COMPLIANCE
- Is Risk Real?
For those who have been to Toronto, Canada, you will know that one of the places you are likely to visit is the CN Tower. It remains one of the tallest structures in the world and affords an unparalleled view of the city and surrounding areas. On a clear day you can see for miles, including all the way from the observation deck to the ground. The observation deck has a floor that is partially made from glass blocks. You can walk on them and look all the way down, unless you are like me. No matter how much I try, my body will not let me walk on the glass blocks even though in my head I know it is safe. Is there a real risk here to explain my behaviour, or is there a problem with my perception?

There is no doubt that a hole in the floor of the CN Tower would be dangerous, like many of the other dangers we are taught to avoid. When I was young my parents taught me (among other things) not to put my hands in an open flame, stick my fingers in an electrical socket, or play too close to the edge of a cliff. All of these are dangerous and pose real threats to our well-being. Being fearless in the presence of these dangers is not wise, and so it is good that we teach our kids and ourselves to have a proper respect for them.

However, many of the risks that we face in life and in business are less physical (at least not directly) and do not elicit the same fear response. These risks are anticipated threats predicted by risk models, observations of past events, or other forms of analysis. It is with these that we often find a lack of proper respect, and sometimes even a lack of awareness of their existence. As an example, the introduction of mobile devices created the possibility to answer calls, text messages and emails, all while driving. It also created the opportunity for risk. However, for most people the perceived risk is not "real", as demonstrated by the continued use of cell phones while driving.

Unless involved personally in an automobile accident, many are not likely to stop using cell phones. For behavioural change to occur we need to learn that distracted driving is dangerous, just as we had to learn not to play too close to the edge of a cliff. Until the perception of risk is changed, many will endure the consequences of fines, loss of demerit points and possibly their driver's licence, all introduced for the purpose of curtailing distracted driving. It does not have to be this way: we can instead choose to change our behaviours and develop a proper respect (you might call this fear) for the dangers involved.

The way we deal with the risks of "distracted driving" has similarities with how some companies contend with the risks associated with compliance. Organizations may find that in the pursuit of opportunities they end up being distracted with respect to safety, quality, environmental and regulatory objectives. Just like many who continue to use cell phones while driving, they may comfort themselves by saying that they have not yet had any accidents and they can handle it. However, the risks still remain even if not perceived, ignored, or not personally experienced. Until these companies change their behaviours they will also endure the consequences of fines, the loss of reputation and trust, and possibly the loss of their operating licence. Even for them it does not need to be this way; they can choose to be more proactive with their compliance.

Now back to me and the CN Tower glass floor. What was going on? In my case the glass blocks created an illusion of danger when none exists. It tricked my perception of reality. While it is good to fear things which are "really" dangerous, it is not good to fear things which are not. That is why for some it is important to face our fears to discover if they are based on reality. This is another example of how risk perception affects our decisions. My perception of danger was too high rather than too low, as in the case with those who continue to text while driving. Both extremes are problematic. However, calibrating risk perceptions is not always easy to do. So it's back to the CN Tower to face the glass floor dragon again. Wish me luck!
- Are You Neglecting Your Compliance Boundary?
When it comes to compliance there is a boundary that exists between what is inside an organization and what is outside. This compliance boundary is so important that the ISO standard on Compliance Management Systems (CMS), ISO 19600, calls out twelve (12) places where it should be considered:

Clause 4. Context of the Organization
  Internal / external issues
  Internal / external aspects
  Internal / external obligations
Clause 5. Leadership
  Internal / external stakeholders
Clause 7. Support
  Internal / external policies
  Internal / external communications
  Internal / external reporting
Clause 9. Performance Evaluation
  Internal / external inspections
  Internal / external reporting
  Internal / external issues
  Internal / external audit
Clause 10. Improvement
  Internal / external notification and escalation

Taking external and internal factors into account helps to ensure that compliance is comprehensive and exhaustive across all of its roles and activities. The compliance boundary also helps to identify important factors with respect to where obligations might be found, who is accountable for meeting them, and who is responsible for ensuring that they are met. The internal / external line also signals that different approaches and practices may be necessary depending on which side of the line a particular aspect resides. For example, how one identifies and incorporates internal / external stakeholder expectations might differ, as external obligations tend to have regulatory and legal implications whereas internal obligations tend to be more voluntary and require different forms of incentives to achieve.

The compliance boundary is a line that should be monitored regularly, not only once as if it were something entrenched or static in the way the physical parts of a business might be. The compliance boundary is more fluid and subject to change with new regulations and when companies take on more or less ownership of their obligations within their organization and across their supply chain. Often, what is considered internal or external will have more to do with who is accountable for the risk than with who is responsible for providing the service or function. An example of when ownership of obligations is a driving force is when contractors are used and accountability for safety remains with the company that is procuring the service. The fact that an external party is responsible for the work doesn't necessarily result in the transfer of accountability for safety obligations. In this case, the line used to separate work packages is not the same as the line used to separate compliance obligations.

For compliance to be effective, organizations must pay close attention to the compliance boundary, which requires that they:
  Define the line between what is internal and external with respect to meeting compliance obligations.
  Identify the role that internal / external factors have in meeting compliance objectives.
  Ensure that internal / external accountabilities and responsibilities are clearly defined and there are no gaps in coverage.
  Establish a process that anticipates and contends with impacts arising from changes to internal / external factors.
  Continually monitor the internal / external boundary.

Lean Compliance helps companies adopt and improve compliance programs to better meet performance and outcome-based obligations. Schedule a call with us today to find out more.
- Measures without Measures is a Waste
When it comes to risk & compliance it is important to identify, collect, and monitor data of all kinds. However, what data should be collected, and which is most useful? To answer this it is helpful to consider the two principal meanings behind the word measure:

  Measurement: estimate or assess the extent, quality, value, or effect of something
  Method: a plan or course of action taken to achieve a particular purpose

The first meaning uses the word measure to refer to measurements, usually tied to values and most often the counting of things:
  How many injuries did we have this year?
  How many complaints did we receive?
  What was the amount of greenhouse gas emissions this year?

These are the easiest to capture and are useful for providing the status or condition of a particular risk or compliance system.

The second meaning of measure refers to a plan or course of action to achieve an effect or result. These measures, or you could say methods, take the form of controls to achieve specific risk & compliance objectives. W. Edwards Deming reminds us that, "A goal without a method is nonsense." Similarly, for risk & compliance, methods without measurements are also nonsense.

While it is essential to know the status of a risk & compliance system, it is also important to know the effectiveness of the measures that are keeping an organization operating between the lines and within a specified level of risk. These are most useful when assessing the performance of a risk & compliance program. Measuring the effectiveness of risk & compliance controls (i.e. measures) will help to identify whether the underlying systems are capable of keeping an organization in compliance today and in the future. Measures of effectiveness and performance are some of the best predictors of organizational resiliency.

Unfortunately, many organizations do not measure the effectiveness of their risk & compliance controls. Work is done but without the assurance that this work will produce the desired effect or result. These companies have measures without measures, which is waste. To reduce this waste, the first step is to evaluate the effectiveness of the most critical risk & compliance controls. Effectiveness will be connected with progress towards targeted outcomes and objectives. Identifying which controls are effective will form the basis for determining which should be eliminated or improved.
- Towards an Environmental-First Assurance Framework - Part 2
In a previous post I introduced the scaffolding for a compliance assurance program that is capable of meeting the challenges of an Environment-First future. This framework focused on operational policy as the means to bridge the gap between environmental intention (i.e. commitments) and action (how commitments are assured). This week I explore the nature of policies themselves and how their designs can make a world of difference between what you intend and what you actually achieve.

Policy Designs

Let's consider an example policy statement using different design approaches:

1. Environment as an Assumption
"Based upon principles of quality-first our organization aims to achieve customer satisfaction, job security and company prosperity."
This policy statement contains no explicit environmental intentions. This does not necessarily mean that environmental objectives are being overlooked. However, without explicit environmental objectives, accountability and assurance will be difficult to achieve.

2. Environment as a Constraint
"Based upon principles of quality-first our organization aims to achieve customer satisfaction, job security, company prosperity while protecting the environment."
In this case, environmental intentions are expressed as a guard rail or constraint on existing direction and goals. This may reduce negative impacts on the environment but most likely will not result in substantive change to environmental outcomes. This policy design is commonly used as it allows organizations to make some commitment to the environment without needing to make significant changes to the way they operate.

3. Environment as an Outcome
"Based upon principles of quality-first our organization aims to achieve customer satisfaction, job security, company prosperity, and better environmental outcomes."
This policy expresses environmental intention as a goal. Environmental outcomes can be optimized alongside other objectives, which is more likely to result in environmental improvements rather than only environmental protection. This policy design is used by organizations that value environmental concerns at the same level as their other objectives.

4. Environment as a Principle
"Based upon principles of environment-first our organization aims to achieve customer satisfaction, job security, and company prosperity."
In this last example, environmental intentions are expressed as the principles by which outcomes are achieved. Quality-first as an overarching principle is replaced, or rather subsumed, under an environment-first mandate. In the former case, quality-first is more than just making defect-free products or services; it is about creating value. In the latter, environment-first is more than just protecting the environment; it is about creating sustainable value.

Which Design is Better?

The choice of policy design depends closely on the level of commitment that an organization has made, or wants to make, towards environmental objectives. The adoption of ESG and increasing environmental regulations will no doubt drive organizations to higher levels of commitment. At the same time, others may voluntarily raise their commitments. Whatever the case, these commitments will need to manifest as policy. You can choose whether environmental objectives are expressed as an assumption, a constraint, an outcome, or a principle. Your choice will guide how your business will operate and the outcomes that will be achieved. So choose wisely.
- Another Year Under Uncertainty
As we head into the holiday season, we find ourselves facing another wave of COVID-19 as the Omicron variant spreads across the country and the world. The words from The Lord of the Rings continue to ring true: "It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to."

Over the last couple of years, whether we have wanted to or not, we have stepped onto that road and found ourselves being schooled on the topics of risk management. We may not have understood what risk was before COVID, but we do now at an experiential level and perhaps even explicitly. We have lived and breathed uncertainty and have had to learn how to deal with its effects. So, what have we learned from our years under the tutelage of uncertainty? We have learned that:

1. Everything happens in the presence of uncertainty
Uncertainty may be associated with the news we hear, prediction models, COVID tests, and even with the vaccines we have now received. We will be more certain about some of these than others, but there is always some uncertainty. We have had to learn to process information that is incomplete, inaccurate, over- or understated, and sometimes even too much. I am sure that many long for the days living in the Shire when we knew what to expect, how things worked, and when life was predictable.

2. We all have different appetites for risk
We probably have family members or friends that do not share the same appetite for risk as we do. Some may be risk tolerant and accept everything that may happen, good or bad; call it fate or luck, whatever happens will happen. Others may be intolerant and choose not to have any risks whatsoever. They will shape their world the best they can to reduce their exposure to risk. You may even know others who are somewhere in between these extremes. Learning how to negotiate each perspective is not easy but necessary, particularly around the dinner table, if you want to experience a measure of peace.

3. Risk can be treated
Risk in many cases is reducible. We can learn more, we can improve our models, we can develop better risk measures. For example, we can lower our chances of catching COVID by wearing a mask, washing hands, social distancing, getting vaccinated, and so on. We have learned that these are preventive measures. We can also reduce the effects of the virus by using ventilators along with receiving other medical treatments. We have learned that these are mitigative measures.

4. Not all risks matter
COVID is the biggest threat and priority for many and perhaps most. However, for those in British Columbia, what is foremost on their minds is dealing with floods caused by atmospheric rivers. This would also be true for those in Texas who are facing the effects of recent tornadoes. For you, risk might be closer to home or your business: how will you make the next payroll, will I have a job in the new year, or one of many other concerns. We have needed to learn how to prioritize and act on the risks that really matter.

5. Risk tolerance is malleable
In life and in business we hope for things. We hope to arrive at our destination, for a specific outcome, to complete a project on time, to visit a friend, and many other things. Sometimes it is the magnitude of what we are hoping for that increases our tolerance for risk. When the perceived benefits are high, we often neglect risks altogether. We might call this gambling. We have learned that we need to check our cognitive biases at the door.

6. There will always be some risk
When it comes to contending with risk, we will do our part to establish measures, some more effective than others. However, there will always still be some uncertainty or doubt in our defences. This is called residual risk. We have had to learn how to deal with uncertainty that persists.

7. Hope is not a good strategy for risk
While hope may not be a good strategy to contend with uncertainty, faith, on the other hand, very well might be. Faith is defined in the Christian Bible as "being sure of what we hope for and certain of what we do not see." To some degree this is also what risk management is trying to accomplish. Risk management helps us be sure of what we hope to achieve and certain of what we do not yet see: the desired outcomes of our efforts. However, when risk measures are not enough and uncertainty persists, we often find that we need to put our faith in something or someone else. In The Lord of the Rings, Gandalf came to Frodo to invite him on a journey. It was Frodo's faith in Gandalf that gave him the courage to step outside his door into a world he did not really know and where his path was uncertain. Many, including myself, will soon be celebrating Christmas, when God came into our world to invite us on a similar journey. Much like Frodo, it has been my faith in this God that has helped me take the steps I needed when things were uncertain and my path was unclear. What I found was that after I took each step of faith my path became clearer, I could see a little further, and the God that I trusted in proved to be faithful in keeping all his promises. The outcome for me has been an increase in gratefulness, joy, but mostly peace.

The Year Ahead

As this year comes to a close, I want to thank all of you for being part of the Lean Compliance journey with me. It has been an adventure for sure, which we plan to continue for years to come. Whatever and wherever you find yourself, I hope that you may enjoy an extra measure of peace over the holidays. May you also find joy, and in the words of Thorin Oakenshield from The Hobbit: "If more of us valued food and cheer and song above hoarded gold, it would be a merrier world."

Merry Christmas from all of us at Lean Compliance
- The Pursuit of Opportunities in the Presence of Uncertainty
In this article I want to discuss what is going on with the COVID-19 pandemic with respect to risk. The first risk is what everyone is talking about; the others are only now being discussed. Before we dive in, I should say that I am not a health care expert and so will be taking the position of an observer of what is happening around me and, to some extent, others who I know. Here are three risks that I see:

  1. The COVID-19 pandemic and its bigger brother, the COVID-19 panic
  2. The economic shutdown created by "flattening the curve"
  3. The loss of rights and freedoms, commonly known as #StayAtHome

The last two are risk measures, or controls if you prefer, implemented for the purpose of protecting life against the effects of the first. However, these measures, as important as they may be, are not without their own risks to life, as we will find out.

Three Risks

1. The COVID-19 pandemic and its bigger brother, the COVID-19 panic
COVID-19, the disease caused by a novel coronavirus, has posed and continues to pose a significant threat to life. Some say that this is a Black Swan, a risk that could not have been predicted. Others say that it could have been anticipated and precautions made to deal with its possibility. Whatever the case, COVID-19 is now upon us. The window of prevention has closed and the focus is now directed at mitigating its effects by slowing down its transmission and reducing the number of those infected. This has been called "flattening the curve," and its purpose is to save lives. You might say that the COVID-19 risk is now a reality and we are now facing the next risk, which is "COVID-19 infection".

The following diagram is a bow-tie analysis (not exhaustive) which we will use to demonstrate the interactions between the uncertain event of being infected by COVID-19, the causes that would bring this about, and the consequences that arise if infected. Preventive controls (or measures) are used to reduce the likelihood of getting infected, whereas mitigative controls are used to reduce the impact caused by the infection. Shutting down the economy to essential services is one of the measures to reduce the chance of infection, and perhaps an enabler to allow as many as possible to self-isolate. These measures are expected to reduce and delay the number who get infected. The forced economic shutdown, while needed, is itself a source of additional risk to life.

2. The economic shutdown created by "flattening the curve"
Shutting down businesses, public spaces, transportation and other elements of society is also a risk to life. Preventing this shutdown from happening is not possible. In fact, right now, compliance with these measures is exactly what is needed and critical to flattening the curve. However, the longer this goes on, the greater the chance that many, perhaps even more than the number of COVID-19 deaths, will lose their business, their livelihood, their marriages, and possibly their lives. The stress associated with financial loss should not be ignored and should be managed. There is a saying that if you remove the means by which someone is paying off their debt you not only take away their livelihood, you take away their life (Deuteronomy 24:6).

3. The loss of rights and freedoms, commonly known as #StayAtHome
In attempts to flatten the curve, many government institutions are amending by-laws and regulations to enforce public health measures. As an example, in Burlington, Ontario it is now illegal to stand closer than 2 m to someone else in public spaces. The majority of people will comply with these measures and do their part to help flatten the curve by self-isolating, shopping for food only when needed, and otherwise staying at home. However, there are some who won't, and that is why governments have acted to remove freedoms. What has surprised me, and perhaps others as well, is how quickly freedoms have been removed. The question that is on my mind is how quickly these rights and freedoms will be restored. Will we find that governments use emergency measures more often as a solution to not having been proactive in the past? Will they see this as a way of dealing with bad governance? The removal of civil liberties is something that we should not accept lightly. We need to hold government officials accountable and request from them plans and measures to restore all the freedoms that have been removed and the livelihoods that have been lost, and to show how we will get back to life.

Pursuit of Opportunities

The pursuit of opportunities is an effective countermeasure to the negative effects of risk, including those of COVID-19. However, there is uncertainty associated with opportunities just as there is with threats. Therefore risk measures should also be used to improve the probability of realizing opportunities in the presence of uncertainty. The following diagram looks at how risks and their measures are connected. We will consider two of the effects, loss of business and loss of livelihood, and consider how opportunities can be used not only to mitigate these effects but to recover from them:

  COVID-19 infection (risk) --> economic shutdown (risk measure) --> loss of business, loss of livelihood (effects)

Here we use the bow-tie once again, but this time to improve the chances of an uncertain positive event: the opportunities of a new business and a new livelihood. We can take measures to enable each opportunity and, should it be realized, exploit it to maximize the positive effects or outcomes.

NEW BUSINESS
Causes that will bring about a new line of business:
  Innovation
  New product development
  Pivot
Improving your chances of a new business:
  Digital transformation
  Customer engagement
  Accelerate launch windows of NPI (new product introduction)
Exploiting the opportunity to maximize positive outcomes:
  Promotion
  Networking
  CRM
Consequences of a new line of business:
  Increased sales
  Increased profits
  Increased stakeholder value

NEW LIVELIHOOD
Causes that will bring about a new livelihood:
  Apply for new opportunities (i.e. jobs)
Improving your chances of a new livelihood:
  Volunteer
  Retrain
  Go back to school
  Network
  Update CV
Exploiting the opportunity to maximize positive outcomes:
  Mentorship
  Networking
  Volunteer
  Take on new responsibilities
Consequences of a new livelihood:
  Better job
  Better circumstances
  Better life

Summary

We see threats far more easily than we do opportunities, particularly when we are in the midst of a crisis. However, that doesn't mean that the opportunities don't exist. In Kahneman's book Thinking, Fast and Slow, he helps us understand that we need to use a different, slower and more deliberate part of our brain when considering things such as opportunities, whereas the fast part of the brain is great at dealing with threats, efficiencies, and getting things done. Risk measures can be put in place to prevent and mitigate the effects of uncertainty when they are negative and threaten what we value. However, measures can also be created to improve the probability of opportunities and increase their positive effects, to protect and create new value.

Be Safe. Be Proactive. #lordoftherisks #covid
- Obligation’s Hierarchy of Needs
Not all obligations are the same or require the same capabilities or approaches to satisfy. Knowing the differences can help you better understand how best to allocate resources, invest in technologies, and prioritize management objectives to consistently meet them. One way to understand obligations better is to consider them as a hierarchy of needs between commitments associated with accepting legal responsibility and those connected with accepting stakeholder responsibility. These levels create increasing but separate needs to:

  1. Comply with minimum requirements
  2. Conform consistently to procedures and practices
  3. Improve performance to reach and sustain targets
  4. Advance stakeholder outcomes

Each level builds on the previous ones. However, the behaviours from one may not always apply to the next. For example, the behaviours at lower levels tend to be predominantly reactive, waiting for incidents to happen. At the higher levels these behaviours shift to being more proactive, where goals are set and plans to achieve them are implemented. There are other differences, so let's consider each level in turn.

1. Need to comply with minimum requirements
Organizations most often begin their compliance journey by focusing on legal requirements associated with regulations. These represent the basic or minimum requirements needed to satisfy the conditions under which a regulatory licence is given for a company to operate. These tend to be prescriptive, written in the form of "shall statements", and subject to external inspection and audits. Compliance is addressed by closing gaps found in audits or when incidents arise.

2. Need to conform consistently to procedures and practices
When companies begin to internalize their external commitments they start to improve how they meet these basic requirements. They also have an increased desire to accept greater social responsibilities. In a manner of speaking, the more a company looks outwards at how it interacts with and affects others, the more it internalizes external obligations. This introduces new obligations which require taking on more ownership, often manifested by adopting industry standards to improve the consistency of meeting basic obligations. These standards will include both technical and management standards. Non-conformances in practices or outputs are identified and addressed through corrective and preventive actions.

3. Need to improve performance to achieve and sustain targeted goals
The next level of needs is often associated with Vision Zero requirements and involves accepting industry objectives towards zero incidents, zero harm, zero breaches, zero fatalities, zero emissions, and so on. These obligations are aspirational goals that require organizations to continually improve their performance to achieve higher standards over time. In the same way that pursuing zero defects helps to drive operational excellence, Vision Zero helps organizations improve other important aspects of their business. To meet Vision Zero requirements an organization must be intentional, proactive, and consistently demonstrate progress. It also requires leadership and accountability at all levels within an organization.

4. Need to advance stakeholder outcomes
The highest level of the Obligation's Hierarchy of Needs is directly connected with the vision and mandate of an organization with respect to stakeholder interests. These will no doubt include financial outcomes but increasingly will involve social interests such as ESG (environmental, social and corporate governance) requirements. It is here that we see the use of GRC (governance, risk, and compliance) strategies to help ensure that an organization does what it has promised and is creating the desired outcomes for all stakeholders. Stakeholders are not only "shareholders" but also workers, investors, suppliers, customers, and the communities that are impacted by or have a stake in a company's success. Effectiveness is best measured by the level of trust engendered, which is needed to maintain a social licence to operate. This is not something that an organization can apply for; it is granted, not purchased. However, without it many companies could not operate even when they have a regulatory licence to do so.

The Path Up the Mountain

Deciding to take the path up the mountain towards greater social responsibility is not easy, as it brings with it more and different kinds of obligations, as outlined above. Organizations that are ethical and have a culture of compliance will find the decision easier to make. These are companies that in general are not harming the environment, exploiting their workforce, or producing products that are harmful or dangerous. Ethical companies exhibit a high degree of integrity with respect to keeping the promises they have made. Integrity provides the motivation for climbing the mountain. Instead of being motivated by staying out of jail, they are motivated by doing the right thing, the right way, all the time, every time.

Companies that do decide to climb the mountain and stay the course will notice signposts that mark the transition from:
  Gap Closing to Goal Seeking
  External to Internal Obligations
  Reactive to Proactive Behaviours
  Completing Actions to Optimizing Systems
  Creating Outputs to Advancing Outcomes
  Conducting Audits to Improving Performance
  Executing Mitigative Procedures to Implementing Preventive Controls
  Command & Control Structures to Resilience & Preparedness Structures
  Shareholder Focus to Stakeholder Focus (i.e. accepting social responsibility)

With every signpost they pass, these companies will gain an increased measure of trust from their investors, shareholders, workers, and the communities in which they operate. They will be the kind of business that customers want to buy from, workers want to work for, and communities want to have in their midst.
- Is The Precautionary Principle Part of Your Risk Strategy?
One of the strategies that forward-looking and proactive organizations use to protect people and the environment is the Precautionary Principle. While there is no single or generally accepted definition of the Precautionary Principle, the concept behind it can be traced back to German environmental law:

  1972: Germany: Vorsorgeprinzip ("fore-caring principle") enacted in the Federal Emission Control Act
  1982: UN Charter for Nature
  1987: Ministerial Declaration of the Second International Conference on the Protection of the North Sea
  1987: Single European Act
  1992: Rio Declaration, Principle 15
  2000: Communication of the European Commission

Broadly speaking, the principle is often used where there is the possibility of harm from making a certain decision and conclusive evidence is not yet available. This is a form of epistemic risk (lack of knowledge) which, given enough time, knowledge, and resources, is reducible. However, the problem is that there may not be enough of those to buy down the risk in time, at an affordable cost, and with sufficient efficacy. And yet, a decision must still be made. In this case, it may be better to err on the side of caution.

Over the years the Precautionary Principle has become a fundamental aspect of many international treaties along with safety and environmental regulations, including the Canadian Environmental Protection Act (CEPA), which states:

"Precautionary principle: The government's actions to protect the environment and health are guided by the precautionary principle, which states that 'where there are threats of serious or irreversible damage, lack of full scientific certainty shall not be used as a reason for postponing cost-effective measures to prevent environmental degradation.'"

Why is this principle so important, and why now?

Purpose of the Principle

In everyday language the Precautionary Principle is about being safe rather than sorry.
In the case of environmental decision-making, measures are often too slow and too late to effectively contend with risk, which makes this principle of significant importance. Even more so now, as organizations contend with climate change, biodiversity, greenhouse gas, and other environmental risks.

The Precautionary Principle is a preventive measure against catastrophic or serious harm in the presence of significant uncertainty. If harm is "certain" then preventive measures commensurate with the level of risk are expected. However, in cases where significant harm is uncertain but possible, preventive measures may still be required. This approach is similar to risk management practices used in the energy and oil & gas sectors when contending with high-consequence, low-probability events. In that case the probability is known; it is just low. The guidance is to treat this risk as if it were certain to happen. However, when the probability is unknown but not zero, then what do you do? This is where the Precautionary Principle comes in.

Precautionary Measures

While the application of the Precautionary Principle can be open to interpretation, it is not intended to be a zero-risk approach that prohibits development. Instead, it is a matter of degree, as an Australian court described in the following:

"The type and level of precautionary measures that will be appropriate will depend on the combined effect of the degree of seriousness and irreversibility of the threat and the degree of uncertainty... The more significant and the more uncertain the threat, the greater the degree of precaution required."

Applying the Precautionary Principle is not as straightforward as many would like.
To help with that, the Commission of the European Communities in 2000 published a communication on the Precautionary Principle in which it outlines that measures based on the precautionary principle should be (among other things):

  proportional to the chosen level of protection,
  non-discriminatory in their application,
  consistent with similar measures already taken,
  based on an examination of the potential benefits and costs of action or lack of action (including, where appropriate and feasible, an economic cost/benefit analysis),
  subject to review, in the light of new scientific data, and
  capable of assigning responsibility for producing the scientific evidence necessary for a more comprehensive risk assessment.

Proportionality means tailoring measures to the chosen level of protection. Risk can rarely be reduced to zero, but incomplete risk assessments may greatly reduce the range of options open to risk managers. A total ban may not be a proportional response to a potential risk in all cases. However, in certain cases, it is the sole possible response to a given risk.

Non-discriminatory means that comparable situations should not be treated differently, and that different situations should not be treated in the same way, unless there are objective grounds for doing so.

Consistency means that measures should be of comparable scope and nature to those already taken in equivalent areas in which all scientific data are available.

Examining costs and benefits entails comparing the overall cost to the Community of action and lack of action, in both the short and long term. This is not simply an economic cost-benefit analysis: its scope is much broader, and includes non-economic considerations, such as the efficacy of possible options and their acceptability to the public. In the conduct of such an examination, account should be taken of the general principle and the case law of the Court that the protection of health takes precedence over economic considerations.
Subject to review in the light of new scientific data means that measures based on the precautionary principle should be maintained so long as scientific information is incomplete or inconclusive, and the risk is still considered too high to be imposed on society, in view of the chosen level of protection. Measures should be periodically reviewed in the light of scientific progress, and amended as necessary.

Assigning responsibility for producing scientific evidence is already a common consequence of these measures. Countries that impose a prior approval (marketing authorization) requirement on products that they deem dangerous a priori reverse the burden of proving injury, by treating them as dangerous unless and until businesses do the scientific work necessary to demonstrate that they are safe.

Application of the Principle

It is expected that the legal aspects of the Precautionary Principle will continue to be argued and debated in the courts for the foreseeable future. However, the adoption of the principle is still expected to increase across industries, sectors, and governments, specifically those contending with environmental risk. Organizations will need to learn when and how to apply the Precautionary Principle in their decision-making. This will require organizations to:

  Incorporate the Precautionary Principle in policy development
  Integrate the Precautionary Principle with existing policies and programs
  Operationalize the Precautionary Principle by defining clear and concise operational measures
  Improve the effectiveness of using the Precautionary Principle through continuous learning and improvement.
- API RP 1173 – Taking Ownership of Your Obligations
"Pipeline process management includes determination of needs throughout the pipeline life-cycle, provision of sufficient human and financial resources, identification of the proper sequence of a series of activities, monitoring and measuring the effectiveness of the activities performed, and applying changes or corrections to those activities as needed." – API RP 1173

Managing the Safety of Complex Processes

API RP 1173 is a recommended practice introduced by the American Petroleum Institute that defines requirements for a holistic approach to pipeline safety. Companies that adopt these requirements can improve their safety efforts and achieve greater levels of safety performance. To accomplish this, companies must first define their obligations before they can successfully implement their pipeline safety system.

The goal for API RP 1173 is not to implement all aspects of the practice but rather to use it as a framework on which to build or review a safety program to determine how better to achieve safety objectives (i.e. zero incidents). There are several aspects of this framework that make a traditional check-box approach to compliance ineffective. In fact, it is the wrong way to look at applying this practice. Here are three key characteristics of API RP 1173 that companies should keep in mind:

1. API RP 1173 is a recommended practice

API RP 1173 requirements are not mandatory, nor are they the full extent of what a pipeline safety program should do. Each company needs to determine what it wants its safety program to accomplish, to what extent API RP 1173 will be used, and whether other practices or standards should also be adopted.

"In all cases, operators are intended to have the flexibility to apply this RP as appropriate to their specific circumstances" – API RP 1173

2. API RP 1173 is performance-based

API RP 1173 is not prescriptive in terms of how requirements should be met and, in some cases, what needs to be accomplished.
At a minimum, it is up to each company to determine the "how" necessary to achieve the goals and objectives of its pipeline safety program. As the practice is a framework, each implementation may look different in the details from one company to the next. Several of the approaches I have seen use a gap analysis as part of the implementation process. This is common, particularly when dealing with prescriptive standards. However, API RP 1173 is not prescriptive, so it creates a challenge for those who are looking for a simple check-box approach to compliance. This may result in adding prescriptive requirements so that there is something to be assessed. While prescription may be necessary, there can be, and often is, a significant difference between what is prescribed and the obligations themselves. They are not one and the same. Instead, companies need to separate the "ends" from the "means" in their implementations. This distinction is critical and affects how audits should be conducted to assess compliance. It is common for performance-based standards to separate those things that verify the means from those that validate the ends (i.e. outcomes). An effective safety program will do both.

3. API RP 1173 is risk-based

Safety programs are often described as being all about risk reduction, and you could say the same about API RP 1173. However, it also means using a risk-based approach to achieving safety outcomes, given that there are limited funds, resources, and time to accomplish the goals. Tailoring the means by which safety is done while at the same time coordinating efforts to address systemic risk is one of the hallmarks of API RP 1173. Using a risk-based approach to identify the extent of this tailoring is an effective strategy that is gaining traction as a better way to establish compliance objectives.
Build your safety program on obligations instead of requirements

All of the reasons previously stated contribute to why it is first necessary for companies to identify and define their obligations. This will help ensure that appropriate levels of effort are directed to meeting each obligation. In addition, it allows the means by which they are met to improve and mature over time, which is recommended by API RP 1173. The following steps are well suited for companies who are looking to establish their API RP 1173 compliance obligations:

  Document the context and expectations for each obligation
  Define what constitutes evidence of compliance
  Define how progress against outcomes will be measured
  Identify what standard will be used to establish normative processes (e.g. ISO 9001:2015, ISO 31000, internally defined, etc.)
  Identify what is needed (structure, resources, technology, culture, etc.) by the organization to achieve the desired outcomes
  Identify and evaluate risks (both threats and opportunities) for each obligation
  Embed obligations, controls, and risk treatment into compliance programs, systems and processes

The output from these steps can be used as input to create a compliance map to help steer the API RP 1173 program. Instead of the typical compliance map that looks like this:

you will end up with an obligations-based compliance map that looks like this:

This may appear to be a subtle and insignificant difference in approaches; however, this is far from the truth. An obligations-based compliance map is focused on identifying and meeting obligations. These are commitments that management makes, and it is these commitments that are used to determine the means by which outcomes are achieved. Compliance is built into the means and verified through measures of effectiveness (MoE), compliance (MoC), and performance (MoP). This affords companies the ability to be certain of their compliance and of their capacity to always stay in compliance.
Whereas the previous approach is a remnant of prescriptive-based compliance focused on audits, where for the most part documents and records substitute for evidence of compliance. It is well understood (yet not often heeded) that you can have a documented procedure that is not being followed or is ineffective at achieving the outcomes of the program. The only thing you do know is that you met the requirement to have a procedure, and this is the crux of the matter. Compliance with prescriptive requirements, while important, is no substitute for programs that continually advance compliance outcomes by maturing capabilities.

#APIRP1173 #ManagementofChange #PipelineSafetySystem #ObligationsbasedComplianceMap
- Two Steps Forward Three Steps Back
I have spent most of my career building information and management systems in support of engineering, compliance, and mission-critical processes for highly regulated, high-risk companies. In many cases, these systems were deployed following a process which would roughly follow these steps:

  Create a project team
  Identify requirements
  Select technology
  Implement system
  Train users
  Disband project team

After these steps were done the system would move into "maintenance mode", as is typical for other equipment in the organization. For that is how management and information systems were considered: as equipment. The thought of improving the capabilities of a system after it had been installed did not cross anyone's mind. The only thing that did was to make sure the system remained operational and continued to perform according to how it was originally designed. When the system could no longer do that it would be replaced. In some circles this is called "run to fail", and fail they always did, for all kinds of reasons that included the effects of:

  Changes in compliance requirements
  Lack of training
  Lack of support
  Changes in technology
  Changes in leadership priorities
  Changes in organizational structure
  Business process changes
  Changes in culture

Improvements were few and far between and were seldom able to keep up. You might patch the software, upgrade the hardware, or even move to the cloud, but eventually the system would need to be replaced. Improvement of the system might then be entertained.
However, what I have observed is that even then improvement did not always come, for the following reasons:

  The people who knew how things worked no longer work for the company
  The constraints of the old technology would become "requirements" for the new technology, which would mostly negate any improvement
  Moving to the "cloud" and cost reduction would be a higher priority than improving system effectiveness
  Different leadership would have different priorities
  Run to fail created an urgent response instead of a planned one with sufficient time to consider options
  Resistance to change (what we did in the past is good enough for the future)
  And many other reasons ...

When it comes to quality, safety, environmental, and regulatory systems, where the goal is to reach a certain level of performance over time, it is no wonder that one of the contributors to the lack of overall progress is the effect of a "run to fail" or "set and forget" mode of system operations. The phrase "two steps forward, three steps back" comes to mind and aptly describes the current state of many systems in place today. Continuous improvement and maturity of capabilities is extremely difficult when a system is thrown out and replaced every 3-5 years, always starting over.

As compliance is now heading towards performance- and outcome-based standards, the way in which systems operate must change to a new mode of operation. This new way of managing systems requires the ability to improve on a continuous basis but, as importantly, the ability to steer, which is what compliance governance is responsible for and the function of a compliance program. The steering function must continually adjust system capabilities to achieve increasing and changing standards, whether from mandatory or voluntary obligations. Governance is what proactively drives this continuous improvement.
It is important to note that this differs from continuous improvement at the process level, which tends to focus on cost reduction by eliminating waste and improving efficiencies. While this is better than reactively addressing non-conformance, its purpose is still to improve consistency against current standards. Whereas improvement at the system level, directed by a compliance program, focuses on advancing capabilities to advance overall outcomes: a compliance program is fundamentally a system in its own right, consisting of proactive processes that anticipate, plan, and act to improve compliance outcomes. An effective compliance program will steer the continuous improvement of processes, technology, and people so as to increase the probability that outcomes will be advanced.

This is very different from the "run to fail" and "set and forget" modes of operation that assume compliance obligations are mostly prescriptive and never change. In a world measured by the continuous increase in value, compliance must also be continuous and advancing in capabilities to keep up. This changes the role of governance away from "run to fail" and "set and forget" to one that proactively steers towards better outcomes. Instead of two steps forward, three steps back, compliance governance needs to always be steps forward.
- Where to add Proactive Processes
"Proactivity is a process that can be applied to any set of actions through anticipating, planning, and striving to have an impact." Source: Research in Organizational Behavior, "The dynamics of proactivity at work", Adam Grant, Susan Ashford

To help meet your quality, safety, environmental, and regulatory compliance objectives, being proactive is essential and is best done by incorporating feed-forward processes between functions as well as implementing learn/improve cycles in your feedback path. These become proactive mechanisms when used to achieve goal-directed objectives where progress is made over time by advancing process capabilities, not by conformance to prescriptive requirements.
- A Better Way to Implement Purposeful Systems
Many companies run out of time, money, and motivation before results are achieved and outcomes are improved. This is often the case when it comes to adopting managed safety, quality, environmental and regulatory systems. Traditional component-first approaches fail to deliver an operational system on which real improvement in outcomes can occur. The good news is that there is a better way.