SEARCH

Michael Porter was right. You need capabilities to create value which he outlined in his Value Chain Analysis (VCA) from which competitive advantage can be determined. So the question is, what capabilities does compliance have to create value for the organization, and how does this generate competitive advantage? Integrated Balanced Scorecard The value chain's ultimate outcome is value as perceived by customers and stakeholders. While Michael Porter's value chain framework creates and delivers value, it cannot do so effectively in isolation. Total value creation requires integrating productivity and compliance programs. Productivity Drives Margins Organizations implement productivity programs to enhance value chain efficiencies and increase margins. This operational excellence domain encompasses methodologies such as Lean, Six Sigma, TQM, and digital automation. Performance is measured by efficiency, while effectiveness is measured by improved margins. Better margins create value both financially and as protection against unavoidable external and internal risks. Margins can offset losses from market disruptions and operational risks—instances where organizations fail to meet goals and objectives. However, operational risk is best managed through risk and compliance programs. Compliance Drives Certainty To address operational risk, organizations establish programs ensuring (to make certain) objectives are achieved. Management traditionally handles common variation, while risk and compliance functions address specialized threats and opportunities. Performance is measured by the level of certainty (or confidence) in achieving objectives—what might be called assurance—and risk amelioration. Effectiveness is measured by compliance: meeting obligations manifested through safety, quality, security, privacy, reputation, and other value properties. Managing operational uncertainty helps organizations stay within boundaries, protecting the value chain along with employees, assets, shareholders, customers, the environment, and communities. Integrated Balanced Scorecard Protecting value creation fundamentally means contending with two types of uncertainty. Aleatory uncertainty (irreducible randomness) is handled by applying margins to cover unavoidable losses. Epistemic uncertainty (reducible through knowledge) is managed through compliance controls and measures. Adequate margin and certainty are both necessary for effective value chain creation. An integrated balanced scorecard improves visibility of strategic initiatives related to value, margin, and compliance targets. It also facilitates appropriate trade-offs between opportunities to improve margins and measures to contend with threats. When establishing an integrated balanced scorecard, map strategic objectives and initiatives to appropriate categories. Using categories from Geoffrey Moore's "Zone to Win" alongside functions from Michael Porter's Value Chain Analysis helps capture objectives according to time horizon, risk appetite, and compliance priorities. Productivity and compliance activities each have objectives for positively affecting the value chain while including initiatives to improve one another. For example, productivity improvements can benefit compliance programs, and productivity initiatives benefit from objective risk-based approaches. Greater uncertainty and risk characterize incubation and startup activities, which may require different strategies focused on pursuing opportunities rather than avoiding losses. Compliance as Competitive Advantage Organizations that excel at compliance create sustainable competitive advantages beyond mere risk mitigation. Strong compliance capabilities build trust with customers, regulators, and stakeholders, enhancing brand reputation and market position. They enable faster market entry by streamlining regulatory approvals and reducing time-to-market for new products and services. Robust compliance frameworks also attract premium customers and partners who prioritize working with reliable, trustworthy organizations. Moreover, proactive compliance reduces the cost of crisis management, legal disputes, and remediation efforts that plague competitors with weaker systems. By embedding compliance into strategic planning rather than treating it as an afterthought, forward-thinking organizations transform regulatory requirements into differentiators that strengthen their competitive moat and create barriers to entry for less disciplined competitors.

EPA - Lean and Environment Toolkit Lean is well known for its focus and effectiveness to reduce waste specifically in production processes. The 8 sources of lean waste: defects, excess processing, overproduction, waiting, inventory, transportation, motion, and non-utilized talent have helped practitioners “see lean waste” in their processes and identify areas of improvement. A tool that is most often used is Value Stream Mapping (VSM) which adds a temporal dimension to visualize where, when, and how much waste is being used in every step of value creation. It's no wonder that this same approach is increasingly being used to “see environmental waste” in business processes. Although not considered part of Lean’s deadly wastes, environmental waste are embedded in and related to wastes targeted by lean strategies. Over the last decade Lean tools and practices have expanded to consider quality, safety, and environmental aspects. Instead, of quantifying waste only in terms of financial costs the quantification of such things as carbon footprint is becoming the new calculus by which processes are measured. One of the most comprehensive toolkits that combines lean and the environment is available is from the US Environmental Protection Agency (EPA). This toolkit provides practical strategies and techniques to: “improve Lean results—waste elimination, quality enhancement, and delivery of value to customers—while achieving environmental performance goals” Organizations that adopt this toolkit can better answer the following questions: Why should I identify environment waste in my processes? How will I know when I see environmental waste? Where should I look for environmental waste? How do I measure the environmental impacts of a process? Where can I find environmental preferable alternatives to my current process? One of the tenants of Lean is: if you can’t see it you can’t improve it. To begin to see environment waste in your organization, EPA recommends the following: Add environmental metrics to the metrics considered in Lean efforts to better understand the environmental performance of production areas. Show management commitment and support for improved Lean and en­vironmental performance by holding collaborative meetings and providing resources and recognition. Integrate environmental wastes into Lean training programs. This can be as simple as adding a few additional slides to a presentation or as ad­vanced as holding a special Lean training for EHS personnel. Make environmental wastes visible and simple to eliminate by using signs and other visual controls in the workplace. Recognize and reward environmental success accomplished through Lean. Identifying environmental wastes, calculating and optimizing for carbon footprint, and learning how to reduce environmental waste will become standard practice for Lean practitioners in an Environment-First future. Lean practitioners will need to work more closely with EHS professionals and become more knowledgeable and skilled on how to incorporate environmental aspects into their practices. These resources from the EPA are great places to start: The Environmental Professional's Guide to Lean and Six Sigma Lean and Environment Toolkit Lean and Energy Toolkit Lean and Chemicals Toolkit Lean and Water Toolkit

The Compliance Charter In project management, we don't start without a charter. Yet in compliance—where the stakes are often higher and the obligations more complex—many organizations dive in without establishing their foundational document. It's time we borrowed this proven practice and applied it where it matters most: keeping our promises to stakeholders. What Is a Compliance Charter? Drawing from both project management best practices and the structured approach of I SO 37301 , a compliance charter serves as the formal authorization and roadmap for your compliance program—the initiative that will create new organizational capabilities to improve your underlying compliance systems. Just as projects create new capabilities (a new product, system, or service), your compliance program creates new capabilities to advance compliance operability—the organization's ability to consistently deliver on all obligations across safety, quality, environmental, regulatory, and other domains. The charter provides the planning foundation that transforms compliance from scattered activities into integrated operational capability. Think of it as your organization's commitment contract to building the systems, processes, and culture needed to keep promises consistently. The Anatomy of an Effective Compliance Charter Based on proven project charter structures and compliance management principles, your compliance charter should include: Purpose & Business Case : Why this compliance program exists and what new capabilities it will create to improve how your organization manages obligations across all domains. Scope & Boundaries : Which compliance systems and processes will be enhanced or created, and which organizational areas will benefit from these new capabilities. Success Criteria : How you'll measure the effectiveness of your new compliance capabilities—not just audit pass rates, but improved ability to identify, track, and fulfill obligations consistently. Capability Goals : The specific operational competencies your program will build—integrative obligation tracking, real-time compliance monitoring, predictive risk management, or systematic compliance operability across all domains. Leadership Commitment : Top management's demonstrated commitment to building these new compliance capabilities and sustaining them over time. Resource Allocation : The people, budget, technology, and time required. If you're limited to spreadsheets and emails, you'll struggle to maintain any reasonably sized compliance management system. Risk Context : Understanding your organization's internal and external context to identify compliance risks and management approaches. Timeline & Milestones : Key deliverables and checkpoints that demonstrate progress toward operational readiness. Why Your Organization Needs This Organizations face multiple obligations simultaneously across legal, regulatory, and voluntary commitments. Without a charter, compliance efforts become reactive firefighting rather than proactive capability building. The charter forces crucial conversations: What promises are we making? To whom? How will we keep them consistently? Who's accountable? What happens when we don't? Our mission is helping organizations increase stakeholder trust by improving their ability to meet ALL their obligations. That starts with clarity about what you're trying to achieve and how you'll get there. Moving From Charter to Capability Your compliance charter isn't a document you write once and file away. It's a living commitment that guides your program's evolution as it builds the organizational capabilities needed to manage increasingly complex obligations. The charter should drive decisions about which systems to integrate first, what processes to standardize, and how to sequence capability development toward full compliance operability. As your compliance program matures, the charter helps ensure each phase builds operational strength while maintaining focus on the ultimate goal: seamless, reliable compliance delivery at organizational scale. As ISO 37301 emphasizes, effective compliance management requires principles of good governance, integrity, transparency, accountability, and sustainability. Your charter embeds these principles into your organizational DNA from day one. The question isn't whether you need a compliance charter—it's whether you can afford to operate without one. In highly-regulated, high-risk industries, the cost of unclear commitments and scattered efforts far exceeds the investment in getting this foundation right. Start with clarity. Build with purpose. Operate with confidence. Ready to develop your compliance charter? Our T otal Value Advantage Program™ helps organizations establish the essential capabilities needed to achieve compliance operability—the integrative ability to consistently meet all obligations while driving continuous improvement. Because operational compliance isn't just good practice—it's competitive advantage.

The Dual Nature of Compliance Over the years working with companies in highly-regulated industries, I've observed that organizations often struggle with compliance because they fail to distinguish between two fundamentally different types of work. They treat everything as equally urgent, pushing all work through the system regardless of actual need. This creates inefficiency and waste while failing to prevent the risks that matter most. The solution lies in recognizing that compliance involves two distinct flows requiring opposite strategies— pull for promises, push for risk. The Push of Obligations Let's start with what we cannot control. Obligations are pushed onto organizations from the outside world. Regulators don't wait for organizational readiness before issuing new requirements. Legislators pass laws on political timelines. Industry standards evolve. Customers demand certifications according to their procurement schedules. This external push is inevitable—organizations are demand-receivers in the compliance landscape. However, not all obligations come from outside. Organizations regularly push obligations onto themselves through voluntary commitments—sustainability pledges, ethical sourcing standards, diversity targets, voluntary certifications. While theoretically discretionary, competitive pressure and stakeholder expectations often make them feel just as mandatory as regulatory requirements. The critical difference: pull systems can reveal when voluntary obligations create unsustainable bottlenecks, providing data-driven insight to modify or discontinue them—a strategic flexibility that doesn't exist with mandated requirements. Pull for Promises: Making Bottlenecks Visible Obligations and Promises Once obligations exist—whether mandated or voluntary—organizations can use pull principles to fulfill them efficiently. Instead of immediately mobilizing resources when a new requirement appears, compliance work is pulled through the system based on level of commitment and applicability to the organization. A regulatory change announced with a two-year implementation window doesn't need immediate action—it needs a clearly defined trigger point that pulls appropriate resources when action becomes necessary. Pull systems excel at revealing where promise-keeping breaks down. When documentation requests accumulate before audits, when certifications expire before renewals complete, when regulatory deadlines are consistently missed—these visible accumulations pinpoint where capacity is insufficient. Pull systems reveal more than just delays. They also expose excess work from over-commitment, such as redundant reporting requirements that consume resources without adding value. They reveal duplicate delivery on promises due to lack of coordination—different departments doing similar work, preparing parallel compliance reports, or responding independently to the same stakeholder requirement. A compliance kanban board that shows work backing up, the visual management system that highlights both delays and redundancies—these are diagnostic tools that make constraints and waste obvious and actionable. This visibility enables continuous improvement. You're not guessing where to add resources or improve processes; the pull system shows you precisely where promises are falling behind to from obligation to fulfillment. Push for Risk: Prevention Requires Forecasting Risk management operates on entirely different logic. You cannot wait for a data breach to occur before implementing security controls. You cannot pull a response to a compliance violation after it has created regulatory liability. Prevention requires pushing controls, safeguards, and capabilities into place before they're needed—often for events that may never occur. This is fundamentally forecasting-based work. What regulatory changes are on the horizon? What emerging technologies might create new compliance challenges? What systemic vulnerabilities could cascade into organizational crises? Risk management demands horizon scanning, scenario modelling, and proactive deployment of countermeasures. The push approach accepts what appears to be inefficiency or waste as the necessary price of resilience. You build redundant capacity, invest in monitoring systems that may never detect an incident, and create response capabilities that might go unused. These are insurance premiums paid in organizational resources rather than money. Integrative Systems: Using Each Approach for What It Does Best The sophistication lies in connecting these two approaches. Pull-based promise-keeping generates valuable data about where compliance obligations concentrate and where failures occur most frequently. This historical pattern data should inform push-based risk investments. If pull systems consistently reveal bottlenecks in privacy compliance, that's a signal to push additional preventive controls into data governance. If promise-keeping regularly fails during regulatory transitions, that indicates a need to push more change management capability into the organization. The pull system provides the diagnosis; the push system delivers the prevention. From Reactive Chaos to Proactive Capability Organizations that lack this distinction scramble reactively when obligations arrive, pushing emergency work through systems where every new requirement feels like a crisis. There's no differentiation between what needs immediate execution and what requires long-term preparation. Organizations that understand this dual nature use push to build capability ahead of demand, then use pull to execute efficiently when obligations require action. The balance isn't about choosing between push and pull—it's about using each approach for what it does best. Pull for the promises you must keep today. Push for the risks you must prevent tomorrow. When external obligations are pushed at you—and they will be—you'll have pushed sufficient capability into place that you can pull work through efficiently. That's not just effective compliance. It's organizational resilience built on systems thinking. Raimund Laqua is founder and Chief Compliance Engineer at Lean Compliance Consulting, Inc. His focus is helping ethical, ambitious companies in highly-regulated, high-risk industries improve the effectiveness of their compliance programs.

By Raimund Laqua, Founder of Lean Compliance Why Risk Assessments Should Start with Uncertainty Walk into most organizations today, and you'll find risk management teams armed with comprehensive checklists, detailed taxonomies, and colour-coded matrices that promise to capture every conceivable threat. These frameworks are seductive in their apparent completeness—neat categories for operational risks, financial risks, strategic risks, compliance risks. Everything has its place, and every place has its thing. But here's what I've learned after years of working with organizations on their risk frameworks: these traditional risk assessments are treating symptoms, not the disease. The Symptom vs. The Disease Think of risk assessments as medical diagnoses. When a patient presents with a fever, a competent doctor doesn't simply prescribe aspirin and call it a day. The fever is a symptom—an indicator of something deeper that requires attention. The fever might signal anything from a minor infection to something far more serious. To provide effective treatment, you must identify and address the underlying cause. Traditional risk assessments operate like symptom-focused medicine. They catalogue the visible manifestations of risk—the potential for data breaches, supply chain disruptions, regulatory violations, market volatility. These are indeed risks worth considering, but they are symptoms of a more fundamental condition: uncertainty. Uncertainty is the root pathogen in the risk ecosystem. It's the fertile ground from which all risks grow. And just as effective medicine requires understanding the pathogen before prescribing treatment, effective risk management demands that we first understand and contend with uncertainty in all its forms. The Anatomy of Uncertainty Uncertainty isn't monolithic. It comes in distinct varieties, each requiring different approaches and interventions. Understanding these differences is crucial to developing effective risk strategies. Aleatory uncertainty represents the inherent randomness in systems—the fundamental unpredictability that exists even when we have complete information about a process. Think of rolling dice or the precise timing of radioactive decay. No amount of analysis will eliminate this uncertainty because randomness is built into the fabric of the system itself. Epistemic uncertainty , by contrast, stems from our lack of knowledge or understanding. This is the uncertainty that exists because we don't know enough about the system, haven't collected sufficient data, or lack the models to make accurate predictions. Unlike aleatory uncertainty, epistemic uncertainty can potentially be reduced through research, data collection, and improved understanding. But the uncertainty landscape extends beyond even these well-established categories. There's model uncertainty —the risk that our fundamental assumptions about how systems work are flawed. There's ambiguity uncertainty —situations where even the nature of the problem itself is unclear. And there's emergent uncertainty —the unpredictability that arises from complex interactions between multiple systems and stakeholders. The Strategic Response to Uncertainty Once we recognize uncertainty as the source rather than just another item on our risk checklist, our strategic options become clearer and more nuanced. Different types of uncertainty demand different responses, and understanding this matching is where sophisticated risk management begins. Some uncertainties demand isolation. When facing massive, systemic uncertainties that could fundamentally threaten an organization's existence, the wisest course may be complete avoidance. These are the uncertainties so vast and potentially catastrophic that no amount of mitigation can adequately prepare you for their impact. Think of a small technology company choosing not to enter markets dominated by nation-state actors, or a regional bank avoiding exposure to global derivatives markets. Sometimes the best risk management is recognizing when not to play the game at all. Some uncertainties require cushioning. These are the uncertainties that create inevitable risks—situations where negative outcomes will occasionally occur, but where the timing and magnitude remain unpredictable. Here, the strategy isn't prevention but resilience. You build buffers, create redundancies, establish reserves, and develop rapid response capabilities. A manufacturing company that maintains diverse supplier relationships isn't eliminating supply chain uncertainty—they're cushioning themselves against its inevitable manifestations. Some uncertainties can be actively reduced . This is where traditional risk mitigation shines, but only when applied with precision. When uncertainty stems from lack of knowledge or inadequate processes, you can invest in research, data collection, training, and system improvements. When uncertainty arises from insufficient controls, you can implement monitoring and governance mechanisms. The key insight is recognizing which uncertainties are genuinely reducible and focusing your mitigation efforts there. Most uncertainties require mixed strategies. The real world rarely offers pure cases. Most significant uncertainties contain elements that can be reduced, aspects that require cushioning, and components that might necessitate partial isolation. Sophisticated risk management involves decomposing complex uncertainties into their constituent parts and applying the appropriate strategy to each component. Transforming Risk Assessment Practice In my work developing lean approaches to compliance and risk management, I've seen how this uncertainty-first approach fundamentally changes how we conduct risk assessments. Instead of beginning with predetermined risk categories, we start by systematically identifying and characterizing the uncertainties that pervade our environment. Instead of immediately jumping to mitigation strategies, we first classify uncertainties by type and reducibility. The questions change too. Rather than asking "What risks do we face?" we begin with "What don't we know, and what can't we predict?" Rather than "How likely is this risk?" we ask "What type of uncertainty creates this risk, and what does that tell us about our strategic options?" This shift in perspective often reveals blind spots in traditional assessments. It highlights uncertainties that don't fit neatly into conventional risk categories. It exposes assumptions we didn't realize we were making. And it opens up strategic options that symptom-focused approaches might overlook. The Path Forward Through years of consulting with organizations struggling with traditional risk frameworks, I've found that improving risk assessment isn't about abandoning existing frameworks entirely—many traditional tools remain valuable for specific purposes. Instead, it's about establishing uncertainty analysis as the foundation upon which all other risk activities build. This means developing organizational capabilities to identify uncertainties systematically, classify them accurately, and match them with appropriate strategies. It means training teams to think like epidemiologists of risk—tracking uncertainties to their sources rather than just cataloguing their symptoms. Most importantly, it means accepting that effective risk management is less about predicting the future and more about building adaptive capacity to handle whatever uncertainties that future might hold. The organizations that thrive in an uncertain world won't be those with the most comprehensive risk checklists. They'll be those that best understand the uncertainties they face and have developed nuanced, strategic approaches to contending with them. After all, in a world where uncertainty is the only certainty, shouldn't our risk management reflect that fundamental truth?

AI Risk Containment Architecture Industrial leaders in safety-critical, highly regulated sectors like energy, chemical processing, oil&gas, and nuclear face an important challenge: how to harness the transformative power of A I—such as predictive maintenance, process optimization, and deep analytics—without compromising the safety systems, regulatory compliance, and operational integrity that protect people and infrastructure. Direct integration of AI into operational or enterprise systems introduces unacceptable risks, as even minor algorithmic errors can lead to regulatory violations, safety incidents, or catastrophic disruptions. To address this, industries can draw from proven frameworks like ICH Q8 in pharmaceuticals and ISO PAS 8800 in automotive safety, which emphasize containment and isolation of experimental technologies. This paper proposes a similar architecture for AI: one that separates Artificial Intelligence Technology (AIT) into bounded domains with controlled interfaces to Operational Technology (OT) and Information Technology (IT), enabling innovation while preserving compliance and operational excellence. Download our free white paper here:

When it comes to GRC systems, there can be a significant gap between what gets implemented and what's actually needed to achieve the performance and outcomes we're after. GRC system failures can be attributed to (among other things) practitioners lacking the fundamentals: understanding regulatory requirements, control theory, and how to translate compliance obligations into effective socio-technical solutions. At its core, this is requirements engineering and system design work. Yet how many self-proclaimed "GRC engineers" can actually design systems and processes that deliver meaningful data privacy, security, or compliance outcomes? Simply calling yourself an engineer doesn't make you one. This isn't just about credentials—it's about competence and trust. Organizations and the public deserve systems built by people who truly understand their craft. We demand reliability and integrity from our systems; shouldn't we expect the same from the people who build them? Other engineering disciplines have practice standards and licensing for good reason. As GRC automation becomes increasingly critical to organizational governance and public safety, we need similar standards to ensure practitioners are actually qualified for the work they claim to do. It's time to establish formal practice standards for GRC engineering—education requirements, competency assessments, and right-to-practice protections that ensure only qualified professionals design and implement the systems protecting our organizations and communities. What's your take on this? I'd love to hear your thoughts.

Ethics in AI is fundamentally an alignment problem between technological capabilities and human values. While discussions often focus on theoretical future risks, we face immediate ethical challenges today that demand practical solutions, not just principles. Many organizations approach AI ethics as an obstacle to innovation - something to be minimized or sidestepped in the pursuit of capability development. This creates a false dichotomy between progress and safety. Instead, we need to integrate ethics directly into development processes to address real issues and risks. The practical application of ethics doesn't hinder innovation but ensures AI systems are truly safe. This integration requires understanding that AI challenges span multiple dimensions. At its core, AI is simultaneously a technical, organizational, and social problem. Technically , we must build robust safety mechanisms and engineering practices. Organizationally , we must consider how AI systems interact with existing processes and infrastructures. Socially, we must acknowledge how AI reflects and amplifies human values, biases, and power structures. Any effective solution must address all three dimensions. A multi-faceted approach helps us tackle issues like fairness. When we talk about mitigating bias in AI, we're really asking: when is statistical bias a legitimate problem versus simply representing a different valid perspective? Applied ethics in AI helps us address these complex issues along with balancing competing values such as privacy versus security, transparency versus intellectual property protection – with no perfect solutions, only thoughtful compromises. Even seemingly technical decisions carry ethical weight. Consider prompt efficiency, which directly impacts energy consumption – making our usage choices inherently ethical ones with environmental consequences. Technical decisions accumulate to create systems with profound social impacts. This is why we need clear metrics to measure success in ethical AI deployment – how do we quantify fairness, transparency, and explainability in meaningful ways? The distinction between human and artificial intelligence also creates an opportunity to uncover previously overlooked human potential – qualities and capabilities that may have been undervalued in our efficiency-focused world. As we build AI systems, we should continuously ask: where can AI best complement human work, and which capabilities should remain distinctly human? Moving Forward: From Principles to Practice The future of AI will be determined not by what we wish or hope for, but by what we actually create through concrete actions. Instead of abstract principles, we need practical implementations built on clear ethical requirements. In regions considering AI deregulation, organizations must strengthen self-regulation practices. While reduced regulation may accelerate certain types of commercial innovation, it risks neglecting safety innovation without proper oversight and incentives. We need breakthroughs in AI safety just as much as we need advances in AI capabilities. The path forward isn't about choosing between innovation and ethics, but recognizing that ethical considerations make our innovations truly valuable and sustainable. Through all of this, remember the simplest principle: be good with AI.

By Raimund Laqua, Lean Compliance Engineer Mistakes aren't failures—they’re lessons. You see this quote everywhere. LinkedIn. Motivational posters. Team meetings. It sounds wise until you work in compliance. Because when compliance engineers make mistakes, people die. The Problem with Mistake Worship The Challenger explosion. Boeing's 737 MAX crashes. The 2008 financial meltdown. These weren't "learning opportunities"—they were preventable disasters where someone's mistake became everyone else's tragedy. I've watched too many post-incident reviews where we nod solemnly, update our procedures, and promise to "learn from this." But learning from mistakes is fundamentally reactive. We're saying: "Let's fail first, then get better." What if we didn't have to fail at all? Poka-Yoke: From Mistake-Proofing to Promise-Keeping In LEAN management, there's a concept called Poka-Yoke—traditionally defined as mistake-proofing. But I prefer to think of it as engineering processes where obligations will always be met and promises kept. Instead of training people to be perfect, you design systems that reliably help organizations deliver on commitments. You make it easier to keep promises rather than break them. Think about USB-C cables. You can't plug them in wrong because there is no wrong way. The connection is engineered to work every time. Now apply this to compliance. Engineering Reliable Delivery Build obligation fulfillment into the process.  If safety inspections must happen before equipment startup, don't rely only on procedures—make startup electronically impossible without all the essential safety aspects in place and operational. Engineer commitment keeping.  Your car won't start without a seatbelt. Your procurement system shouldn't approve purchases without environmental assessments. Design continuous assurance.  Don't wait for quarterly audits to verify compliance. Build systems that provide real-time confirmation—dashboards that show obligation status, alerts that trigger before deadlines, processes that maintain compliance automatically. The key insight: engineer systems where keeping promises is the natural outcome, even when people are stressed and rushing. When Prevention Fails Even perfect systems have failures. But Poka-Yoke isn't just about prevention—it's about rapid detection. Fail small and fast before small problems become big disasters. Manufacturing uses statistical process control to catch deviations immediately. Compliance needs similar real-time monitoring. Not quarterly reports or yearly audits—constant visibility into drift before it becomes non-compliance. Stop Blaming People, Start Fixing Systems When compliance fails, we ask "Who screwed up?" Better question: "What in our system allowed this to happen?" Individual blame misses the point. In complex systems, human error is usually a symptom of poor design. Fix the system, and you fix the error. The Reality Check Perfect systems don't exist. People will always find workarounds when pressured. But that's exactly why we need Poka-Yoke thinking—design for the humans you have, not the perfect humans you wish you had. Stop celebrating your ability to learn from mistakes. Start celebrating your ability to prevent them. The best lesson is the one you never have to learn the hard way. Raimund Laqua is a Lean Compliance Engineer focused on applying operational and lean principles to operationalizing regulatory and voluntary obligations.

Three operational rings power organizations towards total value from their GRC, ESG, Quality, Security, Regulatory, Ethics, and compliance investments, even when facing uncertainty: 🔸 Ring of Alignment (coordinated effort towards targeted outcomes) 🔸 Ring of Performance (capabilities to meet obligations) 🔸 Ring of Consistency (conformance to standards) Operational Rings of Power These are held together by the fellowship of: 🔸 Feed Forward Processes - leading indicators and actions, and 🔸 Feed Back Processes - lagging indicators and actions When these are operating together as one, obligations can be met and stakeholders will experience the benefits from being in compliance: improved quality, safety, environment, security, sustainability, and so on – the real power of compliance. And who knows, you might even defeat the forces of Mordor and save Middle Earth. Now wouldn't that be something.

By Raimund Laqua, P.Eng. - The Lean Compliance Engineer Uncertainty Creates the Opportunity for Risk I've sat through countless meetings where we talk about being "proactive"—whether it's safety, security, or quality. Yet here we are, still chasing incidents after they happen, still writing corrective actions for problems we should have seen coming. Sound familiar? Here's what I've learned after three decades in risk & compliance: we're fighting the wrong battle. The Real Enemy Isn't What You Think We obsess over the symptoms—incidents, failures, breaches, defects. But here's what we miss: uncertainty creates the opportunity for risk . These incidents are just manifestations of that risk. Hazards, threats, and failure modes? They're all manifestations of uncertainty. Think about your last major incident—safety, security, or quality related. The failure, the breach, the defect—those were risks that became a reality. But the real question is: why didn't we see it coming? Because we weren't looking at the uncertainties that created those risk opportunities in the first place. Why Traditional Programs Feel Like Whack-a-Mole Most risk & compliance management programs treat risk as a pest to eliminate. Write better procedures! More training! Tighter controls! But you can't eliminate risk when uncertainty keeps creating new ones. I've seen this pattern repeatedly across different organizations and domains. The root cause isn't equipment, people, or processes—it's uncertainties that keep creating fresh risk opportunities. What Actually Works The smartest professionals I know don't chase the symptoms of uncertainty (i.e. risk) —they map the uncertainties creating those opportunities. When we run HAZOP s in process safety, we're asking: "What uncertainties exist here, and what risk opportunities might they create?" In cybersecurity, threat modelling does the same thing—identifying uncertainties in system behaviour that create attack opportunities. Quality engineers use FMEA to map uncertainties in manufacturing processes that create defect opportunities. In aerospace, STAMP analysis tracks how uncertainties cascade through control systems, creating risk opportunities at every interaction. Even business consultants figured this out. CYNEFIN maps help teams recognize different types of uncertainty and the unique risk opportunities each creates—whether you're managing operational safety, cyber-security threats, or product quality. The Question That Changes Everything After years of watching organizations struggle with this across multiple domains, I'm convinced the future belongs to teams that hunt uncertainties—not the ones still swatting at symptoms – the effects of uncertainty. Instead of asking "How do we prevent this incident?" try asking "What uncertainties are creating the opportunity for risk to become a reality?"

AI Assistants - Blessing or Curse? The rise of Generative AI has taken the world by storm, and AI assistants are popping up all over the place, providing a new way for people to approach their work. These assistants automate repetitive and time-consuming tasks, enabling individuals to focus on more complex and creative work. However, for some, it is just an improvement in productivity, and they question whether the use of AI assistants may lead to them losing their jobs. For those starting to use AI assistants, they are indeed a blessing, providing much-needed relief for overworked employees. The improved productivity is creating needed capacity and some extra space in already full workloads. However, this is expected to be short-lived as these benefits become normalized and expected. The buffer we now experience will be consumed and used for something – the question is what? No wonder there is a fear that the widespread use of AI assistants may lead to significant job reductions. Some jobs will be redundant, while others will be expected to double their workloads. For instance, if someone used to write ten articles a week, they may now be expected to do twenty using AI assistants. So, where is the real gain for the organization apart from fewer people and perhaps marginal cost reductions? Is this the same story of bottom line rather than top-line thinking. How To Use AI Assistants To Achieve Better Outcomes The key to realizing transformational benefits of AI lies in adapting businesses to fully exploit the capabilities of these tools, without exploiting the people impacted by the technology. Dr. Eliyahu Goldratt (Father of the Theory of Constraints) believed that technology could only bring benefits if it diminished a limitation. Therefore, organizations must ask critical questions to exploit the power of AI technology: What is the power of the new technology? What limitation does the technology diminish? What rules enabled us to manage this limitation? And most importantly, what new rules will we now need? Keeping the old limitations that we had before the new technology limits the benefits we can realize. It is by removing the old rules and adopting new ones that creates transformational benefits. By providing credible answers to these questions, organizations can achieve a return on investment that is both efficient and effective, enabling their employees to focus on higher-level tasks and achieve more significant outcomes – higher returns not just lower costs. This will enable companies to move beyond the short-lived relief of AI and realize its true potential as a transformational tool. Which Path Will You Take? The use of AI will be a threat for some but an opportunity for others. If history repeats itself many organizations will adopt AI assistants, realize the efficiency gains, and pat themselves on the back for a short-term win. However, as these benefits become normalized they will soon be back to where they began. Any gains they might have realized will be lost and they will be left doing more with less except now with their new AI assistant. On the other hand, there will be others who asked the right questions, changed existing processes, and created new rules that will enable them to reap the full benefits of AI technology. They will realize compounding benefits that will accrue over time. What the future holds will depend on which path you take and your willingness to take a longer term perspective focused on improving outcomes rather than just reducing costs. Which path will you take?