COMPLIANCE
- Compliance: the triple threat against mission failure
The creation of stakeholder value is an essential obligation that successful organizations willingly accept. Contrary to common misconceptions, compliance does not hinder the creation of stakeholder value; instead, it safeguards the value creation process and ensures its effectiveness. Compliance is not solely about adhering to rules but encompasses integrity, alignment, and operational excellence—a triple threat against mission failure. Compliance as defined by ISO is the outcome of meeting obligations and therefore plays a vital role in ensuring that organizations fulfill their responsibility to create stakeholder value along with other targeted outcomes. Stakeholders, including customers, employees, shareholders, and the community, have legitimate expectations from organizations. These expectations revolve around the delivery of quality products and services, ethical practices, fair treatment, and contributions to the community's well-being. For organizations to be considered compliant, they must meet all their obligations.
Compliance and Stakeholder Value
Compliance and the creation of stakeholder value are two interconnected aspects that play a crucial role in the success and sustainability of organizations. Compliance refers to adherence to legal, regulatory and internal obligations, industry standards, and ethical practices. It ensures that companies operate within the boundaries set by society and mitigate risks associated with non-compliance. On the other hand, creating stakeholder value involves considering the interests and needs of all stakeholders, including employees, customers, shareholders, communities, and the environment, and actively working towards fulfilling those expectations. These two elements are not mutually exclusive; rather, they are mutually reinforcing. Compliance provides a foundation for building trust and credibility with stakeholders. When companies prioritize compliance, they demonstrate their commitment to upholding ethical standards and responsible business practices. This, in turn, fosters stakeholder confidence and enhances the organization's reputation. Compliance also helps mitigate legal and reputational risks that could negatively impact stakeholder value. By adhering to regulations and standards, companies can avoid costly fines, legal disputes, and reputational damage, thus preserving stakeholder value and ensuring long-term sustainability.
Integrity, Alignment, and Operational Excellence
However, compliance goes beyond the mere adherence to prescriptive rules and regulations. It encompasses a broader set of principles that govern an organization's conduct. At its core, compliance is about upholding promises associated with all organizational obligations. This requires organizations to act with integrity, align their activities with their stated values and goals, and strive for operational excellence. Integrity ensures that organizations are transparent, honest, and accountable for their actions. It establishes trust among stakeholders, fosters long-term relationships, and safeguards the organization's reputation. Alignment refers to the consistent integration of compliance principles throughout an organization's structure, policies, and practices. It ensures that compliance is embedded in all decision-making processes, preventing conflicts and promoting a unified approach. Compliance helps align organizational values with operational objectives. Operational excellence is achieved through efficient and effective practices that meet compliance requirements while driving organizational success. By implementing robust compliance management systems, organizations can streamline processes, identify areas for improvement, and enhance overall performance. Operational excellence bolsters stakeholder confidence, reinforces trust, and creates a competitive advantage.
Conclusion
Compliance is not a separate entity from stakeholder value creation; rather, it is intertwined with it. Organizations must meet their obligation to create stakeholder value, and compliance ensures that this obligation is fulfilled effectively and ethically. Compliance encourages innovation by providing a framework within which organizations can explore new ideas while safeguarding stakeholder interests. Compliance is rooted in integrity, alignment, and operational excellence, serving as a triple threat against mission failure. By embracing compliance as an integral part of their operations, organizations can cultivate a culture of responsible and sustainable practices. This not only enhances stakeholder relationships but also paves the way for long-term success, growth, and positive societal impact. Compliance, therefore, should be viewed as an ally rather than a hindrance—an essential driver of stakeholder value creation in the modern business landscape.
- Discovering Purpose as a Lean Compliance Leader: Embracing Essential Habits
As a lean compliance leader, your role is pivotal in upholding integrity and ensuring adherence to regulations and internal obligations while maximizing efficiency. To truly excel, it's essential to find purpose in your work and become a driving force for positive change within your organization. By embracing essential habits inspired by the principles of lean compliance, you can uncover your purpose and make a meaningful impact.
- When it comes to compliance, not only is it ok to load the dice, it's necessary.
In the realm of gambling, loading the dice is unequivocally seen as cheating, a violation of both legal and moral principles. Whether it is the house or an individual player who engages in such tactics, the act itself undermines the fairness of the game. We expect the dice to be impartial, providing us with an equal chance of winning or losing. However, the landscape changes drastically when we shift our focus to compliance in organizations. In this context, loading the dice, or stacking the deck, becomes not only acceptable but necessary. Before you think I have gone off the deep end, keep reading. Loading the compliance dice does not imply evading or bypassing regulations. Instead, it involves taking proactive steps to understand, interpret, and implement the requirements effectively. It is about staying one step ahead, anticipating potential compliance challenges, and mitigating risks through diligent preparation and execution. It is about loading the dice to improve the probability of staying within the boundaries of laws, regulations, and ethical standards. If you are going to gamble with your compliance at least load the dice in your favour. Let's look at how this is done.
Loading The Compliance Dice
Compliance is the outcome of meeting obligations associated with laws, regulations, industry standards, and internal policies that govern the conduct of businesses and organizations. The complexity and ever-evolving nature of these requirements can present significant challenges. Non-compliance can lead to severe consequences, such as legal penalties, reputational damage, loss of trust, and even the demise of the organization itself. With so much at stake, it becomes imperative for organizations to employ strategies that maximize their chances of compliance success. Loading the compliance dice involves proactively taking steps to minimize the risks of non-compliance.
It entails implementing systems, processes, and controls that ensure adherence to the relevant regulations and standards. Just as a card player (but for different reasons) might stack the deck in their favour to increase their chances of winning, organizations must strategically position themselves to navigate the intricate compliance landscape. One of the ways organizations load the compliance dice is by establishing robust internal compliance programs. These programs typically include policies, procedures, training initiatives, and monitoring mechanisms to ensure obligations are met across all levels of the organization. By investing in compliance infrastructure, organizations create an environment where employees understand their obligations, are equipped with the necessary knowledge and tools, and are incentivized to keep promises associated with obligations. Additionally, organizations may leverage technology to load the compliance dice in their favor. Automation and data analytics play a crucial role in enhancing compliance efforts. Advanced software solutions can help monitor and track compliance-related activities, identify potential risks, and detect anomalies or deviations from established protocols. By leveraging technology, organizations can proactively identify areas of concern and take corrective measures before they escalate into compliance breaches. Partnerships and collaborations can also contribute to loading the compliance dice. Organizations can engage with industry associations, regulatory bodies, and other stakeholders to stay updated on the latest regulatory changes and best practices. These partnerships can provide valuable insights, guidance, and support, enabling organizations to align their practices with evolving compliance requirements effectively.
Risk Management
The concept of loading the compliance dice is closely connected to effective risk management for organizations.
By strategically taking steps to minimize risks and enhance compliance efforts, organizations can stack the deck in their favor and increase their chances of staying within the boundaries of laws, regulations, and ethical standards. Loading the compliance dice emphasizes the importance of risk assessment and mitigation as integral parts of compliance strategies. Organizations need to identify and evaluate potential compliance risks, assess their impact, and implement appropriate controls and measures to manage those risks effectively. This proactive approach allows organizations to align their risk management practices with compliance requirements and safeguard their stakeholders. This involves implementing robust risk programs, leveraging technology, and fostering partnerships. These measures not only enable organizations to proactively identify and address potential risks but also enhance their ability to detect anomalies and deviations from established protocols. By doing so, organizations can mitigate risks before they escalate into compliance breaches and potential legal consequences. The practice of loading the dice can help develop a culture of proactivity. Organizations can strive to anticipate and address compliance challenges, protecting their reputation and ensuring the long-term viability of the business. Ultimately, by embracing effective risk management practices, organizations can enhance their ability to navigate the complex compliance landscape and achieve sustainable compliance success. It's time to load the compliance dice in favour of staying between the lines and ahead of risk. What do you think?
If you are interested in learning how to improve the probability of compliance success for your program, register for our upcoming Foundations course on the topic of Operational Risk.
- Traditional versus Operational Approach to Compliance
Compliance is the outcome of meeting obligations, which requires compliance to be operational. Compliance operability is achieved when essential functions, behaviours, and interactions exist at levels sufficient to produce a measure of effectiveness – this defines Minimum Viable Compliance (MVC). Traditional approaches never reach MVC until the very end, which is too slow and often too late to protect value creation and stay ahead of risk. The good news is there is a better way to do compliance that delivers benefits sooner, with greater certainty, and less waste. This approach is based on the Lean Startup model by Eric Ries, which we have adapted to the compliance domain as shown in the following diagram:
The traditional approach is based on implementing components or the parts of the compliance function starting at the bottom and advancing in capability and maturity until the last phase is reached. This is when effectiveness happens as measured against realized outcomes. This is also when effectiveness can start to improve over time.
The operational approach is based on first achieving operability, which is the minimum level of capability for creating outcomes - a measure of effectiveness. Advancement in capability and maturity happens across all functions, behaviours, and interactions, always tied to realizing higher levels of effectiveness. This provides the maximum amount of learning with the minimum amount of cost, creating less waste while delivering benefits sooner.
The operational approach has improved the development of products and services, particularly when contending with uncertainty and when achieving outcomes is important. This is the case for all organizations under performance and outcome-based regulation.
- If There Is Care You Will Find Quality
Recently I spoke with a retired CEO of a successful semiconductor manufacturer who said to me when I asked him about quality, "if there is care you will find quality." If a company really cares about its customers it will invest in quality. That is what he has experienced over the years. It is the object of our care that is important. Quality cares about customers. This goes beyond respect, as important as that is. Care includes:
  - the provision of what is necessary for the health, welfare, maintenance, and protection of someone or something.
  - serious attention or consideration applied to doing something correctly or to avoid damage or risk.
Many people talk about the importance of a strong culture for a company to succeed at what it does. A strong culture can reinforce values, help provide direction to employees, and fill in the gaps between what is written in policies and procedures and how things are actually done. That is why alignment of culture with strategy is so important. If your culture is at odds with your strategy it is impossible to advance outcomes. However, trying to come up with a consistent culture that supports the values and strategies of an organization is not easy. Companies consist of different kinds of activities that require their own approach and have their own culture. Geoffrey Moore, in his book "Zone to Win", suggests four zones: performance, productivity, incubation, and transformation. Each of these is managed differently, has different strategies, and ultimately has its own culture. In fact, one could go further and suggest that there are even subcultures beyond the ones for each zone. One could imagine a culture for each value that a company has: a safety culture, a quality culture, a risk culture, a learning culture and so on. Now add to this each person's own culture and no wonder companies have a difficult time bringing everyone onto the same page. This is where having a culture of care helps.
Companies that care pursue excellence, work on doing things right, and strive to make sure that they look after their workers, customers, and environment. A culture like this would go a long way to bringing everyone on the same page.
If there is care you will find excellence
If there is care you will find safety
If there is care you will find quality
If there is care you will find loyalty
If there is care you will find integrity
The great part of working in compliance is working with people who do care about things that really matter. If "C" in compliance stands for anything it stands for "Care".
- Beyond Certification: The Limits of Certification in Improving Performance Across Industries
Certification is often seen as a way to demonstrate compliance in various industries, such as security, safety, sustainability, and more. However, the effectiveness of certification in improving performance is limited. Studies have shown that organizations that pursue compliance certification for its own sake, rather than as a means to improve performance, may fail to achieve real progress as certification can create a "check-the-box" mentality that hinders real improvement and the advancement of compliance outcomes. For example, ISO 14001 Environmental Management System (EMS) certification is a widely recognized certification for demonstrating compliance with environmental regulations. However, a study found that organizations that adopted ISO 14001 for the purpose of certification did not necessarily see an improvement in their environmental performance. These organizations focused on meeting the minimum requirements to obtain certification, rather than pursuing excellence and continuous improvement. Similarly, organizations that pursue security certifications, such as ISO/IEC 27001 Information Security Management System (ISMS) certification, may focus solely on meeting the minimum requirements to obtain certification, rather than on addressing real security risks. This can create a false sense of security, leading to complacency and putting the organization at risk. The problem with certification is that it can create a culture of complacency. Once an organization obtains certification, it may feel that it has achieved mastery and stop pursuing further improvement. This can lead to a stagnation of skills and performance, limiting the potential for innovation and progress. To truly improve performance, organizations must shift their focus from certification to a culture of excellence and continuous improvement. 
For example, instead of pursuing ISO 14001 certification for its own sake, organizations should focus on reducing their environmental impact through a continuous improvement program that includes metrics and targets for environmental performance. This can lead to real improvements in environmental sustainability and create a competitive advantage for the organization. Similarly, organizations should focus on real security risks and adopt a risk-based approach to security, rather than solely focusing on meeting certification requirements. This can create a culture of continuous improvement and innovation, improving the organization's security posture and reducing the risk of security breaches. While certification can be a useful tool for demonstrating compliance, it should not be seen as a substitute for real performance improvements. Organizations must adopt a culture of excellence and commit to learning and adapting to truly achieve their full potential across various industries. Companies that desire to improve their compliance outcomes and choose certification as a means to get there not only receive certification, but also improve their performance – you get both. However, to get both, you need to start with intention, not certification.
- The Key To Making Risk-based Compliance Decisions
When it comes to making compliance decisions many organizations will consider the cost and what they can afford. This will include evaluating risk and identifying the costs associated with noncompliance (e.g. a fine) and the cost to mitigate the non-conformance. A risk/reward calculation is then performed to decide to proceed or not. If the cost of mitigation is higher than the fine then many might just accept the risk and proceed along that course of action. Why pay $100,000 if the fine is only $10,000? At one level of analysis this makes sense and appears similar to the ALARP principle referenced in many regulations and standards — reduce the risk to “As Low As Reasonably Practicable”. It’s not reasonable or practicable to invest $100,000 to cover a $10,000 fine so let's just pay the fine if and when it happens. Applying ALARP is a good principle and will lead to good decisions. However, I don’t think that is what’s happening. What appears to be going on is that the scope of risk consideration is making compliance decisions “de minimis” – too small to be meaningful or material. This is the case when only the cost of a fine is considered. There are many reasons why a “de minimis” rather than a broader or comprehensive scope is used. Some of this happens as a result of taking a reductive, siloed, and simplistic approach to managing compliance. Perhaps the largest factor is not considering the total value of what is at risk. This is enabled when no one owns or is accountable for enough compliance scope to make the risk consideration material. When this happens the methods used to evaluate risk are focused on only a fraction of what is at stake. Risk is more than paying a fine or the probability of the sum of all possible fines that might need to be paid.
Effective risk-based compliance decisions require that organizations widen their scope by considering all their promises: to keep people safe, to protect private data, to provide quality products and services, to be a good steward of the environment, and so on. This starts by having credible answers to these questions:
  - What promises have we made to our stakeholders?
  - What capabilities and resources are needed to keep all our promises?
  - Do we have a credible plan to meet all of them?
  - What obstacles or opportunities will we find as we meet our promises?
  - How will we measure our progress?
Having answers to these questions will help organizations evaluate the impact of their decisions on their ability to keep all their promises to avoid such things as loss to reputation, loss of trust, and loss of life which are material and not "de minimis." If you can't afford to keep your promises, fines will not be the only risk you will face and have to accept. You may face the risk of considering a new line of business. Investing $100,000 to cover a $10,000 fine may not make sense for many organizations. However, if that investment aligns with your values and helps you keep all your promises the reward will be much higher and will accrue over time. A better decision in the long run.
- Using Wardley Mapping To Improve Compliance
Wardley Mapping is a strategic planning and visualization technique that was developed by Simon Wardley, a researcher and consultant in the field of IT strategy. Simon Wardley first introduced the concept of Wardley Mapping in 2005 in his blog, Bits or pieces, where he published a series of articles explaining the technique and its benefits. Over time, Wardley Mapping gained popularity among business leaders, entrepreneurs, and strategists, as a tool to visualize and plan complex systems and processes. Today, Wardley Mapping is used by organizations around the world to gain insights into their systems, processes, and products, and to develop strategies that help them stay ahead of the curve in an ever-evolving market. In this article we look at how it is used to improve compliance.
Wardley mapping is a powerful tool that can also help organizations understand the inter-dependencies of their compliance programs, systems, processes, and technology, and identify gaps and opportunities for optimization in their capabilities. It is particularly useful for assessing the maturity of capabilities required to achieve and advance compliance outcomes towards vision zero targets such as: zero breaches, zero violations, zero emissions, zero fatalities, and so on, all of which are essential for any organization's mission success. By using Wardley mapping organizations can make strategic decisions about how to allocate resources and prioritize efforts to better achieve compliance outcomes, ultimately improving efficiency and reducing costs. With its ability to provide a visual representation of a compliance value chain, Wardley mapping is a valuable tool for any organization looking to gain a better understanding of its capabilities and make informed decisions about its future direction concerning compliance.
Wardley Mapping Steps
Wardley mapping is a simple and yet powerful tool that everyone can learn.
At a high level, here are steps you can take to map your compliance efforts to assess needed capabilities:
1. Understand the compliance landscape: First, you need to gain a good understanding of the compliance landscape in your industry or organization. This means identifying the key regulations, standards, and best practices that apply to your business.
2. Map the compliance value chain:
   - Start by identifying the compliance value chain: Begin by identifying the various components of the program, systems, or processes that you want to map out. This may involve identifying the key activities, functions, and inputs that contribute to the overall value chain.
   - Map out the components on an X-Y axis: The X-axis represents the evolution of the components, from the initial state (genesis) to the final state (maturity), while the Y-axis represents the value chain, from the organizational need to the final compliance program or technology.
   - Identify the components and their dependencies: For each component on the map, identify its dependencies and how it interacts with other components in the program. This can help you understand how changes in one component can affect other components in the overall system.
   - Determine the characteristics of each component: For each component, identify its characteristics such as its level of maturity, its cost, its importance to the system, and its level of differentiation from other components in the system.
   - Analyze the map and identify areas of opportunity: Use the Wardley Map to identify areas of opportunity, such as areas where new technologies can be applied or where costs can be reduced. Use the map to prioritize actions and investments that will help to improve the overall program, systems, or process.
   - Update the map as the program evolves: As the compliance function evolves, continue to update the Wardley Map to reflect changes in the components, their dependencies, and their characteristics. This will help to ensure that the map remains an accurate representation of the system and can continue to guide decision-making.
3. Identify areas for improvement: With the compliance landscape and program mapped, you can identify areas where improvements are needed. This might include areas where your organization is not meeting regulatory requirements or where your compliance program is not as effective as it could be.
4. Prioritize improvements: Once you have identified areas for improvement, you can prioritize them based on their impact on your organization's compliance posture and their feasibility. For example, you might prioritize improvements that address high-risk areas or that can be implemented quickly and easily.
5. Develop a plan: With the improvements prioritized, you can develop a plan to implement them. This might involve developing new policies or procedures, implementing new controls, or providing additional training to employees.
6. Monitor progress: Finally, it's important to monitor progress and make adjustments as needed. This might involve tracking key compliance metrics, conducting regular risk assessments, and reviewing your compliance program on a regular basis to ensure it remains effective.
Using Wardley Mapping, organizations can understand how best to improve compliance, gain a better understanding of the compliance landscape, identify areas for improvement, and prioritize those improvements to ensure your organization is effective at staying between the lines and ahead of risk.
- Which Organizations Do Compliance Better?
In this blog post we look at answers from two representative companies to the question: What is the status of your compliance? Both organizations are "in compliance" using Compliance 1 measures; however, they are not doing compliance the same way. Which company do you think is doing compliance better and does it matter? The answers are fictional but based on an aggregate from conversations I have had over the years. Here are answers from 5 compliance roles at "We Make Things, Inc."
We Make Things, Inc.
What is the status of your compliance?
CEO, We Make Things, Inc. Answer: We have someone who looks after compliance.
Chief Compliance Officer, We Make Things, Inc. Answer: We are always in compliance with all applicable laws and regulations as far as we know.
Safety Manager, We Make Things, Inc. Answer: We passed our last audit.
Quality Manager, We Make Things, Inc. Answer: We are certified to ISO 9001.
Environmental Manager, We Make Things, Inc. Answer: We comply with all greenhouse gas emissions reporting.
This company is in compliance and doing what they believe they need to do. On paper everything looks just fine. Now, let's look at the answers from our second organization for the same roles:
We Make Other Things, Inc.
What is the status of your compliance?
CEO, We Make Other Things, Inc. Answer: I take a personal interest to ensure that we meet all our obligations. To ensure that we do, we choose higher standards than asked of us. Our customers are delighted with our products, our shareholders want to invest more, our employees see a future with us, and our communities are happy to have us operate. If we are not living up to our standards let me know and I will make sure that we do better. You can hold me accountable to that.
Chief Compliance Officer, We Make Other Things, Inc. Answer: We have a high level of confidence that we will meet all our obligations based on consistently achieving measures of effectiveness, performance, and conformance year over year. We communicate all our measures of assurance to our stakeholders to keep us accountable and on track.
Safety Manager, We Make Other Things, Inc. Answer: All our safety obligations, commitments, risk and measures are documented, measured, controlled and continuously improved to meet higher standards of safety. We are making continued progress evidenced by fewer incidents and lower risk which we continuously measure and evaluate. We are very proud of our results. Would you like to see them?
Quality Manager, We Make Other Things, Inc. Answer: All our quality obligations, commitments, risk and measures are documented, measured, controlled and continuously improved to meet higher standards of quality. We are making continued progress evidenced by fewer defects and lower risk which we continuously measure and evaluate. We are very proud of our quality; just talk to our customers.
Environmental Manager, We Make Other Things, Inc. Answer: All our environmental obligations, commitments, risk and measures are documented, measured, controlled and continuously improved to better our environmental stewardship. We are making continued progress evidenced by lower emissions, lower risk and reduced impact on the environment which we continuously measure and evaluate. We are very proud of our progress. We plan to meet net carbon neutrality early.
Which one does compliance better?
Clearly, there is a difference from the previous answers. The first organization:
  - is doing the minimum and perhaps less than that
  - probably considers compliance as a necessary evil (a tax on production)
  - is not viewing compliance as mission critical
  - is reactive with their compliance
  - does not really know how well they are doing
  - most likely is not realizing any of the benefits from being in compliance
The second organization:
  - is taking ownership for their obligations across all levels of the organization
  - treats compliance as mission critical
  - provides a greater measure of assurance that value (in the broadest sense of the word) is protected
  - is proactive with their approach to compliance
  - measures how well they are doing with their compliance
  - is realizing the benefits from their compliance effort
Do you think these differences matter? Which company would you want to work for or buy products from? If you were an investor which one would you rather invest in? Which one do you believe will reach their mission goals and objectives? This is the climate that organizations are facing and these are some of the questions that stakeholders (customers, employees, communities, shareholders, suppliers, etc.) are asking. How would you answer these questions for your organization? What is the status of your compliance and do you think it matters?
- How To Strengthen Your Ability To Drive Compliance Improvements
In this post we consider a question that we are often asked: "How do we strengthen our ability to drive compliance improvements in our organization, particularly with those who may be resistant to change?" There are several factors that need to be considered to drive change and overcome resistance. These can be categorized along two dimensions: the technical side and the people side of change.

Technical Side of Change

On the technical side, we need to overcome inherent resistance built into systems and processes. Operational systems are designed to resist change to achieve consistency to standard, which is a desirable quality. This poses unique challenges when systems need to adapt to deliver improved performance or new capabilities, and is why managing these changes needs to be done carefully. It is not surprising to find resistance from those responsible for keeping these systems operational. For them, change introduces the opportunity for risk. To overcome resistance one needs to first contend with risk.

Managing technical change is often a regulated process referred to as Management of Change (MoC) in high-risk, highly-regulated industries: An effective MOC process will help guide planning, implementation, and manage change to prevent or mitigate unintended consequences that affect the safety of workers, public, or the environment.

Although MOC processes may look different based on the industry or compliance system involved, the purpose remains the same, which is to avoid unnecessary risk. An MOC process provides a structured approach to capture a change, identify and mitigate risks, assess impacts (organization, procedures, behaviours, documentation, training, etc.), define work plans to effect change safely, engage stakeholders, obtain necessary approvals, and update affected documentation. By following such a process risk can be adequately ameliorated, which perhaps is the most important measure of MOC effectiveness.
People Side of Change

Organizations will often use management programs to introduce change needed to achieve greater effectiveness over time. Programs act as a form of regulation for underlying systems to achieve a change in outcomes rather than only performance. These outcomes will be in the form of financial, safety, security, environmental, quality and other mission critical objectives.

Change Management (CM) will therefore be an essential part of management programs, focusing mostly (but not entirely) on the people side of change. This makes sense, as programs will by necessity introduce new capabilities which will affect existing structures, systems and processes and introduce new ones. Organizations often look to change methodologies such as the PROSCI® ADKAR model, Kotter 8-step process, or something similar to increase support and reduce resistance to change.

What is often not well understood is that CM and MoC need to work together in order to realize intended benefits. For example, accomplishing short-term wins may not be possible when new capabilities are not implemented first. All aspects of change must be coordinated and often sustained over a long period of time, which will involve other change methodologies and processes aligned with continuous improvement. It is no wonder that without capabilities to navigate change of this kind some may be resistant or at least skeptical of participating in such an endeavour.

Driving Compliance Improvements Using The Proactive Certainty Program

The Proactive Certainty Program™ that we offer is designed to drive change towards compliance operability and better compliance outcomes over time. Participants of this program find that they are in a better position to contend with both the technical and people sides of change by defining: what changes are needed, why these changes are needed, and what strategy to use for making change a reality.
The Proactive Certainty Program™ helps answer these questions by helping organizations better understand their compliance landscape, the destination (purpose, outcomes, and goals) for their compliance program, where they are now relative to that destination, and how best to get there. This knowledge contributes to building a common vision and desire for change. It also helps to discover what capabilities are needed to effect the benefits of compliance from both an organizational and technical perspective. Resistance triggers are also identified as threats and opportunities, providing early insights for input into change management and MoC processes.

Further information on how to strengthen your ability to drive compliance improvements can be found here.

Further reading on managing change:
https://www.leancompliance.ca/post/the-most-important-risk-control
https://www.leancompliance.ca/post/what-is-management-of-change
https://www.leancompliance.ca/post/the-differences-between-managing-organizational-and-asset-changes
https://www.leancompliance.ca/post/be-certain-about-change
- A Problem with Compliance Standards
When we adopt a standard we find that it inevitably judges what we are currently doing. That is what good standards do. They are a measuring stick set against our current mindset, behaviours, practices, and culture. Our reactions to what the standard reveals provide important insights that will need to be addressed. We may find that we are:

🔸Indifferent - this doesn’t affect me so I don’t care if we do it or not.
🔸Confused - the standard overlaps and competes with other initiatives. This will slow down the other projects I am working on.
🔸Overwhelmed - this will be too hard. The standard is too high for us to obtain. This will only be more work. I am already doing the best that I can.
🔸Discouraged - I put a lot of work into our last effort and nothing came from it. Why should this be any different?
🔸Unsure - adopting new ways of doing things is easier said than done. I don’t see how this will succeed.
🔸Skeptical - why are we really doing this? Will this really help us?
🔸Encouraged - the standard will help us improve and provide something to work towards. Why are we waiting? Let’s get started.

Organizations will need to address these reactions and others when they adopt new or revised compliance standards. How have you addressed these reactions? What other reactions did you discover? What else did a standard reveal about your situation? What ways can help bring everyone on board? You can read more about how to manage change here.
- Measuring Compliance Effectiveness
Establishing and maintaining compliance is an objective of many organizations. However, many do not measure the effectiveness of their programs (75% according to HBR do not). This means they don't know if their compliance efforts are helping or hindering meeting their regulatory or voluntary obligations.

A Measure of Effectiveness

An important question to answer is how should compliance effectiveness be measured? How is compliance progress measured? Mark Burgess (author of Promise Theory) defines effectiveness for purposeful systems as:

Effectiveness = Promises Kept / Promises Made

Promises are the operational component of obligations. They define the commitments organizations make to meet obligations associated with both a regulatory license and a social license to operate, the latter being mostly "voluntary" and tied to sustainability, ESG, and other stakeholder expectations.

Examples of promises: The internet service provider promises to deliver broadband internet for a specific bandwidth for a fixed monthly payment. The security officer promises that the system will conform to security requirements. The support personnel promise to be available by phone 24 hours a day. Support staff promise to reply to queries within 24 hours. The ERP cloud provider promises to provide 99.9999% service availability. We promise to reduce our emissions by 10% year over year.

Compliance effectiveness can be calculated by measuring if these promises have been kept over a specific period of time. According to promise theory, keeping a promise is a necessary but not a sufficient measure for whether obligations are met. Only the agent imposing the obligation can make that determination. This is similar to the difference between verification and validation in the medical device and pharma industries. Verification tests that a device (for example) works as designed. Validation tests to see if the device delivers the intended benefits.
For most organizations, verifying that their compliance systems are effective at keeping organizational promises is a good first step. More information about promises and obligations can be found here.











