COMPLIANCE
- Proactive Planning
Does your approach to planning adequately address performance and outcome-based obligations?
- Risk-Based CAPA?
Many companies are in the midst of adopting the changes introduced by ISO 9001:2015. One of the most significant of these is incorporating "risk-based thinking." Risk-based thinking was introduced to improve (among other things) the effectiveness of how corrective and preventive actions (CAPA) are handled. From the standard we know that preventive action has been replaced with taking a risk-based approach. In this blog I am going to explore the concept, which some have proposed, of replacing CAPA with CARA (i.e. Corrective Action / Risk Assessment). At the basic level this means conducting a risk assessment for each corrective action.

First of all, there are good reasons to conduct a risk assessment on corrective actions. We know that change can be a significant source of new and emerging risks. When dealing with any change there are two primary sources of risk that need to be addressed:

- Risks implementing the change – these are risks in conducting the work needed to effect the change. They may include worker safety, temporary impacts on other processes (including risk controls), and so on. A portion of these risks can be addressed proactively by using safe work practices, which are procedures that have been previously risk-assessed.
- Risks introduced by the change – these are new risks, or changes to existing risks, that result after the change has been made. They are identified as part of the change process, usually by a cross-functional team with experience in detecting risks within their particular discipline. Depending on the scope of the change it is not uncommon to have occupational safety, process safety, IT, compliance, regulatory, environmental, and other specialists involved as part of the risk assessment team.

Corrective actions are a source of change and therefore also a potential source of risk. However, there are limitations in using them as the only trigger to identify and manage both external and internal program risks. These limitations result from the fact that corrective actions are often:

- addressed in isolation from other actions
- triggered by symptoms and not systemic causes
- a reaction to a non-conformance, leading to lagging actions
- not effective at addressing latent failure modes (those that have yet to be discovered by the customer, for example)

To overcome these limitations companies should take a proactive and holistic (systems) approach to assessing risk. In fact, ISO 9001:2015 states that each company must identify and manage threats and opportunities associated with each process within their quality program. While this is good, it is not enough to identify risks associated with the objectives of the entire program. The latter requires consideration not only of individual processes but also of how they interact with other processes within and outside the quality program, all with the goal of assessing how uncertainty affects achieving program outcomes.

The first step is having clear and concise program objectives for each system and process. This will properly constrain risk assessments, along with the resulting treatments, to ensure that the certainty of achieving program goals is increased. The advantages of being proactive and using a holistic/systems approach to risk assessment include:

- improving processes before a non-conformance is realized
- addressing latent failure modes before they become active
- minimizing disruption, and the risks introduced by implementing change, by consolidating changes
- avoiding the higher costs associated with addressing non-compliance after the fact
- applying resources to the risks that really matter to achieving program outcomes

Including risk assessments as part of corrective actions is indeed part of risk-based thinking. However, on its own, it is not enough to address uncertainty in achieving program outcomes.

#RiskbasedThinking #CAPA #ISO9001 #ManagementofChange
- Does Compliance Need an Incident Management System?
With the emergence of the COVID-19 pandemic many are working remotely with minimal on-site presence. This has put a strain on existing operational systems and processes, particularly those connected with risk and compliance that were designed for and under different conditions. Organizations that have relied solely on audits to identify gaps in their compliance may now discover them to be too late and too slow for that purpose. In fact, as operating conditions have significantly changed, they may no longer be effective at all.

What should organizations do to deal with possible increases in incidents across their safety, environmental, regulatory, or quality programs? In this blog I will explore how organizations can answer this question, but first we need to understand why audits are used in the first place.

Use of Audits

The use of periodic audits as the primary compliance control is all too common and has always had its limitations. By design, audits provide evidence of what has happened. They provide a lagging indicator that can be used to identify and then correct prescriptive compliance gaps so that they don't reoccur. Audits work best when organizations are mostly "in compliance." Audits cannot correct what has already happened. However, they do provide status on the integrity of financial and other reports that give witness to the conditions at a certain point in time. Under normal conditions, when organizations are mostly "in compliance," they may also help to identify minor violations or infractions against standard practices and procedures.

However, conditions today are not normal. The assumption that organizations are still mostly "in compliance" may no longer be warranted or wise. In the presence of significant uncertainty in a COVID-19 pandemic world, what should organizations now do so that they continue to operate between the lines? Are audits enough to provide the assurance that stakeholders require?

Lessons from Process Safety

In highly regulated, high-risk industries another process is used to stay ahead of the effects of uncertainty. This process is known as "Incident Management (IM)" and is one of the pillars of an effective risk and compliance program. Incident management systems are used to address emergencies, but also to discover when organizations cross the lines well before audits might otherwise catch them. The hope is that infractions are caught when the consequences and the cost to correct them are small. In fact, it may even capture near misses, which can provide an earlier warning of possible future incidents. Incident Management (IM) systems help to turn this hope into a reality.

Incident management systems are used by safety-first organizations that have a culture of preparedness and response, something that almost all compliance programs need these days. The following are key principles of effective incident management programs. Practice of these principles can be observed in industries such as Energy, Oil & Gas, and Mining. However, they can also provide insights for others who are experiencing higher levels of uncertainty and risk as a result of the ongoing COVID-19 pandemic.

Incident Management Principles

1. Preparedness and Response

While effective risk management aims to prevent incidents before they happen, incident management aims to protect the public, workers, property and the environment just in case one does. This requires awareness of the effects of uncertainty (cf. RISK: ISO 31000) and establishing measures in advance to mitigate the effects should an adverse situation arise. Establishing response standards is essential to knowing the level of preparedness needed, along with how best to address specific cases such as emergencies.

3. Emergency Management Process

Emergency management involves all the activities prior to and in response to a significant adverse event that has the potential of doing harm. Having a comprehensive response plan focused on rapid response can mean the difference between life and death, along with the potential to avoid substantial remediation costs. After the emergency has been addressed, clean-up, restoration, and remediation efforts are put in place, informed by the results of a thorough incident investigation.

4. Incident Investigation

To prevent re-occurrence of an adverse event it is necessary to understand the root cause, or at least the primary causes, leading to the event. This requires thorough investigation and expert practice of root cause analysis (e.g. the Apollo method), STAMP (Systems-Theoretic Accident Model and Processes), HAZOPS, and other techniques designed to identify factors that may create the conditions and actions for the re-occurrence of the incident or similar ones.

5. Incident Resolution

Investigation, while important, will not have its full effect unless measures are put in place to implement recommendations to reduce the probability of re-occurrence. Establishing new or updated measures and monitoring their effectiveness are necessary, and this is where much of the failure in risk management occurs. Continuous evaluation of risk measure effectiveness is an essential practice for companies that strive towards operational excellence.

6. Incident Reporting

Incident reporting provides both leading and lagging information about incidents. Tracking of events that fall outside of risk and compliance boundaries or targets is essential both for government reporting and for the discovery of causes leading to possible future events. Capturing "near misses," while not easy to define or to do, is the current focus for many safety-first organizations that are serious about preventing harm to their workers, property, communities, and the environment.

7. Continuous Learning and Adaptation

For an incident management program to remain relevant and effective it must continually adapt to changing conditions and consider learning from within as well as outside of the organization. When conditions are changing as fast and as significantly as they are now, it is imperative that organizations continue to learn and adapt their risk and compliance programs. For some (perhaps many) this begins with not assuming the state of existing risk and compliance is what it was prior to the pandemic. This will necessarily lead to establishing and/or upgrading processes associated with incident management.

Summary

COVID-19 has created significant disruption and uncertainty across the world, across communities, and across businesses of all shapes and sizes. Assuming that prior risk and compliance controls have remained intact and are still effective may no longer be warranted or wise. Waiting for downstream audits and reports may not be fast enough to close the gaps in programs essential to keep organizations operating between the lines and to protect against harm or loss.

Under current pandemic conditions, or until the state of risk and compliance programs is better understood, organizations should consider implementing incident management programs to mitigate the effect of adverse events, which are now more likely to occur. Tracking and monitoring of incidents may themselves provide early warning, giving organizations time to prepare. However, safety-first organizations will take the proactive step to first understand their risks to ensure that they are ready to respond.

Lean Compliance helps forward-looking organizations improve stakeholder trust by improving the effectiveness of risk and compliance programs.
- Regulatory Compliance Not Enough
In a recent decision, the Ontario Court of Appeal stated that the general duty clause in the Occupational Health and Safety Act can impose higher obligations than specific requirements in regulations. In the case involving Quinton Steel, with respect to guard rails, the court concluded the following:

"It may not be possible for all risk to be eliminated from a workplace, as this court noted in Sheehan Truck, at para. 30, but it does not follow that employers need do only as little as is specifically prescribed in the regulations. There may be cases in which more is required – in which additional safety precautions tailored to fit the distinctive nature of a workplace are reasonably required by s. 25(2)(h) in order to protect workers. The trial justice's erroneous conception of the relationship between s. 25(2)(h) and the regulations resulted in his failure to adjudicate the s. 25(2)(h) charge as laid." – Emphasis added in bold.

Based on this decision, the general duty clause could require employers to do more than the prescriptive requirements of any hazard-specific regulations. Some might argue that this has expanded the scope of an employer's obligations. However, what this decision has affirmed is that regulations should be considered "the low-water mark" when it comes to safety.

It is therefore essential that employers understand exactly what their obligations are and how they will keep them. This requires greater consideration when it comes to duty and liability as well as the other categories of obligations:

- Micro-means (prescriptive)
- Macro-means (management-based)
- Micro-ends (performance-based)
- Macro-ends (duty and liability)

It is common for employers to focus on the prescriptive elements, as these can be more easily quantified and measured, whereas the others often require the establishment of systems and processes to achieve standards that go above and beyond the prescriptive elements. To address these, companies will implement processes to address uncertainty and the management of risk, along with continuous improvement, specifically with respect to performance and outcomes.

A primary difference between following prescription and meeting duty and liability obligations is that the latter requires employers to be more proactive with their compliance. This begins with taking ownership of each obligation and not waiting for an audit or a fine for improvements to occur. There will always be more risk than a company can contend with, and so each company must decide which risks really matter. When it comes to duty of care, the decision should always side in favor of employee safety.

If you want to be more certain about your compliance you may want to consider joining The Proactive Certainty Program™, designed to help you avoid The Reactive Uncertainty Trap™. Visit our website at www.leancompliance.ca for more information on how to join.

Sources:
[1] http://www.occupationalhealthandsafetylaw.com/in-important-decision-ontario-appeal-court-says-that-general-duty-clause-in-ohsa-can-impose-higher-obligations-than-specific-requirements-in-regulations?utm_source=Mondaq&utm_medium=syndication&utm_campaign=LinkedIn-integration
[2] Canadian Occupational Safety, www.cos-mag.com, "Regulatory compliance not enough: Court", Jeremy Warning
- Essential Properties for Compliance Systems
Compliance management systems are used by organizations to help them first achieve and then maintain compliance, which is the outcome of meeting all your obligations (ISO 19600). The question is: what properties or behaviours of a compliance system are needed for this outcome to be created? What is essential for a compliance system to be effective?

How are outcomes created?

To answer this we need to understand how outcomes are created in the first place. A system outcome is an emergent property, which for compliance may be greater safety, quality, security, reputation, or any number of desired objectives. It is the collective interactions of all essential parts of a compliance system that are responsible for the overall system behaviour and any emergent properties. Dr. Russell Ackoff defined a system as:

"a whole which is defined by its function in a larger system of which it's a part. For a system to perform its function it has essential parts:
- Essential parts are necessary for the system to perform its function but not sufficient
- Implies that an essential property of a system is that it cannot be divided into independent parts. Its properties derive out of the interaction of its parts and not the actions of its parts taken separately."

For example, using a transportation system such as a car, transporting someone from point A to point B is an emergent property. A car fulfills this purpose when all its essential parts are working together to "transport" someone. It is not the property of any of its parts taken separately. When you take a car apart it is no longer a car; it cannot perform its function. You can take all the parts and put them on the ground. You can analyze them, improve them, but you still don't have a car. There are also no parts that on their own can perform the function of a car: a car engine by itself cannot transport anything, including itself.

Another way of saying this is that a compliance system is not the sum of its parts. In fact, it is a product of the interaction of its parts. Without the interactions you only have a bin of parts, a collection of components, a set of elements, but you do not have a system.

Building parts

For many organizations, compliance remains an exercise in manufacturing parts, which they add to their collective parts bin. Unfortunately, none of the parts on their own will produce the desired compliance outcome. Audits, obligation registers, controls, risk measures, training: none of these by themselves is enough. Even if all the parts existed, if they do not work together as a whole you will still not have a compliance system.

As with a transportation system, we could have something simple like a skateboard or bicycle, or something more capable such as a motorcycle, car or plane. What is important is that they all fulfill the transportation function, recognizing that some are more effective than others. Instead of focusing on building parts, organizations need to think about enhancing systems. They perhaps need to start with the skateboard equivalent of a compliance system, then move on to a bicycle, and so on. Each version of the system can produce compliance and will manifest all the essential properties.

Compliance system properties

We have found that the following properties contribute to a compliance system's effectiveness:

- Operational – must have all the essential parts working together as a whole to produce the emergent property of compliance, evidenced by the advancement of outcomes.
- Proactive – capable of establishing new goals and measures that continually advance outcomes (e.g. governance).
- Viable – capable of being achieved using current technologies. While new technologies may be helpful, the system must be operational with the technologies currently available.
- Sustainable – capable of consistently achieving targeted levels.
- Resilient – consistently performs in the presence of changing conditions. Feedback controls are used to reduce variation and to create consistency in both performance and outcomes.
- Efficient – capable of achieving targeted performance with minimum waste.
- Adaptive – capable of learning from the past to improve future outcomes. Performance and outcomes are measured to understand correlation and causation.
- Transparent – capable of retrospective investigation and analysis. We are able to know what the rules are.

Compliance systems that have these properties in increasing measure of capability maturity are more likely to fulfill their compliance function.

What is essential?

We can now answer the question as to which properties are essential for a compliance system. The essential properties are those that are needed for the system to be operational. These are not sufficient for it to be effective, but they are necessary for it to perform in such a way as to create the emergent property of compliance. The system may not perform much beyond a skateboard at first, but you can still get from point A to point B. You can improve capabilities over time to get faster, use fewer resources, and so on. Determining what is needed to be operational requires clearly defining the purpose of your compliance system (what are the desired outcomes) and then identifying the capabilities, along with their interactions (i.e. the behaviours), needed to fulfill that purpose.
- Compliance Now Requires a Design
Safety performance is improved when organizations take a comprehensive and systemic view of their safety efforts. This requires different skills than implementing separate activities connected with requirements where the "means" have already been specified. With today's performance and outcome-based regulatory designs, organizations must now identify and determine how they will achieve targeted safety goals, which can be considered as obligations. A "design" step is needed to translate requirements into design specifications. These specifications describe the ends (key results and objectives) and the means (people, process, technology) of the safety effort needed to meet your obligations.

API RP 1173 Management of Change (MOC) Example

The following completed system requirements canvas shows what this looks like for a Management of Change (MOC) sub-system of a Pipeline Safety Management System (SMS) using API RP 1173. This approach can also be applied to other types of systems where improvement in both performance and outcomes has been targeted. The canvas maps requirements to the processes and capabilities that have been identified to achieve MOC effectiveness.

Since API RP 1173 is a recommended practice (i.e. not mandatory) and uses a performance-based approach, it is no surprise that its elements only include minimum procedural requirements that could be verified using an internal or external audit, although no certification body exists or is expected. When considering requirements, a necessary (and perhaps the first) step is to identify what effectiveness looks like. This goes beyond looking at minimum prescriptive requirements and includes consideration of the system's overall purpose, internal and external dependencies, and the requirements that come from improving essential capabilities to achieve key results and objectives.

For an MOC subsystem, effectiveness can be defined as: Management of change is effective when it keeps pipeline safety risk (individual and aggregate) resulting from technical, physical, procedural or organizational change within acceptable risk levels (risk tolerance). This measure of effectiveness will create additional requirements which, although not specified in API RP 1173, are certainly expected as part of its adoption.

A comprehensive design will also consider overall system properties, which for a purposive system like a Pipeline SMS can be expressed in the following way:

The first property we have already addressed, although not for the system as a whole. We know from systems theory that a system is not the sum of its parts but rather the product of its interactions. We expect that all subsystems will be designed to contribute to the production of the essential system properties. Therefore, we must identify what is needed for the MOC subsystem itself and for its contribution to the whole (i.e. dependency requirements) with respect to being: effective, proactive, viable, sustainable, resilient, efficient, adaptive, and transparent. A design structure matrix (as shown below) can be used to identify dependency requirements along with possible vulnerabilities or gaps in system capabilities:

Summary

To meet performance and outcome-based obligations each organization must establish its own goals and objectives, along with the means by which they will be achieved. Meeting these obligations creates performance requirements that extend beyond the procedural specifications within the API RP 1173 framework, as in our MOC example. A design step is now needed to translate performance, element, and system requirements into design specifications for solutions that advance overall outcomes. As safety is an emergent property of an overall safety system, the design step requires knowledge and skills in system design, cybernetic controls, and risk-based strategies to ensure that safety is advanced. These are needed not only for adopting API RP 1173 but for all performance and outcome-based regulations and standards.
- Antifragile - the solution to aleatory uncertainty
When it comes to contending with risk it is important to have an understanding of the nature of uncertainty, the root cause of risk. There are several types of uncertainty, but the two that are most critical are epistemic and aleatory uncertainty.

Epistemic uncertainty has to do with a lack of knowledge. The effects of epistemic uncertainty are often characterized in terms of likelihood of occurrence and severity of impact. We can predict the outcomes with some level of confidence, which facilitates decision making with respect to "buying down" these risks by reducing the likelihood, by mitigating the effects, or both. We call these reducible risks.

Aleatory uncertainty has to do with chance. The effects of aleatory uncertainty can also be characterized using probabilities; however, the specific outcomes are not predictable with any level of certainty. This kind of uncertainty is considered irreducible, although its effects can be mitigated by introducing margins in the form of such things as extra resources, time, and capacity. What we cannot do is improve the accuracy of our predictions.

For risk management to be effective it must adequately contend with both kinds of uncertainty. However, in highly regulated, high-risk industries it is aleatory uncertainty that is foremost on everyone's mind, as it presents a significant source of risk in the form of low-occurrence, high-impact events, often called unknown-unknowns and "black swans." These cannot be predicted and are in the domain of randomness, chaos, complexity and disorder: aleatory uncertainty.

The solution to aleatory uncertainty

In the book "Antifragile," the author Nassim Nicholas Taleb, who also wrote "The Black Swan," proposes that the solution to aleatory uncertainty is not greater margins or safeguards but instead the development of what he calls antifragility properties. Taleb defines antifragility as going beyond resilience and robustness. A resilient system resists shocks to maintain its state, whereas an antifragile system gets better; it improves. He suggests that uncertainty, disorder and the unknown are completely equivalent in their effects and therefore can be addressed in the same manner. Instead of trying to predict the future, which is not possible for aleatory uncertainty, steps are taken to measure and reduce the level of fragility, which is easier to do and results in greater utility.

Fragile systems break down easily in the presence of uncertainty. The solution is not to build more robust systems, as we might think. Resilient, robust systems neither break nor improve, and therein lies the rub. The opposite of fragile is not robustness; it is a word that we don't have a name for, so Taleb uses "antifragile": things that gain from disorder.

Offshore drilling safety example

A few years ago, a safety assessment of offshore drilling platforms was conducted for operations in the North Sea. Each platform had written procedures, some of which were followed and some that were not. Each had a positive safety culture (more or less), each had commitment from senior leadership, and so on. In terms of practice, compliance, and other categories of assessment there were no differences that stood out other than their safety performance. Some of the platforms had experienced no incidents for a long period of time, while others were contending with multiple but mostly minor ones. The question that was asked was: which platforms are the safest to work on?

The platforms that had no incidents for a long time were considered to be the most unsafe, which may be surprising to some. While these platforms had excellent performance in the past, there were other indicators that caused concern, such as signs of complacency and overconfidence, to name a few. Using past performance to predict the occurrence of future incidents suggested that these platforms would be the safest. However, their current behaviors suggested otherwise. The platforms considered most safe were the ones dealing with minor incidents. They had a heightened level of awareness and, from an "antifragile" perspective, were improving with each incident. Everyone was looking out for each other and not resting on the achievements of the past. You might get "injured" but you would not be harmed.

Lack of volatility is not the goal

Seeking stability by inhibiting fluctuations (you might say incidents) tends to produce the opposite of what we intended. According to Taleb, overly constrained systems become prone to Black Swan events. Such environments tend to experience massive blowups, catching everyone off guard and undoing years of stability almost all at once. It is for this reason that over-regulation (mandatory or voluntary) and the preponderance of prescriptive rules can create greater levels of fragility, which in turn increases the chance of risk. It is no wonder that some have criticized the pursuit of vision zero targets (zero defects, zero incidents, zero fatalities, and so on). The low occurrence of these events is not sufficient to drive improvements and create the necessary behaviors.

Antifragile companies learn from the errors they create and from the errors of others. With every plant failure, worker injury, and failed objective the industry as a whole becomes safer, but only if we learn from what has happened. That is why it is so important for companies to share not only their best practices but, more importantly, their failures; otherwise the "sacrifices" paid by others will be for nought. Unfortunately, sharing of failures is considered by many to be foolishness when in fact it is the behavior of the wise.

Continuous improvement as a means to introduce volatility

Over the last several decades the adoption of continuous improvement (CI) has helped to transform many organizations, foremost in the automotive industry. However, you will now find its application in almost every sector. The reasons stated for why companies adopt CI often have more to do with improving quality, increasing efficiencies, or lowering costs. However, is that all that is happening? Continuous improvement at its core is an intervention strategy to facilitate change. These changes, done in small increments over time, create the capacity for even greater changes in the future; they make companies less fragile. This is precisely what is behind the principle of "fail fast, fail often." Although CI for many focuses on failures of the past, it still creates the benefits associated with contending with volatility.

If you were to ask, "which company is most likely to succeed in the presence of uncertainty?" the answer for me would not be the largest or most robust. It would be the ones that were practicing continuous change in any of its forms, be it LEAN, Agile, CI, or others. These are the companies that embrace uncertainty, becoming stronger in the process, and instead of being surprised by negative black swans they anticipate and are delighted to see the appearance of the positive black swan.
- Are Your Risk Measures Valid?
In this article we take a look at the nature of risk reduction controls through the lens of barrier analysis. This is a common practice in process safety and is becoming more popular in other fields such as environmental, finance, regulatory, cybersecurity, and overall compliance risk.

At a basic level, the bow-tie diagram (simplified above) is used to visualize a risk path initiated by a threat that results in an event which, if left unmitigated, will result in harmful consequences. Each element can be expanded so that analysis can be done to design measures, or to discover vulnerabilities in them that might make them insufficient to completely stop harm to the people and things we care about.

Process visualization is an important tenet of LEAN and also of risk management, although there it is not as prevalent or easy to do. What is more common is for risk to be communicated using statistical attributes, which, while necessary, often fail to properly describe event chains and their contribution to harmful or hazardous events. Nancy Leveson (STAMP method) calls these hazardous processes, although other phrases have been used, including event chains, error chains, risk streams, and the like.

What barrier analysis and bow-ties do for risk is what LEAN value stream analysis does for quality. The latter helps to identify waste to eliminate or reduce in the creation of value, whereas the former helps to identify uncertainty whose effects we also want to eliminate or reduce in the creation of safety.

Bow Tie Concept Handbook

While the Bow Tie and Barrier Analysis methods are commonly used in process safety, they have lacked consistent practices and vocabulary, which has hindered their utility and advancement. To address these concerns, as well as others, the Center for Chemical and Process Safety (CCPS) along with the Energy Institute (UK) in 2018 published a handbook entitled "BOW TIES IN RISK MANAGEMENT - A Concept Book for Process Safety." This handbook provides a common set of definitions, best practices and guidelines by which hazard and risk analysis may be done.

In the Bow Tie handbook the following definitions are provided for the basic elements of the bow tie shown previously. They will be helpful for our consideration and application with respect to compliance, where hazards also exist that need contending with.

- Hazard: An operation, activity or material with the potential to cause harm to people, property, the environment or business; or simply, a potential source of harm.
- Top Event: In bow tie risk analysis, a central event lying between a threat and a consequence, corresponding to the moment when there is a loss of control or loss of containment of the hazard.
- Prevention Barrier: A barrier located on the left hand side of the bow tie diagram, lying between a threat and the top event. It must have the capability on its own to completely terminate a threat sequence (other possible name: Proactive Barrier).
- Mitigation Barrier: A barrier located on the right hand side of a bow tie diagram, lying between the top event and a consequence. It might only reduce a consequence, not necessarily terminate the sequence before the consequence occurs (other possible names: Reactive Barrier, Recovery Measure).
- Threat: A possible initiating event that can result in a loss of control or containment of a hazard (i.e., the top event) (other possible names: Cause, Initiating Event).
- Consequence: The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs (other possible name: Outcome). The magnitude of the consequence may be described using a risk matrix.

For this article, I want to focus in on barriers, which in other industries are called Risk Measures.

Risk Measure Validity

Barriers are the technical and human factors used to prevent threats from becoming a reality. They have specific meaning when it comes to process safety, and particularly with respect to the properties they should have. The handbook suggests that barriers must have three essential properties. They should be effective, independent, and auditable:

- Effective - A prevention barrier is described as ‘effective’ if it performs the intended function when demanded and to the standard intended, and it is capable on its own of preventing a threat from developing into the top event. A mitigation barrier is described as ‘effective’ if it is capable of either completely mitigating the consequences of a top event, or significantly reducing the severity.
- Independent - Barriers should be independent of the threat and of other barriers on that pathway. For example, if the threat was loss of power and a barrier requires power to operate, then that would not be a permissible barrier in that pathway.
- Auditable - Barriers should be capable of being audited to check that they work. Formally, it could be that performance standards are assigned to the functionality of a barrier. For example, a performance standard for an ESD valve would ideally include ‘periodic end to end testing’, i.e., a signal is placed upon the detection device, the logic controller responds, and activates the end device, e.g., the ESD valve.

Validity of Compliance Risk Measures

While these definitions are described for process safety, they are applicable to general risk management, including compliance. Compliance uses risk measures to prevent or reduce the consequences associated with data breaches, ethical violations, non-conformance, and other "hazardous" events. They should also have essential properties to ensure they perform their intended purpose. These would include the ones for barriers: effective, independent, and auditable, for similar reasons to those given for process safety. In fact, compliance risk measures would also benefit from the extended list of attributes defined by CCPS: independence, functionality, integrity, reliability, auditability, access security, and management of change.

Unfortunately, just as in process safety and perhaps more so, there is a lack of a standard set of definitions and practices with respect to risk management as a whole. We seldom see risk defined using a consistent vocabulary across organizations, let alone within them. Risk identification, even when done, tends to be focused on the "components" of an organization and seldom at the level describing how these might work together to create what in process safety is called a hazardous process. Without understanding the causal nature of risk it is impossible to effectively prevent risk from occurring. As a result, it is no wonder that risk registers rarely contain the risks that really matter, with measures that have been properly analyzed and designed to be effective at preventing or mitigating harmful outcomes.

You might say that compliance is in need of tools such as the Bow Tie and Barrier Analysis to better visualize, describe and analyze risk processes. For those interested in learning more, we have written additional articles on the topic of using bow ties in the compliance domain which can be found here.
- The Taxonomy of an Obligation
When it comes to improving compliance it is important to know not only what your obligations are but also how each obligation has been designed to perform the regulatory function. Knowing this will help organizations better understand what is needed to meet their obligations by understanding:

- The level of compliance rigour required
- The level of support needed from leadership and management
- Controls that may need to be established
- Who is accountable for which part (self, industry, or government)
- How best to improve compliance
- What level of investment to make
- What is at stake and the level of risk
- Among other things

All of which are derived from the obligation design.

Four Obligation Designs

There are four common ways that obligations are architected to regulate aspects of quality, safety, environmental and legal concerns. These can be described across the dimensions of micro-macro and means-ends parameters:

- Prescriptive-based (micro/means) - rules that if followed will reduce risk.
- Management-based (macro/means) - processes that must be followed to manage obligations and risk.
- Performance-based (micro/ends) - specific measures that must be followed to achieve targeted performance levels.
- Outcome-based (macro/ends) - targeted outcomes that must be advanced.

Obligation Taxonomy

Each compliance design approach will in turn create different demands on an organization, which can be discovered by considering where the regulatory function is being applied to the structure of the obligation:

- Outcome-based regulations specify the ends or the outcomes and not the means. The onus is on organizations and industry to determine the means, the performance criteria and the rules that should be followed. This is an example of self-regulation, and one where leadership is essential at all levels to advance outcomes.
- Performance-based regulations specify the level of performance to achieve the desired outcomes but not the means or the rules that should be followed. This is common with industry programs to achieve zero fatalities, zero emissions, incidents, breaches, and so on. Continual improvement is necessary to advance the desired outcome. In this case, industry associations act as the regulator and take on some of the leadership responsibilities.
- Prescriptive-based designs specify the details and do not specify performance or outcomes, just the rules to follow. This is the primary form of government regulation, where the government takes on responsibility to achieve the desired outcomes. Organizations are expected to conform to the rules. Leadership is still important but perhaps less so, or in a different way. Following rules requires a culture of conformance rather than a culture of improvement and proactivity.
- Management-based designs like ISO 14000 and 19600 more generally focus on the processes by which you manage obligations. What is being regulated are the management processes, not necessarily performance or outcomes. This makes management standards applicable to all forms of regulatory designs, however with the caveat that this only happens when organizations incorporate performance and outcome standards alongside their management systems. Leadership is essential at the program level to ensure that effectiveness is not lost in the pursuit of consistency and efficiency.

Regulatory bodies and standards organizations may elect to use a combination of the four regulatory designs based on the nature of the risks they are attempting to ameliorate through regulation. Compliance analysts should be aware of this when they identify obligations and evaluate compliance risk. Obligation registers should include this information to help inform the actions for effective compliance.

Related Posts: https://www.leancompliance.ca/post/an-objective-view-of-obligations
- You Cannot Transfer Risk
I once worked for a company that had multiple programs to address concerns such as process safety, occupational safety, loss prevention, emergency preparedness, and several others. All of these programs involved contending with risk to various degrees, mostly independently from each other. Over the years it became clear that their risk capabilities had not progressed as well as other aspects of their compliance programs. So a decision was made to improve the situation, which resulted in the hiring of a risk manager. The goal for this new manager was to establish a consistent risk framework to be used across each of the compliance programs. This outcome was mostly achieved, but with an unintended consequence.

Managers of the compliance programs, along with asset owners, now believed that they no longer needed to manage risk, as the company had hired someone else to take care of it. The ownership of risk started to migrate from where it once was to the new risk manager. Not all at once, but over time the culture started to change and then the practice, as it almost always does in these kinds of situations.

If this sounds familiar it might be because you have heard this story before, connected with your own initiatives. You may have heard the following:

- I don’t have to manage quality; we have a department that does that.
- I don’t have to manage security; we have someone who does that.
- I don’t have to manage safety; we have a safety manager who does that.

We believe that by transferring responsibility we are also transferring risk. Why does this happen?

Organizations that try to improve their compliance often start by breaking down silos, consolidating effort into a centralized function. This almost always ends up with the ownership of risk being transferred along with the effort. The distinction between accountability and responsibility has been confused, and therein lies the rub. Those that are accountable for the objective should also be accountable for the risk. This is implied by ISO 31000, which defines risk as: the effects of uncertainty on objectives.

The ownership of risk must remain closest to those that are answerable for the objective. Even when the objective is transferred to a third party, the accountability for the objective is shared, and so should the risk be. You can delegate responsibility for risk identification, analysis, treatment, and monitoring to others. However, if you own the objective you cannot delegate your ownership of risk. In essence, risk can never be transferred.

Who owns risk within your organization? If you have a department or manager who takes care of risk and compliance then you most likely have fallen into the same trap that many others have. If this is your situation then it may be time to make sure that those who are accountable for objectives remain accountable for risk. The first step is to take ownership of all your obligations, which is necessary before any accountability can be assigned.
- Humility - An Urgent Necessity for Compliance
In the world of compliance, humility is a critical trait that is often overlooked. The lean principle of being humble is just as important in compliance as it is in any other aspect of business. The urgency for humility in compliance arises from the constantly changing and complex regulatory landscape, which requires businesses and organizations to navigate regulations efficiently. Non-compliance can have severe consequences, including legal and financial penalties, damage to reputation, and criminal charges. In addition, the increased focus on corporate social responsibility and ethical behavior demands that compliance professionals not only follow regulations but also act in the best interests of their stakeholders and society at large.

In today's ever-changing regulatory environment, humility in compliance is an urgent necessity for several reasons:

- Preventing arrogance: Compliance professionals must constantly deal with complex regulations and laws that are often changing. If they become arrogant in their understanding of these regulations, they may overlook certain nuances or misinterpret them, leading to non-compliance.
- Preventing cognitive bias: The compliance landscape is constantly evolving, and there is always something new to learn.
- Preventing unethical behaviour: Compliance is not just about following rules and regulations; it is also about behaving ethically.
- Preventing miscommunication: Compliance professionals often work with a wide range of stakeholders, from senior executives to front-line employees, leaving lots of room for misunderstanding.

How does humility help compliance?

Being humble in compliance means acknowledging that no compliance program is perfect and that there is always room for improvement. It involves recognizing that regulatory requirements and best practices are constantly evolving, and being open to learning from others to stay ahead of the curve.

When organizations approach compliance with humility, they are more likely to identify potential issues and vulnerabilities before they become major problems. They are also more likely to take a proactive approach to compliance, rather than waiting for regulators to identify areas of concern.

Being humble in compliance also means being willing to learn from mistakes. No compliance program is immune to errors, but organizations that are open to feedback and willing to admit when they've made a mistake are better equipped to identify and address the root cause of the problem.

Humility in compliance means recognizing the importance of collaboration. Compliance is not the responsibility of one person or team, but rather a shared responsibility across the organization. When teams work together and are open to feedback and ideas from others, they are better equipped to identify and address compliance issues.

Being humble is a critical aspect of building a successful and sustainable compliance program. By acknowledging that there is always room for improvement, being open to learning from others, and recognizing the importance of collaboration, organizations can stay ahead of the curve and avoid costly compliance issues. Humility is essential for effective compliance because it promotes continuous learning, ethical behaviour, effective communication, and a mindset that is open to new perspectives and ideas. The lack of these traits hinders compliance from always staying between the lines and ahead of risk.

Steps for becoming more humble

Becoming more humble is a personal journey and requires a willingness to examine oneself and make changes. Here are some steps that may help:

- Practice active listening: One way to become more humble is to listen more and talk less. When someone else is speaking, resist the urge to interrupt or interject your own opinions. Instead, focus on understanding their perspective and ask questions to clarify their thoughts.
- Cultivate gratitude: Practising gratitude can help shift our focus from ourselves to the people and things around us. Take time each day to reflect on what you are thankful for, and acknowledge the contributions of others.
- Embrace vulnerability: Humility often requires us to be vulnerable and admit when we don't have all the answers. Embracing vulnerability means acknowledging that we are not perfect and being open to feedback and constructive criticism.
- Seek out diverse perspectives: It's easy to become trapped in our own ways of thinking, but seeking out diverse perspectives can help us broaden our understanding and challenge our assumptions. Make an effort to seek out people with different backgrounds, experiences, and opinions.
- Practice self-reflection: Take time to reflect on your actions and behaviors, and consider how they impact others. Be honest with yourself about areas where you may need to improve, and make a plan to address them.
- Serve others: Serving others can help us develop a sense of empathy and compassion. Look for opportunities to volunteer or help those in need.

Remember, becoming more humble is a process that takes time and effort. It's important to approach this journey with an open mind and a willingness to learn and grow.
- Modernize Your Compliance With ISO37301
Some may be aware of an obscure but important guideline called ISO 19600 “Compliance Management System”, which was introduced in 2014. This guideline has now been replaced by a full Type A management standard, ISO 37301, which affords organizations a best-practices approach to modernize their compliance.

ISO 37301 specifies requirements which organizations must meet to provide stakeholders the assurance they need that obligations are being met. ISO 37301 is certifiable and applicable to organizations of all shapes and sizes. It can serve as a management system for corporate obligations, as an overarching framework for managing compliance across risk domains, or to provide better assurance for areas where no standards exist.

ISO outlines the following benefits for this standard:

- improving business opportunities and sustainability;
- protecting and enhancing an organization’s reputation and credibility;
- taking into account expectations of interested parties;
- demonstrating an organization’s commitment to managing its compliance risks effectively and efficiently;
- increasing the confidence of third parties in the organization’s capacity to achieve sustained success;
- minimizing the risk of a contravention occurring with the attendant costs and reputational damage.

ISO 37301 builds on and replaces ISO 19600 with the following differences. ISO 37301:

- is a Type A management standard that is certifiable and compatible with other Type A Management System standards such as ISO 9001, 45001, 14001, etc.
- replaces "should" with "shall" statements
- adds whistleblowing and expands culture and governance
- adds requirements for hiring or promoting staff to critical positions
- adds assessment of staff in matters of regulatory compliance
- provides a description of what is considered a regulatory compliance culture
- highlights the issues of independence, staffing and skills of Regulatory Compliance to operate without interventions and with appropriate staff
- identifies a Code of Ethics and Conduct as a key element in determining and controlling compliance

Is this standard what you need to modernize your compliance?

With increasing and expanding stakeholder obligations, this standard, applied effectively, will help organizations demonstrate that they have the capabilities to properly contend with risk and ensure that obligations can be met today and into the future. ISO 37301 is applicable for organizations that:

- want to modernize their corporate compliance efforts with industry best practices
- need a compliance management system for specific risk domains not currently covered
- need an overarching assurance framework across existing compliance management systems (e.g. safety, security, environmental, EHS, ESG, etc.)
- need to better address obligations not currently captured under existing management systems
- want to engender greater stakeholder trust

More information can be found on the ISO website: https://www.iso.org/obp/ui/#iso:std:iso:37301:ed-1:v1:en