SEARCH
Find what you need
609 results found with an empty search
- A Credible Program Needs A Credible Plan
Complying with regulatory acts is not optional and ignorance of the law is not a defence. A credible compliance program will help organizations stay within the law by being aware of legal obligations and safeguarding against the risk of violating regulatory and legal boundaries. At the same time, a credible compliance program needs a credible plan to design, build, operate, maintain, and improve over time. Creating a task list and doing the basics are not enough to establish credibility or achieve effectiveness. In this article we take a deep dive into the Canadian [ guidelines ] regarding corporate compliance programs along with 5 immutable principles for program success. Purpose of a Corporate Compliance Program The Canadian guidelines on corporate compliance defines the purpose for a compliance program in the following way: A good corporate compliance program helps to identify the boundaries of permissible conduct, as well as identify situations where it would be advisable to seek legal advice. In essence a corporate compliance program keeps organizations operating within regulatory and legal lines. These lines form the basic boundaries for compliance with respect to a regulatory license to operate. Additional obligations will come from stakeholder commitments which have more to do with a social license or at minimum; internal boundaries defined by corporate values. These will in turn create additional boundaries that go beyond the basics. Benefits of a Corporate Compliance Program According to the guideline, a credible and effective corporate compliance program generates three broad benefits: it signals an entity’s seriousness in tackling and addressing the legal obligations and ethical considerations facing businesses today; reduces costs of compliance by helping to clarify, for business managers and officers, the boundaries of permissible conduct as well as situations that could put their business at risk of violating the Acts; and should there be any violations of the Acts, it provides a possibility for the business to mitigate the cost of non‑compliance. The following specific benefits may also be realized: maintaining a good reputation; improving a business’ ability to recruit and retain staff—a business with a reputation for compliance is likely to attract higher‑quality employees and have a better employee retention rate; improving a business’ ability to attract and retain customers and suppliers who value companies that operate ethically; reducing the risk of non‑compliance; triggering early warnings of potentially illegal conduct; allowing a business to qualify for favourable treatment in sentencing, or reducing costs related to litigation, fines, AMPs, adverse publicity and the disruption to operations resulting from an investigation and/or proceedings before the court reducing the exposure of employees, management and the business to criminal or civil liability; educating employees as to the appropriate course of conduct if called upon to provide evidence in the course of an inquiry or if the company is the target of such an inquiry; assisting a business and its employees in their dealings with the government—for example, by identifying contraventions of the regulatory acts early enough to request immunity or leniency; and increasing awareness of possible conduct in breach of regulatory acts among competitors, suppliers and customers in the market. With respect to stakeholder obligations (internal or external) the following additional benefits may also accrue: reduced impact on the environment safer work environment greater data protection and privacy increased legitimacy greater stakeholder value greater trust Basic Requirements for a Corporate Compliance Program A credible and effective compliance program is one that addresses the risk profile of the business taking into account its resources and activities. In all cases a compliance program should have these seven basic elements as described in the guideline: Management Commitment and Support – Management's clear, continuous and unequivocal commitment and support is the foundation of a credible and effective corporate compliance program. Risk‑based Corporate Compliance Assessment – A thorough assessment of the potential risks faced by a company will allow it to properly design compliance strategies that address those risks. Corporate Compliance Policies and Procedures – A corporate compliance program should be tailored to the operations of a business and establish internal controls that reflect its risk profile. Compliance Training and Communication – A credible and effective corporate compliance program includes on‑going training and communications focusing on compliance issues for staff at all levels who are in a position to potentially engage in, or be exposed to, conduct in breach of the Act. Monitoring, Verification and Reporting Mechanisms – Monitoring, verification and reporting mechanisms are vital to the success of any corporate compliance program. Consistent Disciplinary Procedures and Incentives for Compliance – Consistent disciplinary actions as well as appropriate compliance‑related incentive plans demonstrate the seriousness with which the business views conduct in breach of the Act and its commitment to compliance. Compliance Program Evaluation – A program’s ability to deliver its core objective must continuously be assessed. It is also necessary to monitor new developments regarding the Acts and business activities to determine their impact on the program. However, to realize the broader set of compliance benefits organizations will need to go beyond these basic requirements. A Credible Program Needs a Credible Plan Instead of doing the basics, organizations should do what is essential to realize compliance benefits and contend with operational risk. A credible and effective program with needed capabilities to achieve and sustain the outcome of compliance evidenced by realized benefits requires a credible plan. Programs at an operational level manage systems and processes that achieve compliance objectives. These systems are social-technical in nature and objectives will vary in type and performance requirements. This all happens in the presence of uncertainty and may itself be subject to internal standards and guidelines. The following are 5 immutable principles of program success adapted from Glen Alleman’s ([ Five Immutable Principles of Project Success ]). PRINCIPLE PLANNING QUESTIONS EVIDENCE PRINCIPLE IS FOLLOWED 1. Define what compliance looks like. Where are we heading? What are our goals and targets? What are our obligations & promises? How will we know when we are in compliance and when we are not? Program Scope & Context Obligations / Promises Register Concept of Operations 2. Create plan to realize and sustain compliance. How will we meet all our obligations? How will we keep all our promises? How will we always stay between the lines? How will we manage change? How will we improve? Integrated Master Plan & Schedule (IMPS) 3. Resource the plan. Do we have enough resources (people, technology, knowledge, capabilities, capacity etc.) to satisfy the plan? Program Resource Plan 4. Estimate and handle uncertainty. What impediments or opportunities will we encounter? What could go wrong? What needs to go right? How will we recover when boundaries are breached? What is the nature of uncertainty (aleatory, epistemic, ontological, etc.) What is our risk appetite? What is our risk tolerance? Risk and Opportunity Register Risk-adjusted IMPS Risk Management Plan 5. Measure progress. How will success be measured? (MoE) How will performance be measured? (MoP) How will conformance be measured? (MoC) How will risk be measured? (MoR) Benefits realized Outcomes advanced Risk ameliorated Following these principles has proven to increase the probability of success across all domains by helping organizations develop and execute credible program / project plans.
- The Compliance Dance – Closing gaps and raising standards
When it comes to meeting revenue, margins, and overall business objectives many organizations establish performance-based systems and processes to ensure that they meet their targets. However, when it comes to keeping compliance promises associated with quality of service, impact on the environment, worker and public safety, organizations often put in place less rigorous systems where the notion of performance is connected more to cost rather than advancing outcomes. Many organizations also limit their compliance efforts to reducing liability and avoiding prosecution by establishing audit processes to close the gap between work-as-prescribed and work-as -done. Compliance performance is measured by the size and number of gaps that are discovered and the costs associated with closing them. That is not the story for some organizations that aim higher and commit to achieving broader goals for their compliance such as: zero violations, zero emissions, zero fatalities, zero incidents, zero harm, zero breaches and other standards. There are many good reasons why companies will want to do this which I have written about here and here . For these organizations a different approach is taken, one that establishes processes that not only close the gaps to standard but also raises the standard towards the ideal. Even when they are closing gaps they will take a more holistic perspective that focuses on outcomes and effectiveness at the same time as efficiency and cost. Closing Gaps Maintaining consistency to a standard is the primary function of a compliance system and is accomplished by closing the gap between work-as-imagined or work-as-prescribed and work-as done .: Conformance gaps : what standards are we not consistently achieving that if we did would advance compliance effectiveness? However, there are other gaps that also need to be addressed: Performance gaps: what are we doing that if we did more of would improve compliance effectiveness? Capability gaps: what are we not doing that if we did would improve compliance effectiveness? Achievement gaps: what objectives are we not achieving that if we did would advance compliance effectiveness? Uncertainty gaps: what threats or opportunities hinder or advance our objectives to meet all our obligations? The conformance gap is by far the most common and often the only one that many companies pay attention to particularly with respect to prescriptive obligations. However, these are what are called necessary, but not sufficient conditions to achieve or advance targeted compliance outcomes. You could say that closing these gaps are not improvements at all but rather steps along the way to operational compliance where real improvements can start to be made. Raising Standards Achieving effectiveness is the purpose of all compliance programs and accomplished by raising standards as needed to achieve the targeted levels as measured against progress towards compliance outcomes such as vision zero targets (zero harm, zero violations, zero incidents, and so on). This is not unlike how how a LEAN organizations use pull systems to improve the performance of their production processes. Performance issues are often hidden although they commonly manifest themselves as stockpiles of inventory. What is difficult is knowing which part of the process to change that will result in overall increases in productivity and the reduction of these stock piles. You can imagine asking the very same question when it comes to obligation debt where the gaps also pile up. Where do you improve your compliance performance? In LEAN thinking we pull customer demand (rather than pushing it) to stress a production process to expose the parts in the process that are hindering performance the most. These are the activities that are not able to keep up that create wait times upstream which lets you know what to improve first, second, and so on. This approach is repeated until the flow through production creates zero wait times and continuous flow is achieved: zero waste and the highest performance. Using this process Taiicho Ohno was able to double the capacity of Toyota's manufacturing with the same number of people. The same can be achieved with respect to doubling a company's ability to meet their obligations with the same cost. Wouldn't that be good! What a pull system does for manufacturing is what raising standards does for compliance. When you raise standards you quickly observe the areas that are holding you back the most. You will then have a ranked list of areas to improve to unleash greater compliance capacity, efficiency, and obligation performance. You will also be able to identify any uncertainty in meeting obligations which will tell you where to put your risk controls. The Challenge The challenge that many organizations face is how to do both: close gaps while raising standards at the same time. It is a dance that most never learn. Many never move beyond closing gaps and many will wait until a major incident has occurred before they raise their standards. Unfortunately, waiting is not only a waste when it comes to manufacturing, it is also a waste when it comes to compliance. Compliance is famously known for bottom line thinking focused on passing audits. Seldom is any attention given for top line considerations which would include better outcomes for the organization. We know that in order to achieve mission success organizations need to focus on both top and bottom lines, however, what many don't know is that this is also true for meeting obligations. The compliance dance is not really anything new. It is the same dance that organizations have applied for years to their value chain and now need to apply to their compliance chain. You take two steps forward, and then one step up, do the hokey pokey and turn your compliance around. That's what its' all about.
- The Qualitative Nature of Quality
The purpose of a quality program is fundamentally to improve the quality of something. However, with today's focus on quality systems and conformance to standards, this is often overlooked and why we need to revisit what quality is and how it can be improved. Companies that only implement quality systems will at best improve the quantity of things and risk not making a qualitative difference in outcomes. Quality by its very definition requires making distinctions between qualitative differences of products and services in ways that improve the suitability for its intended use. However, perhaps more importantly, "does this characteristic also qualitatively improve customer satisfaction?" Both of these questions extend beyond numerical to value-based comparisons for their answers. Over the last decade there has been significant attention given to the quantitative aspect of quality with Six Sigma and LEAN leading the way. In fact, even when considering qualitative characteristics they are often mapped to quantitative measures to serve as a "proxy", although not always a good one. Quantitative measurements are considered by many as better than qualitative measurements. One of the reasons given for this is that the former are objective whereas qualitative measurements are subjective and therefore prone to biases. However, they serve different purposes and you cannot replace one for the other. You need both if you want to improve quality, otherwise you risk only improving quantifiable aspects of a product or service at the risk of actually improving quality. This focus on quantitative measures has also been applied to quality management systems where key performance indicators are measured and monitored. Management systems are regulated, as their production counterparts are, to maintain a consistent output using: standard operating procedures, measurements and monitoring, inspections and audits, and so on. You could say that systems manage the quantitative aspect of quality. What is missing is the management of the qualitative aspect of quality and this is where quality programs come in. Quality programs are focused on qualitatively improving an attribute or outcome. Programs manage the gap between the quantitative world based on facts and the qualitative world based on values. One way to understand this is by considering the following scenario involving regulating the temperature of a house. Houses typically have a heating and cooling system (HVAC) to regulate temperature. The objective of the HVAC system is to maintain the internal temperature of the house at the parameter set by a thermostat. This parameter is called the, set point, and represents a numerical value for temperature. The HVAC system is always answering the question, "is the temperature in the house equal to the set point?" The answer is given as an offset (positive or negative) used to determine whether to heat or cool the house. However, what the HVAC system cannot do is answer the question, "is the room comfortable?" That is a qualitative measure which requires a value judgment. If you have more than one person who live in your house you know that each person will have a different idea of what is "comfortable." This value decision is made by a person who then adjusts the thermostat (i.e. set point) accordingly. This is precisely what quality programs do, they facilitate making value decisions connected with customer satisfaction which are then used to adjust set points to underlying systems (management and production) to achieve the desired outcome. This is in some fashion a form of regulation based on a qualitative assessment instead of a quantitative measure. While qualitative regulation is an important capability missing from many organizations, it perhaps is not the most important function of a quality program. There is still another question that quality programs answer that can significantly influence customer satisfaction and it is this, "are our systems capable of achieving customer satisfaction?" In the case of the heating and cooling scenario, "is the HVAC system capable of keeping the room comfortable?" an HVAC system may not: be fast enough to heat or the cool the room in response to external changes in temperature, adequately address humidity control the temperature evenly across the entire house Addressing these may require a different HVAC system that is more capable, or at a minimum, require improvements to the performance of the system. These are changes that the owner of the house may choose to do to be more comfortable. In the same way, quality program owners decide on changes to underlying systems to improve customer satisfaction. It is by making these decisions that the gap between quantitative and qualitative or output and outcomes is managed. Without a quality program to determine these changes companies are at risk of only improving the quantity of things without making a qualitative difference in outcomes.
- Two Obligations You Cannot Ignore
When it comes to compliance there are two primary obligations that you cannot ignore: stay between the lines and stay ahead of risk. Staying between the lines is focused on keeping risk out and certainty in. We want to operate within ethical, legal, and beneficial boundaries necessary to maintain mission success. This is accomplished by such things as codes of conduct, rules, limits, guardrails, protocols, guidelines, procedures, and policies. Improvements are triggered by incidents of operating near or outside the lines. Staying ahead of risk is focused on advancing the probability of mission success. This is a dynamic and continuous endeavour to keep the dragons of uncertainty at bay and far enough away to interfere with our mission. This is accomplished by contending with uncertainty using margins and buying down risk to levels needed for our strategy to succeed. Improvements are triggered by the presence of uncertainty between us and our objectives.
- 10 Things I Learned About Compliance
The following is a list of 10 things that I learned about compliance that may not be well known to those outside of compliance or even those who are compliance veterans. 1. Compliance protects value and makes certain it is created. 2. Compliance does not hinder innovation, it creates the opportunity for it. 3. Uncertainty is the root cause of all risk - negative and positive. 4. Risk that really matters are the ones connected with goals and objectives. 5. Risk-adjusted plans improve the probability of success in the presence of uncertainty not in spite of it. 6. LEAN reduces waste to create capacity for more value. 7. Governance provides oversight and actively steers towards better outcomes. 8. Compliance culture is built with action not only by what people believe. 9. Taking ownership of obligations is a prerequisite for compliance success. 10. Keeping promises is the best way to ensure obligations are always met. And one more .. The "C" in compliance stands for care because where there is care you will find safety, security, sustainability, quality, and other compliance outcomes. What have you learned about compliance?
- How to align operational objectives with organizational values
When it comes to operations an important goal is to achieve and maintain consistency of work. Standardized work is essential for the creation of value. However, it is also important to protect this value and why compliance needs to be involved. Benefits of Standard Work There is value in doing things the same way each time: increases worker productivity provides structure saves time establishes predictability simplifies training and many others Establishing standard work and performing it without variation is an essential aspect of effective operations. However, establishing standard work can have a downside. It may end up normalizing the absence of other behaviours and practices needed by the organization. Benefits of Standard Values Not only do we need consistency of work we need consistency of values - harmony of parts to one another and the whole organization. This requires aligning operational objectives with organizational values. We know from systems theory that a system designed for productivity will optimize for productivity at the expense or away from everything else. Similarly, if the goal is both productivity and safety then the system will optimize for both. This is one of the reasons why it is essential that organizational values are included as part of operational design. We don’t want systems that are only productive. They need to also be safe, secure, protect privacy and the environment along with other desired outcomes. Another way of saying this is that operations needs both standard work and standard values . If you don’t you will end up with standard work without any values – a consequence of system theory. How to Align Work with Value A good place to start is by identifying and documenting commitments (i.e. promises) to organizational obligations associated with safety, security, privacy, environmental, and so on. These promises can then be embedded into operational systems, processes and procedures. Supporting these promises will help keep operations aligned with organizational values. The Hoshin Kanri Process is helpful here. It provides a means to negotiate operational goals and objectives with organizations counter parts associated with obligations: Instead of a pushing obligations down, this process invites voluntary commitments which encourages ownership – a necessary condition for proactive and risk-based endeavours.
- Why Didn’t Risk and Compliance Programs Change During the Pandemic?
In a recent risk and compliance survey it was reported that the pandemic did not significantly disrupt risk and compliance programs although it did impact priorities. The fact that programs emerged relatively unscathed was interpreted as a good thing which I find difficult to understand and even troubling. The report goes on to say that risk & compliance programs were under-resourced with leadership commitment wavering. Data was also reported as not being effectively utilized to reduce risk and by enlarge risk and compliance was struggling. Now with an increase in risk awareness over the last year we should have seen a corresponding increase in leadership commitment with greater resolve to improve risk and compliance programs. These would have resulted in risk & compliance programs being disrupted although in a positive way rather than remaining the same; relatively “unscathed.” Programs would have increased in capabilities, maturity, and most of all effectiveness – all of this in earnest. However, this kind of disruption was not observed. Only priorities were changed weakened by competing interests. So what happened? Why didn’t risk and compliance change during the pandemic? Perhaps for many organizations the answer was one or more of the following: We don''t believe that risk has changed - the underlying uncertainties and its possible effects have not substantively changed that would warrant changes to the risk and compliance programs. What we are doing is adequate - greater investment in risk and compliance is not needed as existing measures are sufficient to cover any changes to risk. We have not seen any or enough benefit from our existing programs - risk and compliance programs have lacked effectiveness and further investment in measures would most likely be wasted. We don’t know how to improve - there is no process or adequate know-how to advance risk and compliance maturity so we are stuck where we are. Essentially, we are not prepared to expand risk & compliance. We are are too reactive to change - too much time is spent fighting fires to plan and effect needed improvements. Whether the reason was one of the above or something else the end was still the same for many companies – status quo. It appears the only defence was the tactic to change priorities. This may have resulted in minor improvements to programs but these will be short lived subject to further changes when priorities yet shift again. The way forward is to not only change or introduce new tactics as important as this may be. What is missing from many organizations which needs to be addressed is a program to govern risk & compliance effectiveness that includes processes to adapt and improve performance over time. Resiliency is built through continuous improvement not by fixing fires, closing gaps, or changing near-term priorities. Do you agree? What do you think? Reference: https://www.jdsupra.com/legalnews/new-benchmark-report-reveals-key-risk-7967546
- The Effects of Cyber Risk on Compliance Programs
On May 12th, the WanaCry (Wana Decrypt0r) worm began affecting computers worldwide. Among the many industries, companies, and individuals affected, the UK National Health Service (NHS) was hardest hit placing patients possibly at risk. This is a wake up call for all organizations. This should increase the level of concern as to an organization's ability to operate safety should a threat materialize. Cyber risk has the potential to affect compliance programs which are intended to keep: people, the environment, and businesses safe. Threats like those similar to the WanaCry worm could disrupt an organization's ability to: Shutdown a process Make safety and security decisions Access critical information and documents such as: safe work practices, shutdown procedures, critical defeats register, and so on. Having an effective cyber security program is an essential part of today's compliance platform. International standards such as: IEC 61511, IEC 61508, ISA S84, and others provide guidance and are considered best practices. However, aligning cyber security with process safety programs continues to be an important challenge for companies to address. Like all best practices they need to be applied, followed, and then continuously monitored as to their effectiveness. In light of recent news, this is the perfect time to review and evaluate the effectiveness of your cyber security, emergency preparedness, and safety management programs. Plan -Do-Check-Act Questions: Which compliance programs, if disrupted, would most hinder your organization's ability to operate safely? What procedures are in place to continue operating safely in case of a cyber attack? Does your cyber risk assessment extend beyond covered processes or high consequence areas? Are there any gaps in coverage? Is the identification of cyber risks part of your overall risk management program? What step can you take to improve the management of cyber risk within your organization?
- Are Your Risk & Compliance Programs Effective?
More than 75% of companies never measure the effectiveness of their risk & compliance programs. As a result they don't now if their efforts are helping or hurting the achievement of mission objectives or the protection of value and reputation. We created the Proactive Certainty Scorecard™ (Version 3) to help organizations quickly assess how well their risk & compliance programs are doing. This evaluation can be completed in 20 minutes and will provide you with valuable insights on how you can: better meet your all obligations, reduce risk, and build greater stakeholder trust. After you complete this scorecard we will schedule a free orientation session with one of our risk & compliance experts to help you quickly identify areas of improvement. You don't need to be part of the 75% that are uncertain. Join the 25% that are by completing the Proactive Certainty Scorecard™ today. The Proactive Certainty Scorecard™ is applicable to all risk & compliance domains including: Quality, Occupational Health and Safety, Environmental, Security, Process & Pipeline Safety, Regulatory, Data Privacy, Ethics and Legal, Financial, Corporate Risk, Supply Chain Risk, and overall Risk and Compliance.
- Implement Programs and Systems
The documented organization is at best a rough facsimile for the actual organization. There is always a gap between what is expressed in job descriptions, policies, and procedures; and the actual organization performing the work. A significant cause for this gap can be attributed to the level of accountability and autonomy given to workers to achieve their objectives. In fact, these are required to enable proactive behaviours that anticipate, plan, and advance objectives and goals. Creating the balance between adherence to standard practices and having adequate room to be proactive is precisely the balance between management systems and programs. Systems achieve consistency by adhering to procedures, resisting change and reacting to variation. While programs anticipate conditions, introduce change, and advance outcomes. Effective compliance (ex. quality, safety, environmental, and regulatory) requires that existing conditions are maintained, and that progress is made towards compliance goals (ex. zero defects, zero fatalities, zero emissions, zero violations). This requires that companies implement appropriate programs to advance these goals along with their management systems to keep the ground they already have.
- Bow Ties are Cool and Effective
There might be some who read my posts who are also Doctor Who fans and get the reference to bow ties being cool. However, even if you don't watch Doctor Who, you can still appreciate the benefits from using a bow-tie analysis to help improve the certainty of achieving your goals. Risk management has changed over the years and in many ways has now become an optimization process to increase the certainty of achieving outcomes. And nothing demonstrates this more than using a bow-tie analysis.The first thing that people notice when using a bow-tie analysis is that it looks like an actual bow tie particularly in its simpler form: This provides a great visual when considering how to address risks. However, what makes it so powerful is that it incorporates causal and consequence trees along with control analysis all in one tool. To illustrate how the bow-tie analysis can be used let's consider risks associated with achieving a relatively simple objective of getting to work. We can simplify this even further by only considering a risk scenario that involves getting from the parking lot to the office building. The path has a significant hole in the pavement that developed over the winter and is now a meter wide wide and several meters deep. This hole is referred to as a hazard which threatens the ability to achieve the objective of getting to work. However, it should be noted that not all holes represent threats only the ones that are in the way between us and our objective. As in the words of, Dr. David Hillson (The Risk Doctor), that's how you know which risks really matter. The goal of a bow-tie analysis is to optimize controls addressing both prevention and recovery to reduce the treated risk to below a given risk tolerance. For each cause an evaluation is made of the prevention controls effects on the likelihood of the risk event occurring, which in our example is falling in the hole. In a similar fashion, an evaluation is made of the effects of the recovery controls to reduce the impact of not achieving the objective. The following list contains brief definitions for key elements of our bow-tie example : Objective : This is what is being aimed or sought after (i.e. getting to work) Causes : these are conditions that may result in falling in the hole. In our example, three causes have been identified: walking down the path, running down the path, and walking while being distracted. Each one will have their own likelihood of falling in the hole. Consequences : these are the results of falling in the hole which affect whether or not we get to work. They are uncertain as they depend on the whether or not a person falls in the hole. Three consequences have been identified: cuts and bruises, broken bones, and fatalities. Prevention : these are controls to prevent falling in the hole. Each one has their own level of effectiveness Recovery : these are controls that mitigate the effects of falling in the hole should they happen. Each one has their own level of effectiveness. After optimizing the prevention and recovery controls to reduce residual risk below the risk tolerance, a risk plan can be developed by creating risk statements for the cross product of causes and consequences. Here I am using the risk meta-language proposed by Dr. Hillson and others: A bow-tie analysis is effective not only with qualitative considerations but can be (an often is) extended to include quantitative measures on both causal and prevention logic trees. In addition, by considering both prevention and recovery efficacy in isolation and in relationship with other controls, a preliminary assessment (LOPA) of the layers of defense can be obtained to gauge overall coverage. A bow-tie analysis can also be applied to opportunities where instead of prevention and recovery the focus is on enabling opportunity events and exploiting them should they materialize. By considering both threats and opportunities a holistic approach to addressing uncertainty in the achievement of objectives is possible. Download our free PowerPoint Bow-Tie / ISO 31000 Template here
- Steering Compliance: Three Imperatives for Operational Compliance Programs
An Operational Compliance Program is the means used to steer organizations towards meeting all their obligations and keeping all their promises associated with safety, security, sustainability, quality, and other stakeholder outcomes. Operational Compliance Programs are the vehicles to deliver compliance value – better compliance outcomes and increased stakeholder trust in presence of uncertainty. To ensure their effectiveness, Operational Compliance Programs must actively engage in three critical on-going activities: enhancing capabilities, introducing change, and regulating systems. By prioritizing these imperatives, organizations can provide greater assurance that they are able to stay between the lines and ahead of risk today, tomorrow, and everyday into the future. 1. Enhancing Capabilities: Driving Progress Towards Compliance Outcomes The first key imperative for operational compliance programs is to continuously enhance organizational capabilities (people, process, and technology) to meet all their obligations and effectively contend with risk. This involves developing and nurturing a knowledgeable and skilled workforce, equipped to tackle the challenges posed by evolving regulations, industry standards, and promised organizational performance and outcomes. By providing comprehensive training and educational resources, compliance programs empower management and staff to make informed decisions and take appropriate actions within the boundaries of organizational values. Moreover, enhancing capabilities requires establishing robust communication channels and fostering a collaborative environment. This enables the compliance team to proactively engage with other departments, identify potential compliance risks, and devise effective strategies to mitigate them. By strengthening cross-functional collaboration, compliance programs can align business objectives with compliance outcomes, fostering a culture where compliance is not seen as a hindrance but as an enabler of success. Here is a list of essential operational compliance program functions where capabilities need to be continuously enhanced: Managed Obligations Managed Promises Managed Assurance Managed Culture Managed Accountability and Responsibility Managed Organizational Alignment Managed Operations Managed Risk Managed Capabilities Managed Data & Monitoring Managed Improvements Managed Technology 2. Introducing Change: Staying Ahead of Risks The second imperative for operational compliance programs is to embrace change and remain ahead of emerging risks. Regulatory landscapes are constantly evolving, necessitating agility and adaptability from compliance professionals. It is crucial for compliance programs to proactively monitor regulatory developments and assess their impact on the organization's operations. By adopting a forward-thinking approach, operational compliance programs can identify potential gaps in their existing policies and procedures, and implement necessary changes to ensure ongoing compliance. Regular risk assessments and audits become invaluable tools in detecting vulnerabilities and implementing effective controls. Embracing change allows compliance programs to anticipate potential disruptions, minimize compliance breaches, and maintain a competitive edge in an ever-changing business environment. 3. Regulating Systems: Achieving Performance Targets The third imperative for operational compliance programs is to regulate compliance systems and processes to achieve risk and compliance performance targets. This involves implementing robust monitoring mechanisms and utilizing technology to enhance compliance oversight. By leveraging data analytics and automation tools, compliance programs can efficiently monitor compliance-related activities, identify patterns, and detect any anomalies that require immediate attention. Furthermore, compliance programs must establish clear performance targets and key performance indicators (KPIs) to gauge the effectiveness of their initiatives. Regular assessments and reporting enable organizations to measure progress, identify areas for improvement, and make data-driven decisions to optimize compliance efforts. Summary: Operational Compliance Programs steer organizations towards compliance outcomes as well as the vehicles to deliver value – better compliance outcomes and greater stakeholder trust in an ever-evolving business landscape. By prioritizing three imperatives — enhancing capabilities, introducing change, and regulating systems — operational compliance programs can establish a robust framework that ensures sustainable compliance outcomes in the presence of uncertainty. If you are interested in establishing an Operational Compliance program for your safety, security, sustainability, quality, ethical or regulatory compliance consider becoming a member of the – The Proactive Certainty Program™ ,












