  • Proactive Compliance

    Compliance is much more than checking boxes and addressing non-conformance when it is discovered. It is about experiencing the benefits of compliance outcomes: delighted customers, safe and meaningful work, trusted manufacturers and suppliers, growing and sustainable economy, and an environment that we all want to work and live in. This requires a proactive approach focused on outcomes instead of a reactive approach focused on prescriptive requirements. Proactivity describes a process of action that includes: anticipating, planning, and striving to create a future outcome that has an impact. If you were more proactive with your compliance what would your business and work be like? What would you experience?

  • Compliance Performance

    Ethical and proactive organizations are those that invest in improving their compliance performance and see it as an advantage in competing in highly-regulated, high-risk industries. When it comes to performance and outcome based compliance there are three aspects that you must consider: your capability (culture, systems, people) to be in compliance, the effectiveness of your compliance programs to reduce risk, and the advancement of compliance outcomes. The greater your capabilities and the more effective your programs are, the better you are able to contend with the effects of uncertainty in buying down risks or assigning appropriate margins to be more certain of achieving your outcomes. Or, saying it another way, the better your compliance performance the more certain your value creation.

  • Problems Are Our Friends

    Back when I was in high school I had a teacher that would always say, "problems are our friend." At the time I didn't get it, probably because I didn't want to do the homework. However, looking back I realize that he was right. Working through the problems at the end of each chapter did help me to know if I really understood the material and was on track. Problems would become very good friends as I continued my engineering studies and throughout my career. However, not everyone views problems as helpful and sometimes this attitude shows up when it comes to safety, quality, environmental, and regulatory objectives, particularly with respect to compliance metrics and reporting. It is all too common to hear that management does not like to see "red" in charts, or discuss "risks", or talk about problems in general. There may even be pressure to change the goals, change the units, or even change the colors so things "look" better when in reality the problems still remain. Although, you wouldn't know it when you looked at the metrics and therein lies the rub. The purpose of using metrics is to highlight where the problems are so that they can be fixed and improvements can be made to achieve better results. For metrics to be useful we need to see problems as our friends that help us rather than as enemies to avoid. This is what LEAN has helped us best to understand. LEAN teaches that if we cannot visualize problems we cannot see our way to improvement. One of the ways we can visualize problems is to make sure our metrics move beyond measures of compliance to include measures of performance and effectiveness. This will help us to see whether problems are connected to conformance, capability, or progress in achieving goals and outcomes. If our metrics are always showing green it might be because we have decided to hide our problems instead of allowing the "red" to show through. It's time to view the red not as a problem that we want to avoid but rather as a friend to let us know when we are on track or not.

  • Time to Upgrade your Navigational System

    A compass helps you to stay on course as you head towards your destination provided the world is flat. However, a compass can never prevent you from losing your way when you have as many dimensions as there are compliance programs. To maintain your direction across multiple dimensions you need a gimbal rather than a compass. A gimbal is a pivoted support that allows rotation of an object about an axis. It is specifically designed to handle multiple dimensions and always lets you know which way is up no matter how much the world around you has changed its direction. In today's changing landscape knowing which way is up is what helps keep organizations from falling outside the lines and risking their businesses. When you have three or more gimbals you can turn in any direction and you will always know your orientation in relation to a particular direction (i.e. the direction you have targeted). And knowing this is precisely what you need to properly adjust your course to make sure that you reach your destination and why organizations need an effective navigational system. Each component of GRC (Governance, Risk, and Compliance) functions like a gimbal oriented across the dimensions of each compliance program: quality, safety, environmental, regulatory, and ethics. Each GRC gimbal works together with the others to always let you know where you are relative to your compliance obligations when the landscape is always changing. It might be time to upgrade your navigational system to one that can handle all the dimensions of your compliance obligations. #GRC #Compliance #Risk

  • 5 Questions You Must Answer to Improve Your Compliance

    The goal of a compliance program is to improve the level of compliance of an organization. This differs from the goal of a compliance system which is to maintain a certain level of compliance. If you want to improve your compliance there are 5 questions you must answer which apply to any endeavor from projects, to flying to Mars (pg 16 – Performance Based Project Management by Glen B. Alleman) and to establishing an effective compliance program. Where are we going? How are we going to get there? What threats or opportunities will we encounter? Do we have everything we need? How are we going to measure our progress?

  • Ideal Compliance

    This is the perfect time of year to evaluate your compliance programs and make adjustments so that you achieve your objectives. However, to make that assessment you need to know where you are heading and then you can consider what paths will help and which ones to avoid. To help with your assessment here is a list of characteristics of what an Ideal Compliance Program might or even should look like. An Ideal Compliance Program will:

      • Focus on outcomes
      • Define comprehensive, clear and concise obligations
      • Specify unambiguous goals and objectives
      • Utilize standards to ensure normative behaviors
      • Embed compliance to always keep you out of danger
      • Be friction-less (doesn't add drag to your work processes)
      • Effectively meet all required and voluntary obligations
      • Consistently perform to your higher standards
      • Easily adapt to meet new compliance obligations
      • Implement systems that always keep you in compliance
      • Be ethical, transparent, and have a high-degree of integrity
      • Always improve

    Compliance is not just what you do at the end of everything else. It is instead, a competency that you improve over time to ensure that you achieve your business outcomes. #IdealCompliance

  • Where you aim determines what you achieve

    Rule # 2 - Take Ownership of All Your Obligations

    Being proactive with your compliance begins with taking ownership of all your obligations and this includes defining program outcomes and objectives. You may argue or debate what compliance program outcomes and objectives could or should be. What you cannot be is uncertain as to what they are. If your program goal is zero incidents then you know what your commitment needs to be. If your goal is to achieve a higher standard of quality then you also know what you need to do to achieve that. The outcomes you choose will direct where you are aiming, the strategies to get you there, and the capabilities you need to make progress towards them. Research shows that companies who adopted ISO 9001 Quality Management System (QMS) standard for the purpose of certification achieved just that – certification. These companies rarely saw an improvement in their quality. However, companies that wanted to improve their quality and chose to implement ISO 9001 as a means to get there, not only achieved certification, but they also improved their quality. They got both. The difference with these two companies was where they aimed. Where are your quality, safety, environmental, or regulatory compliance programs aiming at this year?

  • Confessions of a QA Manager

    This is a work of fiction. Names, characters, businesses, places, events, locales, and incidents are either the products of the author's imagination or used in a fictitious manner. Any resemblance to actual persons, living or dead, or actual events is purely coincidental.

    We thought we were doing OK. We really did. I guess we were wrong. We consider ourselves an ethical company and take quality very seriously. We have someone assigned to all the typical compliance areas: quality, safety, environmental, and regulatory. We thought we had it all covered. We always conduct our periodic audits and pass all our certifications. However, auditors always found something, but that's normal. Auditors always need to find something, right? Nothing big mind you. Just little things for our people to work on; something to improve. The point is that by every measure we were doing just fine. We didn't expect that something would go this wrong. We had no idea, it was only a small change. We just needed to pass an emissions test. We had a timeline and time was running out. We had to do something. Some of the staff worked around the clock and came up with a software work-around that would fix the issue. Great! It was tested, it worked, and we were good to go. I guess we didn't expect that a small change would blow up in our faces. We never imagined this would expose a fault that was always there and something that we should have addressed long ago. What was that fault? Well, it's not what you might think. It was a fault in our communication. When senior managers asked if the emissions issue was addressed, the answer given was yes. This was true (kind of). They were glad to hear that we could ship on time. That's all they cared about, at least that's what all their communication had indicated. Everyone who worked on the solution was considered a hero and was even given extra time off. I think in retrospect they would give all that time back if they could. It wasn't too long before this would blow up in our faces – big time. Hero to goat overnight. We are not sure if we will even survive this. You see, what happened was we took a short cut. Some might call it cheating although we didn't think of it that way at the time. The staff were just trying to solve a problem. They figured out they could adjust how our product works to lower the emissions while it was being tested. The product could ship on time and everything would be good – right? No, wrong! Once what we did was discovered, our reputation was in the toilet. Only a few people actually knew how the issue was solved. Frankly, nobody really cared how it was done. As long as we could ship, that's all that mattered. We were wrong about that. Apparently, it does matter – it matters a lot. Who was at fault? At one level it was the coders. However, that's the wrong way to think about it. It was the whole company's fault. We ask our staff too often to perform miracles so that production targets are met. We should have never asked them to do "whatever it takes" to solve problems like this, or any problem for that matter. I hope we get a chance to learn from what happened. However, our reputation is so badly damaged that I am not sure if we will get the chance. It's going to take a long time to earn back the trust we lost with our customers. We could have done better. We should have done better and now we are paying for it.

  • Why is focusing on non-conformance missing the point?

    Focusing on non-conformance is the first level of compliance. This involves meeting the prescriptive part of a regulation or industry standard. However, standards and regulations have changed and are now more performance-based, focused on continuous improvement and risk. Instead of asking the question, "did we follow the procedure?", compliance has evolved to answering a different question, which is, "how well are we achieving outcomes such as: zero injuries, zero defects, zero violations, zero environmental impacts, zero ethical misconducts?" The former is reactive, looking at the past. The latter is proactive, anticipating the future.

  • Compliance Beetle Template

    Turtle diagrams are often used to document processes in support of ISO standards and guidelines. However, they tend not to include compliance and risk as part of process definitions. That's why we created the Compliance Beetle so you can document compliance and risk considerations directly within each process. Download your template here. #RiskAssessment #ComplianceInsights #Complianceimprovement #RiskbasedThinking

  • The Human Side of Compliance

    The purpose given for companies is often stated as making profit. However, companies can exist for a greater purpose. They can exist to create opportunities for people to work so that their potential can be realized to some degree. The greater the degree, the more humanized the workplace becomes. However, when workers are used like "machinery" the work becomes dehumanizing. There is always a tendency (for the sake of efficiency) to separate humanity from the mechanics of business. Perhaps, when businesses are completely robotic (if that is even desirable) we can achieve total separation and no one needs to worry about values and ethics in the workplace anymore. In fact, we would not have a workplace and I wonder if we could still call these businesses either. In a similar way, we can think of compliance in a dehumanizing fashion. Compliance for many companies is seen as a tax on productivity and something that should be reduced. This may lead to viewing compliance roles as something that we want to reduce and replace with technology. However, when taking a closer look we notice that compliance has more to do with managing risks than it does conformance to standards and following rules. Managing risk is a human-centric process that requires people to anticipate, plan and act to prevent or mitigate a threat or enable and exploit an opportunity. In fact, not only is risk management human-centric, it is very much an ethical process. For example, safety involves making decisions that involve risk. Risk-based decisions due to their inherent uncertainty are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules or to a machine. If the risk can be completely eliminated by removing the hazard then rule-based decisions (the kinds that computers can do) might be appropriate. However, should the hazard remain and uncertainty persist then the decision to proceed becomes an ethical choice which is only something humans can do. #Ethicalcompliance #complianceandvalues

  • Compliance in the Cloud

    For compliance to be effective you need the ability to: (1) demonstrate that you have met your obligations in the past, (2) meet your obligations today, and (3) meet your obligations tomorrow (and every day thereafter). This requires an architecture that is both resilient and adaptive to change over time. Current cloud based architectures are in many cases evolutionary. While this makes change easier, they also suffer in the same way as evolution does in nature (i.e. it is always changing). Each day we read about new platforms that in some cases replace, but in many cases discard what was already there. You might call this survival of the fittest. Companies looking to put their compliance data and processes into the cloud need something more enduring. This is what good architecture provides and something that has been lacking as technology marches on towards something new and shiny. Before you decide to lift and shift your compliance to the cloud, you may want to consider the following: Does the technology platform meet all your compliance standards? Does the platform allow you to tailor processes to meet your higher standards? Do you maintain ownership of your compliance data or is it being monetized by the provider? Is your compliance data adequately protected and secure? What are the risks to you and your stakeholders should your compliance data be breached? Can you transfer your data to another platform and resume operations without loss of compliance? #ComplianceTips

© 2017-2025 Lean Compliance™ All rights reserved.