- The Nature of Environmental Obligations - Part 2
In our previous blog post we considered the nature of environmental obligations from the perspective of their compliance approach and the shift from rules and audit-based regimes to performance and risk-based strategies. This week we continue our look at the nature of environmental obligations through the lens of regulatory, social, and government licenses to operate.

Private and public sector obligations come from multiple sources that can be mapped to the following three types of licenses:

  - Obligations arising from a regulatory license to operate. These come from accepting public responsibilities to behave in line with the conditions of an operating license. They tend to be mandatory and prescriptive in nature. They are often referred to as external obligations, as they are imposed on organizations by external authorities.
  - Obligations arising from a social license to operate. These come from accepting stakeholder responsibilities, where stakeholder is defined in the broadest sense: employees, shareholders, communities, suppliers, customers, residents, the public at large, anyone who has a stake in what the organization is doing. These tend to be voluntary and more performance and outcome-based. They are referred to as internal obligations since organizations choose to impose them on themselves.
  - Obligations arising from the authority to govern. These obligations result from accepting government responsibilities to contend with public risk. Local governments will have obligations from the previous two categories along with obligations associated with their role as regulator: to inspect, enforce, monitor, and implement regulatory acts.

In recent years internal obligations have approached parity with, and in some cases exceeded, external obligations in many organizations, driven to a large extent by the adoption of environmental, social, and governance (ESG) objectives. At the same time, environmental obligations have increased across all categories in response to climate change.

Unfortunately, compliance in many organizations focuses mostly on the external obligations associated with a regulatory license to operate. This leaves a significant number of obligations, many of which are environmental, under-resourced, unmanaged, and at risk. For compliance to be effective it must adapt to the changing landscape by expanding beyond mandatory and regulatory obligations to include obligations from all sources. This requires knowledge of the nature of obligations and of the strategies needed to meet them. Does compliance in your organization cover all your obligations?
- The Nature of Environmental Obligations
Recently the province of Ontario experienced a thunderstorm leaving 10 dead and hundreds of thousands without power for several weeks. Waiting to act until an incident has occurred is never the best option when it comes to environmental risk. It tends to result in significant disruption and other adverse effects that might otherwise have been avoided. However, this is the approach taken when compliance is based on the traditional operating principles of audits and corrective actions.

Getting ahead of environmental risk will require a change in mindset and behaviors of the kind we have talked about in recent years. Just as we have seen quality and safety become more performance and risk-based, the same shift is happening, in increasing measure, for environmental obligations. This shift will require an operational model that is more than training, audits, and corrective actions. It will be more akin to Total Quality Management (TQM), where better environmental outcomes are designed into products and services: Environmental By Design.

Organizations will need to set goals and objectives, contend with uncertainty, continuously improve performance, and make progress in the advancement of environmental outcomes. The good news is that the same principles applied to TQM and Operational Excellence can be used to meet environmental obligations. It's time for environmental compliance to become operational in the full sense of the word. Are environmental objectives included in your operational plans?
- 3 Ways to Strengthen Your Defences
There are 3 ways that we talk about strengthening defences:

  - Reliability
  - Resiliency
  - Anti-fragility

Reliability has to do with preventing disruption, most often by preventing failure of equipment, processes, systems, and other measures, so that risk does not become a reality. When reliability fails, we need resilience to recover from the disruption that results. In a storm, trees need to bend and snap back, and so do businesses. Anti-fragility is about getting stronger, better at what we do, as a result of disruption. This has much to do with learning and improving our defences to make them more robust. The airline industry has a strong safety record partly because after every incident they took a deep dive and learned from what happened. They became stronger at preventing accidents over time. They did not waste any knowledge that could be learned from disasters.

All of this applies to meeting all our obligations and keeping our promises. We need to prevent non-conformances, recover from them should they occur, and get stronger by learning from our experiences. What strategies have you adopted so that you endure in the presence of uncertainty? Are your abilities at keeping commitments to all your obligations getting stronger or weaker? Are you extracting all you can from your incidents?
- How Do We Manage Cyber Safety - Part 3
This blog post continues our series on Cyber Safety, in which we have explored various standards, frameworks, and guidelines that address management vulnerabilities with respect to achieving cyber safety objectives. In this week's post we consider the steps you can take to select which approach is best for you to start improving your cyber safety.

1. Evaluate Defences & Develop Improvement Roadmap

The framework or standard you choose depends on the risks your organization is currently facing or anticipating. So the best place to start is with an assessment of what you want to keep safe, your safety goals, and your cybersecurity objectives. To help you answer these we recommend first conducting a Cyber Resilience Review (CRR), which is a non-technical assessment of your current situation. This review will provide the parameters you need to formulate an improvement roadmap that you can work on in a stepwise fashion over time.

If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment. Although the CRR is a self-assessment that you could do yourself, you will benefit from having someone facilitate the review, create an assessment summary with recommendations, and develop a cyber safety improvement plan based on the CRR results.

2. Select Standard and Conduct Detailed Assessments

Conducting a CRR will place you in a better position to select a management standard that best suits your business, if you don't already have one. You will also know whether, and which, detailed technical assessments may be necessary to address serious holes in your defences. In our last post in this series we looked at three frameworks:

  - Cybersecure Canada Program: a great place to start if your exposure to cyber risk is moderate and your organization is just getting started with a cyber safety program.
  - NIST Cybersecurity Framework: this framework has a strong technical component and best suits organizations with a significant IT component, infrastructure, and governance.
  - ISO 27001: this family of standards is particularly useful for organizations that have already adopted other ISO standards, where they can leverage existing management processes and infrastructure.

The results of a CRR will help you determine which approach is best for you.

3. Develop and Implement Detailed Improvement Roadmap

Once a framework has been selected, additional detailed assessments can be conducted based on the kinds and level of risk identified in the CRR, along with additional considerations suggested by the chosen framework. The goal is to:

  - Identify the risks that really matter.
  - Uncover strategies and plans that already exist to contend with these risks.
  - Evaluate whether these defences are strong enough to keep what you value safe.
  - Develop a comprehensive improvement roadmap that meets your cyber safety objectives.

If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment and roadmap development process. Although the CRR is a self-assessment that you could do yourself, you will benefit from having someone facilitate the review, create an assessment summary with recommendations, and develop a cyber safety improvement plan based on the CRR results. If you are interested in having a cyber safety improvement roadmap for your organization please reach out to us. Also, if you missed Part 1 of this series you can find it here.
- How Do We Manage Cyber Safety - Part 2
This blog post is a continuation of our series on Cyber Safety. In this article we explore several guidelines, standards, and frameworks available to help organizations realize their cyber safety goals. We will begin with a framework from the Canadian Centre for Cyber Security, followed by three from the US and one from the International Standards Organization (ISO). Let's start with the Canadian program.

CyberSecure Canada Program

The Canadian Centre for Cyber Security is a valuable source for companies of any size who want to strengthen their defences. On their site you will find the CyberSecure Canada Program, a federal cyber certification program that aims to raise the cyber security baseline among small and medium enterprises (SMEs) in Canada. The desired outcome of this program is to increase overall confidence in the digital economy and promote international standardization that better positions organizations to compete globally, and I would add locally as well. Certification requires implementation of a set of baseline controls (v1.2). These provide an excellent set of initial risk measures specifically designed for small and medium sized operations. You will also need to develop a management framework to advance your cybersecurity capabilities beyond the baseline, but otherwise this is an excellent place to learn and get started with cybersecurity.

Next we will consider what I call the triple threat against cyber risk:

  - CISA CRR
  - NIST CF
  - DOE C2M2

Cyber Resilience Review (CRR)

The Cybersecurity & Infrastructure Security Agency (CISA) created what is called the Cyber Resilience Review (CRR) assessment. This assessment is a no-cost, voluntary, non-technical review to evaluate an organization's operational resilience and cybersecurity practices. The assessment covers 10 activity areas, or what you might call capabilities, and is available as a self-assessment tool. It is also designed to measure existing organizational resilience and provide a gap analysis for improvement based on recognized best practices. The self-assessment tool and practice guidelines are available for free online. A CRR will help organizations scope out what is needed to create a roadmap for improvements, along with a determination of whether more detailed assessments should be conducted. It is compatible with the other frameworks from NIST discussed below.

Next we will look at what is probably the most common framework used to manage cybersecurity.

NIST Cybersecurity Framework

In response to a presidential executive order issued in 2013, the National Institute of Standards and Technology, in collaboration with government and private sectors, developed a cybersecurity framework that focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's overall risk management process. NIST CF consists of three parts, the core, the profiles, and the implementation tiers, covering 5 functions: Identify, Protect, Detect, Respond, and Recover. This is a very popular framework, particularly if you are in the technology and information sectors. It is risk-based and not a one-size-fits-all strategy; it is intended to be adapted by organizations based on their level of risk and safety obligations.

Cybersecurity Capability Maturity Model (C2M2) Program

The Department of Energy (DOE) developed what is known as C2M2, which is becoming one of the most important tools in assessing the cybersecurity posture of organizations in the energy sector and of organizations in highly regulated, high-risk industries. C2M2 focuses on the implementation and management of cybersecurity practices associated with information technology (IT) and operations technology (OT), which are often managed separately within these industries. C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high enough level that it can be interpreted by organizations of various types, structures, sizes, and industries. C2M2 differentiates between technical and management objectives across 10 domains, which provides organizations with a holistic perspective and assessment of their cybersecurity program. The overall intent of C2M2 is to help organizations assess and advance their cyber safety capabilities over time. Self-assessment tools and practice guidelines are also available online.

Lastly, we look at what the International Standards Organization (ISO) has to offer.

ISO / IEC 27001

If you have already adopted other ISO programs then this one may align better with your existing management practices. This management standard is widely known, providing requirements for an information security management system (ISMS), along with supporting standards in the 27000 family that provide guidance on individual capabilities and practice domains. This standard provides the ability to leverage your existing management structure (assuming that it already aligns with other ISO standards) to support the technical processes needed to address cybersecurity risk. Third-party certification is attractive to companies as it provides some evidence that they are treating their cybersecurity seriously.

Summary

We have looked at various standards, frameworks, and guidelines that address management vulnerabilities with respect to achieving cyber safety objectives. Now, which one should you use, and if you are already using one, how do you improve your effectiveness and improve your cybersecurity performance? Answering these questions will be the topic of our next blog post on cyber safety, so stay tuned.
- A Failure in Cybersecurity – Lack of Intention
When we hear the phrase cybersecurity many things may come to mind. You might think of such things as:

  - Viruses and malware
  - Email spam
  - Phishing attacks
  - Ransomware

You might also think of things more technically, in terms of:

  - Internet, Internet of Things (IoT)
  - Networks
  - Firewalls
  - VPNs
  - Antivirus software
  - Passwords

You might also think of things in terms of what is at stake, such as:

  - Financial loss
  - Loss of identity
  - Loss of reputation
  - Loss of business, or the loss of your business

Each of these groups represents the kinds of things that need to be managed holistically, together, as a system, and, pardon the pun, without any holes, or as they say in the cybersecurity world, vulnerabilities. But what happens when vulnerabilities are exposed and what is valued is not protected?

The LifeLabs Breach

To explore the concept of cybersecurity and to bring the topic closer to home, I thought it helpful to look at the LifeLabs breach that happened in Canada in 2019. Here are some of the key facts surrounding the event:

  - This was the largest breach in Canada resulting from a ransomware attack.
  - 15 million people across Canada were affected by the theft of their private data.
  - LifeLabs is reportedly facing lawsuits (in the billions) and certainly a loss in reputation and perhaps more.

In recent weeks, I received an email from LifeLabs which was also sent to others affected by the breach. This latest communication outlines LifeLabs' latest response in the wake of the ransomware attack. In the letter we read that LifeLabs has now:

  - Appointed a CISO (Chief Information Security Officer)
  - Added a CPO (Chief Protection Officer) and a CIO (Chief Information Officer)
  - Investing $50M to achieve ISO 27001 certification (the international standard for information security management)
  - Engaged a third party to evaluate their cybersecurity program
  - Established an information security council
  - Strengthened their detection technology
  - Implemented yearly security awareness and training

This certainly sounds substantial, and it is. However, what this list of actions also tells me is that they had very little in place prior to the breach in terms of management accountability, oversight, standards, or anything that would let them know how well they were doing with respect to protecting patient data. It is good to see that they are addressing these now; perhaps it is too little too late, and time will tell. What we do know is that it will take time before these changes significantly improve their defences, something they should have started to do years ago.

Cybersecurity Risk Landscape

When we look across the cybersecurity landscape, one can make the following observations with respect to risk:

  - Threats to the people and things we care about are all around us and perhaps always will be.
  - The risks that matter are connected with what is valued, and there are plenty of bad actors who are interested in what we value.
  - The conditions for cybersecurity risk are also increasing, specifically now that more employees are working from home than ever before.
  - Every company has a cybersecurity program; some are more effective than others.
  - Cybersecurity is not only a technical problem; it is a business problem that requires a business solution.

It is the last one that needs to be highlighted, underscored, and acted on the most. Cyber risk is a real threat and involves technical measures to address, but it is foremost a business problem that requires a business solution. LifeLabs' failure to prevent a breach was a failure in leadership and management, which they are now attempting to address, and not necessarily a failure in their technology. Leadership intention and management commitment are needed for companies to keep the dragon of uncertainty from penetrating their defences and stealing their gold, however that is defined.

Lack of Intention

It used to be said that: "There are two kinds of companies: those that have suffered a cyber-attack, and those that will." But now we say it this way: "There are two kinds of companies: those that have suffered a cyber-attack and those that don't know that they have." When they do find out it is often too late, and the effects too severe for many companies to survive. Waiting until you have been breached to improve your cybersecurity defences is probably not the best business or technical strategy. However, many companies still take the wait-and-see approach. So what might motivate organizations to be more proactive with respect to improving their defences?

Companies might consider a legal motivation. Regulations do exist and are expanding to compel organizations to establish adequate programs and measures. However, they have not kept pace and fall short of adequately contending with cyber safety. Waiting for regulations to tell you what you must do will most likely also be too late.

Improving cybersecurity defences is beneficial for reducing insurance costs, improving efficiencies if done correctly, and preventing disruptions, which contributes to greater resiliency for your business. While these are all valuable outcomes, they are often considered goals to be worked on after all other objectives have been met. Keeping what you value safe and protecting against loss can also be a powerful motivator, particularly when it involves the safety of people and their livelihoods.

But what lies behind all our motivations is our intention. It is a company's intention that ultimately determines the effectiveness of its cybersecurity program and motivates the improvements that are made. Research has shown that intention significantly determines what is accomplished. If your intention is to achieve ISO 27001 certification, for example, then that is most likely what you will get, but you will most likely not improve your cybersecurity. However, if you want to improve your cybersecurity and choose ISO 27001 as the means to do that, then you will not only receive your certification, you will most likely improve your cybersecurity as well. You will get both. Where you aim determines what you achieve, which is why organizations need to choose their goals well, including those to improve cyber safety.

In our next blog article we will look at various standards, guidelines, and strategies companies are using to address cybersecurity risk. #managedcybersafety
- The Power of AI
One of the powers of technology is its ability to externalize the means to achieve our ends. This is one way to evaluate what is happening with AI. It is externalizing the means by which we learn, to the point that we don't need to learn ourselves. What if meaning is found not by having the goal of our desire but instead by our participation in the means to make it happen? This makes the ends even more worthwhile, because they are something we accomplished by our own agency, effort, and courage. Something to think about.
- Value Stream Mapping - Just Don't Adopt the Tool, Exploit It!
Value Stream Mapping (VSM) is a widely recognized and adopted lean management method used in various industries and domains, including compliance. While many organizations focus on the tool itself, the true power of VSM lies in its ability to address complex problems and drive transformational improvements. In this blog post, we delve deeper into the essence of VSM and why it's crucial to move beyond the surface-level application of the tool to unlock its full potential.

Understanding Value Stream Mapping

Value Stream Mapping is a systematic approach to analyzing the current state of a process and designing a future state to deliver a product or service from its inception to the customer. It visualizes the flow of materials, information, and activities, highlighting value-adding and non-value-adding steps. By mapping the entire value stream, organizations gain a holistic view of the process, enabling them to identify not only bottlenecks and waste but also areas of risk and compliance improvement.

Beyond the Tool: Problem Solving with VSM

VSM is not merely a visual representation of a process; it is a problem-solving tool. The true power of VSM lies in the steps taken after mapping the current state. While understanding the problem is the first step, it is through effective problem-solving that organizations can leverage VSM to drive significant improvements. Many organizations tend to focus on easily solvable issues, or low-hanging fruit, resulting in incremental benefits. While these improvements are of some value, they do not maximize the potential of VSM. To truly exploit the power of VSM, organizations must have the courage and determination to address the hard problems that lie beneath the surface.

Transformational Outcomes

Organizations that choose to tackle challenging problems are more likely to experience better outcomes. By focusing on the problems that really matter, they can initiate transformational changes in their value streams that go beyond eliminating waste and reducing lead times. They will also improve outcomes associated with quality, safety, security, sustainability, and ultimately stakeholder trust. Taking a proactive and comprehensive approach to problem-solving with VSM allows organizations to identify and eliminate root causes rather than simply treating symptoms. This promotes a culture of continuous improvement, fosters innovation, and drives sustainable change.

Using VSM Strategically

To extract the maximum value from VSM, organizations should adopt a strategic approach. Here are a few key considerations:

  - Problem Prioritization: Identify the critical problems that have the most significant impact on the value stream and prioritize them accordingly. By focusing resources on these areas, organizations can achieve substantial improvements.
  - Cross-Functional Collaboration: VSM involves multiple stakeholders from different departments and levels within the organization. Collaborative problem-solving encourages diverse perspectives, enabling the identification of comprehensive solutions and the alignment of goals.
  - Continuous Improvement: VSM is not a one-time exercise; it is an ongoing journey. Regularly revisit and update the value stream maps as new challenges emerge, and continuously seek opportunities for improvement and risk reduction.

Value Stream Mapping is a powerful tool that goes beyond its visual representation. To truly harness its potential, organizations must shift their focus from the tool itself to the problem-solving aspect. By addressing the hard problems, organizations can drive transformative improvements, eliminate waste, reduce risk, and achieve better outcomes associated with safety, security, sustainability, quality, and ultimately stakeholder trust. Strategic utilization of VSM, combined with a culture of continuous improvement, can pave the way for sustained success in any industry or domain. So, let's not just adopt VSM as a tool, but exploit its full potential to improve the probability of mission success.
- Compliance: the triple threat against mission failure
The creation of stakeholder value is an essential obligation that successful organizations willingly accept. Contrary to common misconceptions, compliance does not hinder the creation of stakeholder value; instead, it safeguards the value creation process and ensures its effectiveness. Compliance is not solely about adhering to rules but encompasses integrity, alignment, and operational excellence: a triple threat against mission failure.

Compliance, as defined by ISO, is the outcome of meeting obligations, and it therefore plays a vital role in ensuring that organizations fulfill their responsibility to create stakeholder value along with other targeted outcomes. Stakeholders, including customers, employees, shareholders, and the community, have legitimate expectations of organizations. These expectations revolve around the delivery of quality products and services, ethical practices, fair treatment, and contributions to the community's well-being. For organizations to be considered compliant, they must meet all their obligations.

Compliance and Stakeholder Value

Compliance and the creation of stakeholder value are two interconnected aspects that play a crucial role in the success and sustainability of organizations. Compliance refers to adherence to legal, regulatory, and internal obligations, industry standards, and ethical practices. It ensures that companies operate within the boundaries set by society and mitigate the risks associated with non-compliance. On the other hand, creating stakeholder value involves considering the interests and needs of all stakeholders, including employees, customers, shareholders, communities, and the environment, and actively working towards fulfilling those expectations.

These two elements are not mutually exclusive; rather, they are mutually reinforcing. Compliance provides a foundation for building trust and credibility with stakeholders. When companies prioritize compliance, they demonstrate their commitment to upholding ethical standards and responsible business practices. This, in turn, fosters stakeholder confidence and enhances the organization's reputation. Compliance also helps mitigate legal and reputational risks that could negatively impact stakeholder value. By adhering to regulations and standards, companies can avoid costly fines, legal disputes, and reputational damage, thus preserving stakeholder value and ensuring long-term sustainability.

Integrity, Alignment, and Operational Excellence

However, compliance goes beyond mere adherence to prescriptive rules and regulations. It encompasses a broader set of principles that govern an organization's conduct. At its core, compliance is about upholding the promises associated with all organizational obligations. This requires organizations to act with integrity, align their activities with their stated values and goals, and strive for operational excellence.

Integrity ensures that organizations are transparent, honest, and accountable for their actions. It establishes trust among stakeholders, fosters long-term relationships, and safeguards the organization's reputation.

Alignment refers to the consistent integration of compliance principles throughout an organization's structure, policies, and practices. It ensures that compliance is embedded in all decision-making processes, preventing conflicts and promoting a unified approach. Compliance helps align organizational values with operational objectives.

Operational excellence is achieved through efficient and effective practices that meet compliance requirements while driving organizational success. By implementing robust compliance management systems, organizations can streamline processes, identify areas for improvement, and enhance overall performance. Operational excellence bolsters stakeholder confidence, reinforces trust, and creates a competitive advantage.

Conclusion

Compliance is not a separate entity from stakeholder value creation; rather, it is intertwined with it. Organizations must meet their obligation to create stakeholder value, and compliance ensures that this obligation is fulfilled effectively and ethically. Compliance encourages innovation by providing a framework within which organizations can explore new ideas while safeguarding stakeholder interests. Compliance is rooted in integrity, alignment, and operational excellence, serving as a triple threat against mission failure. By embracing compliance as an integral part of their operations, organizations can cultivate a culture of responsible and sustainable practices. This not only enhances stakeholder relationships but also paves the way for long-term success, growth, and positive societal impact. Compliance, therefore, should be viewed as an ally rather than a hindrance: an essential driver of stakeholder value creation in the modern business landscape.
- Discovering Purpose as a Lean Compliance Leader: Embracing Essential Habits
As a lean compliance leader, your role is pivotal in upholding integrity and ensuring adherence to regulations and internal obligations while maximizing efficiency. To truly excel, it's essential to find purpose in your work and become a driving force for positive change within your organization. By embracing essential habits inspired by the principles of lean compliance, you can uncover your purpose and make a meaningful impact.
- When it comes to compliance, not only is it ok to load the dice, it's necessary.
In the realm of gambling, loading the dice is unequivocally seen as cheating, a violation of both legal and moral principles. Whether it is the house or an individual player who engages in such tactics, the act itself undermines the fairness of the game. We expect the dice to be impartial, providing us with an equal chance of winning or losing.

However, the landscape changes drastically when we shift our focus to compliance in organizations. In this context, loading the dice, or stacking the deck, becomes not only acceptable but necessary. Before you think I have gone off the deep end, keep reading.

Loading the compliance dice does not imply evading or bypassing regulations. Instead, it involves taking proactive steps to understand, interpret, and implement the requirements effectively. It is about staying one step ahead, anticipating potential compliance challenges, and mitigating risks through diligent preparation and execution. It is about loading the dice to improve the probability of staying within the boundaries of laws, regulations, and ethical standards. If you are going to gamble with your compliance, at least load the dice in your favour. Let's look at how this is done.

Loading The Compliance Dice

Compliance is the outcome of meeting obligations associated with laws, regulations, industry standards, and internal policies that govern the conduct of businesses and organizations. The complexity and ever-evolving nature of these requirements can present significant challenges. Non-compliance can lead to severe consequences, such as legal penalties, reputational damage, loss of trust, and even the demise of the organization itself. With so much at stake, it becomes imperative for organizations to employ strategies that maximize their chances of compliance success.

Loading the compliance dice involves proactively taking steps to minimize the risks of non-compliance. It entails implementing systems, processes, and controls that ensure adherence to the relevant regulations and standards. Just as a card player (but for different reasons) might stack the deck in their favour to increase their chances of winning, organizations must strategically position themselves to navigate the intricate compliance landscape.

One of the ways organizations load the compliance dice is by establishing robust internal compliance programs. These programs typically include policies, procedures, training initiatives, and monitoring mechanisms to ensure obligations are met across all levels of the organization. By investing in compliance infrastructure, organizations create an environment where employees understand their obligations, are equipped with the necessary knowledge and tools, and are incentivized to keep the promises associated with those obligations.

Additionally, organizations may leverage technology to load the compliance dice in their favour. Automation and data analytics play a crucial role in enhancing compliance efforts. Advanced software solutions can help monitor and track compliance-related activities, identify potential risks, and detect anomalies or deviations from established protocols. By leveraging technology, organizations can proactively identify areas of concern and take corrective measures before they escalate into compliance breaches.

Partnerships and collaborations can also contribute to loading the compliance dice. Organizations can engage with industry associations, regulatory bodies, and other stakeholders to stay updated on the latest regulatory changes and best practices. These partnerships can provide valuable insights, guidance, and support, enabling organizations to align their practices with evolving compliance requirements effectively.

Risk Management

The concept of loading the compliance dice is closely connected to effective risk management for organizations. By strategically taking steps to minimize risks and enhance compliance efforts, organizations can stack the deck in their favour and increase their chances of staying within the boundaries of laws, regulations, and ethical standards.

Loading the compliance dice emphasizes the importance of risk assessment and mitigation as integral parts of compliance strategies. Organizations need to identify and evaluate potential compliance risks, assess their impact, and implement appropriate controls and measures to manage those risks effectively. This proactive approach allows organizations to align their risk management practices with compliance requirements and safeguard their stakeholders.

This involves implementing robust risk programs, leveraging technology, and fostering partnerships. These measures not only enable organizations to proactively identify and address potential risks but also enhance their ability to detect anomalies and deviations from established protocols. By doing so, organizations can mitigate risks before they escalate into compliance breaches and potential legal consequences.

The practice of loading the dice can help develop a culture of proactivity. Organizations can strive to anticipate and address compliance challenges, protecting their reputation and ensuring the long-term viability of the business. Ultimately, by embracing effective risk management practices, organizations can enhance their ability to navigate the complex compliance landscape and achieve sustainable compliance success.

It's time to load the compliance dice in favour of staying between the lines and ahead of risk. What do you think? If you are interested in learning how to improve the probability of compliance success for your program, register for our upcoming Foundations course on the topic of Operational Risk:
- Traditional versus Operational Approach to Compliance
Compliance is the outcome of meeting obligations, which requires compliance to be operational. Compliance operability is achieved when essential functions, behaviours, and interactions exist at levels sufficient to produce a measure of effectiveness – this defines Minimum Viable Compliance (MVC). Traditional approaches never reach MVC until the very end, which is too slow and often too late to protect value creation and stay ahead of risk.

The good news is that there is a better way to do compliance that delivers benefits sooner, with greater certainty, and with less waste. This approach is based on the Lean Startup model by Eric Ries, which we have adapted to the compliance domain as shown in the following diagram:

The traditional approach is based on implementing components, or the parts of the compliance function, starting at the bottom and advancing in capability and maturity until the last phase is reached. This is when effectiveness happens, as measured against realized outcomes. This is also when effectiveness can start to improve over time.

The operational approach is based on first achieving operability, which is the minimum level of capability for creating outcomes - a measure of effectiveness. Advancement in capability and maturity happens across all functions, behaviours, and interactions, always tied to realizing higher levels of effectiveness. This provides the maximum amount of learning with the minimum amount of cost, creating less waste while delivering benefits sooner.

The operational approach has improved the development of products and services, particularly where contending with uncertainty and achieving outcomes are important. This is the case for all organizations under performance and outcome-based regulation.