “continuously improve” towards greater consistency rather than effectiveness. Unfortunately, this tends to promote more inspections, audits, and corrective actions, which is commonly referred to as the “audit-fix cycle.”

However, there is a way for companies that have adopted this approach or are caught in the audit-fix cycle to become more effective. Here are 5 steps towards that end:

1. Clearly define goals, objectives, and expected outcomes.
2. Determine the capabilities (people, processes, organization, technology, culture, etc.) needed to achieve them.
3. Develop a risk plan to ensure progress is made.
4. Define how progress will be measured.
5. Establish a governance program to continuously improve compliance effectiveness.

Two Companies, Two Outcomes?

The outcomes of the two companies mentioned previously are still pending. Which one do you think will reach zero incidents, the one that chose a “Best Effort” or “Best Outcome” approach?
Let me know what you think or which approach you would use.











