
  • Essential Properties for Compliance Systems

    Compliance management systems are used by organizations to help them first achieve and then maintain compliance, which is the outcome of meeting all your obligations (ISO 19600). The question is: what properties or behaviours of a compliance system are needed for this outcome to be created? What is essential for a compliance system to be effective? How are outcomes created? To answer this we need to understand how outcomes are created in the first place. A system outcome is an emergent property, which for compliance may be greater safety, quality, security, reputation, or any number of desired objectives. It is the collective interactions of all essential parts of a compliance system that are responsible for the overall system behaviour and any emergent properties. Dr. Russell Ackoff defined a system as: "a whole which is defined by its function in a larger system of which it's a part. For a system to perform its function it has essential parts: essential parts are necessary for the system to perform its function but not sufficient. [This] implies that an essential property of a system is that it cannot be divided into independent parts. Its properties derive out of the interaction of its parts and not the actions of its parts taken separately."

    For example, using a transportation system such as a car, transporting someone from point A to B is an emergent property. A car fulfills this purpose when all its essential parts are working together to "transport" someone. It is not the property of any of its parts taken separately. When you take a car apart it is no longer a car; it cannot perform its function. You can take all the parts and put them on the ground. You can analyze them, improve them, but you still don't have a car. There are also no parts on their own that can perform the function of a car: a car engine by itself cannot transport anything, including itself. Another way of saying this is that a compliance system is not the sum of its parts. In fact, it is a product of the interaction of its parts. Without the interactions you only have a bin of parts, a collection of components, a set of elements, but you do not have a system.

    Building parts

    For many organizations, compliance remains an exercise in manufacturing parts which they add to their collective parts bin. Unfortunately, none of the parts on their own will produce the desired compliance outcome. Audits, obligation registers, controls, risk measures, training; none of these by themselves is enough. Even if all the parts existed, if they do not work together as a whole you will still not have a compliance system. As with a transportation system, we could have something simple like a skateboard or bicycle, or something more capable such as a motorcycle, car or plane. What is important is that they all fulfill the transportation function, recognizing that some are more effective than others. Instead of focusing on building parts, organizations need to think about enhancing systems. They perhaps need to start with the skateboard equivalent of a compliance system, then move on to a bicycle, and so on. Each version of the system can produce compliance and will manifest all essential properties.

    Compliance system properties

    We have found that the following properties contribute to a compliance system's effectiveness:

      • Operational – must have all the essential parts working together as a whole to produce an emergent property of compliance, evidenced by the advancement of outcomes.
      • Proactive – capable of establishing new goals and measures that continually advance outcomes (e.g. governance).
      • Viable – capable of being achieved using current technologies. While new technologies may be helpful, the system must be operational with the technologies currently available.
      • Sustainable – capable of consistently achieving targeted levels.
      • Resilient – consistently performs in the presence of changing conditions. Feedback controls are used to reduce variation and to create consistency in both performance and outcomes.
      • Efficient – capable of achieving targeted performance with minimum waste.
      • Adaptive – capable of learning from the past to improve future outcomes. Performance and outcomes are measured to understand correlation and causation.
      • Transparent – capable of retrospective investigation and analysis. We are able to know what the rules are.

    Compliance systems that have these properties in increasing measure of capability maturity are more likely to fulfill their compliance function.

    What is essential?

    We can now answer the question as to what properties are essential for a compliance system. The properties that are essential are those that are needed for the system to be operational. These are not sufficient for it to be effective but are necessary for it to perform in such a way as to create the emergent property of compliance. The system may not perform much beyond a skateboard at first, but you can still get from point A to B. You can improve capabilities over time to get faster, with fewer resources, and so on. Determining what is needed to be operational requires clearly defining the purpose of your compliance system (what are the desired outcomes) and then identifying the capabilities along with their interactions (i.e. the behaviours) to fulfill that purpose.

  • Compliance Now Requires a Design

    Safety performance is improved when organizations take a comprehensive and systemic view of their safety efforts. This requires different skills than implementing separate activities connected with requirements where the "means" have already been specified. With today's performance and outcome-based regulatory designs, organizations must now identify and determine how they will achieve targeted safety goals, which can be considered as obligations. A "design" step is needed to translate requirements into design specifications. These specifications describe the ends (key results and objectives) and the means (people, process, technology) of the safety effort needed to meet your obligations.

    API RP 1173 Management of Change (MOC) Example

    The following completed system requirements canvas shows what this looks like for a Management of Change (MOC) sub-system for a Pipeline Safety Management System (SMS) using API RP 1173. This approach can also be applied to other types of systems where improvement in both performance and outcomes has been targeted. This canvas maps requirements to the processes and capabilities that have been identified to achieve MOC effectiveness. Since API RP 1173 is a recommended practice (i.e. not mandatory) and uses a performance-based approach, it is no surprise that elements only include minimum procedural requirements that could be verified using an internal or external audit, although no certification body exists or is expected. When considering requirements, a necessary (and perhaps the first) step is to identify what effectiveness looks like. This goes beyond looking at minimum prescriptive requirements and includes consideration of the system's overall purpose, internal and external dependencies, and requirements that come from improving essential capabilities to achieve key results and objectives. For an MOC subsystem, effectiveness can be defined as:

    Management of change is effective when it keeps pipeline safety risk (individual and aggregate) within acceptable risk levels (risk tolerance) resulting from technical, physical, procedural or organizational change.

    This measure of effectiveness creates additional requirements which, although not specified in API RP 1173, are certainly expected as part of its adoption. A comprehensive design will also consider overall system properties which, for a purposive system like a Pipeline SMS, can be expressed in the following way:

    The first property we have already addressed, although not for the system as a whole. We know from systems theory that a system is not the sum of its parts but rather the product of its interactions. We expect that all subsystems will be designed to contribute to the production of the essential system properties. Therefore, we must identify what is needed for the MOC subsystem itself and its contribution to the whole (i.e. dependency requirements) with respect to being: effective, proactive, viable, sustainable, resilient, efficient, adaptive, and transparent. A design structure matrix (as shown below) can be used to identify dependency requirements along with possible vulnerabilities or gaps in system capabilities.

    Summary

    To meet performance and outcome-based obligations each organization must establish its own goals and objectives along with the means by which they will be achieved. It is meeting these obligations that creates performance requirements extending beyond the procedural specifications within the API RP 1173 framework, as in our MOC example. A design step is now needed to translate performance, element, and system requirements into design specifications for solutions that advance overall outcomes. As safety is an emergent property of an overall safety system, the design step requires knowledge and skills in system design, cybernetic controls, and risk-based strategies to ensure that safety is advanced. These are needed not only for adopting API RP 1173 but for all performance and outcome-based regulations and standards.

  • Antifragile - the solution to aleatory uncertainty

    When it comes to contending with risk it is important to understand the nature of uncertainty – the root cause of risk. There are several types of uncertainty, but the two that are most critical are epistemic and aleatory uncertainty.

    Epistemic uncertainty has to do with lack of knowledge. The effects of epistemic uncertainty are often characterized in terms of likelihood of occurrence and severity of impact. We can predict the outcomes with some level of confidence, which facilitates decision making with respect to "buying down" these risks by reducing the likelihood or by mitigating the effects, or both. We call these reducible risks.

    Aleatory uncertainty has to do with chance. The effects of aleatory uncertainty can also be characterized using probabilities; however, the specific outcomes are not predictable with any level of certainty. This kind of uncertainty is considered irreducible, although its effects can be mitigated by introducing margins in the form of such things as extra resources, time, and capacity. However, what we cannot do is improve the accuracy of our predictions.

    For risk management to be effective it must adequately contend with both kinds of uncertainty. However, in highly regulated, high-risk industries it is aleatory uncertainty that is foremost on everyone's mind, as it presents a significant source of risk in the form of low-occurrence, high-impact events which are often called unknown-unknowns and "black swans". These cannot be predicted and are in the domain of randomness, chaos, complexity and disorder – aleatory uncertainty.

    The solution to aleatory uncertainty

    In the book "Antifragile", the author Nassim Nicholas Taleb, who also wrote the book "Black Swans", proposes that the solution to aleatory uncertainty is not greater margins or safeguards but instead the development of what he calls antifragility properties. Taleb defines antifragility as going beyond resilience and robustness. A resilient system resists shocks to maintain its state, whereas antifragile systems get better; they improve. He suggests that uncertainty, disorder and the unknown are completely equivalent in their effects and therefore can be addressed in the same manner. Instead of trying to predict the future, which is not possible for aleatory uncertainty, steps are taken to measure and reduce the level of fragility, which is easier to do and results in greater utility. Fragile systems break down easily in the presence of uncertainty. The solution is not to build more robust systems, as we might think. Resilient, robust systems neither break nor improve, and therein lies the rub. The opposite of fragile is not robustness; it is something we don't have a word for, so Taleb uses "antifragile" – things that gain from disorder.

    Offshore drilling safety example

    A few years ago, a safety assessment of offshore drilling platforms was conducted for operations in the North Sea. Each platform had written procedures, some of which were followed and some of which were not. Each had a positive safety culture (more or less), each had commitment from senior leadership, and so on. In terms of practice, compliance, and other categories of assessment there were no differences that stood out other than their safety performance. Some of the platforms had experienced no incidents for a long period of time, while others were contending with multiple but mostly minor ones. The question that was asked was: which platforms are the safest to work on? The platforms that had had no incidents for a long time were considered to be the most unsafe, which may be surprising to some. While these platforms had excellent performance in the past, there were other indicators that caused concern, such as signs of complacency and overconfidence, to name a few. Using past performance to predict the occurrence of future incidents suggested that these platforms would be the safest. However, their current behaviors suggested otherwise. The platforms considered most safe were the ones dealing with minor incidents. They had a heightened level of awareness and, from an "antifragile" perspective, were improving with each incident. Everyone was looking out for each other and not resting on the achievements of the past. You might get "injured" but you would not be harmed.

    Lack of volatility is not the goal

    Seeking stability by inhibiting fluctuations (you might say incidents) tends to produce the opposite of what we intended. According to Taleb, overly constrained systems become prone to Black Swan events. Such environments tend to experience massive blowups, catching everyone off guard and undoing years of stability almost all at once. It is for this reason that over-regulation (mandatory or voluntary) and the preponderance of prescriptive rules can create greater levels of fragility, which in turn increases the chance of risk. It is no wonder that some have criticized the pursuit of vision zero targets (zero defects, zero incidents, zero fatalities, and so on). The low occurrence of these events is not sufficient to drive improvements and create the necessary behaviors. Antifragile companies learn from the errors they create and the errors of others. With every plant failure, worker injury, and failed objective the industry as a whole becomes safer, but only if we learn from what has happened. That is why it is so important for companies to share not only their best practices but, more importantly, their failures; otherwise the "sacrifices" paid by others will be for nought. Unfortunately, sharing of failures is considered by many to be foolishness when in fact it is the behavior of the wise.

    Continuous improvement as a means to introduce volatility

    Over the last several decades the adoption of continuous improvement (CI) has helped to transform many organizations, foremost in the automotive industry; however, you will now find its application in almost every sector. The reasons stated for why companies adopt CI often have more to do with improving quality, increasing efficiencies, or lowering costs. However, is that all that is happening? Continuous improvement at its core is an intervention strategy to facilitate change. These changes, done in small increments over time, create the capacity for even greater changes in the future; they make companies less fragile. This is precisely what is behind the principle of "fail fast, fail often." Although CI for many focuses on failures of the past, it still creates the benefits associated with contending with volatility. If you were to ask, "which company is most likely to succeed in the presence of uncertainty?" the answer for me would not be the largest or most robust. It would be the ones that are practicing continuous change in any of its forms, be it LEAN, Agile, CI, or others. These are the companies that embrace uncertainty, becoming stronger in the process, and instead of being surprised by negative black swans they anticipate and are delighted to see the appearance of the positive black swan.

  • Are Your Risk Measures Valid?

    In this article we take a look at the nature of risk reduction controls through the lens of barrier analysis. This is a common practice in process safety and is becoming more popular in other fields such as environmental, finance, regulatory, cybersecurity, and overall compliance risk. At a basic level, the bow-tie diagram (simplified above) is used to visualize a risk path initiated by a threat that results in an event which, if left unmitigated, will result in harmful consequences. Each element can be expanded so that analysis can occur to design measures, or to discover vulnerabilities in them that might make them insufficient to completely stop harm to the people and things we care about. Process visualization is an important tenet of LEAN and also of risk management, although not as prevalent or easy to do. What is more common is for risk to be communicated using statistical attributes which, while necessary, often fail to properly describe event chains and their contribution to harmful or hazardous events. Nancy Leveson (STAMP method) calls these hazardous processes, although other phrases have been used, including event chains, error chains, risk streams, and the like. What barrier analysis and bow-ties do for risk is what LEAN value stream analysis does for quality. The latter helps to identify waste to eliminate or reduce in the creation of value, whereas the former helps to identify uncertainty whose effects we also want to eliminate or reduce in the creation of safety.

    Bow Tie Concept Handbook

    While the Bow Tie and Barrier Analysis methods are commonly used in process safety, they have lacked consistent practices and vocabulary, which has hindered their utility and advancement. To address these concerns, as well as others, The Center for Chemical and Process Safety (CCPS) along with the Energy Institute (UK) in 2018 published a handbook entitled "BOW TIES IN RISK MANAGEMENT - A Concept Book for Process Safety." This handbook provides a common set of definitions, best practices and guidelines by which hazard and risk analysis may be done. In the Bow Tie handbook the following definitions are provided for the basic elements of the bow tie shown previously, which will be helpful for our consideration and application with respect to compliance, where hazards also exist that need contending with.

      • Hazard: An operation, activity or material with the potential to cause harm to people, property, the environment or business; or simply, a potential source of harm.
      • Top Event: In bow tie risk analysis, a central event lying between a threat and a consequence corresponding to the moment when there is a loss of control or loss of containment of the hazard.
      • Prevention Barrier: A barrier located on the left hand side of a bow tie diagram, lying between a threat and the top event. It must have the capability on its own to completely terminate a threat sequence. (Other possible name: Proactive Barrier.)
      • Mitigation Barrier: A barrier located on the right hand side of a bow tie diagram, lying between the top event and a consequence. It might only reduce a consequence, not necessarily terminate the sequence before the consequence occurs. (Other possible names: Reactive Barrier, Recovery Measure.)
      • Threat: A possible initiating event that can result in a loss of control or containment of a hazard (i.e., the top event). (Other possible names: Cause, Initiating Event.)
      • Consequence: The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs. (Another possible name: Outcome.) The magnitude of the consequence may be described using a risk matrix.

    For this article, I want to focus on barriers, which in other industries are called Risk Measures.

    Risk Measure Validity

    Barriers are the technical and human factors used to prevent threats from becoming a reality. They have specific meaning when it comes to process safety, and particularly to the properties they should have. The handbook suggests that barriers must have three essential properties. They should be effective, independent, and auditable:

      • Effective – A prevention barrier is described as ‘effective’ if it performs the intended function when demanded and to the standard intended, and it is capable on its own of preventing a threat from developing into the top event. A mitigation barrier is described as ‘effective’ if it is capable of either completely mitigating the consequences of a top event, or significantly reducing the severity.
      • Independent – Barriers should be independent of the threat and of other barriers on that pathway. For example, if the threat was loss of power and a barrier requires power to operate, then that would not be a permissible barrier in that pathway.
      • Auditable – Barriers should be capable of being audited to check that they work. Formally, it could be that performance standards are assigned to the functionality of a barrier. For example, a performance standard for an ESD valve would ideally include ‘periodic end to end testing’, i.e., a signal is placed upon the detection device, the logic controller responds, and activates the end device, e.g., the ESD valve.

    Validity of Compliance Risk Measures

    While these definitions are described for process safety they are applicable to general risk management, including compliance. Compliance uses risk measures to prevent or reduce the consequences associated with data breaches, ethical violations, non-conformance, and other "hazardous" events. They should also have essential properties to ensure they perform their intended purpose. These would include the ones for barriers: effective, independent, and auditable, for similar reasons to those given for process safety. In fact, compliance risk measures would also benefit from the extended list of attributes defined by CCPS: independence, functionality, integrity, reliability, auditability, access security, and management of change.

    Unfortunately, just as in process safety and perhaps more so, there is a lack of a standard set of definitions and practices with respect to risk management as a whole. We seldom see risk defined using a consistent vocabulary across organizations, let alone within them. Risk identification, even when done, tends to be focused on the "components" of an organization and seldom at the level describing how these might work together to create what in process safety is called a hazardous process. Without understanding the causal nature of risk it is impossible to effectively prevent risk from occurring. As a result it is no wonder that risk registers rarely contain the risks that really matter, with measures that have been properly analyzed and designed to be effective at preventing or mitigating harmful outcomes. You might say that compliance is in need of tools such as the Bow Tie and Barrier Analysis to better visualize, describe and analyze risk processes. For those interested in learning more we have written additional articles on the topic of using bow ties in the compliance domain, which can be found here.

  • The Taxonomy of an Obligation

    When it comes to improving compliance it is important to know not only what your obligations are but also how each obligation has been designed to perform the regulation function. Knowing this will help organizations better understand what is needed to meet their obligations by understanding:

      • The level of compliance rigour required
      • The level of support needed from leadership and management
      • Controls that may need to be established
      • Who is accountable for which part (self, industry, or government)
      • How best to improve compliance
      • What level of investment to make
      • What is at stake and the level of risk

    among other things, all of which are derived from the obligation design.

    Four Obligation Designs

    There are four common ways that obligations are architected to regulate aspects of quality, safety, environmental and legal concerns. These can be described across the dimensions of micro-macro and means-ends parameters:

      • Prescriptive-based (micro/means) – rules that if followed will reduce risk.
      • Management-based (macro/means) – processes that must be followed to manage obligations and risk.
      • Performance-based (micro/ends) – specific measures that must be followed to achieve targeted performance levels.
      • Outcome-based (macro/ends) – targeted outcomes that must be advanced.

    Obligation Taxonomy

    Each compliance design approach will in turn create different demands on an organization, which can be discovered by considering where the regulation function is being applied to the structure of the obligation:

    Outcome-based regulations specify the ends or the outcomes and not the means. The onus is on organizations and industry to determine the means, the performance criteria and the rules that should be followed. This is an example of self-regulation, where leadership is essential at all levels to advance outcomes.

    Performance-based regulations specify the level of performance to achieve the desired outcomes but not the means or the rules that should be followed. This is common with industry programs to achieve zero fatalities, zero emissions, incidents, breaches, and so on. Continual improvement is necessary to advance the desired outcome. In this case, industry associations act as the regulator and take on some of the leadership responsibilities.

    Prescriptive-based designs specify the details and do not specify performance or outcomes, just the rules to follow. This is the primary form of government regulation, where the government takes on responsibility to achieve the desired outcomes. Organizations are expected to conform to the rules. Leadership is still important but perhaps less so, or in a different way. Following rules requires a culture of conformance rather than a culture of improvement and proactivity.

    Management-based designs like ISO 14000 and 19600 focus more generally on the processes by which you manage obligations. What is being regulated are the management processes, not necessarily performance or outcomes. This makes management standards applicable to all forms of regulatory design, with the caveat that this only happens when organizations incorporate performance and outcome standards alongside their management systems. Leadership is essential at the program level to ensure that effectiveness is not lost in the pursuit of consistency and efficiency.

    Regulatory bodies and standards organizations may elect to use a combination of the four regulatory designs based on the nature of the risks they are attempting to ameliorate through regulation. Compliance analysts should be aware of this when they identify obligations and evaluate compliance risk. Obligation registers should include this information to help inform the actions for effective compliance.

    Related Posts: https://www.leancompliance.ca/post/an-objective-view-of-obligations

  • You Cannot Transfer Risk

    I once worked for a company that had multiple programs to address concerns such as process safety, occupational safety, loss prevention, emergency preparedness, and several others. All of these programs involved contending with risk to various degrees, mostly independently from each other. Over the years it became clear that their risk capabilities had not progressed as well as other aspects of their compliance programs. So a decision was made to improve the situation, which resulted in the hiring of a risk manager. The goal for this new manager was to establish a consistent risk framework to be used across each of the compliance programs. This outcome was mostly achieved, but with an unintended consequence. Managers of the compliance programs along with asset owners now believed that they no longer needed to manage risk, as the company had hired someone else to take care of it. The ownership of risk started to migrate from where it once was to the new risk manager. Not all at first, but over time the culture started to change and then the practice, as it almost always does in these kinds of situations.

    If this sounds familiar it might be because you have heard this story before, connected with your own initiatives. You may have heard the following:

      • I don't have to manage quality; we have a department that does that.
      • I don't have to manage security; we have someone who does that.
      • I don't have to manage safety; we have a safety manager who does that.

    We believe that by transferring responsibility we are also transferring risk.

    Why does this happen?

    Organizations that try to improve their compliance often start by breaking down silos and consolidating effort into a centralized function. This almost always ends up with the ownership of risk being transferred along with the effort. The distinction between accountability and responsibility has been confused, and therein lies the rub. Those that are accountable for the objective should also be accountable for the risk. This is implied by ISO 31000, which defines risk as the effects of uncertainty on objectives. The ownership of risk must remain closest to those that are answerable for the objective. Even when the objective is transferred to a third party, the accountability for the objective is shared, and so should the risk be. You can delegate responsibility for risk identification, analysis, treatment, and monitoring to others. However, if you own the objective you cannot delegate your ownership of risk. In essence, risk can never be transferred.

    Who owns risk within your organization?

    If you have a department or manager who takes care of risk and compliance then you most likely have fallen into the same trap that many others have. If this is your situation then it may be time to make sure that those who are accountable for objectives remain accountable for risk. The first step is to take ownership of all your obligations, which is necessary before any accountability can be assigned.

  • Humility - An Urgent Necessity for Compliance

    In the world of compliance, humility is a critical trait that is often overlooked. The lean principle of being humble is just as important in compliance as it is in any other aspect of business. The urgency for humility in compliance arises from the constantly changing and complex regulatory landscape, which requires businesses and organizations to navigate regulations efficiently. Non-compliance can have severe consequences, including legal and financial penalties, damage to reputation, and criminal charges. In addition, the increased focus on corporate social responsibility and ethical behavior demands that compliance professionals not only follow regulations but also act in the best interests of their stakeholders and society at large.

    In today's ever-changing regulatory environment, humility in compliance is an urgent necessity for several reasons:

      • Preventing arrogance: Compliance professionals must constantly deal with complex regulations and laws that are often changing. If they become arrogant in their understanding of these regulations, they may overlook certain nuances or misinterpret them, leading to non-compliance.
      • Preventing cognitive bias: The compliance landscape is constantly evolving, and there is always something new to learn.
      • Preventing unethical behaviour: Compliance is not just about following rules and regulations; it is also about behaving ethically.
      • Preventing miscommunication: Compliance professionals often work with a wide range of stakeholders, from senior executives to front-line employees, leaving lots of room for misunderstanding.

    How does humility help compliance? Being humble in compliance means acknowledging that no compliance program is perfect and that there is always room for improvement. It involves recognizing that regulatory requirements and best practices are constantly evolving, and being open to learning from others to stay ahead of the curve.

    When organizations approach compliance with humility, they are more likely to identify potential issues and vulnerabilities before they become major problems. They are also more likely to take a proactive approach to compliance, rather than waiting for regulators to identify areas of concern. Being humble in compliance also means being willing to learn from mistakes. No compliance program is immune to errors, but organizations that are open to feedback and willing to admit when they've made a mistake are better equipped to identify and address the root cause of the problem. Humility in compliance means recognizing the importance of collaboration. Compliance is not the responsibility of one person or team, but rather a shared responsibility across the organization. When teams work together and are open to feedback and ideas from others, they are better equipped to identify and address compliance issues. Being humble is a critical aspect of building a successful and sustainable compliance program. By acknowledging that there is always room for improvement, being open to learning from others, and recognizing the importance of collaboration, organizations can stay ahead of the curve and avoid costly compliance issues. Humility is essential for effective compliance because it promotes continuous learning, ethical behaviour, effective communication, and a mindset that is open to new perspectives and ideas. The lack of these traits hinders compliance from always staying between the lines and ahead of risk.

    Steps for becoming more humble

    Becoming more humble is a personal journey and requires a willingness to examine oneself and make changes. Here are some steps that may help:

      • Practice active listening: One way to become more humble is to listen more and talk less. When someone else is speaking, resist the urge to interrupt or interject your own opinions. Instead, focus on understanding their perspective and ask questions to clarify their thoughts.
      • Cultivate gratitude: Practising gratitude can help shift our focus from ourselves to the people and things around us. Take time each day to reflect on what you are thankful for, and acknowledge the contributions of others.
      • Embrace vulnerability: Humility often requires us to be vulnerable and admit when we don't have all the answers. Embracing vulnerability means acknowledging that we are not perfect and being open to feedback and constructive criticism.
      • Seek out diverse perspectives: It's easy to become trapped in our own ways of thinking, but seeking out diverse perspectives can help us broaden our understanding and challenge our assumptions. Make an effort to seek out people with different backgrounds, experiences, and opinions.
      • Practice self-reflection: Take time to reflect on your actions and behaviors, and consider how they impact others. Be honest with yourself about areas where you may need to improve, and make a plan to address them.
      • Serve others: Serving others can help us develop a sense of empathy and compassion. Look for opportunities to volunteer or help those in need.

    Remember, becoming more humble is a process that takes time and effort. It's important to approach this journey with an open mind and a willingness to learn and grow.

  • Modernize Your Compliance With ISO37301

    Some may be aware of an obscure but important guideline called ISO 19600 "Compliance Management System", which was introduced in 2014. This guideline has now been replaced by a full-on Type A management standard, ISO 37301, which affords organizations a best-practices approach to modernize their compliance. ISO 37301 specifies requirements that organizations must meet to provide stakeholders the assurance they need that obligations are being met. ISO 37301 is certifiable and applicable to organizations of all shapes and sizes. It can serve as a management system for corporate obligations, as an overarching framework for managing compliance across risk domains, or as a means of providing better assurance for areas in which no standards exist.

    ISO outlines the following benefits for this standard:

      • improving business opportunities and sustainability;
      • protecting and enhancing an organization's reputation and credibility;
      • taking into account expectations of interested parties;
      • demonstrating an organization's commitment to managing its compliance risks effectively and efficiently;
      • increasing the confidence of third parties in the organization's capacity to achieve sustained success;
      • minimizing the risk of a contravention occurring with the attendant costs and reputational damage.

    ISO 37301 builds on and replaces ISO 19600 with the following differences:

      • ISO 37301 is a Type A management standard that is certifiable;
      • it is compatible with other Type A management system standards such as ISO 9001, 45001, 14001, etc.;
      • it replaces "should" with "shall" statements;
      • it adds whistleblowing and expands culture and governance;
      • it adds requirements for hiring or promoting staff to critical positions;
      • it adds assessment of staff in matters of regulatory compliance;
      • it provides a description of what is considered a regulatory compliance culture;
      • it highlights the issues of independence, staffing and skills of Regulatory Compliance to operate without interventions and with appropriate staff;
      • it identifies a Code of Ethics and Conduct as a key element in determining and controlling compliance.

    Is this standard what you need to modernize your compliance? With increasing and expanding stakeholder obligations, this standard, applied effectively, will help organizations demonstrate that they have the capabilities to properly contend with risk and ensure that obligations can be met today and into the future. ISO 37301 is applicable for organizations that:

      • want to modernize their corporate compliance efforts with industry best practices;
      • need a compliance management system for specific risk domains not currently covered;
      • need an overarching assurance framework across existing compliance management systems (e.g. safety, security, environmental, EHS, ESG, etc.);
      • need to better address obligations not currently captured under existing management systems;
      • want to engender greater stakeholder trust.

    More information can be found on the ISO website: https://www.iso.org/obp/ui/#iso:std:iso:37301:ed-1:v1:en

  • How Do You Fight Uncertainty?

    The new year has begun for many in earnest, with the year's goals and objectives at the forefront of our minds. How will we achieve these in the presence of continued uncertainty? Which threats and opportunities should we contend with, and with what measures? There are many assessment tools to help you identify risk, but there are few that help you identify where and how to implement risk measures. The bow-tie analysis is one of the best and is used by many in highly regulated, high-risk industries such as oil & gas, pipeline, chemical, and increasingly in IT and other industries. The bow-tie is one of their superpowers for contending with uncertainty. That's why we recommend that organizations use the bow-tie analysis to improve the probability of meeting all their stakeholder obligations, and why you should too. Here is a list of articles and templates covering the bow-tie for you to use to help you increase your chances of mission success this year:

      • Are Your Risk Measures Valid?
      • Compliance versus Obligation Risk
      • Integrated Risk Assessment - Template
      • Lean Compliance A3 Format - Template
      • Bow Tie Analysis - Template

    If you are interested in learning more, please consider joining: The Proactive Certainty Program™

  • Certainty and Compliance

    Risk management has for many years focused mostly on identifying possible losses and working out their probabilities. As beneficial as that might be, it does not capture the full nature of uncertainty. ISO 31000 (and others) have tried to expand the definition but only go half way. They focus on the effects, or rather the symptoms, and not on the cause or the disease itself. Unfortunately, because of the lack of a holistic approach and the negative connotations associated with the word risk, "Risk Management" is getting in the way of effectively contending with uncertainty. It's time for a change, and that is why we should no longer use only risk. Historically, compliance has been considered a means to keep risk at bay. When organizations are in compliance (i.e. operating consistently between the lines) they will in turn reduce the possibility of loss. This places compliance programs alongside the value chain with risk reduction as the goal. We have used this model in the past, and in some cases it still makes sense to do so. However, what we have found is that this approach tends to focus compliance mostly on conformance to rules attested by surveys and monitored by occasional audits. The goal seems to be only "staying between the lines" and not staying ahead of risk. The lack of focus on the latter results in risk programs paying too much attention to risk identification and registers (staying between the lines) and not enough to contending with risk itself. In a sense, both risk and compliance suffer from too many check boxes and not enough action.

    A Need for Change

    Operationally, compliance at its core is the practice of meeting obligations in the presence of uncertainty. Risk management is a means to that end and, more specifically, this should be the focus of operational risk management. This places the majority of risk programs (safety, sustainability, environmental, health, security, privacy, asset management, and so on) alongside the value chain with compliance as the outcome.

    However, compliance here does not mean check boxes. Instead, it means meeting all your obligations (conformance, performance, and outcome-based) in the presence of uncertainty. This change, however, is not enough in our estimation. To reflect the shift to improving the certainty of meeting obligations, we have elected to call these certainty programs rather than risk programs. This aligns better with the ISO 31000 definition and the purpose of these programs, which is to make certain (ensure) that objectives across the business are achieved. That is why we propose using the labels Certainty & Compliance rather than Risk & Compliance. There will still be a role for enterprise risk management, but this should result in the creation of operational objectives that fall within certainty and compliance functions. The purpose of Certainty Programs is to keep organizations between the lines while increasing the probability of targeted outcomes and decreasing the probability of undesirable outcomes. These objectives should become part of certainty-based balanced scorecards instead of risk-based ones. This is more than semantics; it is a change in mindset, strategy, and focus.

  • Abandoning Risk Matrices: A Critical Step for Risk Management

    The world is changing, and with it, so are the risks that businesses and organizations face. Over the last year, there has been much discussion in the domain of risk management, with many experts raising concerns about the use of risk matrices. In fact, some are even calling for their abandonment altogether, citing the dangers of relying on them to make critical decisions. The best advice, it seems, is to do nothing rather than use a risk matrix – but is that really the best course of action? The first step in understanding and managing risk is to recognize that it is a complex, multifaceted issue. It cannot be reduced to a simple, one-dimensional matrix or a set of numbers. Rather, it requires a nuanced understanding of the qualitative nature of the risk or hazard at hand. This means taking the time to thoroughly evaluate the specific risks faced by your organization and developing a comprehensive plan to address them. While quantitative analysis using tools like Monte Carlo simulations can be helpful when data is available, the reality is that many risks are difficult to quantify. In these cases, a more qualitative approach is necessary. This might involve conducting interviews with subject matter experts, analyzing historical data and trends, and engaging in scenario planning exercises to develop a more complete picture of the risks involved. The question then becomes, where is the middle ground between qualitative and quantitative analysis? How can organizations strike a balance between the two to effectively manage risk? The answer lies in a holistic approach that considers all available data and insights. Rather than relying solely on a risk matrix or other semi-qualitative/quantitative tools, organizations must adopt a more comprehensive approach to risk management.

    This might involve developing a risk management framework that includes a range of qualitative and quantitative techniques, such as scenario planning, risk mapping, and probabilistic risk assessments. By taking a more holistic view of risk, organizations can develop a more nuanced understanding of the threats they face and develop strategies to mitigate them. By discarding risk matrices without having a replacement plan, organizations run the risk of being exposed to various risks that cannot be easily categorized and analyzed quantitatively. It is not enough to simply avoid using risk matrices – organizations must be proactive in identifying and managing risk. This requires a commitment to ongoing risk management efforts, including regular assessments, monitoring, and updating of risk management plans. The debate around risk matrices and their use is an important one, but it is just one piece of the larger puzzle of risk management. To effectively manage risk, organizations must take a comprehensive, holistic approach that considers all available data and insights. The stakes are too high to simply do nothing – the future of organizations depends on it.

  • The Environmental Golden Thread

    An effective program results in changed outcomes. Therefore, for an environmental program to be effective it must perform in such a way that outcomes are continually advanced towards the overall goal – community sustainability in the case of municipalities. For that to happen, each pillar and the system as a whole must be operational. This means all essential parts working together to produce what no part can create on its own. We need a golden thread, so to speak, that runs through each environmental pillar, holds them all together, and defines what is essential for the pillar and the entire program to be operational and effective. As a current reference, the UK last year passed regulation requiring a golden information thread for building safety. This is a digital thread that will provide assurance during a building's life cycle that what should have been done was done. The environmental golden thread approach is an extension of this same thinking. It will provide leadership and management with the status of the environmental program, the level of risk, and where investments might or need to be made across and through each pillar of their environmental program. Many do not have these tools, but they are needed to advance environmental outcomes. As Eliyahu Goldratt (father of the Theory of Constraints) has said: "Partial implementation of a holistic approach is an oxymoron." An environmental golden thread can help ensure your environmental efforts produce more than the sum of your action plans. You can download a copy of our presentation from our recent webinar on the Environmental Golden Thread using the following link: If you are interested in learning more about how Lean Compliance can help you with your environmental efforts, please book a 30 minute call with us:
