- Seeking the Wrong Goal
When it comes to systems, the goals we choose greatly affect the outcomes that are obtained. This is particularly true of the goals of feedback processes, those used for correcting or reinforcing behaviors. When these goals are ill defined, the system will faithfully continue to produce a result; however, it may not be the one intended or wanted. Donella H. Meadows, in her book "Thinking in Systems", provides an illustrative example, "The Goal of Sailboat Design": Once upon a time, people raced sailboats not for millions of dollars or for national glory, but just for the fun of it. They raced the boats they already had for normal purposes, boats that were designed for fishing, or transporting goods, or sailing around on weekends. It quickly was observed that races are more interesting if the competitors are roughly equal in speed and maneuverability. So rules evolved, that defined various classes of boat by length, and sail area and other parameters, and that restricted races to competitors of the same class. Soon boats were designed not for normal sailing, but for winning races within the categories defined by the rules. They squeezed the last possible burst of speed out of a square inch of sail, or the lightest possible load out of a standard-sized rudder. These boats were strange-looking and strange-handling, not at all the sort of boat you would want to take out fishing or for a Sunday sail. As the races became more serious, the rules became stricter and the boat designs more bizarre. Now racing sailboats were extremely fast, highly responsive, and nearly unseaworthy. They need athletic and expert crews to manage them. No one would think of using an America's Cup yacht for any purpose other than racing within the rules. The boats are so optimized around the present rules that they have lost all resilience. Any change in the rules would render them useless.
Meadows suggests a way out of the trap of seeking the wrong goal: "Specify indicators and goals that reflect the real welfare of the system. Be careful not to confuse effort with result or you will end up with a system that is producing effort, not result." These principles are not new, although they are easily forgotten and something we must always be reminded of. This can be seen by the number of companies that define their indicators and goals mostly by counting the things they are doing (i.e. measures of effort) without evaluating the effects of these efforts (i.e. measures of effectiveness). Many companies have created policies to optimize the production of numbers, which when it comes to compliance look something like this: the number of compliance issues open; the number of hours of training per employee; the number of internal audits completed on time; the percentage of outstanding post-audit issues; the number of complaints; and so on. As a result, companies have become experts (or now require hiring them) to support the business of auditing rather than the business of meeting obligations. They have created the equivalent of an America's Cup yacht optimized for one purpose: winning the audit game within the rules they have created. The compliance function is now so optimized around passing audits that it is unable to adapt to changes in regulations from prescriptive to performance and outcome-based designs. Compliance has created a high-performing yacht to win a race, but not the race that now matters. #systemsthinking
- Taming the Dragon of Uncertainty
When it comes to business, life, and of course compliance, there are dragons that come across our path that cannot or should not be avoided and instead must be faced head on. Dragons may appear first from a distance, and when viewed from afar may appear more or less dangerous than they really are. Until the threat arrives we have time to improve our vision to understand its nature and devise strategies to successfully contend with it. Most threats are a manifestation of uncertainty, which is the root cause of risk (ISO 31000). This uncertainty may come in different forms, the most common of which are aleatory uncertainty, having to do with randomness, and epistemic uncertainty, having to do with lack of knowledge. However, threats often will not be limited to either one but will consist of all forms of uncertainty in varying measures over time. When risk behaves mostly like aleatory uncertainty (random, chaotic, complex): assume the threat is serious and its effects cannot be controlled; accept that negative outcomes will happen; treat uncertainty by using margins such as reserves, contingencies, insurance, savings, etc.; introduce broad-level safeguards and life-saving practices. The goal is amelioration (to make better, to improve). When risk behaves mostly like epistemic uncertainty (lack of knowledge): assume the threat is serious but its effects can be controlled if better understood; accept that negative outcomes may happen; treat uncertainty by buying down risk; develop capabilities to increase knowledge of the threat and learn how to prevent or reduce its effects; introduce targeted-level safeguards and life-saving practices. The goal is mitigation (to reduce, lessen, or decrease). However, when it comes to uncertainty, nothing stays the same: the threat may change; the effectiveness of measures may change; our understanding of the threat may change; conditions may change. Therefore the path to certainty will seldom be a straight line, which can be frustrating for some.
As our knowledge of the threat increases and effectiveness of risk measures is better understood our path will necessarily change to focus on the uncertainty that remains. For this reason risk & compliance will always be a continuous endeavor, seldom a straight path but always working toward taming the dragon of uncertainty. More articles on dragons, uncertainty and risk can be found here
- Anatomy of Compliance Risk
Everything happens in the presence of uncertainty, and this uncertainty creates the opportunity for risk.
- Compliance Under Uncertainty Is Slowing You Down
When life is uncertain, things are unclear, you don’t know what to expect, and you react to things when they happen. So you walk slowly, as if on eggshells, testing every step to make sure it is not a hole or the edge of a cliff. Life under uncertainty is a slow process. This is what it is like for many organizations with their compliance. They are uncertain of their obligations, they don’t know what to expect, and they react when non-conformance happens. So they create more rules to walk slowly, and check every step to make sure that everything and everyone stays within the lines. Compliance under uncertainty is also a slow process. So how does one make progress and move faster? Some may decide to throw caution to the wind and just press ahead hoping for the best. This happens in life and in compliance. This approach appeals to risk takers, but perhaps to those that like risk too much. Given a chance they will gamble their lives and their companies away. All of these approaches fail to address the root cause, which is the lack of knowledge, or what is called epistemic uncertainty. If one wants to make progress it is important to contend with this uncertainty. This means identifying risk and then establishing measures to buy it down so that it doesn’t slow you down. If you want to stop compliance from slowing your business, consider joining The Proactive Certainty Program™. This program helps you move faster by reducing risk so you don’t have to walk as if on eggshells any more.
- Compliance Needs to Operate as a Business
Compliance creates value by building trust when obligations are met and protects against the erosion of value when they are not. To achieve this compliance needs to operate as a business. It must create value, advance goals & objectives, and manage resources and systems to deliver a return on investment. ISO 19600 provides a framework to manage all your obligations under one governance system. It does this by establishing processes to identify, implement, evaluate, and maintain all mandatory and voluntary obligations covering: quality, safety, environment, security, regulatory, and other risk-based obligations. The goal of ISO 19600 is to promote compliance effectiveness. An important first step is establishing an obligations registry where you can manage: performance / outcome goals, threats & opportunities, controls, improvement objectives, and measures of compliance, performance and effectiveness. This will help you to know the status of your compliance, and as importantly, whether you have the capabilities you need to be effective at creating trust and protecting against loss.
- Book Of The Month - Pursuing Enterprise Outcomes
Maximizing Business Value and Improving Strategy for Organizations and Teams. All executives and senior management responsible for compliance will be well aware of how difficult it is to ensure that value creation is protected and progress is being made towards stakeholder objectives. These outcomes are often not well articulated, and even when they are, the means by which outcomes are achieved usually are not. Focus on effort over results is the name of the game while the board sits hoping for the best. Is there a better way to ensure outcomes are achieved? "It's a common trap to assume that outcomes are known and a mistake to place all emphasis on the outputs of work." – Alex Yakyma It is relatively easy to identify and manage outputs to ensure that they are on time, on budget, and on spec. This domain is well understood, with vast amounts of knowledge, expertise, and practices to improve the certainty that outputs are created with a defect rate of 3.4 defects per million opportunities (i.e. six sigma). We are very good at doing this or at least know how to do it. However, when it comes to realizing outcomes this is not as easy and is often left to chance. Companies hope that their good intentions and hard work will produce the outcomes they are looking for. However, the road of good intentions often does not deliver what we want or what we need. Alex Yakyma, in his book "Pursuing Enterprise Outcomes", unpacks the nature of outcomes, how they are created, and how to improve the probability that you produce the outcomes you have targeted. This is a world that is not as well defined, often non-linear, and always in the presence of uncertainty.
Yakyma provides a comprehensive framework that adds needed structure to this domain as presented in his book, where he covers: The killer of Organizational performance; How to Uncover Disconnects In Pursuit of Outcomes; The Science and the Art of Probing; The Mystery of Business Value; Complex Bottlenecks and Emergent Solutions; Strategy and Leverage Points. Excerpts from the book: Complex tasks progress at the speed of managing unknowns. Doing the wrong work faster is false progress. For complex tasks, the ability to navigate is more important than velocity. Behaviours in a complex system can only emerge. Any attempt to "design" behaviour to match an expectation will only result in waste. To succeed with the ultimate outcome, all lower-level outcomes need to have owners who hold responsibility for the outcomes, not outputs. A disconnect anywhere in the outcome chain easily jeopardizes the ultimate outcome of the task. Outcomes provide meaning and structure to business value. Business value helps determine how effectively the outcomes are achieved. Strategy is the way in which system behaviour can be vectored toward a favourable outcome. What I like about this book: The concepts of outcome chains and connections, the emergence loop, and the nature of outcome uncertainty provide a solid structure to explore how to better advance outcomes. The author provides many good examples that help illustrate key concepts and principles. Every chapter has exercises that teams can work on to help reinforce learning and stimulate discussion. I highly recommend this book for anyone who is responsible for the creation of outcomes related to regulatory, safety, security, quality, environmental and operational objectives.
- Is Your Motivation Holding You Back?
One of the factors that hold companies back from improving their compliance is ambivalence: having mixed feelings or contradictory ideas about what goals to have and what approach to follow. This uncertainty contributes to the lack of motivation to act, which is a significant cause of failing to achieve operational and effective compliance. Knowing where you are going: Having somewhere positive to go to that is well articulated and realistic will help motivate change. We need to know what the pot of gold is that we are going after. However, all too often, we find that companies have vague ideas of what compliance should do and what the outcomes should be. The opposite is also common. Many companies are very specific and clear about their compliance destination. In fact they have already arrived, as stated in their declaration that they are following all applicable laws and regulations. Where else is there to go when you believe that you are already there? What we need to understand is that the compliance landscape has changed and so have the destination and the measures to get there. Compliance has moved beyond prescriptive specifications to outcome and performance targets that require continuous improvement and the effective management of risk. Compliance is not measured by whether you comply or not but instead is measured by the level of certainty you have in achieving your compliance goals and objectives. As risk is never static, continuous risk management is needed to keep companies operating between the lines in the presence of uncertainty. All of this changes the goals and objectives for compliance. Knowing what is behind: Knowing where you are going is not enough to be properly motivated. You also need the motivation that comes from being aware of the danger of staying where you are. You need to be aware of the dragon that is chasing you from behind as well as the pot of gold that is in front of you to sustain proper motivation for change.
The dragon facing companies these days is the effects that come from not addressing all their stakeholder obligations. These have a negative impact on mission success, reputation and ultimately trust. As a result, you may still be left with a regulatory licence to operate but you may not have a business that investors want to invest in or customers want to buy from. If ESG (Environmental, Social, and Governance) investing and the downstream impact on environmental programs continue to gain traction, learning how to navigate the broader compliance landscape will be a decisive factor in avoiding the dragon that is behind. Knowing how to get there: So how do you move from ambivalence to action? Here are three steps you can follow to improve and sustain your motivation: (1) Describe what your compliance destination looks like in realistic and specific ways – the piece of heaven that you are striving for. (2) Describe what your destination looks like if you don’t improve – the slice of hell that you want to avoid. (3) Establish a program that continuously advances your business towards its destination and avoids the dangers of staying where you are. Making progress is a huge motivation for even more progress. Every day is a chance to improve your compliance, so let's not waste it.
- Surprise me now, surprise me later, but never say I am not surprised.
When it comes to risk & compliance no one wants to be surprised. That’s why organizations put in place controls of various kinds to avoid them. While surprises are not desirable and cannot always be avoided there is something that can be far worse which is not being surprised at all. When something bad occurs it is not uncommon for someone to say, “I am not surprised that this happened.” Hearing this offers little comfort to those negatively impacted by the surprise. But why? When preventable incidents occur associated with safety, environmental, quality or regulatory objectives not acting when it was possible to do so is perhaps more concerning than the impact of inaction. Finding out that something could have been done and wasn't is often an indication of a failure in duty of care, negligence, or simply not caring at all. It is no wonder that we might feel anything other than comfort after hearing that someone was not surprised. To avoid the surprise of not being surprised organizations need to ensure that their risk management does more than just create a list of what might or could go wrong. They also need to act to create the outcomes that an organization wants and avoid the ones that it doesn't.
- How to Make Compliance Soar
Compliance is often considered a hindrance more than a help. Many organizations believe that they might do better if they were less encumbered by having to meet obligations. The philosopher Immanuel Kant pondered the same kind of thing using the following metaphor: “The light dove, in free flight cutting through the air the resistance of which it feels, could get the idea that it could do even better in airless space.” Without the resistance of air to contend with, the dove thought it might soar higher. There is an art to flying. Too much drag or not enough resistance will prevent flight from occurring. However, removing the air altogether is removing what is essential for the dove to fly. It is the very act of contending with air that enables the dove to soar. The same might be said about compliance. It is through the process of meeting obligations that a business develops the art of compliance. Removing the need to meet obligations is removing what is essential for companies to achieve their goals. Without obligations to contend with, organizations would not get off the ground. Resistance is not always a hindrance. Resistance can be the very thing that strengthens our abilities. It helps the dove to fly higher and an organization to achieve higher standards. We know that when it comes to meeting safety, quality, and environmental obligations, it is by meeting standards that a company develops the capability to be safe, to create quality, and to reduce its impact on the environment. This is what vision zero objectives are all about. It is not the goals so much as the struggle to get closer to them that matters most. It is the striving that creates excellence, not in spite of these goals but because of them. Obligations are the air beneath an organization’s wings. They provide the resistance needed for flight. What does this mean for organizations that want to improve their compliance?
Perhaps, instead of trying to remove obligations or doing the minimum, invest in your people and processes to learn how to become excellent at the art of compliance. You may end up not only getting off the ground but you may actually start to soar.
- Mission Report: 3 Years Later
Over 3 years ago we launched Lean Compliance in response to the lack of sustainable compliance effectiveness across mostly every sector, as organizations struggled under the weight primarily of existing and changing prescriptive regulations and standards. The compliance landscape was also starting to transform as regulators were modernizing their programs to become more risk-based as they moved towards performance and regulatory designs. While the impact of this transformation would ultimately reduce the weight of regulation, it would require different skills and a new mindset, something that many organizations did not have or have time to learn. To navigate this new landscape companies would need to become more proactive, own their obligations, and commit to continual improvement. Instead of inspection and audit regimes as the trigger for improvement, companies would need to set obligation goals, measure progress, and manage risk. Performance rather than checkbox compliance would become the new mandate. However, organizations were too busy being reactive and fighting fires, had little time to be proactive, and for the most part didn't know how. Space also needed to be created for improvement to occur. This is where LEAN would help to eliminate waste and create capacity to escape the reactive uncertainty trap and allow companies to begin their journey towards proactive certainty of their compliance objectives and goals. This birthed The Proactive Certainty Program™, which we launched to effect our mission to help companies lift the weight of regulation and improve their compliance effectiveness in a sustainable way through continuous improvement over time. As our mission continued we quickly realized that not much had been written about effective compliance and specifically how performance and outcome-based obligations might be managed. So we started to do research and explored what this all might look like, which we wrote about in blog posts every week.
With every post (over 200 at this point), presentation, webinar, and consulting engagement we began to lay the foundation for Effective Compliance. We started at the source of the obligations and worked our way to the outcomes that companies committed to achieve. This resulted in the formulation of: a regulatory classification model; an obligation taxonomy; The Compliance Value Chain; The Proactive Certainty Model™; The 10 Rules for Effective Compliance; a proactive accountability management framework; a proactive model for governance, risk and compliance (GRC); strategies to apply systems & risk-based thinking, and lean & performance management, to improve the probability of meeting obligations; a system of measures (effectiveness, performance and conformance) to help govern (i.e. steer) towards better outcomes; digital strategies to improve the probability of mission success; and numerous other methods and practices. Many of the concepts and principles we presented were in the form of diagrams to help describe behaviors, relationships, and elements as we worked towards a comprehensive operational model to effectively manage obligations. Several of you have commented and indicated how much you have benefited from the insights communicated in these diagrams and blog posts over the last three years. This has been instrumental in providing valuable feedback, which we have used to improve the utility of our models. This has been very satisfying for us and a source of much encouragement, for which we are truly grateful. It has been a fantastic journey so far but there is still much to do. We would love to help more companies escape the reactive uncertainty trap and realize the benefits that come from effective compliance programs. One of the things we are working on is compiling all our work and creating an Effective Compliance Handbook. We will keep folks posted as we get closer to publication.
If you want to launch your own mission towards effective compliance, consider our 12-week virtual boot camp. Through weekly coaching sessions we help you develop a detailed improvement roadmap for one of your compliance programs: quality, safety, security, environmental, regulatory, risk, process safety, or pipeline safety. To learn more contact us at bootcamp@leancompliance.ca (individual and team rates available). Continue to be safe and proactive.
- 2017 Compliance Program Survey
Help us better understand the state of compliance programs in your industry by participating in our 2017 Compliance Program Survey. This will take 10 minutes of your time and by participating you will receive a copy of the final report. If you are involved with PSM, HSE, Security, Quality, Regulatory, IT / Cyber Security, or any other compliance program we want to hear from you. Click here to take part in our survey. Thank you in advance for taking part to help advance compliance outcomes. #Survey
- Compliance Helps Companies Stay Within The Lines
Someone once asked the question, "why do cars have brakes?" The answer given was, "so they can go fast!" What brakes do for cars is what compliance does for companies. They allow companies to go fast by helping them stay between the lines. In recent years, many companies have invested significant effort in ways to help them go faster. Several strategies have been used, including Agile and LEAN techniques and methods. These approaches have functioned as an accelerator for business processes and have in many cases produced remarkable results. While a faster engine may help you to go fast, you also need a braking system that is just as capable. The faster you go, the better the brakes need to be. However, brakes are only one part of what makes a car effective and safe. A car also needs (among other things): a driver to choose the destination and pilot the vehicle; a guidance system to identify optimal routes; limits (speed, traffic lights, etc.) to keep everyone safe; guard rails to minimize injury; lines that tell us when we are off-side. Newer vehicles have the ability to tell drivers when they have crossed the line, when it is safe to make a lane change, and when they are no longer on course. Intelligent braking systems also keep cars from losing traction so they can safely slow down. However, getting to your destination safely requires more than these; it also depends on the skills and actions of the driver. When I first learned to drive we were taught what is still called "defensive driving skills." These were skills defined as "driving to save lives, time, and money, in spite of the conditions around you and the actions of others." Their aim was to reduce the risk of collision by anticipating dangerous situations. We practiced these skills until they became second nature. I have continued to use these skills ever since and by doing so have kept myself and my family safe for over 30 years. This is what it means to be a good driver.
Not that you never have an accident but rather that you have the skills and mindset to reach your destination safely. Just as we need drivers to be good we also need companies to be the same. Similar strategies to "defensive driving" can be learned and applied to meeting and maintaining compliance. Unfortunately, many companies have only the equivalent of guard rails to let them know when they are off-side. They need to crash into a rail before they realize they crossed the line and lost control. This is what happens to those that only use audits to manage compliance. Audits are necessary but ineffective at protecting our businesses and keeping everyone safe. Drivers that practice defensive driving skills plan and act in such a way as to arrive at their destination on time and safely. It is not a choice between one or the other. Companies must also meet multiple goals with regard to compliance, whether they include safety, security, quality, environmental, financial or otherwise. They do not need to sacrifice one for the other and neither should they. This is what it means to take ownership of all your compliance obligations, which is necessary for companies to be ethical. The cybernetic law of Inevitable Ethical Inadequacy (introduced in a previous blog) states, "If you don’t specify that you require a secure ethical system, what you get is an insecure unethical system." Without including ethical goals in your systems, they will regulate away from being ethical towards other goals, predominantly financial and short term. We know that most companies want to be ethical, as stated in their mission and value statements, where words such as integrity, respect, safety, quality, and social responsibilities are often used. Unfortunately, many of these same companies use a reactive compliance model that was developed only to verify the integrity of financial statements and protect against fraud.
However, the dynamics of the systems needed to achieve non-financial goals are different and require proactive strategies that anticipate conditions in the same way that we use defensive driving skills to anticipate dangerous situations. Next to audits, training is the predominant method used by companies to achieve compliance. This training tends to be technical in nature, similar to learning how to drive a car, and rarely includes "defensive skills." There are areas such as safety where defensive skills are taught and reinforced. However, for the most part, compliance for many is about checking off boxes to meet prescriptive standards. Companies can improve their compliance by teaching their workers defensive skills rather than only focusing on compliance actions. In addition to defensive skills, we can also consider greater degrees of automation and embedded compliance in our work processes. Current advancements in autonomous driving provide helpful insights into how automated compliance can work. We should understand, however, that we may never want full automation, as compliance decisions are ethical in nature since they involve risk trade-offs, and that is something that cybernetics does not address. For example, safety involves making decisions that involve risk. Risk-based decisions, due to their inherent uncertainty, are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard then rule-based decisions (the kinds that computers can do) might be appropriate. However, should the hazard remain and uncertainty persist, then the decision to proceed becomes an ethical choice, which is something only humans can do. In 2014, SAE International published their standard for driving automation (J3016) that defines six levels of autonomous driving. This chart provides a means to compare against similar automation in compliance systems and processes.
What we find is that many companies are only operating at level 0, as they provide little to no automation to assist workers in meeting compliance obligations. In fact, many do not even provide the equivalent of defensive skills training and only teach workers to follow prescribed steps. No wonder the effort applied to audits is so high and increasing. Levels 3 and above do not have a human monitoring the environment, and in the case of Levels 4 and 5 do not have a human to fall back on should highly ethical decisions need to be made. Therefore, these levels may not be suitable for compliance support and are arguably not desirable for autonomous vehicles either. Nevertheless, partial automation and compliance assist systems are helpful in providing workers with greater visibility of compliance obligations, in terms of both objectives that need to be met and limits that need to be observed. Looking forward, companies that want to see more of their ethical values realized in their organizations will benefit from applying proactive strategies such as defensive skills to help workers better meet compliance obligations. In addition, increasing the level of automation while maintaining human accountability will provide greater and immediate certainty of compliance and reduce the spiraling increase in, and dependence on, audits. It is better to know that you might cross a line so you have the opportunity to make course corrections. The alternative is hitting the guard rail and reading a police report that states the obvious. The first is proactive and the latter is reactive compliance, which is preventable.











